The directory structure of this repository might change drastically without any notifications.
Experiment 1: hello
Hello World! kernel module.
Experiment 2: sys_call_table
Get sys_call_table's address by brute-force memory searching starting from PAGE_OFFSET.
Experiment 3: write_protection
Disable or enable Write Protection via CR0 register.
Roundup Experiment 1: fsmon
A primitive file monitor based on system call hooking.
Hooked functions:
open, unlink, unlinkat.
Roundup Experiment 2: psmon
A primitive process monitor via system call hooking.
Hooked functions:
execve.
Notice
I have seen reports that the method used in this experiment would not work normally due to the inconsistent ABI of stub_execve, which requires further investigation.
Roundup Experiment 3: fshid
A primitive file-hiding demonstration using system call hooking.
Hooked functions:
getdents, getdents64.
Hidden files:
032416_525.mp4.
Notice
There is no hooking logic in getdents64 since I have not triggered it yet.
Experiment 1: root
Providing a root backdoor.
Experiment 2: komon
Preventing modules from initializing and functioning by substituting their init and exit functions when MODULE_STATE_COMING is notified to module notifiers.
Experiment 3: fshid
Hiding files by hooking filldir.
Experiment 4: pshid
Hiding processes by hiding entries under /proc.
Experiment 5: pthid
Hiding ports by filtering the contents of /proc/net/tcp and the like by hooking the show function of their seq_file interfaces.
Experiment 6: kohid
Hiding modules by hiding entries in /sys/module and filtering the contents of /proc/modules by hooking its show function. This experiment combines the techniques demonstrated in Experiment 4: pshid and Experiment 5: pthid.
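A defender-side counterpart to Experiment 4 (the same readdir-versus-direct-lookup gap is what the /proc/modules filtering in Experiment 6 relies on): this added Python script, which is not part of this repository, walks the PID space with kill(pid, 0) and compares what the kernel confirms against what a directory listing of /proc reports. It assumes a Linux /proc mounted at the default path.

```python
import os
import re
from typing import Dict, Set

def listed_pids(proc: str = "/proc") -> Set[int]:
    """PIDs exactly as the directory listing (the getdents/filldir path) reports them."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def parse_tgid(status_text: str) -> int:
    """Thread-group id from a /proc/<pid>/status body, or -1 if the field is absent."""
    m = re.search(r"^Tgid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else -1

def probe_pids(max_pid: int, proc: str = "/proc") -> Dict[int, str]:
    """Ask the kernel about every PID directly, bypassing readdir entirely.
    kill(pid, 0) delivers nothing; it only reports whether the id exists.
    Live ids are classified as 'leader' (Tgid == pid), 'thread' (Tgid != pid)
    or 'no_entry' (kernel says alive, but /proc/<pid>/status cannot be opened)."""
    result: Dict[int, str] = {}
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                 # no task with this id
        except PermissionError:
            pass                     # exists but belongs to another user; still alive
        try:
            with open(f"{proc}/{pid}/status") as f:
                tgid = parse_tgid(f.read())
        except (FileNotFoundError, ProcessLookupError):
            result[pid] = "no_entry"  # hidden at lookup, or a race with a task that just exited
            continue
        result[pid] = "leader" if tgid == pid else "thread"
    return result

def hidden_pids(listed: Set[int], probed: Dict[int, str]) -> Set[int]:
    """Ids the kernel confirms but the listing omits. Threads are skipped because
    /proc/<tid> is reachable by path yet never listed, even on a clean system."""
    return {pid for pid, kind in probed.items() if kind != "thread" and pid not in listed}

def read_pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())

if __name__ == "__main__":
    suspicious = hidden_pids(listed_pids(), probe_pids(read_pid_max()))
    print("pids hidden from /proc listing:", sorted(suspicious) or "none")
```

A hit in the 'no_entry' class should be re-checked once, since a process that exited between the two probes produces the same signature.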
- An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM.
- Sample Rootkit for Linux
- Lightweight rootkit implemented by bash shell scripts v0.10.