# `awesome-linux-rootkits`

## :key: feature table

Environment:

- CPU architecture
- Kernel/User mode (or mixed)

Core capabilities:

- Persistency
- Management interface
- Altering system (library) behaviour

Stealth capabilities:

- Detection evasion
- System logs cleaning (filtering)

Hiding stuff capabilities:

- Hiding of files and directories
- Hiding (tampering) of file contents
- Hiding of processes and process trees
- Hiding of network connections and activity
- Hiding of process accounting information (like CPU usage)

Additional functions:

- Keylogger
- Backdoor/shell
- Gaining privileges

## :see_no_evil: user mode rootkits
|
2018-06-30 05:16:23 -04:00
|
|
|
|
|
|
|
- https://github.com/mempodippy/vlany
|
|
|
|
|
|
|
|
Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
|
2018-06-30 05:46:39 -04:00
|
|
|
|
2018-06-30 17:44:19 -04:00
|
|
|
- https://github.com/unix-thrust/beurk
|
|
|
|
|
|
|
|
BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
|
|
|
|
|
2018-06-30 17:49:30 -04:00
|
|
|
- https://github.com/chokepoint/azazel
|
|
|
|
|
|
|
|
Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit.
|
|
|
|
|
2018-06-30 17:57:27 -04:00
|
|
|
- https://github.com/chokepoint/Jynx2
|
|
|
|
|
|
|
|
JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit.
|
2018-06-30 18:07:55 -04:00
|
|
|
|
|
|
|
- https://github.com/chokepoint/jynxkit
|
|
|
|
|
|
|
|
JynxKit is an LD_PRELOAD userland rootkit for Linux systems with reverse connection SSL backdoor
|
|
|
|
|
2018-06-30 18:06:45 -04:00
|
|
|
- https://github.com/NexusBots/Umbreon-Rootkit
|
|
|
|
|
|
|
|
LD_PRELOAD based
|
2018-06-30 17:57:27 -04:00
|
|
|
|
2018-06-30 18:23:06 -04:00
|
|
|
- https://github.com/ChristianPapathanasiou/apache-rootkit
|
|
|
|
|
|
|
|
A malicious Apache module with rootkit functionality :point_up:
|
|
|
|
|
2018-06-30 17:18:03 -04:00
|
|
|
## :hear_no_evil: kernel mode rootkits

- https://github.com/f0rb1dd3n/Reptile :point_right: [details](details/reptile.md)

  Reptile is an LKM rootkit written for evil purposes that runs on Linux kernel 2.6.x/3.x/4.x

- https://github.com/QuokkaLight/rkduck

  rkduck - Rootkit for Linux v4

- https://github.com/croemheld/lkm-rootkit

  An LKM rootkit for most newer kernel versions.

- https://github.com/mncoppola/suterusu

  An LKM rootkit targeting Linux 2.6.x/3.x on x86 and ARM

- https://github.com/romeroperezabel/ARP-RootKit

  An open source rootkit for the Linux kernel to develop new ways of infection/detection. :fire:

- https://github.com/nurupo/rootkit

  Linux rootkit for Ubuntu 16.04 and 10.04 (Linux kernels 4.4.0 and 2.6.32), both i386 and amd64

- https://github.com/m0nad/Diamorphine :shit:

  LKM rootkit for Linux kernels 2.6.x/3.x/4.x (x86 and x86_64)

- https://github.com/ivyl/rootkit :shit:

  Sample rootkit for Linux

- https://github.com/Eterna1/puszek-rootkit

  Yet another LKM rootkit for Linux. It hooks the syscall table.

- https://github.com/trimpsyw/adore-ng

  Linux rootkit adapted for 2.6 and 3.x

- https://github.com/bones-codes/the_colonel

  An experimental Linux kernel module (rootkit) with a keylogger and built-in IRC bot

- https://github.com/David-Reguera-Garcia-Dreg/enyelkm

  LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.

- https://github.com/falk3n/subversive

  x86_64 Linux rootkit using debug registers

- https://github.com/jiayy/lkm-rootkit

  An LKM rootkit supporting x86/64, ARM and MIPS

- https://github.com/a7vinx/liinux

  A Linux rootkit that works on kernel 4.0.x or higher

- https://github.com/hanj4096/wukong

  Wukong: an LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x

- https://github.com/varshapaidi/Kernel_Rootkit

  Linux kernel rootkit to hide modules and the ssh service

- https://github.com/kacheo/KernelRootkit

  Linux kernel rootkit to hide certain files and processes.

- https://github.com/dsmatter/brootus

  bROOTus is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and is totally restricted to kernel 2.6.32.

- https://github.com/jarun/keysniffer

  A Linux kernel module to grab keys pressed on the keyboard (`keylogger`).

- https://github.com/PinkP4nther/Sutekh

  An example rootkit that gives a userland process root permissions (x86, 4.x)

- https://github.com/En14c/LilyOfTheValley

  LilyOfTheValley is a simple LKM Linux kernel rootkit for v4.x that works on x86 and x86_64 :shit:

## :speak_no_evil: related stuff

- https://github.com/landhb/DrawBridge

  A layer 4 Single Packet Authentication (SPA) module, used to conceal TCP ports on public-facing machines and add an extra layer of security.