A rootkit for Android. Based on Android platform based linux kernel rootkit from Phrack Issue 68
Part of ISA 673 a class project. Adding it here just because there is not just enough documentation out there to do this for Android
I appreciate any pull requests as long as they extend functionality and dont do harm
-
Using kernel tree from here
-
Using ROM image from here
-
Using Android NDK toolchain 4.4.3 from Google.
-
Tried and tested on HTC Bravo running kernel version 2.6.38.8
Filename: sys_call_table.ko
Desciption: This rookit is developed to intercept the following calls
- SYS_WRITE
- SYS_READ
- SYS_CREAT
- SYS_MKDIR
- SYS_RMDIR
- SYS_KILL
- SYS_OPEN
- SYS_CLOSE
- SYS_GETDENT
- SYS_UNLINK
- SYS_KILL
Author: Hitesh Dharmdasani hdharmda@gmu.edu
License: GPL v2
Depends: Android NDK, Kernel source tree of target
Vermagic: 2.6.38.8-cos-bravo-jellybean+ preempt mod_unload ARMv7
- The source tree will not complile to give you a zImage that you should use. A hack around it was to just use a pre built rom with the same specs
- If you are facing vermagic issues. Fix them by the obvious.
- Fix entry in utrelease.h
- Fix entry in kernel.release
- DO NOT 'make' the kernel source tree after you do this
- Edit the makefile to suit your paths for the NDK and the kernel source tree for your Android Operating system
- The rootkit compiles as a kernel object and needs to be run on the phone.
# insmod sys_call_table.ko# ./sys_call_table_inst
- Use
dmesgto debug