vmdword/smitty


```
 _._     _,-'""`-._
(,-.`._,'(       |\`-/|
    `-.-' \ )-`( , o o)
          `-    \`_`"'-
```

h-hiiii~ (*≧ω≦) welcome to project smitty

this is like... totally not a rootkit or anything... it's just... *a stealthy 
lil daemon neko who likes to hide things* uwu

it injects itself into userland w `LD_PRELOAD` n hooks all the cute 
little syscalls and hides files and processes like they’re its secret crush~ uwu  

wen the system does smth like  

```
readdir("/proc/");
```
smitty intercepts it through a function pointer it yoinks from `dlsym(RTLD_NEXT, "readdir")`, then loops through
every dirent like “hmm~ are you on my blacklist, nya?” and skips the ones that match the hidden list.
`is_hidden_file()` and `is_hidden_process()` are like its magical filtering charms. if the target name
matches any entry smitty marked w `add_hidden_file()` or `add_hidden_process()`, poof~ that entity gets
yeeted from perception space (✿◠‿◠)
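the filtering above only happens inside libc's `readdir()`, so the classic defender's check is a cross-view diff: ask the kernel for the same directory through the raw `getdents64` syscall and compare it with what `readdir()` returns. anything the kernel reports that libc does not is being hidden in userland. the program below is an added example for that check, not code from smitty or this README; it assumes Linux/glibc, and note that `syscall(2)` is itself a libc symbol (a preload hook could wrap it too), so a fully independent checker would be statically linked or issue the syscall with inline asm.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout the kernel returns from getdents64 (not libc's struct dirent). */
struct kdirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

#define MAX_NAMES 8192
#define NAME_CAP  256

typedef struct {
    char names[MAX_NAMES][NAME_CAP];
    int  count;
} name_list_t;

static void list_add(name_list_t *l, const char *name) {
    if (l->count >= MAX_NAMES) return;   /* past this the comparison is inconclusive */
    snprintf(l->names[l->count++], NAME_CAP, "%s", name);
}

/* Raw view: ask the kernel directly with the getdents64 syscall. */
static int raw_listing(const char *dir, name_list_t *out) {
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    out->count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct kdirent64 *d = (struct kdirent64 *)(buf + off);
            list_add(out, d->d_name);
            off += d->d_reclen;
        }
    }
    close(fd);
    return 0;
}

/* Cooked view: the libc readdir() path that an LD_PRELOAD hook can filter. */
static int libc_listing(const char *dir, name_list_t *out) {
    DIR *dp = opendir(dir);
    if (!dp) return -1;
    out->count = 0;
    struct dirent *e;
    while ((e = readdir(dp)) != NULL) list_add(out, e->d_name);
    closedir(dp);
    return 0;
}

static int list_contains(const name_list_t *l, const char *name) {
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* Returns how many entries the kernel reports but readdir() omits (printing each),
 * or -1 on error. On a clean system the answer is 0. */
int cross_view_hidden_count(const char *dir) {
    static name_list_t raw, cooked;   /* ~2 MiB each, so keep them off the stack */
    if (raw_listing(dir, &raw) < 0 || libc_listing(dir, &cooked) < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < raw.count; i++) {
        if (!list_contains(&cooked, raw.names[i])) {
            fprintf(stderr, "hidden from readdir(): %s/%s\n", dir, raw.names[i]);
            hidden++;
        }
    }
    return hidden;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/proc";   /* /proc: hidden PIDs show up here */
    int n = cross_view_hidden_count(dir);
    if (n < 0) { perror(dir); return 2; }
    printf("%s: %d entr%s visible to getdents64 but not to readdir()\n",
           dir, n, n == 1 ? "y" : "ies");
    return n ? 1 : 0;
}
```

run it with no arguments to diff `/proc` (a hidden process is a PID directory the kernel lists and libc does not), or pass any directory path. a process that exits between the two scans can produce a one-off false positive on `/proc`, so repeat the check before acting on a single hit.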

hide keeps arrays like:

```
hidden_item_t hidden_processes[MAX_HIDDEN_ITEMS];
hidden_item_t hidden_files[MAX_HIDDEN_ITEMS];
```
and fills them up every time someone tells it to hide something. when smitty adds an entry it also stamps
a `time_t hide_time` bc even eldritch hacker idols need timestamps for kawaii logging~ then it obfuscates
some strings using `xor_string(str, len, 0x42)` which is like the equivalent of gossip encryption~
no one can read the secret incantations wo knowing the xor key, heehee~ (*≧▽≦) xoxxox

`setup_persistence()` is where smitty gets all clingy~ she writes a script in `/tmp/` w a randomised filename generated by:

```
generate_random_path(script_path);
```

and then cron gets a new entry

```
@reboot /tmp/uwu_random.sh
```

the script sets `LD_PRELOAD=$rootkit_path` and runs whatever command boots next. it’s like a yandere who
refuses to be forgotten. reboot all you want—she’ll come back, smiling through the logs, whispering i missed
you~ senpai~ from inside init’s environment (⌒ω⌒) and omg the backdoor~ `activate_backdoor()` binds to port
31337 because leetspeak supremacy~ it creates a socket, listens and when a client connects, it does:

```
dup2(client_fd, 0);
dup2(client_fd, 1);
dup2(client_fd, 2);
execve("/bin/sh", args, env);
```
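the persistence and backdoor mechanics above hand a defender three concrete indicators: a process whose environment carries `LD_PRELOAD`, an `@reboot` cron line that runs a script out of `/tmp/`, and a TCP socket listening on 31337. the audit program below is an added example, not part of smitty or this README. it parses constructed samples of `/proc/net/tcp`, a `/proc/<pid>/environ` blob and a crontab (the port, the `/tmp/` script and the `LD_PRELOAD` variable come from the text; the file layouts are the standard Linux ones), and when run it applies the same checks to the live system plus `/etc/ld.so.preload`, a standard LD_PRELOAD persistence point the README does not use. note that it walks `/proc` with `readdir()`, which is exactly the call smitty filters, so a hidden PID will not be visited; pair it with a raw `getdents64` cross-view of `/proc`.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/net/tcp: a listener on 22 (0x0016), a listener on
 * 31337 (0x7A69), both in state 0A (LISTEN), and one ESTABLISHED (01) connection. */
const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0100007F:7A69 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 30 10 -1\n";

/* Constructed sample of a /proc/<pid>/environ blob (NUL-separated entries). */
const char SAMPLE_ENVIRON[] = "PATH=/usr/bin\0LD_PRELOAD=/tmp/uwu.so\0HOME=/root\0";
const size_t SAMPLE_ENVIRON_LEN = sizeof SAMPLE_ENVIRON - 1;

/* Constructed sample crontab with one suspicious @reboot line. */
const char SAMPLE_CRONTAB[] =
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
    "@reboot /tmp/uwu_random.sh\n";

/* Count LISTEN (st == 0A) sockets bound to `port` in /proc/net/tcp or tcp6 text.
 * local_address is 8 hex digits (IPv4) or 32 (IPv6), hence the open-width scanset. */
int listeners_on_port(const char *text, unsigned port) {
    int found = 0;
    for (const char *p = text; *p;) {
        unsigned lport, st;
        if (sscanf(p, " %*d: %*[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%*x %x", &lport, &st) == 2
            && st == 0x0A && lport == port)
            found++;
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return found;
}

/* Count LD_PRELOAD= entries in a NUL-separated environ blob of n bytes. */
int environ_ld_preload_count(const char *blob, size_t n) {
    int hits = 0;
    for (size_t off = 0; off < n; off += strnlen(blob + off, n - off) + 1)
        if (n - off >= 11 && memcmp(blob + off, "LD_PRELOAD=", 11) == 0) hits++;
    return hits;
}

/* Count crontab lines that run something under /tmp/ at @reboot. */
int cron_reboot_tmp_lines(const char *text) {
    int hits = 0;
    char line[512];
    for (const char *p = text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = 0;
        if (strncmp(line, "@reboot", 7) == 0 && strstr(line, "/tmp/")) hits++;
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

/* Read up to cap-1 bytes of a file; returns bytes read, or -1 if it cannot be opened. */
static long read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = 0;
    return (long)n;
}

/* Live audit: the same checks against this machine (environ reads need matching uid or root). */
int main(void) {
    static char buf[1 << 20];
    long n;
    if (read_file("/etc/ld.so.preload", buf, sizeof buf) > 0)
        printf("[!] /etc/ld.so.preload is non-empty:\n%s\n", buf);
    const char *tcp[] = { "/proc/net/tcp", "/proc/net/tcp6" };
    for (int i = 0; i < 2; i++)
        if (read_file(tcp[i], buf, sizeof buf) >= 0 && listeners_on_port(buf, 31337) > 0)
            printf("[!] listener on port 31337 in %s\n", tcp[i]);
    if (read_file("/etc/crontab", buf, sizeof buf) >= 0 && cron_reboot_tmp_lines(buf) > 0)
        printf("[!] /etc/crontab runs a /tmp script at @reboot\n");
    DIR *proc = opendir("/proc");
    struct dirent *e;
    while (proc && (e = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        char path[300];
        snprintf(path, sizeof path, "/proc/%s/environ", e->d_name);
        if ((n = read_file(path, buf, sizeof buf)) > 0 && environ_ld_preload_count(buf, (size_t)n) > 0)
            printf("[!] pid %s has LD_PRELOAD in its environment\n", e->d_name);
    }
    if (proc) closedir(proc);
    return 0;
}
```

the live scan only reads `/etc/crontab`; per-user crontabs (`/var/spool/cron/crontabs/*` on Debian-style systems, `/var/spool/cron/*` elsewhere) and `/etc/cron.d/*` can be fed through `cron_reboot_tmp_lines()` the same way. a hit on 31337 alone is weak evidence (any service can use the port); the combination of a `/tmp` @reboot script, an `LD_PRELOAD` environment and that listener is what matches the behaviour described above.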

sparkle sparkle~ ₍ᐢ.ˬ.ᐢ₎♡

About

ring3 LD_PRELOAD rootkit
