GitHub - kacheo/KernelRootkit: Linux kernel rootkit to hide certain files and processes.

kacheo / KernelRootkit Public

Notifications You must be signed in to change notification settings
Fork 23
Star 36

Linux kernel rootkit to hide certain files and processes.

36 stars 23 forks Branches Tags Activity

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
.gitignore		.gitignore
Makefile		Makefile
Module.symvers		Module.symvers
README		README
initscript.sh		initscript.sh
modules.order		modules.order
my_mmap.h		my_mmap.h
my_tlb.h		my_tlb.h
rootkit.c		rootkit.c
rootkit.h		rootkit.h
rootkit.mod.c		rootkit.mod.c
sshd_config		sshd_config
start-daemon.sh		start-daemon.sh

Repository files navigation

ex1:

Initscript was based off the skeleton. I made it check a fake pid file and that way it would default to updating the sshd.pid file. Then we set the module param
with "cat" . We had to make it sleep for a second since it was a forking. And that process is fast...

ex2:

Hooking a readdir and filldir function. And we check if the file has the same name as the PID. We made a new file opts structure, which was the same except 
for the readdir function.

ex4:

Changed the read function for the file of tcp and tcp6. Check the foreign and local address's ports. If this line has the port we are trying to hide in Hex,
we will copy everything after this line over... And reduce "Read" by the amount of characters we deleted, so no bogus lines are detected. The same idea of 
hooking through f_op is used.