h3xduck
|
ad4f9b2504
|
Completed phantom shell protocol, added new checksum correctors
|
2022-05-11 20:27:52 -04:00 |
|
h3xduck
|
28ed530aea
|
Completed the TC Hook and payload enlargment and substitution mechanisms. Only the packet recognition on the client side remains to work
|
2022-05-11 17:31:38 -04:00 |
|
h3xduck
|
567d8d706c
|
Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready
|
2022-05-10 23:04:19 -04:00 |
|
h3xduck
|
f2c3624e8b
|
Added test on tc clasiffier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs
|
2022-05-10 19:09:52 -04:00 |
|
h3xduck
|
4211d0b5d5
|
Updated all components with phantom shell
|
2022-05-09 22:06:29 -04:00 |
|
h3xduck
|
5320f35d01
|
Added new hidden payload stream mode, now triggered using the source port. Fully integrated already, can select between that and seqnum in client. Both launch live encrypted shell via v3 backdoor
|
2022-05-09 20:16:13 -04:00 |
|
h3xduck
|
ff0f34c6a4
|
Included new library version with support for tcp src port paylaod injection
|
2022-05-09 18:57:23 -04:00 |
|
h3xduck
|
ff2868846f
|
Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor to work completely and connect to encrypted session
|
2022-05-09 17:48:02 -04:00 |
|
h3xduck
|
073e1d3129
|
Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions
|
2022-05-09 16:36:39 -04:00 |
|
h3xduck
|
ba19537ec1
|
Added new packet stream payload mode in client for V3 backdoor
|
2022-05-07 20:45:02 -04:00 |
|
h3xduck
|
5746ac5efb
|
Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor
|
2022-05-07 19:16:33 -04:00 |
|
h3xduck
|
ce7d36371d
|
Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional
|
2022-05-07 17:55:27 -04:00 |
|
h3xduck
|
f6a4c1daa0
|
Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes
|
2022-05-07 10:36:46 -04:00 |
|
h3xduck
|
cceca23478
|
Completed message sharing, starting with protocol now
|
2022-05-05 22:14:28 -04:00 |
|
h3xduck
|
213e30ba3b
|
Fixed keys of trigger packet V1, added sample servers, fixed client bug
|
2022-05-05 17:52:58 -04:00 |
|
h3xduck
|
0553ad777f
|
Completed message passing of commands to userspace via ebpf ringbuffer
|
2022-05-05 13:22:47 -04:00 |
|
h3xduck
|
2deebf1b9e
|
Added V1 command sending via secret trigger on backdoor
|
2022-05-05 12:59:02 -04:00 |
|
h3xduck
|
ead4a4ca68
|
Completed checks for V1 trigger
|
2022-05-04 08:54:21 -04:00 |
|
h3xduck
|
073a911f74
|
Included new version of custom lib. Added checks for backdoor triggering
|
2022-05-04 04:40:25 -04:00 |
|
h3xduck
|
aca4cc4cfb
|
Adding gitignore
|
2022-04-27 22:03:17 -04:00 |
|
h3xduck
|
a9fd1441b1
|
Merge branch 'master' of https://github.com/h3xduck/TFG
|
2022-04-27 21:59:59 -04:00 |
|
h3xduck
|
dccea69119
|
Updating documentation, preparing document with sections and comments
|
2022-04-27 21:59:56 -04:00 |
|
h3xduck
|
25ef3acc5a
|
Updating doc, adding makefile and preparing document
|
2022-04-27 21:56:37 -04:00 |
|
Marcos S. Bajo
|
f5897ae00d
|
Merge pull request #26 from h3xduck/injection
Library injection + sudo bypass + initial version of C2
|
2022-04-27 23:59:56 +02:00 |
|
Juan Tapiador
|
701950669f
|
implant trigger (hive)
|
2022-04-19 16:24:36 +02:00 |
|
h3xduck
|
8be536fb6f
|
Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug.
|
2022-04-14 13:24:43 -04:00 |
|
h3xduck
|
a9f0ae17f7
|
Completed client payload generation
|
2022-04-14 09:49:08 -04:00 |
|
h3xduck
|
e8abc7415a
|
Advancements on payload recognition. Now proceeding to build protocol
|
2022-04-14 07:54:21 -04:00 |
|
h3xduck
|
43ccb6cd3d
|
Added packet parsing and bound checking
|
2022-04-13 20:46:06 -04:00 |
|
h3xduck
|
c3bffb6f84
|
Completed packet parsing at tc hook
|
2022-04-13 16:56:17 -04:00 |
|
h3xduck
|
7157729334
|
Added forked routine to execve_hijack. Improved argv modification and made it work. Working now.
|
2022-04-13 08:57:33 -04:00 |
|
h3xduck
|
e881502ffa
|
Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it
|
2022-04-09 14:17:09 -04:00 |
|
h3xduck
|
036585371c
|
Added pdf with temporary documentation
|
2022-04-08 05:30:43 -04:00 |
|
h3xduck
|
621e42e2e8
|
Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries
|
2022-04-07 19:47:53 -04:00 |
|
h3xduck
|
be5605db5f
|
Introduced shellcode and finished code cave writing and injection. RELRO working
|
2022-04-07 11:54:24 -04:00 |
|
h3xduck
|
3455b80010
|
Merge branch 'injection' of https://github.com/h3xduck/TFG into injection. Messed up with branches, clearing up
|
2022-04-07 07:14:54 -04:00 |
|
h3xduck
|
3438f5846f
|
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated
|
2022-04-07 07:11:28 -04:00 |
|
h3xduck
|
f4b88668b8
|
Finished GOT section identification and writing, added parsing of /proc/<pid>/maps
|
2022-04-07 07:10:00 -04:00 |
|
h3xduck
|
e6ddb3373e
|
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated
|
2022-04-05 20:21:59 -04:00 |
|
h3xduck
|
96cfda8c1f
|
Finished RELRO adaptation.
|
2022-04-04 18:04:34 -04:00 |
|
h3xduck
|
748062f464
|
Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO.
|
2022-04-04 17:07:45 -04:00 |
|
h3xduck
|
8f28c3a883
|
Updated helpers and added resources to help with lib injection
|
2022-03-24 15:40:05 -04:00 |
|
h3xduck
|
9dff5e71dc
|
Included offset and extraction of interesting functions
|
2022-03-17 21:41:40 -04:00 |
|
h3xduck
|
0fbcb8bdf7
|
Fixed probe not probing correct syscall entry
|
2022-03-17 19:36:25 -04:00 |
|
h3xduck
|
fcf43ff180
|
Finished extraction of return address from the stack, and libc syscall adress
|
2022-03-17 19:32:32 -04:00 |
|
h3xduck
|
9647972531
|
Finished extraction of stack return address
|
2022-03-17 13:18:19 -04:00 |
|
h3xduck
|
671e2d671d
|
Added extraction of original jump instruction and opcodes
|
2022-03-15 18:36:59 -04:00 |
|
h3xduck
|
0c88d5baa9
|
Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack.
|
2022-03-03 05:53:51 -05:00 |
|
h3xduck
|
e64839f080
|
Added new libc symbols extraction
|
2022-03-02 19:00:50 -05:00 |
|
h3xduck
|
805fa760cf
|
Corrected issues of opening directories without permission in execve helper
|
2022-02-24 19:53:11 -05:00 |
|