mirror of
https://github.com/milabs/awesome-linux-rootkits.git
synced 2024-10-01 06:35:44 -04:00
3.3 KiB
3.3 KiB
rkduck rootkit details
https://github.com/QuokkaLight/rkduck
Environment
- x86, x86_64
- Linux kernel 4.x
- Debian/Ubuntu, RHEL/CentOS/Fedora
Persistency
Boot-time module loading using OS-specific startup files:
- /etc/modules (debian/ubuntu)
- /etc/rc.modules (redhat/centos/fedora)
Rootkit module runs forever.sh
helper script at the moment of module unloading:
Detection evasion
Rootkit is trying to evade from detection by:
- hiding rootkit files by name
Management interface
Implemented via in-kernel netlink
server (NETLINK_USER
) :
Supported commands are:
- hiding/unhiding files
- hiding/unhiding processes
Altering system behaviour
Hooking of system calls by patching syscall-handlers in sys_call_table[]
:
- hook
sys_call_table[__NR_write]
(disabled) - hook
file->f_op->iterate
for/
and/proc
dentries - netfilter
NF_INET_PRE_ROUTING/NF_IP_PRI_FIRST
hook used for catchingICMP
packets
Hiding of files and directories
Filtering of directory entries:
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L323 (vfs_hide_file)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L346 (vfs_unhide_file)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L97 (vfs_hijacked_iterate)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L59 (vfs_hijacked_filldir)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L157 (vfs_hijacked_proc_iterate)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L78 (vfs_hijacked_proc_filldir)
Hiding of processes and process trees
Filtering PID-like numeric entries while listing /proc
:
- based on hiding of files capabilty (vfs_hide_file)
Keylogger
Keylogger is implemented using register_keyboard_notifier()
:
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/keylogger.c#L204
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/keylogger.c#L72 (keylogger_notify)
Logged keystrokes are saved in file which periodically being sent to remote hos using scp
:
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/keylogger.c#L181 (keylogger_init)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/keylogger.c#L64 (writing to the file...)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/keylogger.c#L32 (sending with
scp
)
Backdoor
...