{"id":13550666,"url":"https://github.com/milabs/awesome-linux-rootkits","last_synced_at":"2025-09-27T07:31:38.023Z","repository":{"id":34280179,"uuid":"139235277","full_name":"milabs/awesome-linux-rootkits","owner":"milabs","description":"awesome-linux-rootkits","archived":false,"fork":false,"pushed_at":"2023-01-27T18:40:05.000Z","size":90,"stargazers_count":1602,"open_issues_count":1,"forks_count":232,"subscribers_count":58,"default_branch":"master","last_synced_at":"2024-05-18T17:13:59.550Z","etag":null,"topics":["awesome","awesome-list","linux","linux-kernel","lkm-rootkit","rootkit"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/milabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-06-30T09:08:39.000Z","updated_at":"2024-05-16T17:02:37.000Z","dependencies_parsed_at":"2023-02-15T11:46:01.102Z","dependency_job_id":null,"html_url":"https://github.com/milabs/awesome-linux-rootkits","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/milabs%2Fawesome-linux-rootkits","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/milabs%2Fawesome-linux-rootkits/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/milabs%2Fawesome-linux-rootkits/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/milabs%2Fawesome-linux-rootkits/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/milabs","download_url":"https://codeload.github.com/milab
s/awesome-linux-rootkits/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234410188,"owners_count":18828154,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","awesome-list","linux","linux-kernel","lkm-rootkit","rootkit"],"created_at":"2024-08-01T12:01:35.951Z","updated_at":"2025-09-27T07:31:37.992Z","avatar_url":"https://github.com/milabs.png","language":null,"readme":"# `awesome-linux-rootkits` [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)\n\n## :key: feature table\n\nEnvironment:\n - CPU architecture\n - Kernel/User mode (or mixed)\n\nCore capabilities:\n - Persistency\n - Management interface\n - Altering system (library) behavior\n\nStealth capabilities:\n - Detection evasion\n - System logs cleaning (filtering)\n\nHiding stuff capabilities:\n - Hiding of files and directories\n - Hiding (tampering) of file contents\n - Hiding of processes and process trees\n - Hiding of network connections and activity\n - Hiding of process accounting information (like CPU usage)\n\nAdditional functions:\n - Keylogger\n - Backdoor/shell\n - Gaining privileges\n\n## :see_no_evil: user mode rootkits\n\n- https://github.com/mempodippy/vlany\n\n  Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)\n\n- https://github.com/unix-thrust/beurk\n\n  BEURK is a userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.\n\n- https://github.com/chokepoint/azazel\n\n  Azazel 
is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit.\n\n- https://github.com/chokepoint/Jynx2\n\n  JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit.\n\n- https://github.com/chokepoint/jynxkit\n\n  JynxKit is an LD_PRELOAD userland rootkit for Linux systems with reverse connection SSL backdoor\n\n- https://github.com/NexusBots/Umbreon-Rootkit\n\n  LD_PRELOAD based\n\n- https://github.com/ChristianPapathanasiou/apache-rootkit\n\n  A malicious Apache module with rootkit functionality\n\n## :hear_no_evil: kernel mode rootkits\n\n- https://github.com/ait-aecid/caraxes/\n\n  Academic Linux Kernel Module rootkit, from Linux 6.2 up tested until Linux 6.11 - may work with even newer versions.\n\n  Features only hiding of files/directories and processes.\n\n- https://github.com/jermeyyy/rooty\n\n  Academic project of Linux rootkit made for Bachelor Engineering Thesis.\n\n- https://github.com/trailofbits/krf\n\n  A kernelspace randomized syscall faulter for Linux 4.15+\n\n- https://github.com/f0rb1dd3n/Reptile :zap: [details](details/reptile.md) :zap:\n\n  Reptile is a LKM rootkit written for evil purposes that runs on Linux kernel 2.6.x/3.x/4.x\n\n- https://github.com/QuokkaLight/rkduck :zap: [details](details/rkduck.md) :zap:\n\n  rkduck - Rootkit for Linux v4\n\n- https://github.com/croemheld/lkm-rootkit\n\n  A LKM rootkit for most newer kernel versions.\n\n- https://github.com/mncoppola/suterusu\n\n  An LKM rootkit targeting Linux 2.6.x/3.x on x86, and ARM\n\n- https://github.com/romeroperezabel/ARP-RootKit\n\n  An open source rootkit for the Linux Kernel to develop new ways of infection/detection.\n\n- https://github.com/nurupo/rootkit\n\n  Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64\n\n- https://github.com/m0nad/Diamorphine\n\n  LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86 and x86_64)\n\n- https://github.com/ivyl/rootkit\n\n  Sample Rootkit for 
Linux\n\n- https://github.com/deb0ch/toorkit\n\n  A simple useless rootkit for the linux kernel\n\n- https://github.com/vrasneur/randkit\n\n  Random number rootkit for the Linux kernel\n\n- https://github.com/Eterna1/puszek-rootkit\n\n  Yet another LKM rootkit for Linux. It hooks syscall table.\n\n- https://github.com/trimpsyw/adore-ng\n\n  linux rootkit adapted for 2.6 and 3.x\n\n- https://github.com/bones-codes/the_colonel\n\n  An experimental linux kernel module (rootkit) with a keylogger and built-in IRC bot\n\n- https://github.com/David-Reguera-Garcia-Dreg/enyelkm\n\n  LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.\n\n- https://github.com/falk3n/subversive\n\n  x86_64 linux rootkit using debug registers\n\n- https://github.com/jiayy/lkm-rootkit\n\n  An lkm rootkit support x86/64,arm,mips\n\n- https://github.com/a7vinx/liinux\n\n  A linux rootkit works on kernel 4.0.X or higher\n\n- https://github.com/hanj4096/wukong\n\n  Wukong: a LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x\n\n- https://github.com/varshapaidi/Kernel_Rootkit\n\n  Linux Kernel Rootkit - To hide modules and ssh service\n\n- https://github.com/kacheo/KernelRootkit\n\n  Linux kernel rootkit to hide certain files and processes.\n\n- https://github.com/dsmatter/brootus\n\n  bROOTus is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and it is totally restricted to kernel 2.6.32.\n\n- https://github.com/jarun/keysniffer\n\n  A Linux kernel module to grab keys pressed in the keyboard.\n\n- https://github.com/PinkP4nther/Sutekh\n\n  An example rootkit that gives a userland process root permissions (x86, 4.x)\n\n- https://github.com/En14c/LilyOfTheValley\n\n  LilyOfTheValley is a simple LKM linux kernel rootkit for v4.x that works on (x86 and x86_64)\n\n- https://github.com/NoviceLive/research-rootkit\n\n  This is LibZeroEvil \u0026 the Research Rootkit project, in which there are step-by-step, experiment-based courses 
that help to get you started and keep your hands dirty with offensive or defensive development in the Linux kernel (LibZeroEvil).\n\n- https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit :zap: [writeup](https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit/blob/master/osom.pdf) :zap:\n\n  Out of Sight, Out of Mind is a study and implementation of Linux rootkit methods. In addition a new covert network channel using additional Domain Name System (DNS) is implemented.\n  \n- https://github.com/h3xduck/Umbra\n \n  An experimental LKM rootkit for v4.x/5.x kernels which opens a backdoor that can be used to get a reverse shell remotely.\n\n- https://github.com/kris-nova/boopkit\n\n  Linux backdoor, rootkit, and eBPF bypass tools. Remote command execution over raw TCP.\n\n- https://github.com/milabs/kopycat\n\n  KOPYCAT - Linux Kernel module-less implant (backdoor).\n  \n- https://github.com/h3xduck/TripleCross\n \n  A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.\n\n- https://github.com/carloslack/KoviD\n\n Linux 4.18+ rootkit with multiple reverse backdoors, task management, CPU usage hiding, stealth techniques, ELF infection and evasion from anti-rootkits based on eBPF.\n\n- https://github.com/reveng007/reveng_rtkit\n\n  Linux Loadable Kernel Module (LKM) based rootkit capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter antirootkit.\n\n## :speak_no_evil: related stuff\n\n- https://github.com/landhb/DrawBridge\n\n  A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.\n\n- https://github.com/gianlucaborello/libprocesshider\n\n  Hide a process under Linux using the ld preloader\n\n- https://github.com/spiderpig1297/kprochide\n\n  LKM for hiding processes from the userland. 
The module is able to hide multiple processes and is able to dynamically receive new processes to hide.\n\n- https://github.com/spiderpig1297/kfile-over-icmp\n\n  kfile-over-icmp is a loadable kernel module for stealth sending of files over ICMP communication.\n\n- https://github.com/spiderpig1297/kunkillable\n\n  LKM (loadable kernel module) that makes userland processes unkillable.\n\n- https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html\n\n  Heroin, an LKM based rootkit, and many more LKM based rootkit techniques (it's backdated, but possesses powerful knowledge).\n\n## Contributing\n\n[Please refer to the guidelines at contributing.md for details](CONTRIBUTING.md)\n","funding_links":[],"categories":["Others","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Others (1002)","Security \u0026 Hacking","Technologies"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmilabs%2Fawesome-linux-rootkits","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmilabs%2Fawesome-linux-rootkits","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmilabs%2Fawesome-linux-rootkits/lists"}