Linux Kernel Module (LKM) rootkit tutorial.
What is an LKM? Ask Wikipedia, I don't want to explain because I'm a lazy bone....
This is a series of tutorials, and this is my first attempt. I will talk about the basic LKM rootkit techniques in the next few posts.
Notice: Please ignore my bad English, my mother tongue is Chinese, lol
Let's begin, shall we?
First things first: development environment configuration
For me, I like to use Vagrant because it is lightweight and easy to use.
To install Vagrant on Linux, you just execute:
sudo pacman -S vagrant
(the exact command depends on your distribution's package manager).
Then we can start a virtual machine by executing:
vagrant init generic/ubuntu2004 && vagrant up && vagrant ssh
If everything went right, you are in an Ubuntu shell now. Install whatever you need to make this VM suitable for your usage.
Second: writing a basic Linux kernel module.
Finally we get to the topic. I will introduce the basic structure of a Linux kernel module to you guys.
As a kernel program, an LKM does not use user-space header files like <stdio.h> or <stdlib.h>. The following is a basic LKM; try to read the code, and I will explain it later.
#include <linux/init.h>    /* __init / __exit, module_init() / module_exit() */
#include <linux/module.h>  /* MODULE_* metadata macros */
#include <linux/kernel.h>  /* printk() and the KERN_* log levels */

/* Module metadata; "GPL" keeps GPL-only kernel symbols available to the module. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("slyat");
MODULE_DESCRIPTION("basic lkm");
MODULE_VERSION("0.01");

/* Runs once when the module is loaded (insmod); a non-zero return aborts the load. */
static int __init example_init(void)
{
    printk(KERN_INFO "Hello, world!\n");
    return 0;
}

/* Runs once when the module is removed (rmmod). */
static void __exit example_exit(void)
{
    printk(KERN_INFO "Goodbye, world!\n");
}

module_init(example_init);
module_exit(example_exit);
As you can see, unlike normal C code, there is no main() function. Instead, module_init() registers a function that is executed when the module is loaded,
and, correspondingly, module_exit() registers a function that is executed when the module is removed.
To compile this kernel module, we use this Makefile:
obj-m += rootkit.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
(Change "rootkit.o" to your file name, e.g. if your file is backdoor.c, replace "rootkit.o" with "backdoor.o". Note that the two recipe lines under all: and clean: must be indented with a tab, not spaces, or make will reject the Makefile.)
Then you will get a bunch of output files, one of which should be named "xxx.ko". Execute:
sudo dmesg --clear && sudo insmod xxx.ko && sudo dmesg
Then you will probably see output text containing "Hello, world!".
Then remove the module with "sudo rmmod xxx".
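The build/load/verify/unload cycle above, written as a script with the checks a defender relies on to see that a module is really there: the entry in /proc/modules (what lsmod reads), the /sys/module/<name> directory, and the init/exit messages in the kernel log. This is an added example, not code from the original post; it assumes the module source is rootkit.c in the current directory, the Makefile from the post, and that the kernel headers matching uname -r are installed.

```shell
#!/bin/sh
# Added example: build, load, verify visibility, unload the "Hello, world!" module.
# Assumed: rootkit.c and the Makefile above are in the current directory.
set -eu

MOD=${1:-rootkit}

# Return 0 if module $1 appears in a /proc/modules-format listing given as file $2.
# /proc/modules lines look like: "<name> <size> <refcount> <deps> <state> <address>"
module_listed() {
    awk -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# Return 0 if the dmesg-style log in file $2 contains the fixed string $1.
log_has() {
    grep -qF -- "$1" "$2"
}

load_and_verify() {
    tmp=$(mktemp)
    sudo dmesg --clear
    sudo insmod "./$MOD.ko"
    module_listed "$MOD" /proc/modules || { echo "$MOD not in /proc/modules"; return 1; }
    [ -d "/sys/module/$MOD" ]          || { echo "no /sys/module/$MOD entry"; return 1; }
    sudo dmesg > "$tmp"
    log_has "Hello, world!" "$tmp"     || { echo "no init message in dmesg"; return 1; }
    rm -f "$tmp"
    echo "$MOD loaded and visible"
}

unload_and_verify() {
    tmp=$(mktemp)
    sudo rmmod "$MOD"
    ! module_listed "$MOD" /proc/modules || { echo "$MOD still listed"; return 1; }
    sudo dmesg > "$tmp"
    log_has "Goodbye, world!" "$tmp"     || { echo "no exit message in dmesg"; return 1; }
    rm -f "$tmp"
    echo "$MOD unloaded"
}

# The real cycle only runs when invoked as "./check.sh rootkit run", so the
# helper functions can be sourced or tested without touching the kernel.
if [ "${2:-}" = run ]; then
    make && load_and_verify && unload_and_verify
fi
```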
CODE EXPLANATION
In the code, the MODULE_LICENSE, MODULE_AUTHOR, MODULE_DESCRIPTION and MODULE_VERSION lines (line 5~8 of the listing) specify some information about the kernel module. You know English, so you know what those mean.
We used printk() to write to the kernel log; you are right, we can't use printf() and friends in the kernel.....
In the next post, I will talk about how to hide yourself, how to communicate with remote hosts, how to hide other files, how to use multiple threads in kernel modules, and so on.
It will be sent out in about 1 hour; pay attention to my posts if you are interested in this.