carloslack / KoviD

Linux kernel rootkit

Add hidden TCP/UDP connections and hide them from commands such as ss and netstat. Complete installation and usage instructions #101

Open xiaojj2021 opened 1 month ago

xiaojj2021 commented 1 month ago

I haven't seen any installation documentation or usage instructions. Inside README.md there is no clear definition of how to execute it. What commands do I need to hide a process? What command do I need to hide a TCP/UDP connection? I don't quite understand.

carloslack commented 1 month ago

Good idea, I will write usage instructions. In the meantime you can check some demos here: https://github.com/carloslack/kv-demos/tree/master

About tcp/udp: it is hidden automatically, you don't need a separate command for that. You can check with tcpdump.

To hide a process you first need to turn the /proc interface on: `kill -SIGCONT 31337` will do it. Then you run `echo PID >/proc/<name>`, where "PID" is the pid number of the process you want to hide,
whereas "name" is the one you set in the Makefile, see `changeme`.

Thanks
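The answer above says that ss and netstat will not show the hidden connection but tcpdump will, and that a hidden process disappears from the /proc listing. As an added defensive example (not code from the KoviD project or from this thread), the following Python script shows how a responder turns that gap into a detection: collect two views of the same objects and flag whatever one view lacks. The /proc/net/tcp text, the packet-capture tuples and the PID sets are constructed demo data; `listed_pids()` and `probed_pids()` read a live system only if you call them.

```python
"""Cross-view checks for hidden processes and hidden TCP connections.

Added defensive example; not code from the KoviD project or this thread.
A rootkit that filters the /proc listing or the socket tables blinds ps, ss
and netstat, but usually cannot hide the same object from every other view.
Comparing two views and reporting the difference is the classic cross-view
check used by tools such as unhide.
"""
import os
import socket
import struct
from typing import Dict, Iterable, Set, Tuple

# (local_ip, local_port, remote_ip, remote_port)
Conn = Tuple[str, int, str, int]


# ---------- process view ----------

def listed_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs as reported by readdir() on /proc, the view ps and top rely on."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(max_pid: int = 32768) -> Set[int]:
    """PIDs found by probing every number directly with kill(pid, 0).

    Signal 0 delivers nothing: ProcessLookupError means no such process,
    PermissionError means it exists but belongs to another user, so both
    branches are informative. A rootkit may hook kill() as well, which is
    why unhide-style tools combine several probes; this example uses one.
    """
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """Processes that answer kill(pid, 0) but are missing from the /proc listing."""
    return probed - listed


# ---------- socket view ----------

def _hex_addr(field: str) -> Tuple[str, int]:
    """Decode the 'AABBCCDD:PPPP' form of /proc/net/tcp (IPv4).

    The kernel prints the address as a native integer, so on the usual
    little-endian hosts the octets appear reversed; "<I" undoes that.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Set[Conn]:
    """Parse the text of /proc/net/tcp into (lip, lport, rip, rport) tuples."""
    conns: Set[Conn] = set()
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        lip, lport = _hex_addr(fields[1])
        rip, rport = _hex_addr(fields[2])
        conns.add((lip, lport, rip, rport))
    return conns


def wire_only(observed: Iterable[Conn], table: Set[Conn]) -> Set[Conn]:
    """Connections seen on the wire (e.g. by tcpdump) but absent from the kernel table."""
    return set(observed) - table


# ---------- constructed demo data (not real system output) ----------

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

# Flows a packet capture on the same host showed (constructed). The second
# one is the 8.8.8.8:1234 case from the thread: on the wire, not in the table.
OBSERVED_ON_WIRE: Set[Conn] = {
    ("10.0.2.15", 41394, "93.184.216.34", 443),
    ("10.0.2.15", 51234, "8.8.8.8", 1234),
}


def cross_view_report(listed: Set[int], probed: Set[int],
                      observed: Iterable[Conn], tcp_table_text: str) -> Dict[str, set]:
    """Run both checks on supplied views so the logic can be exercised offline."""
    return {
        "hidden_pids": hidden_pids(listed, probed),
        "hidden_conns": wire_only(observed, parse_proc_net_tcp(tcp_table_text)),
    }


if __name__ == "__main__":
    # Offline demo; live use: cross_view_report(listed_pids(), probed_pids(),
    # <tuples from your capture>, open("/proc/net/tcp").read())
    report = cross_view_report({1, 2, 3}, {1, 2, 3, 4242},
                               OBSERVED_ON_WIRE, SAMPLE_PROC_NET_TCP)
    for key, value in report.items():
        print(key, sorted(value))
```

A single mismatch is a lead, not proof: short-lived processes and connections that close between the two snapshots also produce differences, so take both views as close together as possible and repeat before escalating.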

xiaojj2021 commented 1 month ago

My C2 connection destination will be displayed as TCP 8.8.8.8:1234. What do I need to do to hide TCP network connections to 8.8.8.8?

The administrator can easily detect my C2 using commands such as ss and netstat -an.

carloslack commented 1 month ago

Currently I don't think it is possible; KoviD hides its own backdoor connections. Including this in the list of things to do.

xiaojj2021 commented 1 month ago

I noticed that some rootkits support hiding TCP or UDP connections? For example, I need to hide 8.8.8.8.

Command: /elite/elite_cmd connhide

The following project does not support the latest kernel: https://github.com/f0rb1dd3n/Reptile

Hide TCP and UDP connections:
Hide: /reptile/reptile_cmd conn hide
Unhide: /reptile/reptile_cmd conn show