reveng007 / reveng_rtkit

Linux Loadable Kernel Module (LKM) based rootkit (ring-0), capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter antirootkit.

Home Page: https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html

License: MIT License

Makefile 0.55% C 99.45%
c linux-kernel linux-device-driver linux-kernel-module kernel-mode-rootkit malware antirootkit-bypass rkhunter-antirootkit backdoor security

reveng_rtkit's Issues

Bypassing chkrootkit antirootkit

Goal:
Our reveng_rtkit is getting detected by the chkrootkit antirootkit, so far under the chkproc section.
To evade/bypass that, we have to manipulate or get around the mechanism present in the chkproc.c file, I guess!?

Surviving system reboot

Goal:
Once our reveng_rtkit is loaded into the kernel, it should be impossible for defenders/admins to remove our LKM rootkit even after system reboot.

Adding system() C function alike function in Linux Kernel programming, in order to open a new bash/sh prompt

This rootkit is capable of providing a root shell only to bash and sh, not other shells. Although it is possible for other shells as well, it needs some tricks. We can use a system()-like C function in Linux kernel programming, so that we first trigger a bash/sh shell and then offer the root shell to the attacker. I haven't found that type of kernel function yet, but as soon as I do, I will add it. Anybody viewing this who knows about this, or is interested in contributing, is most welcome to make a pull request.

Breaking `kernel_src/reveng_rtkit.c`

Breaking the main kernel c code kernel_src/reveng_rtkit.c into smaller files (or logical blocks).
Based on that, Makefile and README.md must be edited accordingly.

[*] Contributing on the TODO LIST

Hello! @reveng007
First off, nice project I have to say! Many great links and well structured 👍🏻.

Overview

I plan on contributing to this project, that is, I saw (both the Issues and the TODO-List) you have made; some of them:

  • system() like function (but in kernel)
  • sockets (this one was a bit broad/confusing) - do you want it to be a reverse shell..?
  • Among others.

I plan on contributing to all the TODOs (as at the time of writing, each Issue and TODO you have listed does not really seem impossible for me to achieve), like adding a system()-like function.

TODO 4# Sockets

For this TODO I need to request some details before I dive in. It is unclear what you want to achieve.

Adding Linux Kernel Sockets to this LKM rootkit, so that this rootkit acts as an all-rounder. Both, as a LKM rootkit as well as stealthy C2 Server.

On both of these, what exactly do you want to achieve here?

  • "stealthy C2 Server."
  • "this rootkit acts as an all-rounder."

TODO 5# Persistence

As well, this one got me specifically interested in contributing, since this would be a great exercise:

Additional Idea

I have thought of some things to add to your project; some of them are included below (but not limited to):

  • Cryptography, Obfuscation and Steganography.
    • Cryptography - encryption & decryption (like encrypting the sockets so data is not sent in plain text).
    • Obfuscation - this is pretty self-explanatory.
    • Steganography - if required by the user (who controls the rootkit), he or she will be able to choose to use steganography as an extra, additional step for security. That is, when exfiltrating something (data, which might be a reverse shell, or something along those lines), it could work by hiding it in normal pictures or just something else.

Note these would take a longer time to make, but I still wanted to point them out.

Edit: I also thought of adding something related to kernel-mode shellcode execution, as it is something I have been working on for some time now. I will see if I have the time, if this would be something of interest.

Have a great day! If any comments, thoughts, problems or concerns arise, please point them out!

Linux Kernel Sockets

Adding Linux Kernel Sockets to this LKM rootkit, so that this rootkit acts as an all-rounder. Both, as a LKM rootkit as well as stealthy C2 Server.
