matteomattia / moo_rootkit

it's a simple LKM rootkit.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

moo_rootkit

it's a simple LKM rootkit. Tested on Linux Debian 6 - Kernel 2.6.32-5-686 (32bit) e con GCC 4.4.5

Just for fun

#Functionality:

  • hide itself from commands like insmod, lsmod, modprobe..
  • syscall hijacking
  • hide a chosen tcp port
  • parse commands from a /proc node ex. echo nasconditi > /proc/moooo # hide itself

References

http://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/ipsecs-kbeast-v1.c https://memset.wordpress.com/2011/03/18/syscall-hijacking-dynamically-obtain-syscall-table-address-kernel-2-6-x-2/ http://www.phrack.org/issues/58/6.html#article http://www.phrack.org/issues/58/7.html#article https://volatility-labs.blogspot.it/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html

About

it's a simple LKM rootkit.

License:GNU General Public License v3.0


Languages

Language:C 96.5%Language:Makefile 3.5%