alichtman
commented
5 years ago An extra control script that uses these Makefiles is probably the best solution to the build problem. The script should should be implemented in either a Python 3 or Bash. My vote is for Python since it's both easier to write and understand, in my opinion.
There are two important processes we need to script: installation and removal.
Installation
The install process should go something like this:
-
Check for Linux, root, and the SELinux module.
- If not Linux, throw exception
- If not root, throw exception
- If SELinux is detected, try to disable / work around it. If that fails, throw exception.
-
Get inputs for installation-specific config (IP for reverse shell, name of rootkit, folders to hide, etc) and generate a
config.hfile to be compiled along with the kernel module. -
Compile rootkit kernel module. The Makefile should be set up such that
$ make allis the only call needed for this step. -
Install the commands for controlling the rootkit behavior in some directory defined in Step 2. Make them executable, and give only a certain backdoor user access, etc.
-
Prompt the user to see if they want to nuke the evidence of rootkit installation.
Removal
While in early development stages, a removal that will work is simply: $ sudo rmmod ROOTKIT_MODULE_NAME. After we implement the anti-removal and rootkit hiding features, this will become a bit more complex. We'll dig into this when we're there.
Docs
What is KBuild, really: https://stackoverflow.com/a/29243761 Kbuild Docs: https://www.kernel.org/doc/Documentation/kbuild/modules.txt Makefiles for Kernel Modules: https://unix.stackexchange.com/questions/288540/makefile-installing-external-linux-kernel-module Compiling Kernel Modules: https://wiki.archlinux.org/index.php/Compile_kernel_module
We'll need to compile the
khookslibrary, the rootkit itself, and any plugins we create, which will live inrootkit/plugins/.