KJECTOR - Linux kernel injector
Build the project using the following commands:
$ git submodule update --init # first time only
$ [DEBUG=1] [PAYLOAD=<ldr|idle|idle-trap>] make
ldr is a payload which loads a shared object library (default)
idle is a payload which does nothing and lets the process continue execution
idle-trap is a payload which traps process execution (DO NOT USE IN PRODUCTION)
Once built, use the following command to load the module:
$ sudo insmod kj_mod/kjector.ko
The default build injects kj_lib/libkjector.so into every ping process.
Once injected, libkjector.so sends a UDP datagram with a string to 127.0.0.1:6666.
To catch it, run an nc-like listener as follows:
$ nc -ludk 127.0.0.1 6666
- x86_64 only
- 2.6.18+ kernels
- able to inject shared object
Injection happens in the sys_close syscall handler.
Injection is done using a vm_mmap / copy_to_user / mprotect sequence.
Target process state is modified by changing the instruction pointer register (pt_regs->ip).
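A defender-side check for the mapping artifacts this sequence can leave in a target process, as an added example that is not part of the KJECTOR project: it parses /proc/<pid>/maps text and flags executable mappings that are anonymous or backed by a file outside trusted directories. The trusted-prefix list, the sample maps text and its paths are constructed, and it is an assumption that the staging mapping is still present after the payload has run.

```python
import re

# Assumption: directories treated as trusted code locations; adjust per host.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/",
                    "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
# Kernel-provided regions that are legitimately executable.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

# Fields: address-range perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

def suspicious_mappings(maps_text):
    """Return (start_addr, perms, path, reason) for executable mappings to triage."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, perms, path = m.groups()
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        if not path:
            reason = "anonymous executable mapping"
        elif path.startswith("["):
            reason = "executable special region"
        elif path.endswith(" (deleted)"):
            reason = "executable mapping of a deleted file"
        elif not path.startswith(TRUSTED_PREFIXES):
            reason = "executable file outside trusted directories"
        else:
            continue
        findings.append((start, perms, path, reason))
    return findings

# Constructed sample of /proc/<pid>/maps for a ping process (not real output).
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a10000 r-xp 00002000 08:01 131 /usr/bin/ping
7f2a10000000-7f2a10001000 r-xp 00000000 00:00 0
7f2a10200000-7f2a10203000 r-xp 00001000 08:01 9001 /home/user/build/kj_lib/libkjector.so
7f2a11000000-7f2a111c0000 r-xp 00028000 08:01 220 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a11400000-7f2a11402000 rw-p 00000000 00:00 0
7ffd3a1ee000-7ffd3a20f000 rw-p 00000000 00:00 0 [stack]
7ffd3a3f0000-7ffd3a3f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    # On a live host, pass open(f"/proc/{pid}/maps").read() instead of the sample.
    for start, perms, path, reason in suspicious_mappings(SAMPLE_MAPS):
        print(f"{start} {perms} {path or '<anonymous>'}: {reason}")
```

Anonymous executable mappings are normal in JIT-based runtimes, so this check carries the most signal on simple binaries such as ping.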
KHOOK hooking engine:
Kernel mode to user mode so injection:
Education purposes. Only.
This software is licensed under the GPL.
2023