A collection of programs for controlling subprocesses on Linux and related operating systems.
Each module is available as a stand-alone binary, which will either fork
and execve
, or apply its mitigation and execve
directly to the next in the chain.
Each module is also available as a library, which can be compiled into a larger, monolithic binary.
apt-get -y install make gcc libpcre3-dev libcap-dev libpcap-dev libseccomp-dev
You can use clang
or gcc
.
make
make CC=clang-3.5
You can also build a specific project.
cd src/chroot
make
Just specify the name of the target. You must have an appropriate compiler toolchain installed.
make CROSS_COMPILE=aarch64-linux-gnu
make CROSS_COMPILE=arm-linux-gnueabihf
Requires bats
.
make test
The modules are designed to be included in a larger project, or chained directly. For example:
$ ./blacklist/blacklist \
./pcap/pcap foo.pcap \
./alarm/alarm 10 \
./got_nobind/got_nobind \
./malloc/malloc \
./no_network/no_network \
./randenv/randenv \
./rlimit_cpu/rlimit_cpu 5 \
./rlimit_fsize/rlimit_fsize 0 \
./rlimit_nproc/rlimit_nproc 0 \
./segv/segv MYSEGV \
./setpgid/setpgid \
./setsid/setsid \
/usr/bin/env LD_PRELOAD="$PWD/ldfuck/ldfuck.so $PWD/no_execve/no_execve.so" \
/bin/sh
Here's a short descrption of each module. To build a module, just run make
in its directory.
alarm
- Kills the process and all of its children with SIGALRM
after a period of timeblacklist
- Blocks connections from blacklisted IP/IPv6 address ranges, by inspecting getpeername
on stdin, stdout, stderr.chroot
- Does what it says on the tin.delay
- Adds in a time delay after every proxied read
or write
devctf
- Hooks calls to open
to catch open("/dev/ctf",...)
and returns a pre-determined file descriptor. This allows access to /dev/ctf
from within a chroot.got_bind
- Forces the GOT to bind immediatelygot_nobind
- Prevents the GOT from binding, which prevents ASLR defeats by leaking the GOTinotify_child
- Watches only its own child process, and inspects its file table (via SIGSTOP
and /proc/.../fd
) to see if any handles are open.inotify
- Watches for events on a specific file, and kills all children (in a new process group) on an event.ldfuck
- Fucks with internal linker structures which are used to leak function addresses over-the-wire.malloc
- Sets environment variables understood by glibc and eglibc, which cause malloc
ed memory to be initialized to a pattern, and free
ed memory to be overwritten with a pattern. Useful for heap leaks/UAFs.no_execve
- Hooks all exec*
and related (system
, popen
) function calls via the PLT. Also disables execve
via seccomp-bpf.no_network
- Uses seccomp
to prevent most socket-related syscalls.noparent
- Performs a double-fork before execve
ing so that, in the child process, getppid()
will return 1
(pid of init
) so that kill(SIGTERM, getppid())
shellcode is useless.onepath
- Allows execve
calls, but checks /proc/self/exe
in the new process to see if it is a specific, permitted path.openfile
- Opens a specific file on a specific file descriptor.pcap
- Captures all stdin/stdout/stderr to a pcap file, with accurate address information gathered from getpeername
.proxy
- Communications forwarding template and hook library. Ideally suited to only performing a single copy of stdin/stdout/stderr instead of multiple copies between various consumers.randenv
- Adds a random-length environment variable to the environment, which should modify offsets on the stack.regex
- I/O filtering based on regular expressionsrlimit_cpu
- Adds CPU time limits to all subprocessesrlimit_fsize
- Adds limits on the size of file which may be createdrlimit_nproc
- Effectively prevents child processes from fork
ing.segv
- Installs a SIGSEGV
handler library, which will dump stack traces to a file. Requires libSegFault.so
from libsegfault
.setpgid
- Spawns the child in a new process group. All of its descendants can be easily killed with kill(SIGTERM, -pid)
.setsid
- Spawns the child in a new session.signal
- Masks off all signals. May interfere with segv
and alarm
modules.unbuffer
- Effectively disables libc buffering of stdout in the child by creating a pseudo-terminal (PTY) as its stdout (instead of a pipe).unsocket
- Turns all send
and recv
calls, which only work on sockets, into write
and read
calls, which work just fine on sockets, files, or pipes.