Illustration by @SumiKiriko (still a work in progress).

Yet another modern Linux kernel rootkit, for educational purposes.
We have tested compiling Nornir-Rootkit on the following distros (newest available version). If your machine does not run one of them, the build may still succeed, but problems may also occur.

Note that currently you may need to install some packages manually before compiling this project (e.g., the package that provides the kernel headers, such as `linux-headers-$(uname -r)`, or a specific compiler package, such as `gcc-12` for Ubuntu 22.04.5 LTS). Scripts that check for missing packages on different distros are coming in the future.
First, configure the features you would like to enable in Nornir-Rootkit. A graphical configuration menu can be started with:

```
make menuconfig
```

You can also use the step-by-step guidance instead:

```
make config
```

We also provide a default configuration set, which you can use directly with:

```
make defconfig
```

After the configuration, all you need to do is:

```
make all
```

A loadable kernel module binary, `nornir.ko`, will appear under `src/`.

You can use the following command to load the kernel module into the running kernel directly:

```
make install
```
Note that currently we do not provide any persistence (long-term living) techniques yet (because I'm lazy).

Currently the following functions are supported in Nornir-Rootkit:
- Hide the module itself
- Grant root privilege if needed
- Hide specific process
- Hide files with specific name
- Hide network connections
Note that this project provides several different techniques for implementing some of these functions. For example, the following strategies are available for hiding files:

- Hook the `getdents()` system call directly
- Hook the `filldir()`, `filldir64()`, and `compat_filldir()` functions
- Hook VFS structures, such as a specific `dir_operations`
- ......

You can refer to the configuration menu (e.g., `menuconfig`) to see all the strategies we support.
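As an added defender's-side check (example code, not part of the Nornir-Rootkit project), the script below looks for the discrepancies that the hiding strategies above create: it compares the process list obtained through the `getdents()` path (reading `/proc`) with one obtained by probing PIDs directly, and the modules reported by `/proc/modules` with those still registered under `/sys/module`. The `/proc` and `/sys/module` paths and the use of `pid_max` are assumptions about a standard Linux procfs/sysfs layout.

```python
import os

PROC_ROOT = "/proc"         # assumption: standard procfs mount
SYS_MODULE = "/sys/module"  # assumption: sysfs mounted

def hidden_entries(listing, direct):
    """Entries the kernel confirms exist but a directory listing omits.

    `listing` comes from a getdents()/filldir-based walk (the path the
    file-hiding hooks filter); `direct` comes from an independent query.
    """
    return sorted(set(direct) - set(listing))

def listed_pids(proc_root=PROC_ROOT):
    """PIDs seen by reading /proc, i.e. through the hookable getdents() path."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def probed_pids(max_pid=None, proc_root=PROC_ROOT):
    """PIDs seen by asking the kernel directly with kill(pid, 0); no readdir involved."""
    if max_pid is None:
        with open(f"{proc_root}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())  # can be ~4M on systemd hosts; takes a few seconds
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # the process exists but belongs to another user
        alive.add(pid)
    return alive

def listed_modules(proc_root=PROC_ROOT):
    """Module names as /proc/modules reports them (driven by the kernel's module list)."""
    with open(f"{proc_root}/modules") as f:
        return {line.split()[0] for line in f if line.strip()}

def sysfs_modules(sys_module=SYS_MODULE):
    """Loaded modules still registered in sysfs; built-in ones have no 'initstate'."""
    return {name for name in os.listdir(sys_module)
            if os.path.exists(f"{sys_module}/{name}/initstate")}

if __name__ == "__main__":
    # Processes that start or exit between the two scans show up as transient
    # false positives; re-run and keep only the PIDs that are reported twice.
    print("processes hidden from readdir:", hidden_entries(listed_pids(), probed_pids()))
    print("modules hidden from /proc/modules:", hidden_entries(listed_modules(), sysfs_modules()))
```

A module that also removes its own sysfs entry, or a rootkit that hooks the direct query path as well, will not be caught by this comparison; it only exposes hiding that is applied to one enumeration path but not the other.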
TODO
- Code: arttnba3 [email protected]
- Illustration: 墨 桐子 [email protected]
This project is licensed under the GPL v2 License.
You may obtain a copy of the License at https://opensource.org/license/gpl-2-0.