Environment:
- CPU architecture
- Kernel/User mode (or mixed)
Core capabilities:
- Persistency
- Management interface
- Altering system (library) behavior
Stealth capabilities:
- Detection evasion
- System logs cleaning (filtering)
Hiding stuff capabilities:
- Hiding of files and directories
- Hiding (tampering) of file contents
- Hiding of processes and process trees
- Hiding of network connections and activity
- Hiding of process accounting information (like CPU usage)
Additional functions:
- Keylogger
- Backdoor/shell
- Gaining priveleges
-
https://github.com/mempodippy/vlany
Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
-
https://github.com/unix-thrust/beurk
BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
-
https://github.com/chokepoint/azazel
Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit.
-
https://github.com/chokepoint/Jynx2
JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit.
-
https://github.com/chokepoint/jynxkit
JynxKit is an LD_PRELOAD userland rootkit for Linux systems with reverse connection SSL backdoor
-
https://github.com/NexusBots/Umbreon-Rootkit
LD_PRELOAD based
-
https://github.com/ChristianPapathanasiou/apache-rootkit
A malicious Apache module with rootkit functionality
-
https://github.com/jermeyyy/rooty
Academic project of Linux rootkit made for Bachelor Engineering Thesis.
-
https://github.com/trailofbits/krf
A kernelspace randomized syscall faulter for Linux 4.15+
-
https://github.com/f0rb1dd3n/Reptile ⚡ details ⚡
Reptile is a LKM rootkit written for evil purposes that runs on Linux kernel 2.6.x/3.x/4.x
-
https://github.com/QuokkaLight/rkduck ⚡ details ⚡
rkduck - Rootkit for Linux v4
-
https://github.com/croemheld/lkm-rootkit
A LKM rootkit for most newer kernel versions.
-
https://github.com/mncoppola/suterusu
An LKM rootkit targeting Linux 2.6.x/3.x on x86, and ARM
-
https://github.com/romeroperezabel/ARP-RootKit
An open source rootkit for the Linux Kernel to develop new ways of infection/detection.
-
https://github.com/nurupo/rootkit
Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64
-
https://github.com/m0nad/Diamorphine
LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86 and x86_64)
-
https://github.com/ivyl/rootkit
Sample Rootkit for Linux
-
https://github.com/deb0ch/toorkit
A simple useless rootkit for the linux kernel
-
https://github.com/vrasneur/randkit
Random number rootkit for the Linux kernel
-
https://github.com/Eterna1/puszek-rootkit
Yet another LKM rootkit for Linux. It hooks syscall table.
-
https://github.com/trimpsyw/adore-ng
linux rootkit adapted for 2.6 and 3.x
-
https://github.com/bones-codes/the_colonel
An experimental linux kernel module (rootkit) with a keylogger and built-in IRC bot
-
https://github.com/David-Reguera-Garcia-Dreg/enyelkm
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.
-
https://github.com/falk3n/subversive
x86_64 linux rootkit using debug registers
-
https://github.com/jiayy/lkm-rootkit
An lkm rootkit support x86/64,arm,mips
-
https://github.com/a7vinx/liinux
A linux rootkit works on kernel 4.0.X or higher
-
https://github.com/hanj4096/wukong
Wukong: a LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x
-
https://github.com/varshapaidi/Kernel_Rootkit
Linux Kernel Rootkit - To hide modules and ssh service
-
https://github.com/kacheo/KernelRootkit
Linux kernel rootkit to hide certain files and processes.
-
https://github.com/dsmatter/brootus
bROOTus is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and it is totally restricted to kernel 2.6.32.
-
https://github.com/jarun/keysniffer
A Linux kernel module to grab keys pressed in the keyboard.
-
https://github.com/PinkP4nther/Sutekh
An example rootkit that gives a userland process root permissions (x86, 4.x)
-
https://github.com/En14c/LilyOfTheValley
LilyOfTheValley is a simple LKM linux kernel rootkit for v4.x that works on (x86 and x86_64)
-
https://github.com/NoviceLive/research-rootkit
This is LibZeroEvil & the Research Rootkit project, in which there are step-by-step, experiment-based courses that help to get you started and keep your hands dirty with offensive or defensive development in the Linux kernel (LibZeroEvil).
-
https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit ⚡ writeup ⚡
Out of Sight, Out of Mind is a study and implementation of Linux rootkit methods. In addition a new covert network channel using additional Domain Name System (DNS) is implemented.
-
https://github.com/h3xduck/Umbra
An experimental LKM rootkit for v4.x/5.x kernels which opens a backdoor that can be used to get a reverse shell remotely.
-
https://github.com/kris-nova/boopkit
Linux backdoor, rootkit, and eBPF bypass tools. Remote command execution over raw TCP.
-
https://github.com/milabs/kopycat
KOPYCAT - Linux Kernel module-less implant (backdoor).
-
https://github.com/h3xduck/TripleCross
A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
Linux 4.18+ rootkit with multiple reverse backdoors, task management, CPU usage hiding, stealth techniques, ELF infection and evasion from anti-rooktiks based on eBPF.
-
https://github.com/reveng007/reveng_rtkit
Linux Loadable Kernel Module (LKM) based rootkit capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter antirootkit.
-
https://github.com/landhb/DrawBridge
A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.
-
https://github.com/gianlucaborello/libprocesshider
Hide a process under Linux using the ld preloader
-
https://github.com/spiderpig1297/kprochide
LKM for hiding processes from the userland. The module is able to hide multiple processes and is able to dynamically receive new processes to hide.
-
https://github.com/spiderpig1297/kfile-over-icmp
kfile-over-icmp is a loadable kernel module for stealth sending of files over ICMP communication.
-
https://github.com/spiderpig1297/kunkillable
LKM (loadable kernel module) that makes userland processes unkillable.
-
https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html
Heroin, an LKM based rootkit, and many more LKM based rootkit techniques (it's backdated, but posses powerful knowledge).