h3xduck
|
ccd518287a
|
Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours
|
2022-05-16 16:33:12 -04:00 |
|
h3xduck
|
757a480de9
|
Completed work on deployer, previous to cron persistence
|
2022-05-16 12:52:25 -04:00 |
|
h3xduck
|
82fa056955
|
Added hide directory capabilities for the rootkit
|
2022-05-16 11:24:59 -04:00 |
|
h3xduck
|
4044d7994c
|
Added sys_openat for the injection module, fully working!
|
2022-05-16 08:02:38 -04:00 |
|
h3xduck
|
abc501d4be
|
Merge branch 'develop'
|
2022-05-15 20:49:09 -04:00 |
|
h3xduck
|
78b3132687
|
Updated some files for eveything to work now that it is all together. Execve hijacker and clients in particular
|
2022-05-15 20:47:58 -04:00 |
|
h3xduck
|
4a292f0f7a
|
Merged master and develop, now all changes together. Fully tested and working.
|
2022-05-15 20:46:35 -04:00 |
|
h3xduck
|
57f3edd8fa
|
Fixed bug in client getting local ip
|
2022-05-15 19:09:04 -04:00 |
|
h3xduck
|
6e76e1ed1a
|
Solved an error in client ip config
|
2022-05-15 18:08:14 -04:00 |
|
h3xduck
|
ce3b267d01
|
Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces
|
2022-05-15 16:45:47 -04:00 |
|
h3xduck
|
e6cbe7c24a
|
Updated client to work with multiple network interfaces
|
2022-05-15 15:15:43 -04:00 |
|
h3xduck
|
d509f20974
|
Completed command passing for phantom shell
|
2022-05-15 14:44:16 -04:00 |
|
h3xduck
|
ad4f9b2504
|
Completed phantom shell protocol, added new checksum correctors
|
2022-05-11 20:27:52 -04:00 |
|
h3xduck
|
28ed530aea
|
Completed the TC Hook and payload enlargment and substitution mechanisms. Only the packet recognition on the client side remains to work
|
2022-05-11 17:31:38 -04:00 |
|
h3xduck
|
567d8d706c
|
Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready
|
2022-05-10 23:04:19 -04:00 |
|
h3xduck
|
f2c3624e8b
|
Added test on tc clasiffier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs
|
2022-05-10 19:09:52 -04:00 |
|
h3xduck
|
4211d0b5d5
|
Updated all components with phantom shell
|
2022-05-09 22:06:29 -04:00 |
|
h3xduck
|
5320f35d01
|
Added new hidden payload stream mode, now triggered using the source port. Fully integrated already, can select between that and seqnum in client. Both launch live encrypted shell via v3 backdoor
|
2022-05-09 20:16:13 -04:00 |
|
h3xduck
|
ff0f34c6a4
|
Included new library version with support for tcp src port paylaod injection
|
2022-05-09 18:57:23 -04:00 |
|
h3xduck
|
ff2868846f
|
Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor to work completely and connect to encrypted session
|
2022-05-09 17:48:02 -04:00 |
|
h3xduck
|
073e1d3129
|
Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions
|
2022-05-09 16:36:39 -04:00 |
|
h3xduck
|
ba19537ec1
|
Added new packet stream payload mode in client for V3 backdoor
|
2022-05-07 20:45:02 -04:00 |
|
h3xduck
|
5746ac5efb
|
Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor
|
2022-05-07 19:16:33 -04:00 |
|
h3xduck
|
ce7d36371d
|
Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional
|
2022-05-07 17:55:27 -04:00 |
|
h3xduck
|
f6a4c1daa0
|
Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes
|
2022-05-07 10:36:46 -04:00 |
|
h3xduck
|
cceca23478
|
Completed message sharing, starting with protocol now
|
2022-05-05 22:14:28 -04:00 |
|
h3xduck
|
213e30ba3b
|
Fixed keys of trigger packet V1, added sample servers, fixed client bug
|
2022-05-05 17:52:58 -04:00 |
|
h3xduck
|
0553ad777f
|
Completed message passing of commands to userspace via ebpf ringbuffer
|
2022-05-05 13:22:47 -04:00 |
|
h3xduck
|
2deebf1b9e
|
Added V1 command sending via secret trigger on backdoor
|
2022-05-05 12:59:02 -04:00 |
|
h3xduck
|
ead4a4ca68
|
Completed checks for V1 trigger
|
2022-05-04 08:54:21 -04:00 |
|
h3xduck
|
073a911f74
|
Included new version of custom lib. Added checks for backdoor triggering
|
2022-05-04 04:40:25 -04:00 |
|
h3xduck
|
aca4cc4cfb
|
Adding gitignore
|
2022-04-27 22:03:17 -04:00 |
|
h3xduck
|
a9fd1441b1
|
Merge branch 'master' of https://github.com/h3xduck/TFG
|
2022-04-27 21:59:59 -04:00 |
|
h3xduck
|
dccea69119
|
Updating documentation, preparing document with sections and comments
|
2022-04-27 21:59:56 -04:00 |
|
h3xduck
|
25ef3acc5a
|
Updating doc, adding makefile and preparing document
|
2022-04-27 21:56:37 -04:00 |
|
Marcos S. Bajo
|
f5897ae00d
|
Merge pull request #26 from h3xduck/injection
Library injection + sudo bypass + initial version of C2
|
2022-04-27 23:59:56 +02:00 |
|
Juan Tapiador
|
701950669f
|
implant trigger (hive)
|
2022-04-19 16:24:36 +02:00 |
|
h3xduck
|
8be536fb6f
|
Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug.
|
2022-04-14 13:24:43 -04:00 |
|
h3xduck
|
a9f0ae17f7
|
Completed client payload generation
|
2022-04-14 09:49:08 -04:00 |
|
h3xduck
|
e8abc7415a
|
Advancements on payload recognition. Now proceeding to build protocol
|
2022-04-14 07:54:21 -04:00 |
|
h3xduck
|
43ccb6cd3d
|
Added packet parsing and bound checking
|
2022-04-13 20:46:06 -04:00 |
|
h3xduck
|
c3bffb6f84
|
Completed packet parsing at tc hook
|
2022-04-13 16:56:17 -04:00 |
|
h3xduck
|
7157729334
|
Added forked routine to execve_hijack. Improved argv modification and made it work. Working now.
|
2022-04-13 08:57:33 -04:00 |
|
h3xduck
|
e881502ffa
|
Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it
|
2022-04-09 14:17:09 -04:00 |
|
h3xduck
|
036585371c
|
Added pdf with temporary documentation
|
2022-04-08 05:30:43 -04:00 |
|
h3xduck
|
621e42e2e8
|
Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries
|
2022-04-07 19:47:53 -04:00 |
|
h3xduck
|
be5605db5f
|
Introduced shellcode and finished code cave writing and injection. RELRO working
|
2022-04-07 11:54:24 -04:00 |
|
h3xduck
|
3455b80010
|
Merge branch 'injection' of https://github.com/h3xduck/TFG into injection. Messed up with branches, clearing up
|
2022-04-07 07:14:54 -04:00 |
|
h3xduck
|
3438f5846f
|
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated
|
2022-04-07 07:11:28 -04:00 |
|
h3xduck
|
f4b88668b8
|
Finished GOT section identification and writing, added parsing of /proc/<pid>/maps
|
2022-04-07 07:10:00 -04:00 |
|