Skip to content
Haxmas-2017 LD_PRELOAD rootkit in Golang
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Coalkit is an attempt at a Proof-of-Concept for a penetration testing oriented userspace rootkit by hooking bind() and eventually accept() system calls. See the relevent blog post (link pending). Initially written in Go, but that is subject to change anytime, mostly because this issue causes prevention of boot time loading of the Go library in


WARNING!!!: Do not use this except for learning, it is extremely unstable, untested, and incomplete. This should be considered a "tech preview" for the longer term project, it contains very little of the big wanted features.


  • Edit to match the expected configuration
  • Compile and generate keypairs: make
  • Run the victim process with the shared object being loaded: LD_PRELOAD=./coalkit python3 -m http.server
  • The process should run as normal and a new bind shell running the mutually authenticated keys with the NoiseSocket protocol backing it. Access it with the client shell program: ./coal -i id-srv -k id-cli

An example of a fully hooked process with debugging enabled can be seen below: coal example


You can’t perform that action at this time.