English δΈζ
LibZeroEvil & the Research Rootkit project
This is LibZeroEvil & the Research Rootkit project
,
in which there are step-by-step, experiment-based courses
that help to get you started and keep your hands dirty
with offensive or defensive development in the Linux kernel,
and also guide you with demonstrative examples
through the underlying core library, LibZeroEvil
,
which attempts to be
a real-world consumable programming framework
for any evil or good kernel-land invaders or defenders.
That being said, it's just the beginning
and LibZeroEvil
is still in its infancy,
serving educational purposes mainly.
Warning
It's never recommended to perform kernel module experiments on a physical machine, unless the owner will never complain about frequent rebooting or forced halting and possible data or work loss.
You have been warned.
Guidelines on Creating New Issues or Contributing
If a course doesn't compile, or compiles but doesn't work as expected, e.g. crashing or hanging your system, feel free to create a new issue. But before that, consider the following.
Search existing issues to ensure that it won't be duplicated.
Attach detailed information of your system, e.g.,
uname --all
, and what your compiler throws on you, i.e., the error information, so that others can successfully reproduce your issue and manage to help you out.If you can't figure out which error is the most significant one, paste all of them verbatim inside Markdown triple quotes.
Remember that kernel compatibility issues are the most common ones, since the author paid virtually no attention to that. However, it's my pleasure to learn about and fix them.
Some courses are x64 only for the time being.
Information on Kernel Compatibility
Tested Kernel
My major development environment.
Kali
Linux anon 4.6.0-kali1-amd64 #1 SMP Debian 4.6.3-1kali1 (2016-07-12) x86_64 GNU/Linux
.
Compilable Kernel
That is, ./tests/makeall.sh --quiet
reports no error,
but I haven't tested the functionality.
Arch
Linux anon 4.6.4-1-ARCH #1 SMP PREEMPT Mon Jul 11 19:12:32 CEST 2016 x86_64 GNU/Linux
.Ubuntu 14.04
Linux anon 4.2.0-42-generic #49~14.04.1-Ubuntu SMP Wed Jun 29 20:22:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Known Unresolved Compatibility Issues
struct dir_context
doesn't exist on kernel version 3.10 and earlier.For example, CentOS 7,
Linux localhost.localdomain 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
.
Notice on Directory Structure
The directory structure of this repository might change drastically without any notifications.
Available Courses
More courses might be designed and added here later.
sys_call_table
Course 1: Modifying / Hooking the Experiment 1:
hello
Hello World! kernel module.
Experiment 2:
sys_call_table
Get
sys_call_table
's address by brute-force memory searching starting fromPAGE_OFFSET
.Experiment 3:
write_protection
Disable or enable
Write Protection
via theCR0
register.Roundup Experiment 1: fsmon
A primitive file monitor based on system call hooking.
Hooked functions:
open
,unlink
,unlinkat
.Roundup Experiment 2: psmon
A primitive process monitor via system call hooking.
Hooked functions:
execve
.Notice
I have seen reports that the method used in this experiment would not work normally due to inconsistent ABI of
stub_execve
, which requires further investigation.
Roundup Experiment 3: fshid
A primitive file-hiding demonstration using system call hooking.
Hooked functions:
getdents
,getdents64
.Hidden files:
032416_525.mp4
.
Course 2: Implementing fundamental functionalities of rootkits
Experiment 1:
root
Providing a root backdoor.
Experiment 2:
komon
Preventing modules from initializing and functioning by substituting their init and exit functions when
MODULE_STATE_COMING
is notified to module notifiers.Experiment 3:
fshid
Hiding files by hooking
filldir
.Experiment 4:
pshid
Hiding processes by hiding entries under
/proc
.Experiment 5:
pthid
Hiding ports by filtering contents in
/proc/net/tcp
and the like by hooking theshow
function of theirseq_file
interfaces.Experiment 6:
kohid
Hiding modules by hiding entries in
/sys/module
and filtering contents of/proc/modules
by hooking itsshow
function.This experiment combines the techniques demonstrated in
Experiment 4: pshid
andExperiment 5: pthid
.
Course 3: Infecting critical kernel modules for persistence and more
Experiment 1:
elf
Providing elementary materials on ELF parsing and modifying.
This experiment implemented an essential tool, i.e.
setsym
, for following experiments, and also two trivial tools,lssec
resemblingreadelf -S
andlssym
resemblingreadelf -s
/objdump -t
.They are coded for 64-bit ELF only, but it shouldn't be difficult to adapt.
Experiment 2:
noinj
Hijacking / Hooking the init and exit function of the module with functions in the same module by modifying the symbol table.
Experiment 3:
codeinj
Injecting the adapted
fshid
(See Experiment 3 of Course 2) into a demonstrative simple module (i.e. withoutstatic __init
orstatic __exit
), and hooking / hijacking its init and exit functions by modifying the symbol table.Roundup Experiment:
real
Injecting the adapted
fshid
(See Experiment 3 of Course 2) into a real-world kernel module (i.e. withstatic __init
orstatic __exit
) by linking, and hooking / hijacking its init and exit functions by modifying the symbol table.
entry_SYSCALL_64
Course 4: Modifying / Patching the This is x64 only. However, it's not difficult to adapt.
Experiment 1: get
Getting the
sys_call_table
's address in the machine code ofentry_SYSCALL_64
by searching the identifying bytesff 14 c5
.Experiment 2: set
Patching the
sys_call_table
's address in the machine code ofentry_SYSCALL_64
with a faked but innocuous, i.e. unmodified, one.Experiment 3: rec
Recovering the
sys_call_table
's address in the machine code ofentry_SYSCALL_64
to that obtained viasys_close
-based memory searching.Roundup Experiment: ifmon
Monitoring network flow (especially
GET
&POST
) by hookingsys_sendto
using the method demonstrated in the above three experiments onentry_SYSCALL_64
.
Course 5: Inline Hooking
Experiment 1:
jmp
Patching the starting bytes of target functions with control flow redirection instructions, e.g.
PUSH RET
,JMP
orINT
, which transfer control to our function, where our tasks are performed, including restoring those bytes and invoking the victim function if necessary.
Projects Of Interests
-
An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM.
-
This is a linux rootkit using many of the techniques described on http://r00tkit.me.
-
Sample Rootkit for Linux.