/linux-rootkits

A collection of Linux kernel rootkits found across the internet taken and put together

Primary LanguageC

linux-rootkits

A collection of Linux kernel rootkits found across the internet taken and put together, with a short report on how they work. The README's in each folder contain the report about the rootkit sample.

Table of Contents

Rootkits

Name Short Description link to orignal repo
Puszek rootkit which can log requests and prevent itself from being rmmod'd Eternal's repo
Reptile A highly configurable and sophisticated rootkit which can give root privs to users and a backdoor f0rb1dd3n's repo
Khook (Not a rootkit) but an engine that can be used to hook functions, also mentioned here since it's used by rootkits to hook functions milabs's repo
rkduck A rootkit which can hide files and record key strokes, also is configurable after installation QuokkaLight's repo

If you plan to download the latest version of these rootkits please download them from their original repo, as it would be the latest version.

Features Descriptions

Name Short Description Rootkits links to code samples
Finding Syscall Table address (1) Search memory for the pointer table! using a address of syscall function (eg. close) as reference Puszek and rkduck In Puszek and in rkduck
Function Hooking (1) Get the address of the function to be hooked and then Modify CR0 to remove write protect bit and then add a jump instruction to a stub Khook and Reptile (uses Khook) in Khook and detailed explanation
Function Hooking (2) Get the address of the function to be hooked and then map the page as readable and replace it with a jumo to the new function rkduck in rkduck
Syscall Table Hooking (1) Modify CR0 to remove write protect bit and change syscall table Puszek In Puszek
Syscall Table Hooking (2) Get the page where the Syscall table is mapped, and set that page as writeable and then modify it Puszek In Puszek
Syscall Table Hooking (3) Hook the syscall functions by using the Function Hooking(1) Technique Reptile (uses Khook) In Reptile
Hide Rootkit Hook open syscall and modify the contents of the files (/proc/modules) which contain the name of the rooktit Puszek In Puszek
Interactive Control Implementing an IOCTL which manages the features of the rootkit and allows the user to send it commands Reptile In Reptile
Unable to rmmod module Hook open syscall and make it not possible to open the rootkit module Puszek In Puszek
Hide Process (1) Hook kernel functions copy_creds and exit_creds to add/remove a flag on the task_struct for a process being invisible. Hook next_tgid function which is responsible for the /proc/PID entries and make the process invisible. Reptile Reptile - next_tgid and cred functions
Backdoor Access Hook ip_recv function in the kernel and parse the packets for a specific string in the payload section Reptile In Reptile
Hide Files (1) Hook new_sys_getdents and new_sys_getdents64 syscalls and modify it's result to hide files matching a specified prefix Puszek In Puszek
Hide Files (2) Hook kernel functions filldir and co to remove files with a specified prefix Reptile in Reptile
File Content Tampering (1) Hook kernel function vfs_read where all data between specific tags will be removed before sending back to the user Reptile In Reptile
Intercept Http Requests and Leak Data (1) Hook send_to syscall and the tcp data sent is checked for presence of headers. This is then searchd for presence of passwords etc Puszek In Puszek
Hide Network Connections Hide TCP and UDP connections by hooking into the functions tcp4_seq_show and udp4_seq_show filtering based on the IP Reptile In Reptile
Avoiding kernel auditing Hook the audit_alloc function in the kernel and clear the TIF_SYSCALL_AUDIT flag which defines wherter the process is audited Reptile In Reptile

Test Environment

All rootkits are tested in a fresh Ubuntu 16.04 VM where uname -a returns Linux r3x-VirtualBox 4.15.0-112-generic #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Disclaimer

The rootkits were written by their respective authors and the code belongs to them. This is just an attempt to preserve rootkits with a report on how they work and the OS they were tested on.

If your rootkit is present here and you wish it to be removed please contact me at siddharth.muralee[AT]gmail[DOT]com