/r/rootkit

Photograph via snooOG

Discussion about the research and development of software and hardware rootkits.

Discussion about the research and development of software and hardware rootkits.


Topics

  • Kernel post-exploitation and persistence
  • Function hooking and diverting execution
  • Subverting / infecting firmware and hardware
  • Modifying / manipulating embedded systems
  • Platform firmware exploitation

Posting guidelines

  • Link to the original source
  • Tag PDF submissions with [PDF]
  • Whitepapers are preferred over slides
  • Self-posts are allowed only for on-topic technical questions

Related resources


Community

/r/rootkit

9,148 Subscribers

0

Anyone knows how to root my Android 12 , dm

0 Comments
2024/05/11
12:55 UTC

0

Rootkit

Hi! I was wondering if anyone knows any site that I could find to buy a rootkit Thanks in advance

1 Comment
2024/04/24
20:35 UTC

1

Anyone had researched eBPF rootkit triplecross ?

Here is the project https://github.com/h3xduck/triplecross, I'm looking for someone to research it together or someone who is proficient in eBPF rootkit technology. Can they answer a question for me: When using tc and XDP to control RX and TX traffic, what detection can be evaded? (such as Wireshark?) Also, regarding this project, I noticed that the eBPF program needs to be attached using the "tc" command during startup, but how is XDP loaded into it?

0 Comments
2024/03/24
07:15 UTC

0

Will flashing a BIOS get rid of a rootkit?

Will flashing a BIOS get rid of a rootkit? And if u have one is flashing the BIOS possible?

2 Comments
2024/03/14
19:11 UTC

0

Hyperjacking/BluePill Rootkit

Hyperjacking/BluePill Attacks

So I know it's possible to install a VM within a operating system and fully take over the system but im wondering if its possible for such an attack to go totally undetected. I've read here are steps you can take to suggest virtualization but I dont think theres a 100% assurance to find out is there? Its kind of like the Matrix, youre completely unaware youre running one. hardware can be infected through something like a USB port....but that would require physical access?

How rare is something like this and once it's on your system and would a factory wipe make it go away? You would either be blissfully ignorant or go mad.

It sounds extremely complex to pull off but I was just reading about it and it sounds terrifying if pulled off correctly... thoughts?

0 Comments
2023/12/17
01:25 UTC

3

Rootkit Analysis to Privilege Escalation | TryHackMe Athena

We covered the boot2root challenge Athena from TryHackMe. We scanned the machine with Nmap and discovered SMB server from which we extracted a note that pointed us to a directory on the webserver where we discovered a ping tool running. We used command substitution to inject a bind shell and land the first foothold. We discovered a backup script running on a periodic basis as another user. We modified the script to execute reverse shell and opened another session as the user Athena. Upon enumeration, we found that the user Athena can load kernel modules as sudo using insmod without the need for root password. We downloaded the kernal module "venom.ko" and used Ghidra to reverse engineer the binary. We discovered that it's a rootkit and after code analysis we were able to interact with the module to call a function that escalated privileges from Athena to Root.

Video is here

Writeup is here

0 Comments
2023/11/05
12:25 UTC

0

Goodlock for custom ROMs?

I have a galaxy note8 with a custom ROM. I was wondering if there was a way to get the same customization that good lock gives?

2 Comments
2023/11/03
10:57 UTC

3

galaxy s20 possible tweak discovered

so i was in talkback mode just going deep into the web browser and managed to crack the son of a bitch by placing a working sim card halfway into its slot and causing it to wanna go check the number on the sim which was unlocked, it successfully caused the phone to get unlocked just thought i would share that tidbit with you kings

1 Comment
2023/10/09
20:06 UTC

8

How to cross compile, assemble and link Windows Kernel Module/Driver using MingW and GCC from Linux

How could I cross compile, assemble and link an Windows Kernel Module/Driver to a SYS file over MingW and GCC compiler AR assembler and LD linker.

Alternatively maybe some other open source tool that runs on Linux for cross compiling assembling and linking that can produce Windows SYS files.

I know SYS files are similar to DLLs also flagged for native subsystem and have DriverEntry function referenced in DRIVER_INITIALIZE callback, but how could I create one from scratch without Windows Driver Kit.

Header files like ntddk.h and others are rewritten for MingW, but what else I need to have and to know to craft a driver.

I was able to find Frank Rysanek archive of an example Windows Driver for cross compiling over MingW but there are some problems.

0 Comments
2023/04/02
12:50 UTC

22

Can we expect a 3rd edition for The Rootkit Arsenal anytime soon?

Does anyone know if there are plans for a 3rd edition of the book "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System" (ISBN: 144962636X) ? Or if it's perhaps even under way?

I've tried to look around but can't find any information if the author is working on it or not. Thanks!

1 Comment
2020/06/12
11:35 UTC

11

Can someone please explain how this works?

I'm trying to learn how rootkit works (for educational purposes). I have the source code of Kbeast rootkit. To hide a process from the ps|| pstree etc. command it has the following function,

asmlinkage int h4x_write(unsigned int fd, const char __user *buf,size_t count)
{
   int r;
   char *kbuf=(char*)kmalloc(256,GFP_KERNEL);
   copy_from_user(kbuf,buf,255);
   if ((strstr(current->comm,"ps"))||(strstr(current->comm,"pstree"))||
        (strstr(current->comm,"top"))||(strstr(current->comm,"lsof"))){
            if(strstr(kbuf,_H4X0R_)||strstr(kbuf,KBEAST)){
                   kfree(kbuf);
                   return -ENOENT;
            }
   }
   r=(*o_write)(fd,buf,count);
   kfree(kbuf);
   return r;
}

This function override sys_call_table [__NR_write]. My understanding is *buf, contain the name of the process it is trying to hide. using copy_from_user(), buf is copied into a kernel buffer kbuf and then upon detecting the ps||pstree||... command using strstr(), it looks for the process_to_hide(H4X0R). It a match found then, free the kernel buffer kbuf. Is my understanding is correct?

I check the content of buf. It contains nothing, therefore it never works. Please help me understand this.

1 Comment
2020/04/06
21:52 UTC

10

Do you know reason of closing rootkit.com?

Hello. Do you know reason of closing rootkit.com? Do you have any archives from this website? I mean files

6 Comments
2019/12/27
10:29 UTC

9

Best guide to start making own rootkits?

Hey, some days ago I bought a book “Rootkits” by Greg Hoglund and James Butler, and it made me really interested in developing own rootkits, but this book is outdated. Does anybody know good book/video/course to make own rootkits?

9 Comments
2019/12/25
21:41 UTC

17

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System [Book]

Hi all, I'd like to ask if the second edition is still relevant for those days and not out of date for any one who wants to start learning about rootkits.

Thanks.

1 Comment
2018/11/16
16:48 UTC

7

bios rootkits ?

Hi, I am a newbie about bios/uefi rootkit and I'd like to ask u your opinion.

Thus, my questions are:

  • Are bios/uefi rootkits real ?

  • How can I check my bios/uefi firmware ? are there some check integrity tools ?

  • is technically possible to hijack the software bios dump to hide the rootkit it self ?

  • is technically possible to infect othere devices like nic or video card to inject a kernel module in the os ?

  • is there a way to write-protect bios/uefi reflashing ? maybe the old jumper way ?

  • libreboot could be a solution to bios/uefi malware ?

Thank u.

6 Comments
2016/10/26
09:32 UTC

8

How did the phide2 rootkit work?

I've been looking up various rootkits and reading about how they worked to try to gain an understanding of their activity, and one that's stumped me is phide2.

I understand that it uses DKOM to hide itself, that it unlinks itself from the EPROCESS list like the FU rootkit, that it unlinks itself from the ETHREAD list as well, and that it implements a private thread scheduler to keep its process running despite being unlinked from the thread lists the scheduler uses to determine process running time, but I'm not sure exactly how it implements that privae scheduler.

My current best guess is that it runs an additional, non-hidden thread which periodically tells the scheduler to execute the hidden threads and keeps those threads off the ETHREAD list for the rest of the time. But doesn't this break the rootkit? If it's running a thread that can't be hidden to implement a private scheduler, what's the point of hiding its hidden threads? There's still a non hidden thread running.

Also, is the Clock Locking Beats rootkit implemented by m0nk (see link, start at 22:00) related to this rootkit? They both seem to do the same thing.

https://youtu.be/gKUleWyfut0

2 Comments
2016/05/13
00:50 UTC

6

Rootkit.com mirror?

Is anyone aware of any mirror of Rootkit.com? with the code samples etc?

4 Comments
2015/05/22
02:28 UTC

7

Any Android rootkit sample available?

Hello people,

I am currently working on my undergraduate thesis on Android forensics. I would like to make some case studies, but I am having hard time finding some Android rootkits. I have found lots of malware, but not rootkits in specific. I am aware of suterusu which is open source, but I am looking for something already compiled.

So, if anyone has any idea/comment/suggestion feel free to throw it or contact me.

Thank you very much.

3 Comments
2015/05/15
12:34 UTC

Back To Top