The Colonel

Demo | Installation | Usage | Documentation | Resources

Colonel is an experimental linux kernel module (rootkit) and keylogger. Remote communication is handled through the included IRC bot. The Colonel is able to:

• log keyboard input
• grant root privileges
• hide files
• hide processes

## Installation Installation and removal are accomplished via shell scripts. The Colonel should only be run in a virtual machine. _Note: server, channel and nickname should be set in [irc/col_bot](../master/irc/col_bot#L36-L39) prior to installation. Keylogging is not available on Vagrant._

1. git clone https://github.com/bones-code/colonel.git
2. cd /colonel
3. Create a python virtual environment and activate it.
4. pip install requirements
5. Run the ./install command.
6. To remove, run ./uninstall from /colonel.

Requirements:

• Linux 'vanilla' Kernel >= 2.6.29 – tested up to 3.2

## Usage #### Local

To pass commands use the included program: ./rtcmd <command> or echo: echo -n <command> >> /proc/colonel
To see available commands: ./rtcmd help or cat /proc/colonel

Note: Custom /proc file will not be visible on content listing of /proc.

Remote

If in channel, preface all commands with bot nickname and :, i.e. bot-nickname: <command>.
In private messages or DCC sessions, commands should be passed without prefix.
Use help to see the available bot and root commands: bot-nickname: help

## Documentation [Rootkit](#rootkit) | [Keylogger](#keylogger) | [IRC Bot](#irc)

The following is an overview of the three main components of the Colonel.

TODO: Add diagram.

#### Rootkit The rootkit is an experimental linux kernel module written in C.

Upon installation, the rootkit, along with any properly prefixed files, is hidden. A custom /proc entry is also created and subsequently hidden. Communication with the rootkit is accomplished by passing commands to the custom /proc entry. The custom /proc entry also displays accepted methods of passing commands, rootkit commands, and current rootkit status. You will also find accepted methods of passing commands outlined in Usage.

The rootkit hides itself by deleting its placement within the kobject, and kernel modules listings. Prior to deletion, the rootkit stores its placement within each list. This enables the rootkit to 'show' itself on command by reinserting its entry into the listings. The hiding of the custom /proc entry, processes, and files is accomplished by the modification of page memory attributes and passing in customized functions that target the /proc and file system directory listings.

The process ids (PIDs) are stored within an array that is referenced by new_proc_readdir whenever a process related command is sent. If the PID is found within the array, it is not returned. This method of hiding leaves process related commands intact, i.e. ls, ps, lsof, netstat, kill. Both the custom /proc entry and files are hidden by name and prefix.

Uninstalling the Colonel restores all modified functions, deletes the custom /proc entry, and reveals any hidden PIDs and files.

In researching the rootkit build, I focused my efforts on module programming, and other linux rootkits – specifically Ormi's tutorial on Writing a Simple Linux Rootkit.

Since my modifications are fairly lightweight, and the implementation fairly straightforward, most of my personal involvement was in commenting to ensure that I understood what was occurring.

#### Keylogger The keylogger is a user space C daemon.

Once installed, the keylogger creates the required directory and logs, dynamically finds the keyboard /dev/input/event file †, and begins listening to the custom /proc entry that was created by the rootkit. When the appropriate command is passed to the custom /proc entry, keylogging is activated.

Since the created directory is prefixed appropriately, it is hidden by the rootkit. Keycodes and their values are captured from the keyboard /dev/input/event file and written to /opt/__col_log/evlog.txt (keylog). The keylogger also logs its activity, as well as any errors, to /opt/__col_log/log.txt. The rootkit also automatically hides the keylogger PID.

Keylog translation is currently handled by the custom Python translation module accessed remotely via the IRC bot or locally through the rtcmd command-line program. The translation is done using custom keymaps built using the linux/input.h file.

On removal of the Colonel, the custom logs and directory are deleted.

† This feature is untested.

Building the keylogger was fairly straightforward. In researching the keylogger build, I focused on keyboard input, and daemons.

#### IRC Bot The IRC bot is a user space Python daemon based on the Python IRC framework.

Once installed, the bot connects to the specified channel and begins listening for commands. The bot PID is automatically hidden by the rootkit upon installation. Commands can be passed through channel traffic, private messages, and DCC sessions. Accepted commands are outlined in Usage.

Commands that are not bot-specific are written to the custom rootkit /proc entry. Once the command is processed, the updated rootkit status is displayed.

The IRC bot is killed on the removal of the Colonel. It can also be killed by passing the die command via IRC.

Since I used the Python IRC framework to construct the bot, most of my time was spent familiarizing myself with bot specific features of the framework.

## Resources * [The Linux Kernel Module Programming Guide](http://www.tldp.org/LDP/lkmpg/2.6/html/) * [Linux Daemon Writing HOWTO](http://www.netzmafia.de/skripten/unix/linux-daemon-howto.html) * [irc 8.5.1](https://pypi.python.org/pypi/irc)