A collection of programs for controlling subprocesses on Linux and related operating systems.
Each module is available as a stand-alone binary, which will either fork and execve, or apply its mitigation and execve directly to the next in the chain.
Each module is also available as a library, which can be compiled into a larger, monolithic binary.
apt-get -y install make gcc libpcre3-dev libcap-dev libpcap-dev libseccomp-devYou can use clang or gcc.
make
make CC=clang-3.5You can also build a specific project.
cd src/chroot
makeJust specify the name of the target. You must have an appropriate compiler toolchain installed.
make CROSS_COMPILE=aarch64-linux-gnu
make CROSS_COMPILE=arm-linux-gnueabihfRequires bats.
make testThe modules are designed to be included in a larger project, or chained directly. For example:
$ ./blacklist/blacklist \
./pcap/pcap foo.pcap \
./alarm/alarm 10 \
./got_nobind/got_nobind \
./malloc/malloc \
./no_network/no_network \
./randenv/randenv \
./rlimit_cpu/rlimit_cpu 5 \
./rlimit_fsize/rlimit_fsize 0 \
./rlimit_nproc/rlimit_nproc 0 \
./segv/segv MYSEGV \
./setpgid/setpgid \
./setsid/setsid \
/usr/bin/env LD_PRELOAD="$PWD/ldfuck/ldfuck.so $PWD/no_execve/no_execve.so" \
/bin/shHere's a short descrption of each module. To build a module, just run make in its directory.
alarm - Kills the process and all of its children with SIGALRM after a period of timeblacklist - Blocks connections from blacklisted IP/IPv6 address ranges, by inspecting getpeername on stdin, stdout, stderr.chroot - Does what it says on the tin.delay - Adds in a time delay after every proxied read or writedevctf - Hooks calls to open to catch open("/dev/ctf",...) and returns a pre-determined file descriptor. This allows access to /dev/ctf from within a chroot.got_bind - Forces the GOT to bind immediatelygot_nobind - Prevents the GOT from binding, which prevents ASLR defeats by leaking the GOTinotify_child - Watches only its own child process, and inspects its file table (via SIGSTOP and /proc/.../fd) to see if any handles are open.inotify - Watches for events on a specific file, and kills all children (in a new process group) on an event.ldfuck - Fucks with internal linker structures which are used to leak function addresses over-the-wire.malloc - Sets environment variables understood by glibc and eglibc, which cause malloced memory to be initialized to a pattern, and freeed memory to be overwritten with a pattern. Useful for heap leaks/UAFs.no_execve - Hooks all exec* and related (system, popen) function calls via the PLT. Also disables execve via seccomp-bpf.no_network - Uses seccomp to prevent most socket-related syscalls.noparent - Performs a double-fork before execveing so that, in the child process, getppid() will return 1 (pid of init) so that kill(SIGTERM, getppid()) shellcode is useless.onepath - Allows execve calls, but checks /proc/self/exe in the new process to see if it is a specific, permitted path.openfile - Opens a specific file on a specific file descriptor.pcap - Captures all stdin/stdout/stderr to a pcap file, with accurate address information gathered from getpeername.proxy - Communications forwarding template and hook library. Ideally suited to only performing a single copy of stdin/stdout/stderr instead of multiple copies between various consumers.randenv - Adds a random-length environment variable to the environment, which should modify offsets on the stack.regex - I/O filtering based on regular expressionsrlimit_cpu - Adds CPU time limits to all subprocessesrlimit_fsize - Adds limits on the size of file which may be createdrlimit_nproc - Effectively prevents child processes from forking.segv - Installs a SIGSEGV handler library, which will dump stack traces to a file. Requires libSegFault.so from libsegfault.setpgid - Spawns the child in a new process group. All of its descendants can be easily killed with kill(SIGTERM, -pid).setsid - Spawns the child in a new session.signal - Masks off all signals. May interfere with segv and alarm modules.unbuffer - Effectively disables libc buffering of stdout in the child by creating a pseudo-terminal (PTY) as its stdout (instead of a pipe).unsocket - Turns all send and recv calls, which only work on sockets, into write and read calls, which work just fine on sockets, files, or pipes.