Writing a rootkit for Linux
A Linux system has three main layers:
1-User-mode
2-Kernel-mode
3-Hardware
A rootkit lives in one of these layers, and which one it lives in determines what it can see and change.
There are many kinds of rootkit; the two main types are:
1-User-mode
2-Kernel-mode
The kernel runs at the highest privilege level and can change anything user space sees, which is why kernel-mode rootkits are the dangerous ones. Before Linux 5.7 a loadable module could call kallsyms_lookup_name() to find sys_call_table and overwrite its entries at run time. Linux 5.7 stopped exporting that function to modules, so the straightforward method no longer works on 5.7 and later kernels. That does not make kernel-mode rootkits impossible on newer kernels (the table can still be located by other means, and hooks built on ftrace or kprobes do not need it at all), but it does change how the table address is obtained. Note that hooking system calls from a loadable module remains a kernel-mode technique even when the address is collected from user space; the rest of this page walks through that approach on a 5.7 or later kernel.
Hooking system calls
Hooking is still easy for testing on your own machine, and only there. On 5.7 and later kernels kallsyms_lookup_name() is still declared in linux/kallsyms.h, but it is no longer exported, so a module that references it fails to load with an unknown-symbol error. Instead, the address of sys_call_table is read from the terminal as root and compiled into the module. That means this method cannot be applied blindly to a victim machine whose kernel you have not inspected: with KASLR the address changes on every boot, so a hardcoded value is only valid for the running kernel it was read from. This tutorial targets 5.7 and later versions.
sudo grep -w sys_call_table /proc/kallsyms
Note: the module source needs the numeric address of sys_call_table, and /proc/kallsyms only shows real addresses to a privileged reader. Run the grep as root; on most systems an unprivileged reader sees 0000000000000000 in place of every address (controlled by kptr_restrict).
The grep finds the sys_call_table line in /proc/kallsyms; each line is the address, a one-letter symbol type and the symbol name. Copy the address into the module source and define sys_call_table from it.
With the address pasted into the module source we have a pointer to sys_call_table and can overwrite its entries, the same result the older method achieved at run time. While kallsyms_lookup_name() was still exported, attackers defined the pointer like this:
static unsigned long *sys_call_table;
/* Worked before Linux 5.7; kallsyms_lookup_name() is no longer exported to modules. */
sys_call_table = (void *)kallsyms_lookup_name("sys_call_table");
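Reading the address by hand works, but anyone scripting this step will want to parse /proc/kallsyms exactly and notice when kptr_restrict has zeroed the addresses. The following is an added example, not code from the original page: a small C parser over constructed kallsyms lines (the addresses and the [rootkit] module line are made up) that matches the symbol name exactly, so ia32_sys_call_table is not mistaken for sys_call_table, reports a hidden address separately from a missing one, and renders the definition line to paste into the module source.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: a parser for /proc/kallsyms text. Both inputs below are
 * constructed, not captured from a real machine; real addresses differ per
 * kernel build and, with KASLR, per boot.
 */
static const char SAMPLE_ROOT[] =
    "ffffffff81000000 T startup_64\n"
    "ffffffff81000060 T secondary_startup_64\n"
    "ffffffff82001300 R ia32_sys_call_table\n"
    "ffffffff82000300 R sys_call_table\n"
    "ffffffffc0a15000 t hook_init\t[rootkit]\n";

/* What an unprivileged reader sees when kptr_restrict hides kernel pointers. */
static const char SAMPLE_UNPRIV[] =
    "0000000000000000 T startup_64\n"
    "0000000000000000 R ia32_sys_call_table\n"
    "0000000000000000 R sys_call_table\n";

enum ksym_status { KSYM_FOUND, KSYM_HIDDEN, KSYM_NOT_FOUND };

/*
 * Scan kallsyms text for an exact symbol name. A substring match would also
 * hit ia32_sys_call_table or x32_sys_call_table, so the whole name is
 * compared. An address of zero means the symbol is present but hidden by
 * kptr_restrict, the case the page's Note warns about.
 */
enum ksym_status kallsyms_find(const char *text, const char *name,
                               unsigned long *addr_out)
{
    const char *line = text;

    while (line && *line) {
        unsigned long addr;
        char type;
        char sym[256];
        const char *nl = strchr(line, '\n');

        /* Line format: "<hex address> <type letter> <name>[\t[module]]". */
        if (sscanf(line, "%lx %c %255s", &addr, &type, sym) == 3 &&
            strcmp(sym, name) == 0) {
            if (addr == 0)
                return KSYM_HIDDEN;
            *addr_out = addr;
            return KSYM_FOUND;
        }
        line = nl ? nl + 1 : NULL;
    }
    return KSYM_NOT_FOUND;
}

/* Status only, for callers that just need to know why a lookup failed. */
int kallsyms_status(const char *text, const char *name)
{
    unsigned long unused;
    return kallsyms_find(text, name, &unused);
}

/* The address, or 0 when the symbol is hidden or absent. */
unsigned long kallsyms_addr(const char *text, const char *name)
{
    unsigned long addr = 0;
    return kallsyms_find(text, name, &addr) == KSYM_FOUND ? addr : 0;
}

/* Render the line to paste into the module source, in the page's form. */
const char *table_define(unsigned long addr)
{
    static char line[96];
    snprintf(line, sizeof line,
             "static unsigned long *sys_call_table = (unsigned long *)0x%lx;",
             addr);
    return line;
}

int main(void)
{
    unsigned long addr = kallsyms_addr(SAMPLE_ROOT, "sys_call_table");

    if (addr)
        puts(table_define(addr));
    if (kallsyms_status(SAMPLE_UNPRIV, "sys_call_table") == KSYM_HIDDEN)
        puts("address hidden by kptr_restrict: rerun as root");
    return 0;
}
```

To use it against the running kernel, read /proc/kallsyms into a buffer as root and pass that text instead of SAMPLE_ROOT; the KSYM_HIDDEN result is the signal that the read was not privileged enough, and a value copied from such output would be a null pointer in the module.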
WRITING OUR ROOTKIT
Now that we have the address of sys_call_table, we can replace entries in it with the code below. Three details the module has to get right on x86-64: the table sits in read-only memory, so the module must lift write protection (clear the WP bit in CR0, or write through a writable mapping) before storing a new pointer and restore it afterwards; since Linux 4.17 the table entries take a single const struct pt_regs * argument, so a hook must have that signature and read the system call arguments from the register frame rather than from named parameters; and the original pointer must be saved and written back in the module's exit function, or the kernel keeps calling code that has been unloaded.
Conclusion
For more information see:
man syscalls
https://en.wikipedia.org/wiki/Rootkit
How Linux Works (book)
Rootkits and Bootkits (book)
rootkit source code on GitHub
and others