h3xduck
2b6fe08d7f
README and license
2022-07-01 11:06:10 -04:00
h3xduck
102b72af05
Cleaned unnecessary files, new gitignore for previous clones
2022-06-25 12:11:04 -04:00
h3xduck
5d6619ce40
Finished section 5. Multiple changes in the code according to the performed tests.
2022-06-19 14:35:19 -04:00
h3xduck
bfcbfcfaf2
Added multiple small changes to client and code, submitting almost finished chapter 5
2022-06-18 10:57:10 -04:00
h3xduck
2b719ff0a5
Completed chapter 4
2022-06-16 20:38:15 -04:00
h3xduck
163f923c55
Continued with execve hijacking.
2022-06-13 22:16:34 -04:00
h3xduck
99ad9c5548
New explanation for the injection technique (alternative scanning process) and added flow diagram with full process.
2022-06-13 10:57:32 -04:00
h3xduck
104f4c0355
Added obfuscation for the persistence access using cron
2022-05-16 17:34:21 -04:00
h3xduck
82fa056955
Added hide directory capabilities for the rootkit
2022-05-16 11:24:59 -04:00
h3xduck
4044d7994c
Added sys_openat for the injection module, fully working!
2022-05-16 08:02:38 -04:00
h3xduck
78b3132687
Updated some files for everything to work now that it is all together. Execve hijacker and clients in particular
2022-05-15 20:47:58 -04:00
h3xduck
4a292f0f7a
Merged master and develop, now all changes together. Fully tested and working.
2022-05-15 20:46:35 -04:00
h3xduck
ce3b267d01
Fixed phantom shell, added IPs for all types of backdoor triggers so that we can use different interfaces
2022-05-15 16:45:47 -04:00
h3xduck
d509f20974
Completed command passing for phantom shell
2022-05-15 14:44:16 -04:00
h3xduck
28ed530aea
Completed the TC hook and payload enlargement and substitution mechanisms. Only the packet recognition on the client side still needs to work
2022-05-11 17:31:38 -04:00
h3xduck
567d8d706c
Further completed the phantom shell routine and added more checks in TC. Still not finished: payload rewriting remains, but the rest is fully ready
2022-05-10 23:04:19 -04:00
h3xduck
4211d0b5d5
Updated all components with phantom shell
2022-05-09 22:06:29 -04:00
h3xduck
5320f35d01
Added new hidden payload stream mode, now triggered using the source port. Fully integrated already; can select between that and seqnum in the client. Both launch a live encrypted shell via the V3 backdoor
2022-05-09 20:16:13 -04:00
h3xduck
ff2868846f
Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor work completely and connect to the encrypted session
2022-05-09 17:48:02 -04:00
h3xduck
073e1d3129
Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions
2022-05-09 16:36:39 -04:00
h3xduck
ba19537ec1
Added new packet stream payload mode in client for V3 backdoor
2022-05-07 20:45:02 -04:00
h3xduck
5746ac5efb
Added new hidden packets, commands and the rest of the structure to activate and deactivate hooks from the backdoor
2022-05-07 19:16:33 -04:00
h3xduck
ce7d36371d
Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit is now fully functional
2022-05-07 17:55:27 -04:00
h3xduck
f6a4c1daa0
Finished execve hijacking, added new last checks and discovered why it sometimes fails. New detached process in userspace. Other fixes
2022-05-07 10:36:46 -04:00
h3xduck
cceca23478
Completed message sharing, starting with the protocol now
2022-05-05 22:14:28 -04:00
h3xduck
213e30ba3b
Fixed keys of trigger packet V1, added sample servers, fixed client bug
2022-05-05 17:52:58 -04:00
h3xduck
0553ad777f
Completed message passing of commands to userspace via ebpf ringbuffer
2022-05-05 13:22:47 -04:00
h3xduck
2deebf1b9e
Added V1 command sending via secret trigger on backdoor
2022-05-05 12:59:02 -04:00
h3xduck
073a911f74
Included new version of custom lib. Added checks for backdoor triggering
2022-05-04 04:40:25 -04:00
h3xduck
e881502ffa
Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it
2022-04-09 14:17:09 -04:00
h3xduck
621e42e2e8
Changed shellcode to include backup of registers and stack. Now prevents stack-smashing detection via the stack canaries
2022-04-07 19:47:53 -04:00
h3xduck
be5605db5f
Introduced shellcode and finished code cave writing and injection. RELRO working
2022-04-07 11:54:24 -04:00
h3xduck
3438f5846f
Finished injection module in userspace using /proc/<pid>/maps, enables overwriting the GOT section with RELRO activated
2022-04-07 07:11:28 -04:00
h3xduck
8f28c3a883
Updated helpers and added resources to help with lib injection
2022-03-24 15:40:05 -04:00
h3xduck
671e2d671d
Added extraction of original jump instruction and opcodes
2022-03-15 18:36:59 -04:00
h3xduck
1ec4ed8486
Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the C&C launching of the helper
2022-02-19 11:57:32 -05:00
h3xduck
130364e6ab
Added support for integrating the execution hijacker via the rootkit. Still some work to do; also changed some config from fs which needs to be reverted
2022-02-18 09:08:54 -05:00
h3xduck
b68e01c057
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version.
2022-02-18 03:32:07 -05:00
h3xduck
9a47a2b15a
Completed client integration with new c&c module.
2022-02-17 06:21:09 -05:00
h3xduck
431a019931
Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module
2022-02-16 19:38:39 -05:00
h3xduck
2ae705f037
Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor
2022-02-14 20:08:30 -05:00
h3xduck
044c85f3ff
Initial version of the RCE scheme. Added complete execve hook, helper and modifying capabilities for the filename called. Work still needs to be done
2022-02-06 14:15:57 -05:00
h3xduck
41ef733520
Completed faking that a user is in the sudoers file. Now user 'test' can use sudo without being there
2022-02-05 14:10:12 -05:00
h3xduck
643783004a
Added new hooks and updated map fields to support new sudo module.
2022-02-05 13:49:20 -05:00
h3xduck
fc0d30f06f
Completed output modification of sys_read. Created a simple PoC
2022-01-16 06:45:45 -05:00
h3xduck
106f141c7e
Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer
2022-01-14 21:18:51 -05:00
h3xduck
193d9ec28f
Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with the original plan of file system hooking
2022-01-06 13:31:52 -05:00
h3xduck
d18b0aa23c
Further improvements in the rootkit configuration by the user
2021-12-31 12:02:35 -05:00
h3xduck
d5478ed7a0
Added more communication utils between userspace and kernel:
* Included maps and kernel ring buffer communication
* Extended the ebpf structure to include more modules
* New utils in both user and kernelspace
* Other changes
* This update precedes a great effort on researching and learning Linux kernel tracing and studying ebpfkit from DEF CON. More functionalities should come rather quickly now.
2021-12-29 14:44:09 -05:00