admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
81 Commits 1 Branch 1 Tag
aca4cc4cfb9634d481cb6b74ba0843832815aa02
Commit Graph

81 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
h3xduck
aca4cc4cfb Adding gitignore 2022-04-27 22:03:17 -04:00
h3xduck
a9fd1441b1 Merge branch 'master' of https://github.com/h3xduck/TFG 2022-04-27 21:59:59 -04:00
h3xduck
dccea69119 Updating documentation, preparing document with sections and comments 2022-04-27 21:59:56 -04:00
Marcos S. Bajo
f5897ae00d Merge pull request #26 from h3xduck/injection 
Library injection + sudo bypass + initial version of C2
 2022-04-27 23:59:56 +02:00
Juan Tapiador
701950669f implant trigger (hive) 2022-04-19 16:24:36 +02:00
h3xduck
e881502ffa Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it 2022-04-09 14:17:09 -04:00
h3xduck
036585371c Added pdf with temporary documentation 2022-04-08 05:30:43 -04:00
h3xduck
621e42e2e8 Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries 2022-04-07 19:47:53 -04:00
h3xduck
be5605db5f Introduced shellcode and finished code cave writing and injection. RELRO working 2022-04-07 11:54:24 -04:00
h3xduck
3455b80010 Merge branch 'injection' of https://github.com/h3xduck/TFG into injection. Messed up with branches, clearing up 2022-04-07 07:14:54 -04:00
h3xduck
3438f5846f Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-07 07:11:28 -04:00
h3xduck
f4b88668b8 Finished GOT section identification and writing, added parsing of /proc/<pid>/maps 2022-04-07 07:10:00 -04:00
h3xduck
e6ddb3373e Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-05 20:21:59 -04:00
h3xduck
96cfda8c1f Finished RELRO adaptation. 2022-04-04 18:04:34 -04:00
h3xduck
748062f464 Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO. 2022-04-04 17:07:45 -04:00
h3xduck
8f28c3a883 Updated helpers and added resources to help with lib injection 2022-03-24 15:40:05 -04:00
h3xduck
9dff5e71dc Included offset and extraction of interesting functions 2022-03-17 21:41:40 -04:00
h3xduck
0fbcb8bdf7 Fixed probe not probing correct syscall entry 2022-03-17 19:36:25 -04:00
h3xduck
fcf43ff180 Finished extraction of return address from the stack, and libc syscall adress 2022-03-17 19:32:32 -04:00
h3xduck
9647972531 Finished extraction of stack return address 2022-03-17 13:18:19 -04:00
h3xduck
671e2d671d Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00
h3xduck
0c88d5baa9 Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00
h3xduck
e64839f080 Added new libc symbols extraction 2022-03-02 19:00:50 -05:00
h3xduck
805fa760cf Corrected issues of opening directories without permission in execve helper 2022-02-24 19:53:11 -05:00
h3xduck
b182ac1eeb Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00
h3xduck
1ec4ed8486 Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper 2022-02-19 11:57:32 -05:00
h3xduck
8e97624326 Improved the pricvesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions 2022-02-19 11:08:56 -05:00
h3xduck
130364e6ab Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00
h3xduck
0e022a8385 Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00
h3xduck
b68e01c057 Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00
h3xduck
9a47a2b15a Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00
h3xduck
431a019931 Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module 2022-02-16 19:38:39 -05:00
h3xduck
2ae705f037 Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00
h3xduck
edbaf09c06 Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00
h3xduck
044c85f3ff Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00
h3xduck
05baa8fb8a Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00
h3xduck
41ef733520 Completed faking that an user is in the sudoers file. Now user 'test' can use sudo without being there 2022-02-05 14:10:12 -05:00
h3xduck
643783004a Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00
h3xduck
2b50d376a6 Updated function and configurator manager names to the used hook. 2022-01-26 13:04:23 -05:00
Marcos S. Bajo
9b366810b5 Merge pull request #18 from h3xduck/output_modifier 
Basic user memory manipulation + Control over rootkit modules and probes + Basic communication system
 2022-01-16 13:36:12 +01:00
h3xduck
e10f5183b3 Updated readme with new PoC 2022-01-16 07:03:07 -05:00
h3xduck
3832d99af1 Updated file names and directory structure to the new multi-modules rootkit 2022-01-16 06:56:54 -05:00
h3xduck
fc0d30f06f Completed output modification of sys_read. Created a simple PoC 2022-01-16 06:45:45 -05:00
h3xduck
99e9fd4277 FS module now can overwrite the buffer of read syscalls, effectively modifying what is returned as a result. Small PoC included now which modifies any first char in a string to 'O'. Use under discretion, may crash some programs, not enough checks implemented yet. 2022-01-15 16:16:30 -05:00
h3xduck
945e2f2def Added new probe to read the previously extracted params and overwrite user memory. Still now fully working, just a backup 2022-01-14 22:05:08 -05:00
h3xduck
106f141c7e Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00
h3xduck
193d9ec28f Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with original plan of file system hooking 2022-01-06 13:31:52 -05:00
h3xduck
4882ce790c [BUILD FAILING] Checkpoint for backup, added new hook for file system, tweaked makefile for real kernel header files inclusion, still not working. Commiting for periodic backup 2022-01-05 20:34:53 -05:00
h3xduck
f8774ac9cf [BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00
h3xduck
74873dbca5 Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00