
[+] Add support for input of (filenames & pids to hide as well as Updated NFHook) #4

Open
wants to merge 8 commits into base: master

Conversation

loneicewolf

@loneicewolf loneicewolf commented Jan 26, 2023

Hi @nisay759

I made some changes to your rootkits, which will allow input of the file or dir names to be hidden, the path to operate in, and the pid to be hidden.

  • I also updated NFhook (described below).

Feel free to point out any problems or issues.

Have a great day!

Over n out! //Will.

"rk_" can be a default and hard-coded value.
'/' can be a default value as well.
"1" can be a default value (a default pid to be hidden).
@loneicewolf loneicewolf changed the title [+] Add change which allows for Input of values (file/dir-name for hiding and pid for to be hidden) [+] Add change which allows for Input of values (file/dir-name for hiding and pid to be hidden) Jan 26, 2023
@loneicewolf
Author

Update: I updated nfhook too, as it didn't work with the latest kernel.

@loneicewolf loneicewolf changed the title [+] Add change which allows for Input of values (file/dir-name for hiding and pid to be hidden) [+] Add support for input of (filenames & pids to hide as well as Updated NFHook) Jan 29, 2023
@loneicewolf
Author

loneicewolf commented Feb 2, 2023

Also, just have to give you my appreciation:

Thanks for making this rootkit collection public. These are so elegant, so compact, and YET they achieve MARVELOUS things; such as the file hiding with just a few lines of code, really. Respect. This is what I call serious coding. :)

A+

This is WHAT I would advise anyone to use as a "base" template; for learning (no, not only about rootkits) but the kernel, and so on. And your blog; just marvelous.

Keep it going!
//wishes from Sweden.

@nisay759
Owner

nisay759 commented Feb 2, 2023

Hello @loneicewolf!

Thanks for your contribution.

As stated in the README, these rootkits are meant to stay in the state of "dummy examples" as they are only provided for educational purposes. Hosting ready-to-use weaponized rootkits was never the idea behind this repo.

You mentioned that nfhook didn't work on the latest kernel; can you provide the version on which you tested it? It's been a long time since I worked on this, but I was thinking of making different branches in this repo and adapting the example rootkits to the different versions of the Linux kernel.

Cheers!

@loneicewolf
Author

loneicewolf commented Feb 2, 2023

Hi again, @nisay759!

Final edit:

  • I updated the reply below (provided the kernel version).
  • I also edited this reply (by using dropdowns); tell me if there is any problem expanding them and I'll edit it without them. (This is to try to make it easier to follow, as my (text) writing is not the greatest.)

First things first

As stated in the README, these rootkits are meant to stay in the state of "dummy examples" as they are only provided for educational purposes.

Yes; which is also a reason I think it's incredible how compact (but still working) they are. And yes, I fully understand the "dummy" examples (PoC-like), and so on.

The 'idea behind this repo'

Especially this:

Hosting ready-to-use weaponized rootkits was never the idea behind this repo.

Is another reason why I thank you tremendously :)

NFHOOK

Regarding the NFHOOK:

You mentioned that nfhook didn't work on the latest kernel; can you provide the version on which you tested it?

Yes; I will be on it immediately! :) Thanks for pointing this out; I do not know how I could forget such a detail as providing the kernel version.

but I was thinking of making different branches in this repo and adapt the example rootkits to the different versions of the Linux kernel.

Summary

But yes, as a summary:
I am now setting up a test system and will be trying the rootkits (non-updated and updated: the nfhook, and also the other ones, fhide and phide).

Thanks for replying so quickly, as well!

Over n out;
//will.

@loneicewolf
Author

loneicewolf commented Feb 2, 2023

Update:

Hi @nisay759!

Sorry for the (long) delay; now I am here, and below is (hopefully readable) the kernel version and some other info:

I made dropdowns because this post became, well, longer than I expected. If expanding them is problematic, please point it out; regards.

I am using a Virtual Machine (through QEMU), and these are the OS details (I include more than just the kernel version, to make it easier):

VM
  • ⚠️ (I removed some output for readability)

  • ISO used to install it: debian-11.6.0-amd64-netinst.iso

General info

$  uname ; uname --all  ; uname -r  ;  cat /etc/{issue*,os-release*}

Linux
Linux vmdebian 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
5.10.0-21-amd64
Debian GNU/Linux 11 \n \l

Debian GNU/Linux 11
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Only kernel-specific info

$ uname --kernel-name 
Linux

$ uname --kernel-release 
5.10.0-21-amd64

$ uname --kernel-version 
#1 SMP Debian 5.10.162-1 (2023-01-21)

The 2 errors

make command

/tmp/linux-rootkits/nfhook$ make

    make -C /lib/modules/5.10.0-21-amd64/build/ \
    M=/tmp/linux-rootkits/nfhook modules
    make[1]: Entering directory '/usr/src/linux-headers-5.10.0-21-amd64'
      CC [M]  /tmp/linux-rootkits/nfhook/nfhook.o
    /tmp/linux-rootkits/nfhook/nfhook.c: In function ‘rk_hook’:
    /tmp/linux-rootkits/nfhook/nfhook.c:38:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
       38 |  struct iphdr *ip_header = ip_hdr(skb);
          |  ^~~~~~
    /tmp/linux-rootkits/nfhook/nfhook.c:44:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
       44 |  struct udphdr *udp_header = udp_hdr(skb);
          |  ^~~~~~
    /tmp/linux-rootkits/nfhook/nfhook.c: In function ‘erk_init’:
    /tmp/linux-rootkits/nfhook/nfhook.c:76:2: error: implicit declaration of function ‘nf_register_hook’; did you mean ‘nf_register_net_hook’? [-Werror=implicit-function-declaration]
       76 |  nf_register_hook(&rk_pre_routing);
          |  ^~~~~~~~~~~~~~~~
          |  nf_register_net_hook
    /tmp/linux-rootkits/nfhook/nfhook.c: In function ‘erk_exit’:
    /tmp/linux-rootkits/nfhook/nfhook.c:83:2: error: implicit declaration of function ‘nf_unregister_hook’; did you mean ‘nf_unregister_net_hook’? [-Werror=implicit-function-declaration]
       83 |  nf_unregister_hook(&rk_pre_routing);
          |  ^~~~~~~~~~~~~~~~~~
          |  nf_unregister_net_hook
    cc1: some warnings being treated as errors
    make[3]: *** [/usr/src/linux-headers-5.10.0-21-common/scripts/Makefile.build:291: /tmp/linux-rootkits/nfhook/nfhook.o] Error 1
    make[2]: *** [/usr/src/linux-headers-5.10.0-21-common/Makefile:1861: /tmp/linux-rootkits/nfhook] Error 2
    make[1]: *** [/usr/src/linux-headers-5.10.0-21-common/Makefile:185: __sub-make] Error 2
    make[1]: Leaving directory '/usr/src/linux-headers-5.10.0-21-amd64'
    make: *** [Makefile:4: all] Error 2

After the change

make clean
  make -C /lib/modules/5.10.0-21-amd64/build/ \
  M=/tmp/linux-rootkits/nfhook clean
  make[1]: Entering directory '/usr/src/linux-headers-5.10.0-21-amd64'
  make[1]: Leaving directory '/usr/src/linux-headers-5.10.0-21-amd64'

make
  make -C /lib/modules/5.10.0-21-amd64/build/ \
  M=/tmp/linux-rootkits/nfhook modules
  make[1]: Entering directory '/usr/src/linux-headers-5.10.0-21-amd64'
    CC [M]  /tmp/linux-rootkits/nfhook/nfhook.o
  /tmp/linux-rootkits/nfhook/nfhook.c: In function ‘rk_hook’:
  /tmp/linux-rootkits/nfhook/nfhook.c:38:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
     38 |  struct iphdr *ip_header = ip_hdr(skb);
        |  ^~~~~~
  /tmp/linux-rootkits/nfhook/nfhook.c:44:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
     44 |  struct udphdr *udp_header = udp_hdr(skb);
        |  ^~~~~~
    MODPOST /tmp/linux-rootkits/nfhook/Module.symvers
    CC [M]  /tmp/linux-rootkits/nfhook/nfhook.mod.o
    LD [M]  /tmp/linux-rootkits/nfhook/nfhook.ko
  make[1]: Leaving directory '/usr/src/linux-headers-5.10.0-21-amd64'



Real System

And, as a final sanity check, I downloaded torvalds/linux from GitHub (git cloned it), and on my real system I grepped for nf_register_hook and nf_unregister_hook and found nothing:

Downloads/linux-master $grep -ri --text "nf_register_hook"
Downloads/linux-master $grep -ri --text "nf_unregister_hook"

But grepping for the (change I made):

Downloads/linux-master $grep -ri --text "nf_register_net_hook"
Downloads/linux-master $grep -ri --text "nf_unregister_net_hook"
(... some output is shown... )

And also, if it would be easier for you, I could split my pull request into separate parts, e.g.

  • the nfhook change
  • the module param change
  • (...)

Have a great day! :)
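The make output in the comment above is the signal that a kernel API was removed: GCC's "implicit declaration of function ... did you mean ..." diagnostic names both the vanished symbol and the replacement the headers still export. As an added example that is not part of this pull request or the repository, here is a small Python parser that pulls those diagnostics out of such a build log so an automated build check can flag removed kernel APIs before anyone loads a module; the sample log is a constructed excerpt of the output shown above, and the file paths in it are the ones from the page, not real locations on your system.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the make output quoted in the PR comment.
SAMPLE_LOG = """\
/tmp/linux-rootkits/nfhook/nfhook.c: In function ‘erk_init’:
/tmp/linux-rootkits/nfhook/nfhook.c:76:2: error: implicit declaration of function ‘nf_register_hook’; did you mean ‘nf_register_net_hook’? [-Werror=implicit-function-declaration]
   76 |  nf_register_hook(&rk_pre_routing);
      |  ^~~~~~~~~~~~~~~~
      |  nf_register_net_hook
/tmp/linux-rootkits/nfhook/nfhook.c:38:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
/tmp/linux-rootkits/nfhook/nfhook.c: In function ‘erk_exit’:
/tmp/linux-rootkits/nfhook/nfhook.c:83:2: error: implicit declaration of function ‘nf_unregister_hook’; did you mean ‘nf_unregister_net_hook’? [-Werror=implicit-function-declaration]
cc1: some warnings being treated as errors
"""

# One GCC diagnostic line: path:line:col: kind: message [-Wflag]
DIAG_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<kind>error|warning): (?P<msg>.*?)(?: \[(?P<flag>-W[^\]]+)\])?$"
)
# GCC's wording for a call to an undeclared function, with its optional suggestion.
IMPLICIT_RE = re.compile(
    r"implicit declaration of function ‘(?P<sym>\w+)’(?:; did you mean ‘(?P<hint>\w+)’\?)?"
)


@dataclass(frozen=True)
class Diagnostic:
    file: str
    line: int
    kind: str
    flag: str | None
    message: str


def parse_gcc_log(text: str) -> list[Diagnostic]:
    """Keep only the diagnostic lines; context lines (source echo, carets) are skipped."""
    diags = []
    for raw in text.splitlines():
        m = DIAG_RE.match(raw)
        if m:
            diags.append(Diagnostic(m["file"], int(m["line"]), m["kind"], m["flag"], m["msg"]))
    return diags


def removed_symbols(diags: list[Diagnostic]) -> dict[str, str | None]:
    """Map each undeclared function to GCC's suggested replacement (None if it gave none)."""
    out: dict[str, str | None] = {}
    for d in diags:
        m = IMPLICIT_RE.search(d.message) if d.kind == "error" else None
        if m:
            out[m["sym"]] = m["hint"]
    return out
```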
