A simple template rootkit, which can easily be built upon

Go to file

sw1tchbl4d3 af361d3170 Add KiB and MiB macros These allow for easy to read allocation of bigger memory chunks.		2022-03-21 18:23:37 +01:00
examples	First commit	2022-02-19 14:44:57 +01:00
src	Add KiB and MiB macros	2022-03-21 18:23:37 +01:00
.gitignore	First commit	2022-02-19 14:44:57 +01:00
LICENSE	First commit	2022-02-19 14:44:57 +01:00
README.md	Add instructions on installing kernel headers	2022-02-19 16:59:39 +01:00

README.md

generic-linux-rootkit

This is supposed to be a simple template rootkit, which can easily be built upon.

It allows for syscall hooking with ftrace, has hiding functionality, and has many kernel functions translated to more userspace-like C functions in src/stdlib.h.

Installing

First, make sure you have installed the header libraries for your kernel.

On debian-like systems: apt-get install linux-headers-$(uname -r)

On arch-like systems: pacman -S linux-headers / pacman -S linux-zen-headers etc

After you've edited some of the files, or copied one of the examples (e.g. cp examples/hooks_kill_backdoor.h src/hooks.h), you can make and insert the rootkit like so:

cd src
make
sudo insmod rk.ko

# To remove
sudo rmmod rk
make clean

Keep in mind that if you hid the rootkit with hide_module() that rmmod will not find it, you'll have to somehow signal to the rootkit to unhide itself with show_module().

If you somehow get into that situation, and the unhide doesnt work, or the kernel module crashed on rmmod or similar, a restart should do the trick.

A tip of mine is to always monitor dmesg on insert / remove with dmesg -w.

Credits

ftrace_helper.h: https://github.com/ilammy/ftrace-hook, edited to fit as a library instead of a standalone rootkit.
https://xcellerator.github.io/posts/linux_rootkits_01/, got me into rootkits and helped me gain most of the knowledge to make this. Much of the code is inspired by the code found here.