awesome-linux-rootkits

:key: feature table

Environment:

  • CPU architecture
  • Kernel/User mode (or mixed)

Core capabilities:

  • Persistency
  • Management interface
  • Altering system (library) behavior

Stealth capabilities:

  • Detection evasion
  • System logs cleaning (filtering)

Hiding stuff capabilities:

  • Hiding of files and directories
  • Hiding (tampering) of file contents
  • Hiding of processes and process trees
  • Hiding of network connections and activity
  • Hiding of process accounting information (like CPU usage)

Additional functions:

  • Keylogger
  • Backdoor/shell
  • Gaining privileges

:see_no_evil: user mode rootkits

  • https://github.com/mempodippy/vlany

    Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)

  • https://github.com/unix-thrust/beurk

    BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection.

  • https://github.com/chokepoint/azazel

    Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit.

  • https://github.com/chokepoint/Jynx2

    JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit.

  • https://github.com/chokepoint/jynxkit

    JynxKit is an LD_PRELOAD userland rootkit for Linux systems with reverse connection SSL backdoor

  • https://github.com/NexusBots/Umbreon-Rootkit

    LD_PRELOAD-based

  • https://github.com/ChristianPapathanasiou/apache-rootkit

    A malicious Apache module with rootkit functionality

:hear_no_evil: kernel mode rootkits

  • https://github.com/jermeyyy/rooty

    Academic project of Linux rootkit made for Bachelor Engineering Thesis.

  • https://github.com/trailofbits/krf

    A kernelspace randomized syscall faulter for Linux 4.15+

  • https://github.com/f0rb1dd3n/Reptile :zap: details :zap:

    Reptile is a LKM rootkit written for evil purposes that runs on Linux kernel 2.6.x/3.x/4.x

  • https://github.com/QuokkaLight/rkduck :zap: details :zap:

    rkduck - Rootkit for Linux v4

  • https://github.com/croemheld/lkm-rootkit

    An LKM rootkit for most newer kernel versions.

  • https://github.com/mncoppola/suterusu

    An LKM rootkit targeting Linux 2.6.x/3.x on x86 and ARM

  • https://github.com/romeroperezabel/ARP-RootKit

    An open source rootkit for the Linux Kernel to develop new ways of infection/detection.

  • https://github.com/nurupo/rootkit

    Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64

  • https://github.com/m0nad/Diamorphine

    LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86 and x86_64)

  • https://github.com/ivyl/rootkit

    Sample Rootkit for Linux

  • https://github.com/deb0ch/toorkit

    A simple useless rootkit for the Linux kernel

  • https://github.com/vrasneur/randkit

    Random number rootkit for the Linux kernel

  • https://github.com/Eterna1/puszek-rootkit

    Yet another LKM rootkit for Linux. It hooks syscall table.

  • https://github.com/trimpsyw/adore-ng

    Linux rootkit adapted for kernels 2.6 and 3.x

  • https://github.com/bones-codes/the_colonel

    An experimental Linux kernel module (rootkit) with a keylogger and built-in IRC bot

  • https://github.com/David-Reguera-Garcia-Dreg/enyelkm

    LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.

  • https://github.com/falk3n/subversive

    x86_64 Linux rootkit using debug registers

  • https://github.com/jiayy/lkm-rootkit

    An LKM rootkit supporting x86/x86_64, ARM and MIPS

  • https://github.com/a7vinx/liinux

    A Linux rootkit that works on kernel 4.0.x or higher

  • https://github.com/hanj4096/wukong

    Wukong: an LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x

  • https://github.com/varshapaidi/Kernel_Rootkit

    Linux kernel rootkit to hide modules and the ssh service

  • https://github.com/kacheo/KernelRootkit

    Linux kernel rootkit to hide certain files and processes.

  • https://github.com/dsmatter/brootus

    bROOTus is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and it is totally restricted to kernel 2.6.32.

  • https://github.com/jarun/keysniffer

    A Linux kernel module to grab keys pressed in the keyboard.

  • https://github.com/PinkP4nther/Sutekh

    An example rootkit that gives a userland process root permissions (x86, 4.x)

  • https://github.com/En14c/LilyOfTheValley

    LilyOfTheValley is a simple LKM Linux kernel rootkit for v4.x kernels that works on x86 and x86_64

  • https://github.com/NoviceLive/research-rootkit

    LibZeroEvil and the Research Rootkit project: step-by-step, experiment-based courses that help you get started with, and keep your hands dirty in, offensive or defensive development in the Linux kernel.

  • https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit :zap: writeup :zap:

    Out of Sight, Out of Mind is a study and implementation of Linux rootkit methods. In addition, a new covert network channel over the Domain Name System (DNS) is implemented.

  • https://github.com/h3xduck/Umbra

    An experimental LKM rootkit for v4.x/5.x kernels which opens a backdoor that can be used to get a reverse shell remotely.

  • https://github.com/kris-nova/boopkit

    Linux backdoor, rootkit, and eBPF bypass tools. Remote command execution over raw TCP.

  • https://github.com/milabs/kopycat

    KOPYCAT - Linux Kernel module-less implant (backdoor).

  • https://github.com/h3xduck/TripleCross

    A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

  • https://github.com/carloslack/KoviD

    Linux 4.18+ rootkit with multiple reverse backdoors, task management, CPU usage hiding, stealth techniques, ELF infection and evasion of eBPF-based anti-rootkit tools.

  • https://github.com/reveng007/reveng_rtkit

    Linux Loadable Kernel Module (LKM) based rootkit capable of hiding itself and processes/implants; it is rmmod-proof and can bypass the well-known rkhunter anti-rootkit tool.

:speak_no_evil: related stuff

  • https://github.com/landhb/DrawBridge

    A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.

  • https://github.com/gianlucaborello/libprocesshider

    Hide a process under Linux using the LD_PRELOAD mechanism

  • https://github.com/spiderpig1297/kprochide

    LKM for hiding processes from the userland. The module is able to hide multiple processes and is able to dynamically receive new processes to hide.

  • https://github.com/spiderpig1297/kfile-over-icmp

    kfile-over-icmp is a loadable kernel module for stealth sending of files over ICMP communication.

  • https://github.com/spiderpig1297/kunkillable

    LKM (loadable kernel module) that makes userland processes unkillable.

  • https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html

    Heroin, an LKM-based rootkit, and many more LKM-based rootkit techniques (it is dated, but still carries a lot of useful knowledge).

Contributing

Please refer to the guidelines in contributing.md for details.