Commit Graph

  • 820c9f9401 Fixed some diagrams h3xduck 2022-05-23 08:47:39 -04:00
  • a27543a7a6 Completed bpf in the history section h3xduck 2022-05-23 07:08:46 -04:00
  • c29a99e03f Almost completed cbpf explanation h3xduck 2022-05-23 06:17:21 -04:00
  • 23d6bbd3ed Continued with classic bpf explanations h3xduck 2022-05-22 19:57:47 -04:00
  • cdaed83d1a Continued with ebpf history h3xduck 2022-05-22 10:04:16 -04:00
  • 3ec9175053 Continued with the state of the art section h3xduck 2022-05-22 08:19:32 -04:00
  • d161a29020 Included some comments on next work h3xduck 2022-05-21 20:56:00 -04:00
  • 3f2b426c98 Completed the objectives section. Skipping the rest of the chapter h3xduck 2022-05-21 19:43:51 -04:00
  • 61d141bbb6 Went on with the objectives section h3xduck 2022-05-21 16:56:05 -04:00
  • b1933069ae Completed motivation h3xduck 2022-05-20 22:58:33 -04:00
  • 2065c2e131 Added partial motivation section h3xduck 2022-05-20 21:20:24 -04:00
  • 3e697dd4cf Fixed a bug where tcpport mode in the multi-packet backdoor did not work if a previous trigger using seqnum mode was made h3xduck 2022-05-18 12:45:35 -04:00
  • 104f4c0355 Added obfuscation for the persistence access using cron h3xduck 2022-05-16 17:34:21 -04:00
  • ccd518287a Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network have some unexpected behaviours h3xduck 2022-05-16 16:33:12 -04:00
  • 757a480de9 Completed work on deployer, previous to cron persistence h3xduck 2022-05-16 12:52:25 -04:00
  • 82fa056955 Added hide directory capabilities for the rootkit h3xduck 2022-05-16 11:24:59 -04:00
  • 4044d7994c Added sys_openat for the injection module, fully working! h3xduck 2022-05-16 08:02:38 -04:00
  • abc501d4be Merge branch 'develop' h3xduck 2022-05-15 20:49:09 -04:00
  • 78b3132687 Updated some files for everything to work now that it is all together. Execve hijacker and clients in particular h3xduck 2022-05-15 20:47:58 -04:00
  • 4a292f0f7a Merged master and develop, now all changes together. Fully tested and working. h3xduck 2022-05-15 20:46:35 -04:00
  • 57f3edd8fa Fixed bug in client getting local ip h3xduck 2022-05-15 19:09:04 -04:00
  • 6e76e1ed1a Solved an error in client ip config h3xduck 2022-05-15 18:08:14 -04:00
  • ce3b267d01 Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces h3xduck 2022-05-15 16:45:47 -04:00
  • e6cbe7c24a Updated client to work with multiple network interfaces h3xduck 2022-05-15 15:15:43 -04:00
  • d509f20974 Completed command passing for phantom shell h3xduck 2022-05-15 14:44:16 -04:00
  • ad4f9b2504 Completed phantom shell protocol, added new checksum correctors h3xduck 2022-05-11 20:27:52 -04:00
  • 28ed530aea Completed the TC Hook and payload enlargement and substitution mechanisms. Only the packet recognition on the client side remains to work h3xduck 2022-05-11 17:31:38 -04:00
  • 567d8d706c Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready h3xduck 2022-05-10 23:04:19 -04:00
  • f2c3624e8b Added test on tc classifier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs h3xduck 2022-05-10 19:09:52 -04:00
  • 4211d0b5d5 Updated all components with phantom shell h3xduck 2022-05-09 22:06:29 -04:00
  • 5320f35d01 Added new hidden payload stream mode, now triggered using the source port. Fully integrated already, can select between that and seqnum in client. Both launch live encrypted shell via v3 backdoor h3xduck 2022-05-09 20:16:13 -04:00
  • ff0f34c6a4 Included new library version with support for tcp src port payload injection h3xduck 2022-05-09 18:57:23 -04:00
  • ff2868846f Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor work completely and connect to encrypted session h3xduck 2022-05-09 17:48:02 -04:00
  • 073e1d3129 Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions h3xduck 2022-05-09 16:36:39 -04:00
  • ba19537ec1 Added new packet stream payload mode in client for V3 backdoor h3xduck 2022-05-07 20:45:02 -04:00
  • 5746ac5efb Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor h3xduck 2022-05-07 19:16:33 -04:00
  • ce7d36371d Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional h3xduck 2022-05-07 17:55:27 -04:00
  • f6a4c1daa0 Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes h3xduck 2022-05-07 10:36:46 -04:00
  • cceca23478 Completed message sharing, starting with protocol now h3xduck 2022-05-05 22:14:28 -04:00
  • 213e30ba3b Fixed keys of trigger packet V1, added sample servers, fixed client bug h3xduck 2022-05-05 17:52:58 -04:00
  • 0553ad777f Completed message passing of commands to userspace via ebpf ringbuffer h3xduck 2022-05-05 13:22:47 -04:00
  • 2deebf1b9e Added V1 command sending via secret trigger on backdoor h3xduck 2022-05-05 12:59:02 -04:00
  • ead4a4ca68 Completed checks for V1 trigger h3xduck 2022-05-04 08:54:21 -04:00
  • 073a911f74 Included new version of custom lib. Added checks for backdoor triggering h3xduck 2022-05-04 04:40:25 -04:00
  • aca4cc4cfb Adding gitignore h3xduck 2022-04-27 22:03:17 -04:00
  • a9fd1441b1 Merge branch 'master' of https://github.com/h3xduck/TFG h3xduck 2022-04-27 21:59:59 -04:00
  • dccea69119 Updating documentation, preparing document with sections and comments h3xduck 2022-04-27 21:59:56 -04:00
  • 25ef3acc5a Updating doc, adding makefile and preparing document h3xduck 2022-04-27 21:56:37 -04:00
  • f5897ae00d Merge pull request #26 from h3xduck/injection Marcos S. Bajo 2022-04-27 23:59:56 +02:00
  • 701950669f implant trigger (hive) Juan Tapiador 2022-04-19 16:24:36 +02:00
  • 8be536fb6f Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug. h3xduck 2022-04-14 13:24:43 -04:00
  • a9f0ae17f7 Completed client payload generation h3xduck 2022-04-14 09:49:08 -04:00
  • e8abc7415a Advancements on payload recognition. Now proceeding to build protocol h3xduck 2022-04-14 07:54:21 -04:00
  • 43ccb6cd3d Added packet parsing and bound checking h3xduck 2022-04-13 20:46:06 -04:00
  • c3bffb6f84 Completed packet parsing at tc hook h3xduck 2022-04-13 16:56:17 -04:00
  • 7157729334 Added forked routine to execve_hijack. Improved argv modification and made it work. Working now. h3xduck 2022-04-13 08:57:33 -04:00
  • e881502ffa Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it h3xduck 2022-04-09 14:17:09 -04:00
  • 036585371c Added pdf with temporary documentation h3xduck 2022-04-08 05:30:43 -04:00
  • 621e42e2e8 Changed shellcode to include backup of registers and stack. Now prevents stack smashing detection via the stack canaries h3xduck 2022-04-07 19:47:53 -04:00
  • be5605db5f Introduced shellcode and finished code cave writing and injection. RELRO working h3xduck 2022-04-07 11:54:24 -04:00
  • 3455b80010 Merge branch 'injection' of https://github.com/h3xduck/TFG into injection. Messed up with branches, clearing up h3xduck 2022-04-07 07:14:54 -04:00
  • 3438f5846f Finished injection module at userspace using /proc/<pid>/maps, enables overwriting the GOT section with RELRO activated h3xduck 2022-04-07 07:11:28 -04:00
  • f4b88668b8 Finished GOT section identification and writing, added parsing of /proc/<pid>/maps h3xduck 2022-04-07 07:10:00 -04:00
  • e6ddb3373e Finished injection module at userspace using /proc/<pid>/maps, enables overwriting the GOT section with RELRO activated h3xduck 2022-04-05 20:21:59 -04:00
  • 96cfda8c1f Finished RELRO adaptation. h3xduck 2022-04-04 18:04:34 -04:00
  • 748062f464 Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO. h3xduck 2022-04-04 17:07:45 -04:00
  • 8f28c3a883 Updated helpers and added resources to help with lib injection h3xduck 2022-03-24 15:40:05 -04:00
  • 9dff5e71dc Included offset and extraction of interesting functions h3xduck 2022-03-17 21:41:40 -04:00
  • 0fbcb8bdf7 Fixed probe not probing correct syscall entry h3xduck 2022-03-17 19:36:25 -04:00
  • fcf43ff180 Finished extraction of return address from the stack, and libc syscall address h3xduck 2022-03-17 19:32:32 -04:00
  • 9647972531 Finished extraction of stack return address h3xduck 2022-03-17 13:18:19 -04:00
  • 671e2d671d Added extraction of original jump instruction and opcodes h3xduck 2022-03-15 18:36:59 -04:00
  • 0c88d5baa9 Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. h3xduck 2022-03-03 05:53:51 -05:00
  • e64839f080 Added new libc symbols extraction h3xduck 2022-03-02 19:00:50 -05:00
  • 805fa760cf Corrected issues of opening directories without permission in execve helper h3xduck 2022-02-24 19:53:11 -05:00
  • b182ac1eeb Added new TC module, updates to the exec hooking system and the userland module h3xduck 2022-02-20 16:50:15 -05:00
  • 1ec4ed8486 Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper h3xduck 2022-02-19 11:57:32 -05:00
  • 8e97624326 Improved the privesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions h3xduck 2022-02-19 11:08:56 -05:00
  • 130364e6ab Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted h3xduck 2022-02-18 09:08:54 -05:00
  • 0e022a8385 Completed execution of arbitrary commands sent from the backdoor client h3xduck 2022-02-18 04:06:18 -05:00
  • b68e01c057 Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. h3xduck 2022-02-18 03:32:07 -05:00
  • 9a47a2b15a Completed client integration with new c&c module. h3xduck 2022-02-17 06:21:09 -05:00
  • 431a019931 Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module h3xduck 2022-02-16 19:38:39 -05:00
  • 2ae705f037 Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor h3xduck 2022-02-14 20:08:30 -05:00
  • edbaf09c06 Completed execve hijacking, as with special error cases that arise and that are documented in the code. h3xduck 2022-02-14 17:45:07 -05:00
  • 044c85f3ff Initial version of the RCE scheme. Added complete execve hook, helper and modifying capabilities for the filename called. Work still needs to be done h3xduck 2022-02-06 14:15:57 -05:00
  • 05baa8fb8a Added new helper program to be used with the execve hijacking module h3xduck 2022-02-05 19:00:25 -05:00
  • 41ef733520 Completed faking that a user is in the sudoers file. Now user 'test' can use sudo without being there h3xduck 2022-02-05 14:10:12 -05:00
  • 643783004a Added new hooks and updated map fields to support new sudo module. h3xduck 2022-02-05 13:49:20 -05:00
  • 2b50d376a6 Updated function and configurator manager names to the used hook. h3xduck 2022-01-26 13:04:23 -05:00
  • 9b366810b5 Merge pull request #18 from h3xduck/output_modifier Marcos S. Bajo 2022-01-16 13:36:12 +01:00
  • e10f5183b3 Updated readme with new PoC h3xduck 2022-01-16 07:03:07 -05:00
  • 3832d99af1 Updated file names and directory structure to the new multi-modules rootkit h3xduck 2022-01-16 06:56:54 -05:00
  • fc0d30f06f Completed output modification of sys_read. Created a simple PoC h3xduck 2022-01-16 06:45:45 -05:00
  • 99e9fd4277 FS module now can overwrite the buffer of read syscalls, effectively modifying what is returned as a result. Small PoC included now which modifies any first char in a string to 'O'. Use under discretion, may crash some programs, not enough checks implemented yet. h3xduck 2022-01-15 16:16:30 -05:00
  • 945e2f2def Added new probe to read the previously extracted params and overwrite user memory. Still not fully working, just a backup h3xduck 2022-01-14 22:05:08 -05:00
  • 106f141c7e Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer h3xduck 2022-01-14 21:18:51 -05:00
  • 193d9ec28f Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with original plan of file system hooking h3xduck 2022-01-06 13:31:52 -05:00
  • 4882ce790c [BUILD FAILING] Checkpoint for backup, added new hook for file system, tweaked makefile for real kernel header files inclusion, still not working. Committing for periodic backup h3xduck 2022-01-05 20:34:53 -05:00
  • f8774ac9cf [BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup h3xduck 2022-01-04 20:09:59 -05:00