0x80
2 min read, Jan 19, 2022

Writing a rootkit for Linux

A Linux process has 3 main parts:

1-User-Mode

2-Kernel-Mode

3-Hardware

Rootkit processes operate within these 3 main parts. There are many rootkit types, and the main types are:

1-User-Mode

2-Kernel-Mode

The kernel has the highest privileges for changing and modifying the user's operating system, and that is why kernel-mode rootkits are dangerous. Before version 5.0.0 of the Linux kernel, attackers could change entire kernel processes, but after version 5.0.0 (for example, version 5.7.0) many of the header files required for modifying system calls are gone, and there are no more kernel-mode rootkits for Linux 5.10 and higher. That means we can only use and develop user-mode rootkits, and this page is about making a user-mode rootkit.

Hooking system calls

Hooking is still easy for TESTING. What does that mean? It means we can't use this method for hooking a victim's system calls; this time we use the TERMINAL for hooking, because kallsyms.h does not exist and we can't use the kallsyms_lookup_name function any more. This tutorial is for versions 5.7 and higher.

sudo grep -nr 'sys_call_table' /proc/kallsyms

Note: To define sys_call_table in our source code we need the sys_call_table address, which is only shown when grep runs with root access.

Using the grep command we can search the kallsyms file for the sys_call_table address we need. Let's define sys_call_table in our source code:

NOTE: 0xb84002c0 must be 0xffffffffb84002c0; I made a mistake.
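The grep above only prints a real address when run as root because the kernel masks kernel pointers in /proc/kallsyms for unprivileged readers, controlled by the kptr_restrict sysctl. As an added example (not code from the original post), the POSIX shell script below reports that setting on the host and checks whether the sys_call_table address is exposed or zeroed, so a defender can confirm the hardening that makes this enumeration step require root. The functions default to the live /proc files but accept any file path, and the kallsyms-format sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report whether this host masks
# kernel symbol addresses in /proc/kallsyms for unprivileged readers.

# Explain a kptr_restrict value as documented in
# Documentation/admin-guide/sysctl/kernel.rst.
kptr_restrict_meaning() {
    case "$1" in
        0) echo "0: addresses may be shown to unprivileged readers (weakest)" ;;
        1) echo "1: addresses hidden unless the reader has CAP_SYSLOG" ;;
        2) echo "2: addresses hidden from everyone, including root" ;;
        *) echo "unknown kptr_restrict value: $1"; return 1 ;;
    esac
}

# Given one kallsyms-format line ("<addr> <type> <name>"), print "masked"
# when the address field is all zeros and "exposed" otherwise.
# Constructed sample: "0000000000000000 R sys_call_table" -> masked
kallsyms_line_status() {
    addr=${1%% *}          # first whitespace-separated field
    case "$addr" in
        0000000000000000|00000000) echo masked ;;
        *) echo exposed ;;
    esac
}

# Read kptr_restrict from a file (default: the live sysctl) and explain it.
check_kptr_restrict() {
    f="${1:-/proc/sys/kernel/kptr_restrict}"
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    kptr_restrict_meaning "$(cat "$f")"
}

# Look up sys_call_table in a kallsyms-format file (default: /proc/kallsyms)
# and report whether its address is visible to the current user.
check_sys_call_table() {
    f="${1:-/proc/kallsyms}"
    line=$(grep ' sys_call_table$' "$f" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "sys_call_table not listed in $f"; return 1; }
    kallsyms_line_status "$line"
}

# When run directly, check the live system; a missing file is reported, not fatal.
main() {
    check_kptr_restrict || true
    check_sys_call_table || true
}
main
```

A value of 1 or 2 is what you want on a hardened host: an unprivileged `grep sys_call_table /proc/kallsyms` then returns a zeroed address and the lookup in the post fails without root.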

Now we have access to sys_call_table and the power to modify syscalls. The definition is similar to using kallsyms_lookup_name; when kallsyms_lookup_name still existed, attackers defined sys_call_table like this:

static unsigned long *sys_call_table;
/* resolve the table at module load; kallsyms_lookup_name is no longer exported to modules since 5.7 */
sys_call_table = (void *)kallsyms_lookup_name("sys_call_table");

WRITING OUR ROOTKIT

Now that we have access to the sys_call_table, let's modify the syscalls with the code below:

NOTE: 0xb84002c0 must be 0xffffffffb84002c0; I made a mistake, and sys/syscalls.h must be sys/syscall.h.

Conclusion

For more information see:

man syscalls

https://en.wikipedia.org/wiki/Rootkit

How Linux Works (book)

Rootkits and Bootkits (book)

rootkit source code on GitHub

and more...
