-
Notifications
You must be signed in to change notification settings - Fork 9
kevinkoo001/rootkit
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
/********************************************************** Last Updated: Nov 16, 2014 CSE509 System Security 2014 Fall @CS SBU Written By: Hyungjoon Koo (hykoo@cs.stonybrook.edu) Yaohui Chen (yaohchen@cs.stonybrook.edu) ***********************************************************/ A. The Rootkit Framework Platform Tested at ubuntu linux 12.04 LTS kernel 3.2.0-29-generic Should be working 3.x kernel version with an appropriate syscall table addr Module name kcr.ko Koo-Chen-Rootkit Kernel Cracking Rootkit Directory structure src/kcr.c : Define main function Does device registration Hijack linux system call table src/dev.c : Misc device operations read, write, open, etc src/helpers.c: Define helper functions src/HJ_x.c: Functions related to hijacking a ¡°x¡± system call All hijackings follow the same patterns i.e HJ_ls.c, HJ_ps.c, HJ_read.c, etc. src/backdoor.c Allows a backdoor when having a specific seteuid headers/dev.h headers/helpers.h headers/HJ_ls.h Describe headers to the corresponding source code headers/all.h: Describe common <linux/*> or <asm/*> headers Include all src/*.c files just for convenience :) headers/config.h: Include all.h, and global variables and macros B. Features (http://securitee.org/teaching/cse509/files/projects/project1.html) Required implementation Hide specific files and directories from showing up when a user does "ls" and similar commands Hide defined prefixes (i.e hide_, bad_, ) Support dynamically changed prefixes Modify the /etc/passwd and /etc/shadow file to add a backdoor account while returning the original contents of the files (pre-attack) when a normal user requests to see the file (sys_read) Hides processes from the process table when a user does a "ps" Additional implementation Key logging (Not yet) Either saving keystrokes to local file or sending it out to remote site Backdoor Allowing a normal program to have a root privilege Hide the connections (Not yet) Opening/listening ports i.e netstat Hide the rootkit module itself i.e lsmod C. Usage $ make && sudo insmod kcr.ko
About
This project has been done with Chen as part of system security course at SBU CS.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published