simple_rootkit

A simple LKM kernel space rootkit for < v5.7 linux with multiple functions.

Warning: due to the unexport of kallsyms_lookup functions from the kernel introduced in v5.7, this rootkit will NOT work on this version onwards.

How to build and run the LKM

1. Clone the repository to a local folder.
2. cd into src/
3. Run make in order to build the module.
4. Watch the kernel logging with dmesg -w in order to see printk messages in real time.
5. Insert the module with sudo insmod rootkit.ko and specify parameters:
   pid - process id to hide.
   file_name - file name to hide.
6. Remove the module with sudo rmmod rootkit.

How to hide a chosen pid:

1. When inserting the module, pass the chosen pid as a parameter to the insmod function, like this:
   sudo insmod rookit.ko pid=6375, to hide pid 6375.

How to hide a chosen file name:

1. When inserting the module, pass the chosen file name as a parameter to the insmod function, like this:
   sudo insmod rookit.ko file_name=foobar, to hide files with the name "foobar".

How to read the user's keystrokes:

1. Read from /dev/rootkit file, for example, with cat /dev/rootkit.

How to spawn a root shell as a normal user once the rootkit has loaded:

1. Execute the get_root program (in get_root folder) or anything similar which write "please_give_me_root" to /dev/rootkit and spawns a shell.
2. Execute the id program to make sure you are root.
3. Enjoy unlimited capabilities!

Currently planned features:

• keylogging.
• providing root access from inside the machine.
• process hiding from ps
• file hiding from ls.

Minor TODO list:

• Automate the mknod process.

---

Built and tested on a 18.04 ubuntu machine (kernel version 5.4.0).