• Stars
    star
    231
  • Rank 173,434 (Top 4 %)
  • Language
    C
  • License
    MIT License
  • Created almost 3 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Linux Loadable Kernel Module (LKM) based rootkit (ring-0), capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter antirootkit.

reveng_rtkit

Language Compiled with Tested on

Category License

reveng_rtkit is a Linux Loadable Kernel module (aka LKM) based rootkit targeting Linux Kernel: 5.11.0-49-generic as it was only tested on it till now.


🚫 [Disclaimer]: Use of this project is for Educational/ Testing purposes only. Using it on unauthorised machines is strictly forbidden. If somebody is found to use it for illegal/ malicious intent, author of the repo will not be held responsible.


reveng_rtkit mechanism:

Rootkit features:

Sl. no. Name Features
1. Finding Syscall Table address By creating custom kallsyms_lookup_name function to get address of sys_call_table symbol from kernel memory.
2. Function Hooking Get the address of the syscall from sys_call_table to get them hooked, then modify CR0 register to remove write protect bit and then modify/edit the sys_call_table and then again applying write protection to kernel memory.
3. Hide Rootkit Hides itself by deleting itself(or entry) from responsible linked list.
4. Hide Processes/implants Done in same way, as mentioned above in Sl. no. 2.
5. Unable to rmmod rootkit module Using kernel function called try_module_get() makes impossible for admins to remove our rootkit.
6. Interactive Control Implementing an IOCTL which manages the features of the rootkit and allows the user to send it commands.
7. Bypassing Can bypass infamous rkhunter antirootkit

Let's see what functions will be called during loading the rootkit:

Defined within Filename Functions function name in rootkit.c Working Effectivity of remove_rootkit() Mode of access
hide_show_helper.h proc_lsmod_hide_rootkit() hide_rootkit() Hides rootkit from "/proc/modules" file, "/proc/kallsyms" file and "lsmod" command. No effectivity ./client_usermode
hide_show_helper.h sys_module_hide_rootkit() hide_rootkit() Hides rootkit from "/sys/module/<THIS_MODULE>/" directory. No effectivity ./client_usermode
hide_show_helper.h proc_lsmod_show_rootkit() show_rootkit() Reveals our rootkit in "/proc/modules" file, "/proc/kallsyms" file and "lsmod" command. Will work effectively ./client_usermode
hide_show_helper.h sys_module_show_rootkit() show_rootkit() Reveals our rootkit in "/sys/module/<THIS_MODULE>/" directory. _ ./client_usermode
rootkit.c tidy() tidy() In this function we do some clean up. If we don't do this, there will be some errors during unloading the rootkit using rmmod. _ _
rootkit.c protect_rootkit() protect_rootkit() This is very simple function which just makes impossible to unload the rootkit by "rmmod rootkit" command even if it is visible. However it is still possible to unload by "rmmod -f rootkit" if kernel was compiled with support for forced unloading modules. Β  link: sysprog21.github.io _ ./client_usermode
rootkit.c remove_rootkit() remove_rootkit() Making rootkit removable from kernel using rmmod _ ./client_usermode
hook_syscall_helper.h hacked_kill() rootkit_init() and rootkit_exit(void) Process/Implant Hiding _ cmd prompt: kill -31 <pid>
hook_syscall_helper.h hacked_kill() rootkit_init() and rootkit_exit(void) getting rootshell _ cmd prompt: kill -64 <any pid>

NOTE:

Function tidy(), sys_module_hide_rootkit() and sys_module_show_rootkit() are not used in code. They were commented out. The reason behind that will be discussed in details in my blog post.

How to use it:

  1. Clone the repo
$ git clone https://github.com/reveng007/reveng_rtkit.git
  1. Enter the directory
$ cd reveng_rtkit/
  1. Now, we have 2 directories: kernel_src and user_src.
  • user_src: Contains usermode client code to interact with our rootkit module (once it it loaded into the kernel) via the registered Character Device file.
  • kernel_src: Contains kernelmode rootkit: reveng_rtkit which will be responsible for the whole mayhem πŸ˜‰.
$ cd kernel_src/
$ make
$ sudo insmod reveng_rtkit.ko

kernel_rootkit

  1. To interract with the kernel rootkit. Open another terminal
$ cd reveng_rtkit/user_src/
  1. compile and run the code
$ gcc client_usermode.c -o client_usermode
$ sudo ./client_usermode

NOTE: Be sure to run the code with root priv., because we are interracting with device driver, which is a part of the Linux kernel.

client_mode

  1. Another method to interract with it is via kill syscall interception:
  • To hide process/implant:
$ kill -31 <pid>

Screenshot from 2022-02-25 20-40-46

  • To get root shell (without providing a password):
$ kill -64 <any pid>

Screenshot from 2022-02-25 20-45-45

NOTE:

This rootkit is capable of providing rootshell to only bash and sh shell, not others. Although, it is possible for other shells as well but with some tricks. We can use system() C function alike function in Linux Kernel programming, so that we 1st trigger a bash/sh shell then offer rootshell to the attacker. I have'nt got that type of kernel function till now, but as soon as I get it, I will add it up. If anybody viewing this know about this, or interested to contribute, are most welcome to make a pull request.

  • To remove this rootkit module: 1stly make module visible via show command using client_usermode file as reveng_rtkit while loading hides itself from being revealed (also change to remove mode, if you have made rootkit module to protect mode previously).
reveng007@ubuntoo ~/D/k/B/L/x/1/g/kernel_src> sudo ../user_src/client_usermode
[sudo] password for reveng007: 


[+] Created by @reveng007(Soumyanil)


|+++++++++++++++++++ Available commands ++++++++++++++++++|

hide		: Command to hide rootkit 
		=> In this mode, in no way this rootkit be removable

show		: Command to unhide rootkit 
		=> In this mode, rootkit_protect and rootkit_remove will work effectively

protect		: Command to make rootkit unremovable (even if it can be seen in usermode)

remove		: Command to make rootkit removable

kill -31 <pid>	: Command to hide/unhide running process. Applicable in normal shell prompt.
		=> write: `process` in the below prompt to close without any error

kill -64 <any pid>	: Command to get rootshell. Applicable in normal shell prompt.
		=> write: `root` in the below prompt to close without any error


[+] Driver file opened
[?] Enter the Value to send: show
[+] Written Value to Device file
[*] Reading Value from Device file: Value present in Device: show

[+] Device file closed
reveng007@ubuntoo ~/D/k/B/L/x/1/g/kernel_src> sudo ../user_src/client_usermode


[+] Created by @reveng007(Soumyanil)


|+++++++++++++++++++ Available commands ++++++++++++++++++|

hide		: Command to hide rootkit 
		=> In this mode, in no way this rootkit be removable

show		: Command to unhide rootkit 
		=> In this mode, rootkit_protect and rootkit_remove will work effectively

protect		: Command to make rootkit unremovable (even if it can be seen in usermode)

remove		: Command to make rootkit removable

kill -31 <pid>	: Command to hide/unhide running process. Applicable in normal shell prompt.
		=> write: `process` in the below prompt to close without any error

kill -64 <any pid>	: Command to get rootshell. Applicable in normal shell prompt.
		=> write: `root` in the below prompt to close without any error


[+] Driver file opened
[?] Enter the Value to send: remove
[+] Written Value to Device file
[*] Reading Value from Device file: Value present in Device: remove

[+] Device file closed

Bypassing rkhunter antirootkit:

Here is the log file, that was generated:

asciicast

  • Only one warning is present:
  1. /usr/bin/lwp-request : stackexchange So, this is not a threat! cool!

Update:

Today, I found out this Warning.

rootkit_warning

Then searched for other options of rkhunter to get more informations about this "warning", that which exact processes are actually causing this warning (suspicious (large) shared memory segments). Found out this:

rootkit_warning_reasons

We can see it is telling us, configured size allowed: 1.0MB, i.e. those processes which takes more than 1MB gets flagged. But main point is our rootkit is not getting flagged :) (More like False-Positive thing).

There are several links related to this:

  1. serverfault
  2. linuxquestions

To-Do list πŸ‘¨β€πŸ”§:

  • Hiding process files completely. Our hidden process file can be accessed to open/read. If someone does, ls <filename>, they can easily open them.
  • Successfully able to hide and reveal our LKM module from /sys/module/ directory using sycall interception, in order to decieve usermode programs issue #6.
  • Adding system() C function alike function in Linux Kernel programming, in order to open a new bash/sh prompt issue #1.
  • Adding Linux Kernel Sockets issue #2.
  • Surviving system reboot issue #5.
  • Breaking kernel_src/reveng_rtkit.c issue #8.
  • Adding Capabilty to bypass SELinux enabled Linux System issue #9.
  • Bypassing chkrootkit antirootkit issue #4.
    • Getting detected by chkrootkit antirootkit till now, under chkproc section: chkproc.c Β  Β  Screenshot from 2022-02-26 09-33-19

Limitations:

  • This LKM based rootkit can only be used in those Linux OSs, which don't have these two protections:
    1. Secure Boot
    2. Adding a grub parameter to "/etc/default/grub" file. This thing was pointed out to me by Artem Baranov and this link was shared to me, on my linkedin post, by Victor Sergeev, for further research.

Detailed Blog article on reveng_rtkit LKM rootkit, is available now, where I have explained how I created this LKM rootkit step by step.

If you(viewers) have spotted anything erronious or something which should be made correct, haven't documented correctly or haven't credited someone's work properly, please don't hesitate to reach out to me via those social media handles listed at the end of this file.

Honourable Mentions:

Resources that helped me:

  1. This project is heavily inspired by Heroin by Runar Jensen (didn't get any of his social media handle ;( ) and Diamorphine by @m0nadlabs open source LKM rootkit projects. Especially, the Syscall interception mechanism section was totally taken from Diamorphine repo by @m0nadlabs.
  2. https://github.com/pentesteracademy/linux-rootkits-red-blue-teams
  3. Rootkit features: https://github.com/R3x/linux-rootkits
  4. Excellent resource for grabbing lkm rootkit concepts: https://jm33.me/tag/lkm.html
  5. Simple LKM rootkit: https://theswissbay.ch/pdf/Whitepaper/Writing%20a%20simple%20rootkit%20for%20Linux%20-%20Ormi.pdf
  6. IOCTL: https://github.com/Embetronicx/Tutorials/tree/master/Linux/Device_Driver/IOCTL
  7. https://infosecwriteups.com/linux-kernel-module-rootkit-syscall-table-hijacking-8f1bc0bd099c
  8. LKM HACKING: https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html
  9. Hide Files and Processes:
    i. https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html#II.2.1.
    ii. https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html#II.5.
    iii. https://jm33.me/linux-rootkit-for-fun-and-profit-0x02-lkm-hide-filesprocs.html
  10. Get Rootshell: https://xcellerator.github.io/posts/linux_rootkits_03/
  11. kobject: https://www.win.tue.nl/~aeb/linux/lk/lk-13.html
  12. https://sysprog21.github.io/lkmpg/
  13. https://ish-ar.io/kprobes-in-a-nutshell/
  14. Editing cr0 register: https://hadfiabdelmoumene.medium.com/change-value-of-wp-bit-in-cr0-when-cr0-is-panned-45a12c7e8411
  15. https://www.researchgate.net/publication/240376985_UNIX_and_Linux_based_Rootkits_Techniques_and_Countermeasures

Author: @reveng007 (Soumyanil Biswas)


More Repositories

1

DarkWidow

Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing
C
532
star
2

SharpGmailC2

Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol
C#
256
star
3

Learning-EDR-and-EDR_Evasion

I will be uploading all the codes which I created with the help either opensource projects or blogs. This is a step by step EDR learning path for me.
C++
254
star
4

ReflectiveNtdll

A Dropper POC with a focus on aiding in EDR evasion, NTDLL Unhooking followed by loading ntdll in-memory, which is present as shellcode (using pe2shc by @hasherezade). Payload encryption via SystemFucntion033 NtApi and No new thread via Fiber
C
163
star
5

CheckHooks-n-load

A Windows stager-cum-PELoader focusing Dynamic EDR Evasion, as well as FUD till now (24/02/23), when Operator wants to Know the the Underlying functions Hooks and then craft Implant based on the previous condition.
C++
97
star
6

AMSI-patches-learned-till-now

I have documented all of the AMSI patches that I learned till now
C++
66
star
7

C2_Server

C2 server to connect to a victim machine via reverse shell
Python
49
star
8

DareDevil

Stealthy Loader-cum-dropper/stage-1/stager targeting Windows10
C#
37
star
9

reveng_loader

C# loader capable of running stage-1 from remote url, file path as well as file share
C#
14
star
10

ETW_patches_from_userMode_learned_till_now

ETW patches from userMode learned till now
C++
9
star
11

Executable_Files

Database for custom made as well as publicly available stage-2 or beacons or stageless payloads, used by loaders/stage-1/stagers, or for further usage of C2 as well
PowerShell
9
star
12

GDB-Cheat-Sheet

8
star
13

VulnCon-WorkShop-Slides

VulnCon WorkShop - Maldev Workshop : Offensive TradeCraft - Syscalls to Stack Spoofing
5
star
14

RemoveFalsePositives

Just a small python script which spits out unsigned char representation for Hooked Underlying Ntapis (Which are False Positives) , for c/cpp Usage
Python
2
star
15

TryHackMe

THM Walkthroughs
PowerShell
2
star
16

HTB

Shell
1
star
17

SSH_Bruter

Bruteforces ssh creds.
Python
1
star
18

Simple_Port_Scanner

Scans Single port as well as Multiple Ports
Python
1
star
19

C-for-Everyone-Programming-Fundamentals

All the topics and concepts of C programming that I have learned so far. The things covered in this repo are all beginner-friendly.
C
1
star
20

reveng007

1
star
21

reveng007.github.io

1
star