Reference: dl.packetstormsecurity.net/papers/unix/bsdkern.htm
-
Retriever:
- Module
  - A character device that communicates with the controller
  - TODO:
    - Implement the character device that stores the received command
- Application
  - Executioner
    - Userland application that executes the command received by the Retriever module
-
Harvester:
- Module
  - A character device module that gathers the victim's information (logs, statistics, etc.)
  - TODO:
    - Implement the character device that stores the gathered information
- Application
  - Inquisitor
    - Userland application that reports the information gathered by the Harvester module
-
Protector:
- Module
  - A system call module that protects the rootkit
  - TODO:
    - Hide modules from kldstat
    - Prevent modules from being unloaded
    - Hide processes
    - Prevent processes from getting killed
    - Prevent connections from being closed
- Application
-
System Call Service
-
Hooking
- Immutability (deny modification of protected files)
  - unlink hook
  - rmdir hook
  - rename hook
  - chmod hook
  - chown hook
  - chflags hook
  - utimes hook
  - truncate hook
- Invisibility (hide protected files from listing and lookup)
  - open hook
  - chdir hook
  - getdirentries hook
  - stat hook
  - lstat hook
-
Kernel / User Space Transition
-
Character Device
-
ICMP Injection (direct command and control)
-
TODO: HTTP Reverse Command Fetching