Kali Linux

Chain-Reactor : An Open Source Framework For Composing Executables

Chain Reactor is an open-source tool for testing detection and response coverage on Linux machines. The tool generates executables that simulate sequences of actions like process creation and network connection. Chain Reactor assumes no prior engineering experience; the tool consumes JSON, so customizing its behavior is as simple as editing a file.

Install musl

Chain Reactor requires musl, which is an implementation of the C standard libary. To install musl on Debian-like operating systems, run the following from the command line:

sudo apt install musl-tools

To install musl from the RPM package manager:

sudo yum install musl-tools

To build musl from source:

git clone git://git.musl-libc.org/musl
cd musl && ./configure && sudo make install

Install Chain Reactor

To install Chain Reactor, run the following from the command line:

git clone https://github.com/redcanaryco/chain-reactor.git
cd chain-reactor && make

Run a simple reaction

Test your build by creating and executing a simple reaction. Open a text editor and save the following file as reaction.json:

{
“name”: “simple_reaction”,
“atoms”: [
“HIDDEN-PROCESS-EXEC”
]
}

Reactions are made of objectives called “atoms.” This file defines a reaction—simple_reaction—comprising a single atom called HIDDEN-PROCESS-EXEC.

Next, we need to define HIDDEN-PROCESS-EXEC. Save the following file as atoms.json:

[
{
“name” : “HIDDEN-PROCESS-EXEC”,
“execve” : [ “mkdir”, “-p”, “/tmp/.hidden” ],
“copy” : [ “/proc/self/exe”, “/tmp/.hidden/.chain_reactor_hidden” ],
“execveat” : [ “/tmp/.hidden/.chain_reactor_hidden”, “exit” ],
“remove” : [ “/tmp/.hidden” ]
}
]

Atoms are made of actions called “quarks.” The atoms.json file defines HIDDEN-PROCESS-EXEC as a sequence of four quarks:

  • Use the execve system call to create a hidden directory.
  • Copy the current Chain Reactor process to the hidden directory.
  • Use the execveat system call to execute the hidden Chain Reactor binary and exit without doing anything else.
  • Delete the hidden directory.

To build the reaction executable, run the following from the command line:

python3 compose_reaction atoms.json reaction.json simple-reaction

You can run the output file as you would any other executable:

+ymmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmy+
:dmmhsssssssssssssssssssssssssssssssssssssssshmmd/
dmm++mmm
mmm: :+oss+: :mmm
mmm: :oyyyyyyyys/ :mmm
mmm: .:oyyyyyyyyys::mmm mmm: -syyyyyyyyyyo: :mmm
mmm: -yyyyyyyyyyyyy+. :mmm
mmm: .syyyyyyyyyyyyyy/:mmm mmm:oyyyyyyyyyyyyyyys. :mmm
mmm: :yyyyyyyyyyyyyyyys- :mmm
mmm: +yyyyyyyyyyyyyyyyy: :mmm mmm:oyyyyyyyyyyyyyyyyy- :mmm
mmm: /yyyyyyyyyyyyyyyys- :mmm mmm: ./yyyyyyyyyyyyyyys /mmm mmm:/yysyyyyyyyyyyy+.:+oydmmmmm
mmm: ç-o- ...osyyyyyoydmmmmmmdyymmm mmm: :: `-:syhdhyyyyyhyo+:.` :mmm mmm: -o//+shdmmhhmdhyo/syyyo. :mmm mmm: `.-/oyyyddmmmdhyo/-.` `/yyys. :mmm mmm+:/oyhdmmmmmhys+/-.` -syys- :mmm mmmmmmmmdhs+:- .sy+-:mmm dmmd+:- .ss. +mmm :dmmhssssssssssssssssssssssssssssssssssyssssshmmd/ +hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmh+`
chain reaction “simple_reaction” 1001 1001
atom: HIDDEN-PROCESS-EXEC
quark: execve(“mkdir -p /tmp/.hidden”)
quark: copy src=”/proc/self/exe” dst=”/tmp/.hidden/.chain_reactor_hidden”
quark: execveat(“/tmp/.hidden/.chain_reactor_hidden exit”)
quark: remove(“/tmp/.hidden”)
chain reaction complete

R K

Recent Posts

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

4 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

6 hours ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

6 hours ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

6 hours ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

1 day ago