kacheo / KernelRootkit

Linux kernel rootkit to hide certain files and processes.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

ex1:

Initscript was based off the skeleton. I made it check a fake pid file and that way it would default to updating the sshd.pid file. Then we set the module param
with "cat" . We had to make it sleep for a second since it was a forking. And that process is fast...

ex2:

Hooking a readdir and filldir function. And we check if the file has the same name as the PID. We made a new file opts structure, which was the same except 
for the readdir function.

ex4:

Changed the read function for the file of tcp and tcp6. Check the foreign and local address's ports. If this line has the port we are trying to hide in Hex,
we will copy everything after this line over... And reduce "Read" by the amount of characters we deleted, so no bogus lines are detected. The same idea of 
hooking through f_op is used.


About

Linux kernel rootkit to hide certain files and processes.


Languages

Language:C 77.4%Language:Shell 22.6%