A simple template rootkit, which can easily be built upon
Go to file
sw1tchbl4d3 af361d3170 Add KiB and MiB macros
These allow for easy to read allocation of bigger memory chunks.
2022-03-21 18:23:37 +01:00
examples First commit 2022-02-19 14:44:57 +01:00
src Add KiB and MiB macros 2022-03-21 18:23:37 +01:00
.gitignore First commit 2022-02-19 14:44:57 +01:00
LICENSE First commit 2022-02-19 14:44:57 +01:00
README.md Add instructions on installing kernel headers 2022-02-19 16:59:39 +01:00



This is supposed to be a simple template rootkit, which can easily be built upon.

It allows for syscall hooking with ftrace, has hiding functionality, and has many kernel functions translated to more userspace-like C functions in src/stdlib.h.


First, make sure you have installed the header libraries for your kernel.

On debian-like systems: apt-get install linux-headers-$(uname -r)

On arch-like systems: pacman -S linux-headers / pacman -S linux-zen-headers etc

After you've edited some of the files, or copied one of the examples (e.g. cp examples/hooks_kill_backdoor.h src/hooks.h), you can make and insert the rootkit like so:

cd src
sudo insmod rk.ko

# To remove
sudo rmmod rk
make clean

Keep in mind that if you hid the rootkit with hide_module() that rmmod will not find it, you'll have to somehow signal to the rootkit to unhide itself with show_module().

If you somehow get into that situation, and the unhide doesnt work, or the kernel module crashed on rmmod or similar, a restart should do the trick.

A tip of mine is to always monitor dmesg on insert / remove with dmesg -w.