forked from 3intermute/linux_syscall_hook
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtodo.txt
More file actions
48 lines (29 loc) · 1.42 KB
/
todo.txt
File metadata and controls
48 lines (29 loc) · 1.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
okay lets make this shit happen
first things first
dropper: repurpose a linux kernel exploit POC
rk: hide from process list and prevent process from being killed
start and hide ssh server as persistent backdoor
hide itself from kernel log and module list
ransomware itself
- discord based c2
finally, some sort of obfuscation it does not have to be too complicated
- need to write some sort of packer for arm
remember arm is weird so sudo -s works but sudo doesnt
// https://nskernel.gitbook.io/kernel-play-guide/accessing-the-non-exported-in-modules
since ``kallsyms_lookup_name`` isnt exported anymore and ``kprobe`` is detected by AVs, this could be adapted to a pretty cool method to resolve non exported kernel symbols without disabling KASLR
https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
implement r0memdump into rk
as well as container escapes
prefix: __arm64_
// long unsigned int (**)(const char *) tmp = kallsyms_lookup_name_;
// tmp = (long unsigned int (*)(const char *)) kp.addr;
// kallsyms_lookup_name_ = (long unsigned int (*)(const char *)) kp.addr;
// hook = kmalloc(sizeof(ftrace_hook), GFP_KERNEL);
// if (!hook) {
// return -ENOENT;
// }
// hook = {"sys_kill", hook_kill, &orig_kill, NULL, {NULL, NULL, NULL}};
kill pids that fuck with the kernel LOL !
disable insmod and unload all other kernel modules
hook pte_offset_map
reorganize code to stop it all from being in headers my GOD