{"id":23105757,"url":"https://github.com/vkobel/linux-syscall-hook-rootkit","last_synced_at":"2025-08-28T02:41:11.172Z","repository":{"id":69824896,"uuid":"258459144","full_name":"vkobel/linux-syscall-hook-rootkit","owner":"vkobel","description":"Simple kernel module that hooks the `execve` syscall and waits for `date` to be executed with the `backd00r` argument followed by a PID number, elevating it to root credentials.","archived":false,"fork":false,"pushed_at":"2020-04-24T09:26:36.000Z","size":20,"stargazers_count":24,"open_issues_count":0,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-08-16T16:46:06.039Z","etag":null,"topics":["fun","hook","kernel-module","linux-kernel","rootkit","syscall"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vkobel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-04-24T08:56:44.000Z","updated_at":"2025-05-19T20:12:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"526b3c29-7309-4fe5-8cf9-07c7e8d9b6a9","html_url":"https://github.com/vkobel/linux-syscall-hook-rootkit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/vkobel/linux-syscall-hook-rootkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vkobel%2Flinux-syscall-hook-rootkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vkobel%2Flinux-syscall-hook-rootkit/tags","releases_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/vkobel%2Flinux-syscall-hook-rootkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vkobel%2Flinux-syscall-hook-rootkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vkobel","download_url":"https://codeload.github.com/vkobel/linux-syscall-hook-rootkit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vkobel%2Flinux-syscall-hook-rootkit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272424190,"owners_count":24932893,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-28T02:00:10.768Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fun","hook","kernel-module","linux-kernel","rootkit","syscall"],"created_at":"2024-12-17T00:54:27.741Z","updated_at":"2025-08-28T02:41:11.166Z","avatar_url":"https://github.com/vkobel.png","language":"C","readme":"# Syscall hook rootkit for the Linux Kernel\nThis is a fun example of what can be done using Linux kernel modules.\n\nIt hooks the `execve` syscall and waits for `date` to be executed with the `backd00r` argument followed by a PID number to elevate to root credentials.\n\nTested with kernel 5.6.6.\n\n## Requirements\n- Linux Kernel (tested with 5.6).\n- `CONFIG_KALLSYMS_ALL=y` flag should be enabled to access the syscall table.\n- 
Kernel module loading enabled and module signature enforcement off (the default).\n- No LSM blocking module loads; Lockdown in integrity mode, for example, refuses to load unsigned modules.\n\n## Usage\nOnce the module is installed, as a regular user:\n`\u003e date backd00r [PID]`\n\n## Example\nAs root:\n```sh\n\u003e insmod syscall_hook_rootkit.ko\n[   13.668245] syscall_hook_rootkit: loading out-of-tree module taints kernel.\n[   13.669009] syscall_hook_rootkit: module verification failed: signature and/or required key missing - tainting kl\n[   13.674155] All lights are green...\n```\n\nAs a regular user (`$$` expands to the PID of the current shell, so the shell itself is the process the module makes root and every command it runs afterwards inherits those credentials):\n```sh\n\u003e id\nuid=1000(bob) gid=1000(bob) groups=1000(bob)\n\n\u003e date backd00r $$\n[  17.343304] SECRET: making PID 1341 root!\ndate: extra operand '1341'\nTry 'date --help' for more information.\n\n\u003e id\nuid=0(root) gid=0(root) groups=0(root),1000(bob)\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvkobel%2Flinux-syscall-hook-rootkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvkobel%2Flinux-syscall-hook-rootkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvkobel%2Flinux-syscall-hook-rootkit/lists"}
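The README's `insmod` transcript shows the two artefacts that loading a module like this one leaves behind even before it does anything: the kernel's module loader logs `loading out-of-tree module taints kernel` and `module verification failed: signature and/or required key missing`, and those same events set taint bits 12 (`O`, out-of-tree) and 13 (`E`, unsigned) in `/proc/sys/kernel/tainted`. The following user-space program is an added example and not code from the vkobel/linux-syscall-hook-rootkit project: it parses kernel-log lines for those loader messages, extracts the module name, and decodes the taint mask using the flag letters from `Documentation/admin-guide/tainted-kernels.rst`. The log buffer it scans is constructed from the README transcript (with the truncated `tainting kl` line completed to `tainting kernel`) plus two unrelated entries; the `/proc/sys/kernel/tainted` path and the `dmesg`-style `[ timestamp]` prefix are assumptions about the host. The module's own `All lights are green...` and `SECRET: making PID ... root!` strings are deliberately not keyed on, since an author can change those at will, whereas the loader messages and taint bits come from the kernel itself and persist unless the module goes further and tampers with them.

```c
/*
 * Added example, not part of vkobel/linux-syscall-hook-rootkit: a user-space
 * detector for the kernel-side traces of an out-of-tree, unsigned module load.
 * Taint bit letters follow Documentation/admin-guide/tainted-kernels.rst.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAINT_OOT_MODULE      (1UL << 12)   /* 'O': out-of-tree module loaded */
#define TAINT_UNSIGNED_MODULE (1UL << 13)   /* 'E': unsigned module loaded   */

/* Flag letter per taint bit, bit 0 first (bit 0 prints as 'P' when set). */
static const char TAINT_LETTERS[] = "PFSRMBUDAWCIOELKXTN";

/* Constructed sample log: the README transcript plus two benign lines. */
static const char SAMPLE_LOG[] =
    "[   13.668245] syscall_hook_rootkit: loading out-of-tree module taints kernel.\n"
    "[   13.669009] syscall_hook_rootkit: module verification failed: signature and/or required key missing - tainting kernel\n"
    "[   13.674155] All lights are green...\n"
    "[   14.001000] usb 1-1: new high-speed USB device number 2 using xhci_hcd\n";

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* If `line` is a module-loader message of the form
 *   [<ts>] <module>: loading out-of-tree module ...
 *   [<ts>] <module>: module verification failed ...
 * copy <module> into `name` and return 1; otherwise return 0. */
int parse_module_taint_line(const char *line, char *name, size_t namelen)
{
    const char *p = line;
    if (*p == '[') {                          /* optional dmesg timestamp */
        const char *close = strchr(p, ']');
        if (!close)
            return 0;
        p = close + 1;
        while (*p == ' ')
            p++;
    }
    const char *colon = strstr(p, ": ");      /* "<module>: <message>" */
    if (!colon)
        return 0;
    const char *msg = colon + 2;
    if (!starts_with(msg, "loading out-of-tree module") &&
        !starts_with(msg, "module verification failed"))
        return 0;
    size_t n = (size_t)(colon - p);
    /* module names contain no spaces; reject "usb 1-1: ..." style prefixes */
    if (n == 0 || n >= namelen || memchr(p, ' ', n) != NULL)
        return 0;
    memcpy(name, p, n);
    name[n] = '\0';
    return 1;
}

/* Scan newline-separated kernel log text. Returns the number of module-taint
 * events; `last_module` receives the name from the last matching line. */
int scan_kernel_log(const char *log, char *last_module, size_t len)
{
    int hits = 0;
    char line[512];
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        if (parse_module_taint_line(line, last_module, len))
            hits++;
        p = nl ? nl + 1 : p + n;
    }
    return hits;
}

/* Render a taint mask as the kernel's flag letters ("OE" for 12288).
 * Returns the number of letters written. */
int decode_taint(unsigned long mask, char *out, size_t outlen)
{
    size_t k = 0;
    if (outlen == 0)
        return 0;
    for (size_t bit = 0; bit < strlen(TAINT_LETTERS) && k + 1 < outlen; bit++)
        if (mask & (1UL << bit))
            out[k++] = TAINT_LETTERS[bit];
    out[k] = '\0';
    return (int)k;
}

/* 1 if the mask shows that an out-of-tree or unsigned module was loaded. */
int taint_shows_rogue_module(unsigned long mask)
{
    return (mask & (TAINT_OOT_MODULE | TAINT_UNSIGNED_MODULE)) != 0;
}

/* Read the running host's taint mask; 0 if the file is unreadable. */
unsigned long read_host_taint(void)
{
    FILE *f = fopen("/proc/sys/kernel/tainted", "r");
    unsigned long mask = 0;
    if (f) {
        if (fscanf(f, "%lu", &mask) != 1)
            mask = 0;
        fclose(f);
    }
    return mask;
}

int main(void)
{
    char module[128], flags[32];
    int hits = scan_kernel_log(SAMPLE_LOG, module, sizeof module);
    printf("sample log: %d module-taint event(s), last module %s\n",
           hits, hits ? module : "(none)");

    unsigned long mask = read_host_taint();
    decode_taint(mask, flags, sizeof flags);
    printf("host taint mask %lu [%s]: %s\n", mask, flags,
           taint_shows_rogue_module(mask) ? "out-of-tree/unsigned module loaded"
                                          : "no module taint");
    return 0;
}
```

On a host where this module has been inserted, the second line reports a mask with at least `O` and `E` set; on a stock distribution kernel with only signed in-tree modules it reports `0 []`. The same two checks are cheap to run from an agent or a cron job, and they catch any unsigned out-of-tree module, not just this one.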