Let's try to create a rootkit!
- Hide files by name
- Hide files whose name contains a magic string
- Hide processes by PID
- Hide the rootkit itself
- See hidden files and PIDs
- Backdoor thread to provide reverse shell as root
- Tested on Ubuntu 18.04.3 with kernels 5.4.8-050408-generic, 5.0.0-37-generic, 4.17.0-041700-generic and 4.15.0-72-generic
The rootkit hooks system calls by overwriting entries in the syscall table. This allows changing their behavior: causing getdents not to list a hidden file or a hidden entry in /proc, or causing kill to return 'process not found' when it is called on a hidden process, among others. To get as much consistency as possible, every syscall that takes a pid_t argument is hooked (any that are still missing will be added soon).
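Because the hiding described above works by filtering the results of getdents, a classic defender's check is to compare what a directory listing reports against what direct access (stat on a guessed path) reports: a process or file that stat can reach but the listing omits is a strong hiding signal. The script below is an added example written from that defensive perspective; it is not part of this project. It assumes a Linux /proc, and it assumes the hiding covers the directory-listing path but not stat on /proc/<pid>; a rootkit that also filters those paths will pass this check, so a clean result is weak evidence while a mismatch is worth investigating. The `exists` and `listing` parameters are hypothetical injection points so the logic can be exercised on constructed data.

```python
"""unhide-style check for processes and files hidden from directory listings.

Added example from a defender's perspective; not part of the rootkit project.
Assumption: entries are hidden by filtering getdents results, while a direct
stat() on the full path still succeeds.
"""
import os
import re

PID_RE = re.compile(r"^[0-9]+$")


def pids_from_listing(entries):
    """Return the PIDs present in a /proc directory listing.

    `entries` is an iterable of entry names (as returned by os.listdir);
    only all-digit names are process directories.
    """
    return {int(name) for name in entries if PID_RE.match(name)}


def pids_by_probe(pid_max, exists=None):
    """Return PIDs found by probing /proc/<pid> directly for 1..pid_max.

    `exists` is injectable for testing; by default it stats /proc/<pid>,
    which does not go through the directory-listing (getdents) path.
    """
    if exists is None:
        def exists(pid):
            return os.path.isdir("/proc/%d" % pid)
    return {pid for pid in range(1, pid_max + 1) if exists(pid)}


def hidden_pids(listed, probed):
    """PIDs reachable by direct probe but absent from the listing."""
    return sorted(probed - listed)


def hidden_names(directory, candidates, listing=None, exists=None):
    """Same comparison for files: candidate names (e.g. from a package
    manifest or backup index) that stat can reach in `directory` but that
    the directory listing omits. `listing` and `exists` are injectable."""
    if listing is None:
        listing = os.listdir(directory)
    if exists is None:
        def exists(name):
            return os.path.lexists(os.path.join(directory, name))
    present = set(listing)
    return sorted(name for name in candidates if name not in present and exists(name))


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound for the PID probe, read from the kernel."""
    with open(path) as f:
        return int(f.read().strip())


if __name__ == "__main__":
    listed = pids_from_listing(os.listdir("/proc"))
    probed = pids_by_probe(read_pid_max())
    # A process created between the two scans appears in `probed` but not in
    # `listed`; re-check each candidate against a fresh listing to drop those.
    for pid in hidden_pids(listed, probed):
        still_listed = pid in pids_from_listing(os.listdir("/proc"))
        if not still_listed and os.path.isdir("/proc/%d" % pid):
            print("possible hidden process: pid %d" % pid)
```

Run it as root on the host under investigation; the PID half needs no prior knowledge, while the file half needs a list of names worth checking (a package manifest or a file index taken before the incident) because a name-based hider can only be caught by asking about the name directly.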
To communicate with the rootkit from userland, it creates a virtual proc file from which it reads requests. A simple client is provided in client.c.
There's a config file where you can enable or disable the backdoor thread, hooks, set the magic string and the proc filename, etc.
Also, a sample backdoor script and web server are included. The web server is made with Flask; it lists every active rootkit and provides a button to ask for a reverse shell. Just run `nc -lvp PORT`, click the button, and enjoy!
The backdoor thread of the rootkit runs the backdoor script every few seconds, which updates the web server and grants a reverse shell if requested.
- Set the IPs and ports in the server and in the backdoor script.
- Build and install in the victim: `./build.sh`. This will copy the backdoor script to `/tmp`, build the client and the rootkit, and run `insmod` on it.
- Hide files and PIDs with `./client`.
- Run the web server: `python3 server.py`. You may need to install Flask before: `pip install flask`.
- The web server should now have an entry with the data of the victim.
- Run `nc -lvp PORT`, with `PORT` being the `SHELL_PORT` variable set in the server.
- Click the "Get Shell" button, wait a few secs.
- Enjoy the shell!