admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 15:23:07 +08:00
Code Issues Packages Projects Releases Wiki Activity
207 Commits 1 Branch 1 Tag
6bada1844e1c68e7d0ec4d6322940c1f023e4eea
Commit Graph

207 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
h3xduck
b182ac1eeb Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00
h3xduck
1ec4ed8486 Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper 2022-02-19 11:57:32 -05:00
h3xduck
8e97624326 Improved the pricvesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions 2022-02-19 11:08:56 -05:00
h3xduck
130364e6ab Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00
h3xduck
0e022a8385 Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00
h3xduck
b68e01c057 Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00
h3xduck
9a47a2b15a Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00
h3xduck
431a019931 Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module 2022-02-16 19:38:39 -05:00
h3xduck
2ae705f037 Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00
h3xduck
edbaf09c06 Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00
h3xduck
044c85f3ff Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00
h3xduck
05baa8fb8a Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00
h3xduck
41ef733520 Completed faking that an user is in the sudoers file. Now user 'test' can use sudo without being there 2022-02-05 14:10:12 -05:00
h3xduck
643783004a Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00
h3xduck
2b50d376a6 Updated function and configurator manager names to the used hook. 2022-01-26 13:04:23 -05:00
Marcos S. Bajo
9b366810b5 Merge pull request #18 from h3xduck/output_modifier 
Basic user memory manipulation + Control over rootkit modules and probes + Basic communication system
 2022-01-16 13:36:12 +01:00
h3xduck
e10f5183b3 Updated readme with new PoC 2022-01-16 07:03:07 -05:00
h3xduck
3832d99af1 Updated file names and directory structure to the new multi-modules rootkit 2022-01-16 06:56:54 -05:00
h3xduck
fc0d30f06f Completed output modification of sys_read. Created a simple PoC 2022-01-16 06:45:45 -05:00
h3xduck
99e9fd4277 FS module now can overwrite the buffer of read syscalls, effectively modifying what is returned as a result. Small PoC included now which modifies any first char in a string to 'O'. Use under discretion, may crash some programs, not enough checks implemented yet. 2022-01-15 16:16:30 -05:00
h3xduck
945e2f2def Added new probe to read the previously extracted params and overwrite user memory. Still now fully working, just a backup 2022-01-14 22:05:08 -05:00
h3xduck
106f141c7e Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00
h3xduck
193d9ec28f Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with original plan of file system hooking 2022-01-06 13:31:52 -05:00
h3xduck
4882ce790c [BUILD FAILING] Checkpoint for backup, added new hook for file system, tweaked makefile for real kernel header files inclusion, still not working. Commiting for periodic backup 2022-01-05 20:34:53 -05:00
h3xduck
f8774ac9cf [BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00
h3xduck
74873dbca5 Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00
h3xduck
40da6b300b Capability of attaching/detaching as many times as we want is finished. Now rootkit is fully cusotmizable from the userland (and thus remotely throught the backdoor) 2022-01-02 16:02:23 -05:00
h3xduck
adaf909781 Completed detachment of probes, enabling to attach and detach at will. Work needs to be done with xdp tho 2022-01-02 06:28:45 -05:00
h3xduck
d18b0aa23c Further improvements in the rootkit configuration by the user 2021-12-31 12:02:35 -05:00
h3xduck
0863566292 Included a global config struct for controlling which hooks and functions of the rootkit should be active. Still work to be done in the bpf side 2021-12-31 09:54:47 -05:00
h3xduck
d9a70f866c Modularized the ebpf program loading and attaching. 2021-12-30 21:09:26 -05:00
h3xduck
19a11da18f Modularized the communication buffers 2021-12-30 12:48:45 -05:00
h3xduck
d5478ed7a0 Added more communication utils between userspace and kernel: 
* Included maps and kernel ring buffer communication
* Extended the ebpf structure to include more modules
* New utils in both user and kernelspace
* Other changes
* This update precedes a great effort on researching and learning and linux kernel tracing and studing ebpfkit from defcon. More functionalities should come rather quickly now.
 2021-12-29 14:44:09 -05:00
h3xduck
510fc89de0 FIltering the found filepaths now fully working. We can now detect opened file descriptors of all processes 2021-12-24 10:22:23 -05:00
h3xduck
be9cc95daa Adapted makefile for user includes and new source files 2021-12-24 06:59:30 -05:00
h3xduck
745ec4e395 Updated project structure, and added new list for the next incoming feature. 2021-12-21 20:08:49 -05:00
Marcos S. Bajo
1b2bc34826 Fix typo 2021-11-28 02:01:56 +01:00
Marcos S. Bajo
c1939dca2b Update README.md 2021-11-28 02:01:32 +01:00
Marcos S. Bajo
3b2fbc3aa4 Merge pull request #9 from h3xduck/playzone 
First eBPF codebase, W+R access to incoming traffic and included PoC
 2021-11-28 01:53:03 +01:00
h3xduck
2999a090b7 Fixed the client, now the payload shrinking is fully working, also the bug previously found seems to be nothing but an error of mine. Ready to merge! 2021-11-27 19:08:38 -05:00
h3xduck
a1119894cd Made it work with an arbitrary length payload. Generalization with constants.h, now the PoC can be used for any shrinking/enlarging value. Discovered a very curious bug 2021-11-27 17:01:10 -05:00
h3xduck
a440326653 Arbitrary payload modification fully works now. Absolutely ridicous the time it took me (2 days) to realize I was computing the ip checksum with the old checksum values, which made it not to work. Finally can keep going 2021-11-27 14:10:43 -05:00
h3xduck
ca23880fd4 Arbitrary payload expansion is now working. IP checksum recomputation needs a revision, it is always 0... 2021-11-25 20:30:15 -05:00
h3xduck
253c302695 Payload increased length now being correctly recognized, but still cannot write to it yet. 2021-11-25 06:36:32 -05:00
h3xduck
442f955cf5 Added module which arbitrarily increases the size of the packet we received. Needs some tweaking to allow for modification of the header and payload fields yet, but the space allocation is already there. Also, multiple improvements overall 2021-11-24 20:41:07 -05:00
h3xduck
74cc7ff9e5 Further refactored code and dealt with the verifier issues with string comparisons 2021-11-24 12:17:31 -05:00
h3xduck
0568d5192d Finished externalizing helper functions 2021-11-24 10:50:30 -05:00
h3xduck
72fddcac62 Finished adapting the code to tcp packets (+ researched a lot about xdp and ebpf, we should be OK with xdps, found a lot of ideas) 2021-11-23 19:55:44 -05:00
h3xduck
516e98748c Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00
h3xduck
b04200526c Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00