Every technique used in this rootkit can be found on the internet. I am NOT responsible for any damage you might cause using my code.


what to expect

I plan to write a rootkit that runs in both kernel and user space, which means it:

  • requires root for the LKM features
  • runs without the LKM part when root is not available
  • in non-root mode still supports all basic features of the agent, including data exfiltration

our rootkit has the following parts:

  1. the LKM, providing APIs for tasks like:

    • get root
    • hide files/dirs
    • hide processes
    • hide TCP connections
    • hide from local packet capture (tcpdump, Wireshark, etc.; capture on another host or a mirror port still sees the traffic)
    • since we are hooking netfilter anyway, capture/steal some traffic
    • meanwhile, all core files/dirs are protected and invisible to the victim
  2. the user space agent, which interacts with the LKM when it can. This agent provides:

    • data harvesting
    • Dropbox/Google Drive for data exfiltration
    • command and control: poll the C2 every x minutes (x a random integer); enable port-knocking bind shell access if feasible
    • C2 communication encapsulated in TLS
    • detection of weak passwords and RCE-vulnerable services on the LAN, self-replicating to infect more targets when possible
  3. the C2 server, run by the attacker, which:

    • serves shell scripts to be downloaded and executed by the agents
    • identifies each agent by the identifier in its GET request
    • provides LPE exploits to agents
    • compiles the LKM for agents
  4. the bootstrap script, which:

    • collects target info on first infection and sends it back to the C2
    • gets persistence by tampering with bashrc, vimrc or anything else we have permission to write
    • gets the LPE exploit and the compiled LKM from the C2, runs the exploit to gain root, then insmods the LKM
    • makes the LKM persistent
    • injects into initramfs
    • injects into some shared library


why not?

Yeah, it's a pretty big project, and I certainly am a newbie to kernel hacking.

But I learn.

Consider this a study project; you might find it useful when it's done.

Feel free to roll out your own rootkit, and be careful when using it.

