Commit Graph

41 Commits

Author SHA1 Message Date
h3xduck
ccd518287a Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours 2022-05-16 16:33:12 -04:00
h3xduck
757a480de9 Completed work on deployer, previous to cron persistence 2022-05-16 12:52:25 -04:00
h3xduck
82fa056955 Added hide directory capabilities for the rootkit 2022-05-16 11:24:59 -04:00
h3xduck
4044d7994c Added sys_openat for the injection module, fully working! 2022-05-16 08:02:38 -04:00
h3xduck
78b3132687 Updated some files for everything to work now that it is all together. Execve hijacker and clients in particular 2022-05-15 20:47:58 -04:00
h3xduck
57f3edd8fa Fixed bug in client getting local ip 2022-05-15 19:09:04 -04:00
h3xduck
6e76e1ed1a Solved an error in client ip config 2022-05-15 18:08:14 -04:00
h3xduck
ce3b267d01 Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces 2022-05-15 16:45:47 -04:00
h3xduck
d509f20974 Completed command passing for phantom shell 2022-05-15 14:44:16 -04:00
h3xduck
ad4f9b2504 Completed phantom shell protocol, added new checksum correctors 2022-05-11 20:27:52 -04:00
h3xduck
28ed530aea Completed the TC Hook and payload enlargement and substitution mechanisms. Only the packet recognition on the client side remains to work 2022-05-11 17:31:38 -04:00
h3xduck
567d8d706c Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready 2022-05-10 23:04:19 -04:00
h3xduck
f2c3624e8b Added test on tc classifier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs 2022-05-10 19:09:52 -04:00
h3xduck
4211d0b5d5 Updated all components with phantom shell 2022-05-09 22:06:29 -04:00
h3xduck
5320f35d01 Added new hidden payload stream mode, now triggered using the source port. Fully integrated already, can select between that and seqnum in client. Both launch live encrypted shell via v3 backdoor 2022-05-09 20:16:13 -04:00
h3xduck
ff0f34c6a4 Included new library version with support for tcp src port payload injection 2022-05-09 18:57:23 -04:00
h3xduck
ff2868846f Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor to work completely and connect to encrypted session 2022-05-09 17:48:02 -04:00
h3xduck
073e1d3129 Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions 2022-05-09 16:36:39 -04:00
h3xduck
5746ac5efb Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor 2022-05-07 19:16:33 -04:00
h3xduck
ce7d36371d Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional 2022-05-07 17:55:27 -04:00
h3xduck
f6a4c1daa0 Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes 2022-05-07 10:36:46 -04:00
h3xduck
cceca23478 Completed message sharing, starting with protocol now 2022-05-05 22:14:28 -04:00
h3xduck
213e30ba3b Fixed keys of trigger packet V1, added sample servers, fixed client bug 2022-05-05 17:52:58 -04:00
h3xduck
0553ad777f Completed message passing of commands to userspace via ebpf ringbuffer 2022-05-05 13:22:47 -04:00
h3xduck
2deebf1b9e Added V1 command sending via secret trigger on backdoor 2022-05-05 12:59:02 -04:00
h3xduck
ead4a4ca68 Completed checks for V1 trigger 2022-05-04 08:54:21 -04:00
h3xduck
073a911f74 Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00
h3xduck
8be536fb6f Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug. 2022-04-14 13:24:43 -04:00
h3xduck
7157729334 Added forked routine to execve_hijack. Improved argv modification and made it work. Working now. 2022-04-13 08:57:33 -04:00
h3xduck
805fa760cf Corrected issues of opening directories without permission in execve helper 2022-02-24 19:53:11 -05:00
h3xduck
b182ac1eeb Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00
h3xduck
1ec4ed8486 Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper 2022-02-19 11:57:32 -05:00
h3xduck
8e97624326 Improved the privesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions 2022-02-19 11:08:56 -05:00
h3xduck
130364e6ab Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00
h3xduck
2ae705f037 Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00
h3xduck
edbaf09c06 Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00
h3xduck
044c85f3ff Initial version of the RCE scheme. Added complete execve hook, helper and modifying capabilities for the filename called. Work still needs to be done 2022-02-06 14:15:57 -05:00
h3xduck
41ef733520 Completed faking that a user is in the sudoers file. Now user 'test' can use sudo without being there 2022-02-05 14:10:12 -05:00
h3xduck
643783004a Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00
h3xduck
2b50d376a6 Updated function and configurator manager names to the used hook. 2022-01-26 13:04:23 -05:00
h3xduck
3832d99af1 Updated file names and directory structure to the new multi-modules rootkit 2022-01-16 06:56:54 -05:00