{"id":15004681,"url":"https://github.com/reveng007/reveng_rtkit","last_synced_at":"2025-04-09T11:11:36.003Z","repository":{"id":46661843,"uuid":"462661938","full_name":"reveng007/reveng_rtkit","owner":"reveng007","description":"Linux Loadable Kernel Module (LKM) based rootkit (ring-0), capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter  antirootkit.","archived":false,"fork":false,"pushed_at":"2023-09-22T06:05:25.000Z","size":7261,"stargazers_count":248,"open_issues_count":10,"forks_count":54,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-04-02T09:06:41.046Z","etag":null,"topics":["antirootkit-bypass","backdoor","c","hacking-tool","hacktoberfest","kernel-mode-rootkit","linux","linux-device-driver","linux-kernel","linux-kernel-module","malware","post-exploitation-toolkit","redteam","redteam-tools","ring0","rkhunter-antirootkit","security","security-tools"],"latest_commit_sha":null,"homepage":"https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/reveng007.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-23T09:15:35.000Z","updated_at":"2025-03-30T18:14:42.000Z","dependencies_parsed_at":"2024-12-25T09:11:30.424Z","dependency_job_id":"50c7832c-bc1a-4d17-a05a-6aa0764f3da8","html_url":"https://github.com/reveng007/reveng_rtkit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/reveng007%2Freveng_rtkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reveng007%2Freveng_rtkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reveng007%2Freveng_rtkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reveng007%2Freveng_rtkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/reveng007","download_url":"https://codeload.github.com/reveng007/reveng_rtkit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248027411,"owners_count":21035594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antirootkit-bypass","backdoor","c","hacking-tool","hacktoberfest","kernel-mode-rootkit","linux","linux-device-driver","linux-kernel","linux-kernel-module","malware","post-exploitation-toolkit","redteam","redteam-tools","ring0","rkhunter-antirootkit","security","security-tools"],"created_at":"2024-09-24T19:01:00.966Z","updated_at":"2025-04-09T11:11:35.981Z","avatar_url":"https://github.com/reveng007.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# reveng_rtkit\n\u003cp align=\"center\"\u003e\n    \u003cimg alt=\"Language\" src=\"https://img.shields.io/badge/Language-C-green\" /\u003e\n    \u003cimg alt=\"Compiled with\" src=\"https://img.shields.io/badge/Compiled%20with-gcc-blue\" /\u003e\n    \u003cimg alt=\"Tested on\" 
src=\"https://img.shields.io/badge/Tested%20on-Ubuntu%2021.04%20(Hirsute%20Hippo)%20x86__64%20and%20Kernel%205.11.0--49--generic-yellow\" /\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n\u003c!--    \n\t\u003cimg alt=\"Category\" src=\"https://img.shields.io/badge/Category-Post%20Exploitation%2F%20Persistence%2F%20Stealth-red\" /\u003e \n--\u003e\n    \u003cimg alt=\"Category\" src=\"https://img.shields.io/badge/Category-Post%20Exploitation%2F%20Stealth-red\" /\u003e\n    \u003cimg alt=\"License\" src=\"https://img.shields.io/badge/License-MIT-yellow.svg\" /\u003e\n\u003c/p\u003e\n\n***`reveng_rtkit`*** is a Linux Loadable Kernel module (aka LKM) based rootkit targeting Linux Kernel: 5.11.0-49-generic as it was only tested on it till now.\n\n---\n\u003e :no_entry_sign: [Disclaimer]: Use of this project is for **Educational/ Testing purposes only**. Using it on **unauthorised machines** is **strictly forbidden**. If somebody is found to use it for **illegal/ malicious intent**, author of the repo will **not** be held responsible.\n---\n\n### reveng_rtkit mechanism:\n\n![](https://github.com/reveng007/reveng_rtkit/blob/main/reveng_rtkit_mechanism.jpeg?raw=true)\n\n### \u003cins\u003eRootkit features\u003c/ins\u003e:\n\n| Sl. no. | Name | Features |\n| ------- | ------- | -------- | \n| 1. | Finding Syscall Table address | By creating custom kallsyms_lookup_name function to get \u003cins\u003eaddress\u003c/ins\u003e of `sys_call_table` symbol from kernel memory. |\n| 2. | Function Hooking | Get the \u003cins\u003eaddress\u003c/ins\u003e of the `syscall` from `sys_call_table` to get them hooked, then `modify CR0 register` to \u003cins\u003eremove write protect bit\u003c/ins\u003e and then modify/edit the `sys_call_table` and then again \u003cins\u003eapplying write protection to kernel memory\u003c/ins\u003e. |\n| 3. | Hide Rootkit | Hides itself by deleting itself(or entry) from responsible linked list. |\n| 4. 
| Hide Processes/implants | Done in the same way, as mentioned above in Sl. no. 2. |\n| 5. | Unable to rmmod rootkit module | Using the kernel function called `try_module_get()` makes it impossible for admins to remove our rootkit. |\n| 6. | Interactive Control | Implementing an IOCTL which manages the features of the rootkit and allows the user to send it commands. |\n| 7. | Bypassing | Can bypass the infamous [rkhunter](https://wiki.archlinux.org/title/Rkhunter) antirootkit |\n\n### Let's see what functions will be called during loading the rootkit:\n\n| Defined within Filename | Functions | function name in rootkit.c | Working | Effectivity of remove_rootkit() | Mode of access | \n| ----------------------- | --------- | -------------------------- | ------- | ----------------------------------------------------- | -- | \n| hide_show_helper.h | proc_lsmod_hide_rootkit() | hide_rootkit() | Hides rootkit from _\"/proc/modules\"_ file, _\"/proc/kallsyms\"_ file and \"lsmod\" command. | No effectivity | ./client_usermode | \n| hide_show_helper.h | sys_module_hide_rootkit() | hide_rootkit() | Hides rootkit from \"/sys/module/\u003cTHIS_MODULE\u003e/\" directory. | No effectivity | ./client_usermode | \n| hide_show_helper.h | proc_lsmod_show_rootkit() | show_rootkit() | Reveals our rootkit in _\"/proc/modules\"_ file, _\"/proc/kallsyms\"_ file and \"lsmod\" command. | Will work effectively | ./client_usermode | \n| hide_show_helper.h | sys_module_show_rootkit() | show_rootkit() | Reveals our rootkit in \"/sys/module/\u003cTHIS_MODULE\u003e/\" directory. | _ | ./client_usermode |\n| rootkit.c | tidy() | tidy() | In this function we do some clean up. If we don't do this, there will be some errors during unloading the rootkit using `rmmod`. | _ | _ |\n| rootkit.c | protect_rootkit() | protect_rootkit() | This is a very simple function which just makes it impossible to unload the rootkit by the \"rmmod rootkit\" command even if it is visible. 
However it is still possible to unload by \"rmmod -f rootkit\" if the kernel was compiled with support for forced unloading of modules. \u0026nbsp; link: [sysprog21.github.io](https://sysprog21.github.io/lkmpg/#building-modules-for-a-precompiled-kernel) | _ | ./client_usermode | \n| rootkit.c | remove_rootkit() | remove_rootkit() | Making rootkit removable from kernel using rmmod | _ | ./client_usermode |\n| hook_syscall_helper.h | hacked_kill() | rootkit_init() and rootkit_exit(void) | Process/Implant Hiding | _ | cmd prompt: kill -31 \\\u003cpid\u003e |\n| hook_syscall_helper.h | hacked_kill() | rootkit_init() and rootkit_exit(void) | getting rootshell | _ | cmd prompt: kill -64 \\\u003cany pid\u003e |\n\n### NOTE:\n\u003e **Function tidy(), sys_module_hide_rootkit() and sys_module_show_rootkit() are not used in code. They were commented out. The reason behind that will be discussed in detail in my blog post.**\n\n### How to use it:\n1. Clone the repo\n```\n$ git clone https://github.com/reveng007/reveng_rtkit.git\n```\n2. Enter the directory\n```\n$ cd reveng_rtkit/\n```\n3. Now, we have 2 directories: kernel_src and user_src.\n- user_src:\nContains `usermode client code` to interact with our rootkit module (once it is loaded into the kernel) via the registered Character Device file.\n- kernel_src:\nContains `kernelmode rootkit: reveng_rtkit` which will be responsible for the whole mayhem :wink:.\n\n```\n$ cd kernel_src/\n$ make\n$ sudo insmod reveng_rtkit.ko\n```\n![kernel_rootkit](https://user-images.githubusercontent.com/61424547/161190087-eace0284-50ae-48e7-b9a9-d3dbf255837b.png)\n\n4. To interact with the kernel rootkit, open another terminal\n```\n$ cd reveng_rtkit/user_src/\n```\n5. 
Compile and run the code\n```\n$ gcc client_usermode.c -o client_usermode\n$ sudo ./client_usermode\n```\n#### NOTE: Be sure to run the code with root priv., because we are interacting with a device driver, which is a part of the Linux kernel.\n\n![client_mode](https://user-images.githubusercontent.com/61424547/155754834-13bf9ee5-0bdd-4d30-af88-71a26a92dee8.png)\n\n6. Another method to interact with it is via kill syscall interception:\n- To hide process/implant:\n```\n$ kill -31 \u003cpid\u003e\n```\n![Screenshot from 2022-02-25 20-40-46](https://user-images.githubusercontent.com/61424547/155739121-b609d517-0b4f-4afc-a2db-b4ce7f331b17.png)\n\n- To get root shell (_without providing a password_):\n```\n$ kill -64 \u003cany pid\u003e\n```\n![Screenshot from 2022-02-25 20-45-45](https://user-images.githubusercontent.com/61424547/155755082-d6ced40f-e0b0-47a3-8029-4f26b322df29.png)\n\n#### NOTE:\n\u003e This rootkit is capable of providing a rootshell to only the bash and sh shells, not others. Although it is possible for other shells as well, it needs some tricks. We can use a system()-like function in Linux Kernel programming, so that we first trigger a bash/sh shell and then offer the rootshell to the attacker. I haven't got that type of kernel function till now, but as soon as I get it, I will add it up. 
If anybody viewing this knows about this, or is interested in contributing, they are most welcome to make a pull request.\n\n- To remove this rootkit module: first make the module visible via the `show` command using the client_usermode file, since reveng_rtkit hides itself while loading (also change to `remove` mode, if you have previously put the rootkit module into `protect` mode).\n```\nreveng007@ubuntoo ~/D/k/B/L/x/1/g/kernel_src\u003e sudo ../user_src/client_usermode\n[sudo] password for reveng007: \n\n\n[+] Created by @reveng007(Soumyanil)\n\n\n|+++++++++++++++++++ Available commands ++++++++++++++++++|\n\nhide\t\t: Command to hide rootkit \n\t\t=\u003e In this mode, in no way this rootkit be removable\n\nshow\t\t: Command to unhide rootkit \n\t\t=\u003e In this mode, rootkit_protect and rootkit_remove will work effectively\n\nprotect\t\t: Command to make rootkit unremovable (even if it can be seen in usermode)\n\nremove\t\t: Command to make rootkit removable\n\nkill -31 \u003cpid\u003e\t: Command to hide/unhide running process. Applicable in normal shell prompt.\n\t\t=\u003e write: `process` in the below prompt to close without any error\n\nkill -64 \u003cany pid\u003e\t: Command to get rootshell. Applicable in normal shell prompt.\n\t\t=\u003e write: `root` in the below prompt to close without any error\n\n\n[+] Driver file opened\n[?] 
Enter the Value to send: show\n[+] Written Value to Device file\n[*] Reading Value from Device file: Value present in Device: show\n\n[+] Device file closed\nreveng007@ubuntoo ~/D/k/B/L/x/1/g/kernel_src\u003e sudo ../user_src/client_usermode\n\n\n[+] Created by @reveng007(Soumyanil)\n\n\n|+++++++++++++++++++ Available commands ++++++++++++++++++|\n\nhide\t\t: Command to hide rootkit \n\t\t=\u003e In this mode, in no way this rootkit be removable\n\nshow\t\t: Command to unhide rootkit \n\t\t=\u003e In this mode, rootkit_protect and rootkit_remove will work effectively\n\nprotect\t\t: Command to make rootkit unremovable (even if it can be seen in usermode)\n\nremove\t\t: Command to make rootkit removable\n\nkill -31 \u003cpid\u003e\t: Command to hide/unhide running process. Applicable in normal shell prompt.\n\t\t=\u003e write: `process` in the below prompt to close without any error\n\nkill -64 \u003cany pid\u003e\t: Command to get rootshell. Applicable in normal shell prompt.\n\t\t=\u003e write: `root` in the below prompt to close without any error\n\n\n[+] Driver file opened\n[?] Enter the Value to send: remove\n[+] Written Value to Device file\n[*] Reading Value from Device file: Value present in Device: remove\n\n[+] Device file closed\n```\n### Bypassing ***rkhunter*** antirootkit:\n\nHere is the log file, that was generated:\n\n[![asciicast](https://asciinema.org/a/488606.svg)](https://asciinema.org/a/488606)\n\n- Only one warning is present:\n1. /usr/bin/lwp-request : [stackexchange](https://unix.stackexchange.com/questions/373718/rkhunter-gives-me-a-warning-for-usr-bin-lwp-request-what-should-i-do-debi)\nSo, this is not a threat! 
cool!\n\n### Update:\nToday, I found out this ***Warning***.\n\n![rootkit_warning](https://user-images.githubusercontent.com/61424547/200777350-10af0a77-efcc-4fff-9ba4-0580197045b5.png)\n\nThen I searched the other options of ***rkhunter*** to get more information about this \"**warning**\", i.e. which exact processes are actually causing this warning (`suspicious (large) shared memory segments`). Found out this:\n\n![rootkit_warning_reasons](https://user-images.githubusercontent.com/61424547/200780076-dca793ac-b047-427c-8e3d-a6f3b55b4e51.png)\n\nWe can see it is telling us, `configured size allowed: 1.0MB`, i.e. those processes which take more than 1MB get flagged. But the main point is that our rootkit is not getting flagged :) (more like a false-positive thing).\n\nThere are several links related to this:\n1. [serverfault](https://serverfault.com/questions/697865/rkhunter-suspicious-shared-memory-segments)\n2. [linuxquestions](https://www.linuxquestions.org/questions/linux-security-4/rkhunter-gives-warnings-about-large-shared-memory-segments-and-a-few-strange-files-4175649554/)\n\n\n### To-Do list :man_mechanic::\n- Hiding process files completely. Our hidden process file can still be accessed to open/read. 
If someone does `ls \u003cfilename\u003e`, they can easily open them.\n- Successfully hiding and revealing our LKM module in the `/sys/module/` directory using syscall interception, in order to deceive usermode programs [issue #6](https://github.com/reveng007/reveng_rtkit/issues/6).\n- Adding a system()-like C function in Linux Kernel programming, in order to open a new bash/sh prompt [issue #1](https://github.com/reveng007/reveng_rtkit/issues/1).\n- Adding Linux Kernel Sockets [issue #2](https://github.com/reveng007/reveng_rtkit/issues/2).\n- Surviving system reboot [issue #5](https://github.com/reveng007/reveng_rtkit/issues/5).\n- Breaking `kernel_src/reveng_rtkit.c` [issue #8](https://github.com/reveng007/reveng_rtkit/issues/8).\n- Adding the capability to `bypass SELinux enabled Linux System` [issue #9](https://github.com/reveng007/reveng_rtkit/issues/12).\n- Bypassing `chkrootkit antirootkit` [issue #4](https://github.com/reveng007/reveng_rtkit/issues/4).\n    - Still getting detected by `chkrootkit antirootkit`, under the `chkproc section`: [chkproc.c](https://github.com/Magentron/chkrootkit/blob/master/chkproc.c)\n\u0026nbsp;\n\u0026nbsp;\n![Screenshot from 2022-02-26 09-33-19](https://user-images.githubusercontent.com/61424547/155828253-812b8d7a-7326-4b57-9956-1fcaa92ec319.png)\n\n### Limitations:\n- This LKM based rootkit can only be used on those Linux OSs which don't have these two protections:\n\t1. Secure Boot\n\t2. 
Adding a grub parameter to the \"`/etc/default/grub`\" file.\nThis was pointed out to me by [Artem Baranov](https://www.linkedin.com/in/artem-baranov-86163135) and this [link](https://blog.delouw.ch/2017/04/18/signing-linux-kernel-kodules-and-enforce-to-load-only-signed-modules/) was shared with me, on my LinkedIn post, by [Victor Sergeev](https://ae.linkedin.com/in/victor-sergeev/), for further research.\n\n#### A detailed blog article on the ***reveng_rtkit*** LKM rootkit is available [now](https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html), where I have explained how I created this LKM rootkit step by step.\n\n\u003e If you (viewers) have spotted anything erroneous or something which should be corrected, which I haven't documented correctly or for which I haven't credited someone's work properly, please don't hesitate to reach out to me via the social media handles listed at the end of this file.\n\n### Honourable Mentions:\n- [kurogai/100-redteam-project](https://github.com/kurogai/100-redteam-projects#honorable-mentions)\n- [milabs/awesome-linux-rootkits](https://github.com/milabs/awesome-linux-rootkits#speak_no_evil-related-stuff)\n- Selected by BSides St Pete, Florida to be presented - [link](https://drive.google.com/file/d/19Jv-Ju-6tVjO2OD1uyKkYC7hxXhWemcY/view).\n- Selected by BSides Prishtina, Kosovo to be presented - [link](https://drive.google.com/file/d/1Z0bljsYvX8nr4BbOQi6N0XdtfsCIYP_B/view?usp=share_link).\n- BlackHat, USA - [twitter-thread](https://twitter.com/reveng007/status/1594670602870173696)\n\n### Resources that helped me:\n1. This project is heavily inspired by [Heroin](https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html#A-b) by Runar Jensen (didn't get any of his social media handle ;( ) and [Diamorphine](https://github.com/m0nad/Diamorphine/) by [@m0nadlabs](https://twitter.com/m0nadlabs) open source LKM rootkit projects. 
Especially, the `Syscall interception mechanism section` was totally taken from [Diamorphine](https://github.com/m0nad/Diamorphine/) repo by [@m0nadlabs](https://twitter.com/m0nadlabs).\n2. https://github.com/pentesteracademy/linux-rootkits-red-blue-teams\n3. Rootkit features: https://github.com/R3x/linux-rootkits\n4. Excellent resource for grabbing lkm rootkit concepts: https://jm33.me/tag/lkm.html\n5. Simple LKM rootkit: https://theswissbay.ch/pdf/Whitepaper/Writing%20a%20simple%20rootkit%20for%20Linux%20-%20Ormi.pdf\n6. IOCTL: https://github.com/Embetronicx/Tutorials/tree/master/Linux/Device_Driver/IOCTL\n7. https://infosecwriteups.com/linux-kernel-module-rootkit-syscall-table-hijacking-8f1bc0bd099c\n8. LKM HACKING: https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html\n9. Hide Files and Processes:\\\ni. https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html#II.2.1.\u003c/br\u003e\nii. https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html#II.5.\u003c/br\u003e\niii. https://jm33.me/linux-rootkit-for-fun-and-profit-0x02-lkm-hide-filesprocs.html\n10. Get Rootshell: https://xcellerator.github.io/posts/linux_rootkits_03/\n11. kobject: https://www.win.tue.nl/~aeb/linux/lk/lk-13.html\n12. https://sysprog21.github.io/lkmpg/\n13. https://ish-ar.io/kprobes-in-a-nutshell/\n14. Editing cr0 register: https://hadfiabdelmoumene.medium.com/change-value-of-wp-bit-in-cr0-when-cr0-is-panned-45a12c7e8411\n15. https://www.researchgate.net/publication/240376985_UNIX_and_Linux_based_Rootkits_Techniques_and_Countermeasures\n\n## Slides from my talk on [BSides Singapore](https://bsidessg.org/)\n1. PPT: [PPT Version](https://github.com/reveng007/reveng_rtkit/blob/main/reveng_rtkit%20-BSides%20Singapore.pptx)\n2. 
PDF: [pdf Version](https://github.com/reveng007/reveng_rtkit/blob/main/reveng_rtkit%20-BSides%20Singapore.pptx.pdf)\n\n### Author: @reveng007 (Soumyanil Biswas)\n---\n[![](https://img.shields.io/badge/Twitter-@reveng007-1DA1F2?style=flat-square\u0026logo=twitter\u0026logoColor=white)](https://twitter.com/reveng007)\n[![](https://img.shields.io/badge/LinkedIn-@SoumyanilBiswas-0077B5?style=flat-square\u0026logo=linkedin\u0026logoColor=white)](https://www.linkedin.com/in/soumyanil-biswas/)\n[![](https://img.shields.io/badge/Github-@reveng007-0077B5?style=flat-square\u0026logo=github\u0026logoColor=black)](https://github.com/reveng007/)\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freveng007%2Freveng_rtkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freveng007%2Freveng_rtkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freveng007%2Freveng_rtkit/lists"}