Every technique used in this rootkit can be found from internet, I am NOT responsible for any damage you might cause using my code

what to expect

i plan to write a rootkit that runs in both kernel and user space, in which case it:

• requires root when using LKM features
• no LKM part if no root
• non-root mode supports all basic features of the agent, including data exfiltration

our rootkit has the following parts:

1. the LKM, providing APIs to do tasks like:

   • get root
   • hide file/dir
   • hide process
   • hide tcp connection
   • hide from pcap (tcpdump/wireshark, etc)
   • since we are using netfilter, why not capture/steal some traffic
   • in the meanwhile, all core files/dirs are protected and invisible to victim

2. user space agent, interact with LKM when it can. this agent provides:

   • data harvesting
   • dropbox/gdrive for data exfiltration
   • command and control infrastructure, polling from C2 every x (random int) min. enable port-knocking bind shell access if feasible
   • C2 communication is encapsulated in TLS
   • detection of weak passwords/RCEs in LAN, self-replicate to infect more targets when possible

3. C2 server, run by the attacker, which:

   • serves shell scripts to be downloaded and executed by the agents
   • tells who is who according to the identifier in agents' GET request
   • provides LPE exploits for agents
   • compile LKM for agents

4. bootstrap script:

   • collect target info on first infection, sends back to C2
   • get persistence by tampering bashrc, vimrc or anything else that we have permission to write
   • get LPE exploit and compiled LKM from C2, run exploit to gain root, then insmod
   • make LKM persistent
   • inject into initramfs
   • inject into some lib

why

why not?

yea its a pretty big project, and i certainly am a newbie to kernel hacking.

but i learn

consider this a study project, you might find it useful when its done

feel free to roll out your own rootkit, and be careful when using it