You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+19-10Lines changed: 19 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,10 +1,11 @@
1
1
# erebos
2
-
Fractionated Cavity Loader for Linux LKMs
2
+
Fractionated Loader for Linux LKMs
3
3
4
4
## How does it work
5
-
Erebos will consist of a server and a client (the loader itself).
6
-
The basic concept of the loader is that the server will stage encrypted blobs of data which the loader will download in a random order, decrypt them and assemble the original object.
7
-
Finally it will load it to the running kernel.
5
+
Erebos consists of a server and a client (the loader itself).
6
+
The basic concept of erebos, is that the server will stage encrypted blobs of the loaded kernel module object file which the loader will download in a random order, decrypt and assemble them into the original LKM. Finally it will load it to the running kernel.
7
+
8
+
As opposed to the fractionated cavity loader for windows executables presented in [VXUG Black Mass I 2022](https://samples.vx-underground.org/Papers/Other/VXUG%20Zines/2022-11-13%20-%20Black%20Mass%20Halloween%202022.pdf), the loader avoids touching the disk by working with the data in memory.
8
9
9
10
## Usage
10
11
**Server**:
@@ -19,8 +20,8 @@ $ python main.py --output out
19
20
The server is accountable for the preparation and staging of the LKM we want to load.
20
21
It:
21
22
1. takes as an input the object file of our LKM
22
-
2. splits it into chunks of a set size (ex. 1024 bytes)
23
-
3. encrypts each chunk with a predefined key (ex. AES-256)
23
+
2. splits it into chunks of a set size
24
+
3. encrypts each chunk with a predefined key
24
25
4. assigns important metadata to each chunk that will allow the loader to assemble the object file correctly* (see [ordering the chunks](#ordering-the-chunks))
25
26
5. writes each chunk to a file
26
27
6. stages the different files via HTTP
@@ -34,10 +35,18 @@ The header should also have a fixed length, to be easily extracted from the rest
34
35
35
36
**But what?**
36
37
There isn't really a specific answer to that but hey, here's an idea:
37
-
Each header will contain:
38
-
- 4 magic bytes*, to ensure we are actually dealing with a header
38
+
```
39
+
-[ Fraction Header ]-
40
+
.-----------------------.
41
+
| uint32_t magic bytes |
42
+
| uint32_t index |
43
+
| char iv[16] |
44
+
| uint32_t crc |
45
+
'-----------------------'
46
+
```
47
+
- 4 magic bytes, to ensure we are actually dealing with a header
39
48
- the index of the chunk
40
49
- the IV (initialization vector) the chunk was encrypted with
41
-
- a CRC32 checksum/hash of the header and the encrypted data
50
+
- a CRC32 checksum of the header **and** the encrypted data
42
51
43
-
\* Why use 3 when with 4 you get 0xdeadbeef ;)
52
+
Leaves us with a 28-byte header containing precious information.
0 commit comments