# linux-rootkits

A collection of Linux kernel rootkits found across the internet, gathered in one place together with a short report on how each one works. The README in each folder contains the report on that rootkit sample.

## Table of Contents

- Rootkits
- Features Descriptions
- Test Environment
- Disclaimer

## Rootkits

| Name | Short Description | Link to original repo |
| --- | --- | --- |
| Puszek | Rootkit which can log requests and prevent itself from being rmmod'd | Eternal's repo |
| Reptile | A highly configurable and sophisticated rootkit which can give root privs to users and a backdoor | f0rb1dd3n's repo |
| Khook | (Not a rootkit) but an engine that can be used to hook functions; mentioned here since it is used by rootkits to hook functions | milabs's repo |
| rkduck | A rootkit which can hide files and record key strokes; also configurable after installation | QuokkaLight's repo |

If you plan to download the latest version of these rootkits, please download them from their original repos, as those carry the latest version.

## Features Descriptions

| Name | Short Description | Rootkits | Links to code samples |
| --- | --- | --- | --- |
| Finding Syscall Table address (1) | Search memory for the pointer table, using the address of a syscall function (e.g. close) as reference | Puszek and rkduck | In Puszek and in rkduck |
| Function Hooking (1) | Get the address of the function to be hooked, modify CR0 to remove the write-protect bit, then add a jump instruction to a stub | Khook and Reptile (uses Khook) | In Khook and detailed explanation |
| Function Hooking (2) | Get the address of the function to be hooked, map the page as readable, and replace it with a jump to the new function | rkduck | In rkduck |
| Syscall Table Hooking (1) | Modify CR0 to remove the write-protect bit and change the syscall table | Puszek | In Puszek |
| Syscall Table Hooking (2) | Get the page where the syscall table is mapped, set that page as writeable, then modify it | Puszek | In Puszek |
| Syscall Table Hooking (3) | Hook the syscall functions by using the Function Hooking (1) technique | Reptile (uses Khook) | In Reptile |
| Hide Rootkit | Hook the open syscall and modify the contents of the files (/proc/modules) which contain the name of the rootkit | Puszek | In Puszek |
| Interactive Control | Implement an IOCTL which manages the features of the rootkit and allows the user to send it commands | Reptile | In Reptile |
| Unable to rmmod module | Hook the open syscall and make it impossible to open the rootkit module | Puszek | In Puszek |
| Hide Process (1) | Hook the kernel functions copy_creds and exit_creds to add/remove a flag on the task_struct of a process that should be invisible. Hook the next_tgid function, which is responsible for the /proc/PID entries, and make the process invisible. | Reptile | Reptile - next_tgid and cred functions |
| Backdoor Access | Hook the ip_recv function in the kernel and parse the packets for a specific string in the payload section | Reptile | In Reptile |
| Hide Files (1) | Hook the new_sys_getdents and new_sys_getdents64 syscalls and modify their result to hide files matching a specified prefix | Puszek | In Puszek |
| Hide Files (2) | Hook the kernel functions filldir and co. to remove files with a specified prefix | Reptile | In Reptile |
| File Content Tampering (1) | Hook the kernel function vfs_read so that all data between specific tags is removed before being sent back to the user | Reptile | In Reptile |
| Intercept HTTP Requests and Leak Data (1) | Hook the send_to syscall; the TCP data sent is checked for the presence of headers and then searched for passwords etc. | Puszek | In Puszek |
| Hide Network Connections | Hide TCP and UDP connections by hooking the functions tcp4_seq_show and udp4_seq_show, filtering based on the IP | Reptile | In Reptile |
| Avoiding kernel auditing | Hook the audit_alloc function in the kernel and clear the TIF_SYSCALL_AUDIT flag, which defines whether the process is audited | Reptile | In Reptile |

## Test Environment

All rootkits are tested in a fresh Ubuntu 16.04 VM where `uname -a` returns `Linux r3x-VirtualBox 4.15.0-112-generic #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux`.

## Disclaimer

The rootkits were written by their respective authors and the code belongs to them. This is just an attempt to preserve rootkits together with a report on how they work and the OS they were tested on.

If your rootkit is present here and you wish it to be removed, please contact me at siddharth.muralee[AT]gmail[DOT]com.