{"id":13508253,"url":"https://github.com/nurupo/rootkit","last_synced_at":"2025-04-12T18:45:26.803Z","repository":{"id":50604805,"uuid":"79993552","full_name":"nurupo/rootkit","owner":"nurupo","description":"Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64","archived":false,"fork":false,"pushed_at":"2024-04-07T03:35:41.000Z","size":26,"stargazers_count":795,"open_issues_count":0,"forks_count":202,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-04-03T20:12:26.618Z","etag":null,"topics":["kernel-module","linux-kernel-module","linux-rootkit","rootkit"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nurupo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"nurupo","custom":["https://github.com/nurupo/donate","https://paypal.com/donate?hosted_button_id=9HJHAH5UDL3GL","https://blockstream.info/address/34qxFsZjs1ZWVBwer11gXiycpv7QHTA8q3"]}},"created_at":"2017-01-25T07:45:31.000Z","updated_at":"2025-03-30T17:32:01.000Z","dependencies_parsed_at":"2024-11-01T07:31:26.205Z","dependency_job_id":"c4f36d4a-126c-4e26-a983-334297b84596","html_url":"https://github.com/nurupo/rootkit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nurupo%2Frootkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nurupo%2Frootkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nurupo%2Frootkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nurupo%2Frootkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nurupo","download_url":"https://codeload.github.com/nurupo/rootkit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248617358,"owners_count":21134190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel-module","linux-kernel-module","linux-rootkit","rootkit"],"created_at":"2024-08-01T02:00:50.410Z","updated_at":"2025-04-12T18:45:26.782Z","avatar_url":"https://github.com/nurupo.png","language":"C","readme":"# Linux Rootkit\n\nA simple Linux kernel rootkit written for fun, not evil.\n\n## Functionality\n\nThe rootkit can do the following:\n\n- Grant root privileges to a userland process\n- Hide process by PID\n- Unhide a previously hidden process by PID\n- Hide files or directories by their name\n- Unhide previously hidden files or directories\n- Hide itself\n- Unhide itself\n- Protect against being unloaded by the user\n- Disable the unload protection\n\n## Supported Platforms\n\nThe rootkit was tested to work on Linux kernels 2.6.32-38 and 4.4.0-22 as provided by Ubuntu in Ubuntu 10.04.4 LTS and Ubuntu 16.04 LTS respectively, but it should be very easy to port to kernels in-between, as well as newer ones.\n\nThere is some architecture-specific code in the rootkit which is implemented only for x86 and x86-64 architectures.\nThat's the code for finding the system call table, disabling write-protected memory and one of the two function hooking methods.\nIt should be very easy to port to a new architecture, and some of this code is not strictly necessary for the rootkit to function, e.g. the non-portable hooking method could be stripped away, though you must be a very boring person if you are willing to miss out on the fun of function hooking that overwrites machine code of the target kernel function such that it calls our hook function instead.\n\nThe rootkit was tested only with 1 CPU core, so it may or may not function correctly on a multi-core system.\nIt likely won't run very well on a multi-core system as the rootkit was written expecting there to be only 1 thread executing anything at any given time, so it lacks atomic writes/reads and mutexes around list data structures.\n\n## Build\n\n### Setting Up Environment\n\nWarm up your VM of choice.\n\nGrab and install the desired Ubuntu image:\n\n| Kernel / arch |         x86         |        x86-64        |\n|:-------------:|:-------------------:|:--------------------:|\n|     2.6.32    | Ubuntu 10.04.4 i386 (694M) [[torrent]](http://old-releases.ubuntu.com/releases/10.04.0/ubuntu-10.04.4-server-i386.iso.torrent) [[iso]](http://old-releases.ubuntu.com/releases/10.04.0/ubuntu-10.04.4-server-i386.iso) | Ubuntu 10.04.4 amd64 (681M) [[torrent]](http://old-releases.ubuntu.com/releases/10.04.0/ubuntu-10.04.4-server-amd64.iso.torrent) [[iso]](http://old-releases.ubuntu.com/releases/10.04.0/ubuntu-10.04.4-server-amd64.iso) |\n|     4.4.0     | Ubuntu 16.04 i386 (647M) [[torrent]](http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-server-i386.iso.torrent) [[iso]](http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-server-i386.iso) |  Ubuntu 16.04 amd64 (655M) [[torrent]](http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-server-amd64.iso.torrent) [[iso]](http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-server-amd64.iso) |\n\nFor Ubuntu 10.04, patch the package repository address:\n\n```sh\nsed -i -re 's/([a-z]{2}\\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list\n```\n\nInstall a compiler, Linux headers and all other things required for us to build the rootkit:\n\n```sh\napt-get update\napt-get install build-essential\n```\n\nMake sure not to call `apt-get upgrade`, as it would update the kernel, and the rootkit was tested only on the pre-installed kernel version.\n\n### Actual Building\n\n```sh\nmake\n```\n\n## Use\n\nLoad rootkit:\n\n```sh\ninsmod rootkit.ko\n```\n\nUse rootkit:\n\n```sh\n$ ./client --help\nUsage: ./client [OPTION]...\n\nOptions:\n  --root-shell            Grants you root shell access.\n  --hide-pid=PID          Hides the specified PID.\n  --unhide-pid=PID        Unhides the specified PID.\n  --hide-file=FILENAME    Hides the specified FILENAME globally.\n                          Must be a filename without any path.\n  --unhide-file=FILENAME  Unhides the specified FILENAME.\n  --hide                  Hides the rootkit LKM.\n  --unhide                Unhides the rootkit LKM.\n  --help                  Print this help message.\n  --protect               Protects the rootkit from rmmod.\n  --unprotect             Disables the rmmod protection.\n```\n\nUnload rootkit:\n\n```sh\n./client --unhide\n./client --unprotect\nrmmod rootkit.ko\n```\n\n## YOU ARE OUT OF YOUR MIND TO PUBLICLY RELEASE SUCH MALICIOUS CODE ONLINE, YOU ARE LITERALLY ARMING SCRIPT KIDDIES WITH NUKES!!!1\nNot really, there are many articles online on how to write a Linux rootkit with the full source code provided, not to mention the countless GitHub repositories.\n\n## References\nThe following materials were used in writing this rootkit:\n\n- [Linux kernel code](http://lxr.free-electrons.com)\n- [Linux kernel documentation](https://www.kernel.org/doc/)\n- [Linux Loadable Kernel Module HOWTO](http://www.tldp.org/HOWTO/html_single/Module-HOWTO/)\n- [WRITING A SIMPLE ROOTKIT FOR LINUX](https://web.archive.org/web/20180609141026/https://w3.cs.jmu.edu/kirkpams/550-f12/papers/linux_rootkit.pdf)\n- [Modern Linux Rootkits 101](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html)\n- [Writing Modern Linux Rootkits 201 - VFS](http://turbochaos.blogspot.com/2013/10/writing-linux-rootkits-201-23.html)\n- [Linux Kernel Module example. Rickroll prank.](https://web.archive.org/web/20170218150045/http://maitesin.github.io/Module_prank/)\n\n## License\nThis project is licensed under [GPLv2](LICENSE).\n","funding_links":["https://github.com/sponsors/nurupo","https://github.com/nurupo/donate","https://paypal.com/donate?hosted_button_id=9HJHAH5UDL3GL","https://blockstream.info/address/34qxFsZjs1ZWVBwer11gXiycpv7QHTA8q3"],"categories":["C","Kernel Module rootkit","others"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnurupo%2Frootkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnurupo%2Frootkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnurupo%2Frootkit/lists"}