mirror of
https://github.com/milabs/awesome-linux-rootkits.git
synced 2024-10-01 06:35:44 -04:00
3.3 KiB
3.3 KiB
Reptile kernel rootkit details
https://github.com/f0rb1dd3n/Reptile
- not able to tamper file contents while reading byte-by-byte (❗)
- not able to hide all threads and children of hidden (parent) process (❗)
Environment
- x86, x86_64
- Linux kernel 2.6.x/3.x/4.x
Persistency
Boot-time module loading using OS-specific startup files:
- /etc/modules (debian/ubuntu)
- /etc/rc.modules (redhat/centos/fedora)
https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L296
Detection evasion
Rootkit is trying to evade from detection by:
- hiding files by name
- tampering contents of startup files while reading
- hiding kernel module by unlinking from
modules-list
Management interface
Implemented via kill(2) by hooking sys_call_table[__NR_kill] entry:
Supported commands are:
- hiding/unhiding processes
- hiding/unhiding rootkit's module
- enabling/disabling of tampering file content function
- gaining root priveleges to calling process
Altering system behaviour
Hooking of system calls by patching syscall-handlers in sys_call_table[]:
- to write to read-only page
CR0/WPtechnique used (x86-only) - netfilter hook (
NF_IP_PRI_FIRST)
Hiding (tampering) of file contents
Filtering of file content while reading:
- hook
sys_call_table[__NR_read]
Hiding of files and directories
Filtering of directory entries:
- hook
sys_call_table[__NR_getdents] - hook
sys_call_table[__NR_getdents64]
Hiding of processes and process trees
Filtering PID-like numeric entries while listing /proc:
- getdents/getdents64 hook used
- hidden tasks are marked using
task->flags(bit0x10000000)
Backdoor/shell
Reverse shell spawning by port-knocking-like technique:
- magic packet with token used (
ICMP/UDP/TCP) - spawning root-shell connection to remote host