{"id":13685894,"url":"https://github.com/carloslack/KoviD","last_synced_at":"2025-05-01T04:32:48.362Z","repository":{"id":38050443,"uuid":"476709450","full_name":"carloslack/KoviD","owner":"carloslack","description":"Red-Team Linux kernel rootkit","archived":false,"fork":false,"pushed_at":"2025-04-22T08:48:09.000Z","size":28128,"stargazers_count":349,"open_issues_count":5,"forks_count":59,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-22T09:56:13.644Z","etag":null,"topics":["assembly","backdoor","bpf","bpf-maps","c","cmake","firewall-bypass","for-educational-purposes-only","kernel","linux","llvm","module","red-team","rootkit","rust","ssh","tasks","tty","ubuntu","x64"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/carloslack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-04-01T12:21:35.000Z","updated_at":"2025-04-22T09:42:52.000Z","dependencies_parsed_at":"2023-02-12T13:00:53.716Z","dependency_job_id":"5a2a2194-2bc5-4a83-b941-17ed18f50a20","html_url":"https://github.com/carloslack/KoviD","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carloslack%2FKoviD","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carloslack%2FKoviD/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carloslack%2FKoviD/releases","manifests_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/carloslack%2FKoviD/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/carloslack","download_url":"https://codeload.github.com/carloslack/KoviD/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251824782,"owners_count":21649934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assembly","backdoor","bpf","bpf-maps","c","cmake","firewall-bypass","for-educational-purposes-only","kernel","linux","llvm","module","red-team","rootkit","rust","ssh","tasks","tty","ubuntu","x64"],"created_at":"2024-08-02T14:00:58.646Z","updated_at":"2025-05-01T04:32:48.348Z","avatar_url":"https://github.com/carloslack.png","language":"C","funding_links":[],"categories":["Awesome Repositories"],"sub_categories":["ELF VX technology"],"readme":"![KoviD Logo](./docs/images/logo/kvlogo.jpeg)\n\n## 1 - About\n\n    KoviD is a Loadable Kernel Module (LKM) designed for\n    Linux Kernel version 5 and later. 
Key features include:\n\n    Self-hiding from SysFS.\n    Provides reverse shell backdoors.\n    Conceals processes from the proc file system.\n    Handles child processes, newly created processes.\n    Hides KauditD logs, syslogs, user presence.\n    Conceals CPU usage for all hidden tasks.\n    Grants root privileges.\n    Hides files and directories.\n    Explore Demos repository.\n\nWatch [KoviD Demos](https://github.com/carloslack/kv-demos/tree/master)\n\nRead [Phrack magazine](http://phrack.org/issues/71/12.html#article) where g1inko works on some challenges posed by `KoviD`\n\n### 1.1 Mostly tested against\n\n    6.x EXPERIMENTAL: Linux 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC x86_64 x86_64 x86_64 GNU/Linux\n    gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0\n\n    5.x: Ubuntu 22.04.1 LTS\n    Linux hash-virtual-machine 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC\n    UTC 2 x86_64 x86_64 x86_64 GNU/Linux\n\n    5.x: Linux Standard-PC-Q35-ICH9-2009 5.15.0-43-generic #46-Ubuntu\n    SMP x86_64 x86_64 x86_64 GNU/Linux\n\n    5.x: Ubuntu 22.04 LTS\n    Linux 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux\n    gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0\n\n    5.x: Ubuntu 20.10\n    Linux ubuntu 5.8.0-55-generic #62-Ubuntu SMP Tue Jun 1 08:21:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux\n    gcc (Ubuntu 10.3.0-1ubuntu1~20.10) 10.3.0\n\n    5.x: Ubuntu 18.04.5 LTS\n    Linux ubuntu 5.4.0-89-generic #100~18.04.1-Ubuntu SMP Wed Sep 29 10:59:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux\n    gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0\n\n    4.x: Debian GNU/Linux 10\n    Linux debian10teste 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux\n    gcc (Debian 8.3.0-6) 8.3.0\n\n    4.x: CentOS Linux release 8.3.2011\n    4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux\n    gcc (GCC) 8.3.1 20191121 (Red Hat 8.3.1-5)\n\n\n## 2 - Features\n\n### 2.1 
Hide itself (module)\n\n    KoviD hides itself, making it challenging to detect. It customizes kernel\n    code to evade anti-rootkit detectors and disappears\n    from /sys/module listings.\n\n### 2.2 Hide files and directories\n\n    KoviD hides files and directories effectively by hijacking filldir and\n    filldir64 kernel functions, significantly simplifying the process.\n\n### 2.3 Function and syscall hijacking: Ftrace\n\n    KoviD leverages Ftrace, a legitimate method for\n    function and syscall hijacking in Kernel v5+.\n    This approach offers greater stability compared\n    to traditional hooking techniques.\n\n### 2.4 Backdoors\n\n    KoviD incorporates popular and reliable methods for backdooring systems,\n    such as port-knocking with custom packets.\n    These open connections to Netcat, OpenSSL, and Socat sessions.\n\n### 2.5 Firewall Evasion\n\n    KoviD sends magic packets and establishes reverse shell connections.\n    These packets trigger netfilter hooks and instruct KoviD to create a\n    reverse shell connection. These outgoing packets bypass iptables rules,\n    ensuring effective evasion.\n\n### 2.6 Tasks\n\n    Hiding processes is a crucial feature, giving KoviD the\n    ability to run undetected. It provides full support for\n    child processes, ensuring that no hanging processes are left behind.\n\n### 2.7 Logs\n\n    KoviD's hidden tasks result in missing logs, making it\n    even more challenging for administrators to detect its\n    presence. It eliminates logs generated by userland tools\n    like w, lsmod, ps, who, ls.\n\n### 2.8 TCP/UDP logs\n\n    KoviD hides network connections and manipulates network logs\n    to maintain stealth for backdoors. Libpcap+recvmsg\n\t(ss, tcpdump, netstat...).\n\n### 2.9 r00t\n\n    Gain root privileges easily with kill -SIGCONT 666.\n\n### 2.10 CPU - hiding/mining\n\n    KoviD hides CPU consumption, making its processes invisible\n    as heavy consumers. 
However, be cautious not to max out the CPU,\n    as this can lead to unusual usage patterns.\n\n### 2.11 Persistence\n\n    KoviD offers persistence via Volundr. It can infect executables,\n    like SSHD, to ensure KoviD loads on reboot. You can also use your\n    preferred tool; Volundr is just a suggestion here.\n\n### 2.12 Base address\n\n    KoviD allows for the retrieval of base addresses of other executables\n    without needing to open /proc/\u003cpid\u003e/maps.\n\n### 2.13 BPF\n\n    KoviD can evade a few anti-rootkit tools that rely on BPF\n    (Berkeley Packet Filter) for detecting rootkits.\n\n    Tested against:\n        https://github.com/pathtofile/bpf-hookdetect.git\n\n### 2.14 Tainted\n\n    $ sudo insmod ./kovid.ko\n    $ cat /proc/sys/kernel/tainted\n    0\n\n## 3 - Usage\n\n    Before compiling and loading KoviD, edit the Makefile to choose a unique\n    name for /proc/\u003cname\u003e. Compile and load KoviD using sudo insmod kovid.\n    Ensure the chosen name for /proc/\u003cname\u003e is not easily predictable.\n\n### 3.1 /proc/\u003cname\u003e interface\n\n    To enable the /proc/mytest interface, use the command:\n    $ kill -SIGCONT 31337.\n    The interface will disable itself after 120 seconds and can be\n    reactivated using the same command.\n\n### 3.2 Command retcode\n\n\tSome commands can return a status code.\n\tEnable status code:\n\t\t$ echo output-enable \u003e/proc/mytest\n\t\t$ cat /proc/mytest\n\t\t1\n\t\t$ echo output-disable \u003e/proc/mytest\n\t\t$ cat /proc/mytest\n\t\t0\n\n\t\t0 disabled\n\t\t1 enabled\n\n\tCommand example after output-enable:\n\t\t$ echo hide-lkm \u003e/proc/mytest\n\t\t$ cat /proc/mytest\n\t\t0\n\n### 3.3 Tasks\n\n    You can hide/unhide processes using the /proc/mytest interface.\n    For example, to hide a task, run: $ echo 14886 \u003e/proc/mytest.\n    If a task is a backdoor that needs tcp hiding, run:\n        $ echo hide-task-backdoor=\u003cpid\u003e \u003e/proc/mytest\n    Unhiding is the 
same as for regular tasks:\n        $ echo \"\u003cPID\u003e\" \u003e/proc/mytest\n\n### 3.4 Hide module\n\n    To hide the KoviD module, use the command: `$ echo hide-lkm \u003e/proc/mytest`.\n    In release mode, the module is hidden by default,\n    and a key can be displayed by running `$ cat /proc/mytest`.\n\n### 3.5 Hide/unhide/list files and directories\n\n    To hide a file or directory, use:\n    $ echo hide-file=/tmp/README.txt \u003e/proc/mytest\n    To unhide, use:\n    $ echo unhide-file=README.txt \u003e/proc/mytest\n    You can list hidden files\n    and directory names with:\n    $ echo list-hidden-file \u003e/proc/mytest.\n\n### 3.6 SSH/FTP TTY sniffer\n\n    KoviD can snoop SSH sessions via tty keystrokes and steal passwords\n    and commands effectively.\n\n### 3.7 Backdoors\n\n    For instructions, run 'scripts/bdclient.sh' and a help list is displayed.\n\n## 4 - Bugs\n\n    As with any software, KoviD may have bugs.\n    If you encounter issues or oopses, please report them in detail for\n    potential fixes. Test KoviD extensively, preferably in a VM that\n    mimics the target environment.\n\n    Disclaimer: The use of KoviD in a real target is discouraged\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarloslack%2FKoviD","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcarloslack%2FKoviD","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarloslack%2FKoviD/lists"}