Skip to content

SimonSungm/rootkit

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Porting

Porting the module to higher version of Linux kernel, tested on Ubuntu 18.04, Linux kernel 5.0.

For lower kernel version (e.g. 4.15), change /usr/src/linux-headers-4.15.0-91-generic/include/linux/fs.h , remove the const before dir_context actor.

This module can be removed by rmmod -f rt.

Sample Rootkit for Linux

About

This is sample rootkit implementation for Linux. It is able to hide processes, files and grants root privileges. It also have stealth mode (enabled by default) that prevents it from detecting.

Usage

Just compile module (included Makefile does this against current kernel) and load it. There will be hidden file in /proc called rtkit. It's not visible when listing content of proc directory.

Just cat /proc/rtkit to see available commands. You can use attached program to give orders or use echo -n (don't forget -n, there should be no tailing new line).

Examples: echo -n thf >> /proc/rtkit ./rtcmd.py hp1337

To gain root you should give "My Pen Is Long" command (popculture reference, without spaces, small letters) and then fork some shell from writing process. rtcmd.py does that for you if second parameter is specified. tools/rtcmd.py mypenislong /bin/bash

Notes

This code should run on Linux version 2.6.29 and higher, since before that lookup_address symbol wasn't exported. Were tested against 3.1.0, 3.1.5 and 3.1.6 and is fully working (both x86 and x86_64).

Paper describing details of implementation (in polish) is available.

License

Dual licensed under BSD and GPL.

Resources

http://stackoverflow.com/questions/2103315/linux-kernel-system-call-hooking-example

http://linux.die.net/lkmpg/

http://lwn.net/Kernel/LDD3/

Authors

Ivyl and t3hknr.

About

Sample Rootkit for Linux

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • TeX 64.5%
  • C 33.9%
  • Other 1.6%