A simple implementation of a kernel-level rootkit. It includes the functionality to intercept some system calls, as well as the functionality to change the credentials of a given process. The system-call interception is based on the method described at https://xcellerator.github.io/ .
- Interception of system calls using ftrace
- Intercepted syscalls:
  - getdents
  - getdents64
  - read
  - mkdir
  - readdir
- Privilege escalation for a process selected by its PID
- Communication with the driver is implemented through the following channels:
  - procfs
  - chardev
  - IOCTL code
- Tested on kernel 3.x - 4.x; 5.x not tested
- Functionality:
  - Hide/Unhide process
  - Hide/Unhide network port
  - Hide/Unhide kernel module
  - Hide/Unhide file
  - Change process credentials (privilege escalation to root)
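The process-hiding feature above works by filtering directory entries out of the hooked getdents/getdents64 results, so `ls /proc` and tools built on readdir no longer show the PID, while the `/proc/<pid>` directory itself still answers a direct stat. A defender can exploit that gap to detect the hidden process. The following detection script is an added example, not part of this project: it compares the PIDs visible in a directory listing of /proc against a brute-force probe of every PID up to `pid_max`, then re-checks candidates to filter out processes that simply started or exited between the two passes. The function and parameter names are the example's own.

```python
"""Detect processes hidden from readdir(/proc) by a getdents-filtering hook.

Added detection example; not code from the rootkit project this README
describes. The core functions take their inputs as arguments so they can be
exercised with constructed data; scan_live() wires them to the real /proc.
"""
import os
from typing import Callable, Iterable, Set

Probe = Callable[[int], bool]


def listed_pids(proc_entries: Iterable[str]) -> Set[int]:
    """PIDs that appear in a directory listing (numeric entry names only)."""
    return {int(name) for name in proc_entries if name.isdigit()}


def probed_pids(probe: Probe, pid_max: int) -> Set[int]:
    """PIDs that answer a direct existence probe, which bypasses readdir."""
    return {pid for pid in range(1, pid_max + 1) if probe(pid)}


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs reachable by direct probe but missing from the listing."""
    return probed - listed


def confirm_hidden(candidates: Set[int],
                   list_dir: Callable[[], Iterable[str]],
                   probe: Probe) -> Set[int]:
    """Re-check candidates against a fresh listing to drop race conditions:
    a PID that exited, or was spawned between listing and probing, is not
    hidden, it just moved. A genuinely hidden PID is still probe-able and
    still absent from the new listing."""
    still_listed = listed_pids(list_dir())
    return {pid for pid in candidates if probe(pid) and pid not in still_listed}


def proc_dir_probe(pid: int) -> bool:
    """Live probe: does /proc/<pid> exist when addressed by name directly?"""
    return os.path.isdir(f"/proc/{pid}")


def read_pid_max(proc_root: str = "/proc") -> int:
    """Upper bound for the brute-force scan; falls back to an assumed
    default (32768, the classic kernel default) if the file is unreadable."""
    try:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def scan_live(proc_root: str = "/proc") -> Set[int]:
    """Run the full listing-vs-probe comparison against the real /proc."""
    list_dir = lambda: os.listdir(proc_root)
    listed = listed_pids(list_dir())
    probed = probed_pids(proc_dir_probe, read_pid_max(proc_root))
    return confirm_hidden(hidden_pids(listed, probed), list_dir, proc_dir_probe)


if __name__ == "__main__":
    found = scan_live()
    print("hidden PIDs:", sorted(found) if found else "none")
```

On a system with a large `pid_max` (several million on recent kernels) the full probe takes some seconds; the comparison is the same idea tools such as `unhide` use, and a hook that also filters stat() on `/proc/<pid>` would defeat it, so treat an empty result as one signal rather than proof of a clean host.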
The LKM is located in the LKM directory. This directory contains two folders: src and build. The build folder contains the Makefile for building the LKM module. The src directory contains the full source code of the rootkit, with the main file named rk_main.c.
The UM component is located alongside the LKM and has the same folder structure.
Use the make utility to build the LKM and UM. Afterwards, install the .ko file using the insmod utility.
The project was created for informational and educational purposes. The author bears no responsibility for the use of this project for illegal purposes.