Coder Social home page Coder Social logo

rootkit's Introduction

/**********************************************************
	Last Updated: Nov 16, 2014
	CSE509 System Security 2014 Fall @CS SBU
	Written By: 
		Hyungjoon Koo ([email protected])
		Yaohui Chen ([email protected])
***********************************************************/

A. The Rootkit Framework
	Platform
		Tested at ubuntu linux 12.04 LTS kernel 3.2.0-29-generic
		Should be working 3.x kernel version with an appropriate syscall table addr

	Module name
		kcr.ko
		Koo-Chen-Rootkit
		Kernel Cracking Rootkit
		
	Directory structure
		src/kcr.c : 
			Define main function
			Does device registration 
			Hijack linux system call table

		src/dev.c : 
			Misc device operations
			read, write, open, etc

		src/helpers.c: 
			Define helper functions

		src/HJ_x.c:  
			Functions related to hijacking a ¡°x¡± system call 
			All hijackings follow the same patterns
				i.e HJ_ls.c, HJ_ps.c, HJ_read.c, etc.
		
		src/backdoor.c
			Allows a backdoor when having a specific seteuid

		headers/dev.h
		headers/helpers.h
		headers/HJ_ls.h
			Describe headers to the corresponding source code

		headers/all.h: 
			Describe common <linux/*> or <asm/*>  headers
			Include all src/*.c files just for convenience :)

		headers/config.h: 
			Include all.h, and global variables and macros


B. Features (http://securitee.org/teaching/cse509/files/projects/project1.html)
	Required implementation
		Hide specific files and directories from showing up when a user does "ls" and similar commands
			Hide defined prefixes (i.e hide_, bad_, )
			Support dynamically changed prefixes
		Modify the /etc/passwd and /etc/shadow file to add a backdoor account 
			while returning the original contents of the files (pre-attack) 
			when a normal user requests to see the file (sys_read)
		Hides processes from the process table when a user does a "ps"
	Additional implementation
		Key logging (Not yet)
			Either saving keystrokes to local file or sending it out to remote site
		Backdoor
			Allowing a normal program to have a root privilege
		Hide the connections (Not yet)
			Opening/listening ports
			i.e netstat
		Hide the rootkit module itself 
			i.e lsmod
			
C. Usage
	$ make && sudo insmod kcr.ko

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.