Open loneicewolf opened 1 year ago
Of course, it goes without saying - if 1 or more 'todos' is already done, please point them out so I don't reinvent the wheel.
Thank you.
No TODO list is actually done till now :)
edit: I will begin with the easiest one, the system()-like function (but in the kernel);
Thank you for the fast reply, and have a great continuing day!
Thanks a lot for the appreciation!
Thanks again to you for showing interest in contributing to my project.
The rootkit will also act as a revshell (rather than a kernel-mode revshell), just to nullify the use of a usermode revshell for a long time, just for being stealthy.
All-rounder, meaning: the functionality of a revshell + stealthy as an LKM rootkit.
Actually, I have no idea how to achieve this so far ;( I guess some assembly language will be needed to achieve this stuff...
Cryptography and Obfuscation are really dope ideas :fire:, but Steganography will be dependent upon the scenario/environment of the victim machine, right?
"Note these would take a longer time to make, but I still wanted to point them out."
=> Not a problem at all man!!
Again thanks for providing a helping hand to me :)
"I also thought of adding something related to kernel-mode shellcode execution, as it is something I have been working on now for some time. I will see if I have the time; if this would be something of interest."
You are most welcome to add those if you want to. That would really help this project to attract more public attention!!
Thank you @loneicewolf, have a nice day!!
I'm also excited about this. Not a problem at all. Thank u, same to u as well.
No problems at all. With the Persistence "exercise", as I called it, I meant that I myself would do it, and make (I guess) another pull request when it's done.
On the Steganography step, I was a bit vague too; broadly speaking, it "can" be a picture, but it can also be just a covert channel. Whatever that might be can be another question (there are loads of methods to achieve this).
Have a nice day! And keep it up :)
Edit: adding footnotes (related links) to clarify what I meant by Cryptography, Obfuscation and Steganography:
https://embeddedsw.net/Randomness_Test_Home.html
https://embeddedsw.net/OpenPuff_Steganography_Home.html
https://embeddedsw.net/MultiObfuscator_Cryptography_Home.html
Btw, do u know how to make a custom logger? Like, when we inject it, it creates some logs, right? So I wanted to create a custom logger which can log our kernel prints, instead of syslog logging our rootkit's behaviour. Targeting more OPSEC.
Or another idea was to use macros like KERN_EMERG, KERN_ALERT from the printk.h header, which have a lower log level than the console log level, so that those logs will not be logged by syslog; rather, they will be shown in the console, like ctrl + shift + f5/f4 (I don't really remember that particular tty). But we have to somehow perform proxying of those outputs from the console to our current terminal; that means those kernel prints will work like printf (in C) or like echo in bash.
Did I make any sense?
Thanks for the additional reply;
Uhm, the last sentence is flawless - sorry, I am having a bit of trouble following what you are trying to say; I will try (below):
KERN_ALERT (according to your text - again, if I understand you correctly) is to hide the output..? If you want to hide the output, why not just comment it out? (Or, if you need the outputs but still don't want them to be "so plaintext", maybe log them somewhere else? Perhaps encrypted?) And, soon I will have to head home for the night; I'll come back online tomorrow.
Can you perhaps make an example of each of them (draw a diagram, or some example code), maybe in another language, to demonstrate, if it is difficult to explain? :)
I think I do understand the "logging the output to another tty" part - so you have to press the ctrl+shift+fX key (where X is 5,4,...,2,1) to see the output, correct? If this is not a correct understanding I think you have to elaborate, sorry :)
Have a good night!
You are right, exactly!
But the thing is, that will be quite hectic, right? Searching for the value of X in ctrl+shift+fX for every machine once it is injected into the kernel. For every machine, that value of X is different, if I remember correctly.
Same to u too! :)
Yes
If I comment out those lines, then how will I know that those instructions got successfully executed in the kernel? Am I right? According to this link:
Any log messages with levels less than this (that is, of higher priority) will be printed to the console, whereas any messages with levels equal to or greater than this will not be displayed.
I'm talking about this!
"Proxy the outputs from console to current terminal" here I do not follow at all I think.. Do you want to redirect the output from something to something else..? Sorry. Please clarify
Exactly. I want to redirect the output from Console to current terminal we are having as Operator. Does this make sense now?
And, soon I will have to head home for the night, ill come back online tomorrow.
Not a problem.
Can you perhaps make an example of each of them (draw a diagram, or some example code) maybe in another language to demonstrate..? If it is difficult explaining. :)
If more explanation is needed, pls feel free to ask me.
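Since the exchange above turns on which printk levels reach the console and which reach syslog, here is an added Python model of that routing (not code from this project). It parses the four-field value of /proc/sys/kernel/printk and constructed /dev/kmsg records, and makes the point a defender relies on: console_loglevel only gates what is echoed to the console, while every message still lands in the kernel ring buffer that dmesg, rsyslog and journald read. The module name and records are constructed sample data.

```python
"""Where a printk() message ends up, given the kernel's console log level.

Added illustration for this discussion, not code from the rootkit project.
It models two facts about the Linux logging path:
  * /proc/sys/kernel/printk holds four numbers; the first is
    console_loglevel (the others: default message level, minimum console
    level, boot-time default console level).
  * A message is shown on the console only if its level is strictly lower
    than console_loglevel, but every message is stored in the kernel ring
    buffer regardless, and that buffer is what dmesg, rsyslog and journald
    read (via /dev/kmsg). Console gating therefore hides nothing from syslog.
The /dev/kmsg records used below are constructed sample data.
"""
from dataclasses import dataclass

# Levels from include/linux/kern_levels.h (KERN_EMERG .. KERN_DEBUG)
KERN_LEVELS = {
    0: "KERN_EMERG", 1: "KERN_ALERT", 2: "KERN_CRIT", 3: "KERN_ERR",
    4: "KERN_WARNING", 5: "KERN_NOTICE", 6: "KERN_INFO", 7: "KERN_DEBUG",
}


@dataclass
class Routed:
    level: int
    level_name: str
    message: str
    to_console: bool      # printed on the VT / serial console
    in_ring_buffer: bool  # visible to dmesg and to syslog/journald


def parse_printk_sysctl(text: str) -> int:
    """Return console_loglevel, the first of the four fields in /proc/sys/kernel/printk."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields in printk sysctl, got %r" % text)
    return int(fields[0])


def parse_kmsg_record(record: str) -> tuple[int, str]:
    """Parse one /dev/kmsg record: "<prio>,<seq>,<usec>,<flags>;<message>".

    prio = facility * 8 + level; kernel messages use facility 0 (LOG_KERN),
    writes from user space to /dev/kmsg get facility 1 (LOG_USER), so the
    level is always the low three bits.
    """
    header, sep, message = record.partition(";")
    if not sep:
        raise ValueError("malformed kmsg record: %r" % record)
    prio = int(header.split(",")[0])
    return prio & 7, message.rstrip("\n")


def route(console_loglevel: int, records) -> list[Routed]:
    """Classify each record: does it reach the console, and is it in the log buffer?"""
    routed = []
    for record in records:
        level, message = parse_kmsg_record(record)
        routed.append(Routed(level, KERN_LEVELS[level], message,
                             to_console=level < console_loglevel,
                             in_ring_buffer=True))
    return routed


# Constructed sample: a common default "4 4 1 7" and three records as they
# would appear when reading /dev/kmsg ("example_mod" is a placeholder name).
SAMPLE_PRINTK_SYSCTL = "4 4 1 7"
SAMPLE_KMSG = [
    "1,100,5140900,-;example_mod: KERN_ALERT line",
    "6,101,5140950,-;example_mod: KERN_INFO line",
    "14,102,5141000,-;user-space write to /dev/kmsg (facility 1, level 6)",
]


def demo() -> list[Routed]:
    return route(parse_printk_sysctl(SAMPLE_PRINTK_SYSCTL), SAMPLE_KMSG)


if __name__ == "__main__":
    for r in demo():
        where = "console + ring buffer" if r.to_console else "ring buffer only"
        print(f"{r.level_name:<12} -> {where:<22} {r.message}")
```

With the default "4 4 1 7", the KERN_ALERT record is echoed to the console and the KERN_INFO records are not, but all three are in the ring buffer, so a log collector reading /dev/kmsg sees every one of them.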
Good morning!
Yes, thank you @reveng007. I'll check that link; I'm on the train now, so it will take a while, but thanks for being patient and so (very) quick at responding!
Hey, not a problem. You are only helping me out by contributing to my project. So thanks to u :) @loneicewolf
Hello @reveng007, now I have made up a kind of plan. I will, as said, be slow on this, not only because of various factors such as the different kernel version the rootkit is using, safe coding (since, even if we code a rootkit in the kernel, we should still strive to make it as "stable" and "reliable" as possible, ironically speaking), and so on;
Regarding the Persistence step, a naive approach (I guess you & everyone else think of this first when thinking about rootkit persistence) is just to "load it at startup" like any other loadable kernel module (which, as a start, might be just placing a copy in a folder that has modules to load at boot); so I think the actual persistence wouldn't be so complex, but the "exercise" here would be the steps required to make it harder to detect (relatively speaking).
And I have checked your blog (comprehensive, I have to tell you - keep it up! One minor improvement could be to make the subtitles more "visible", because I had to scroll quite a lot to get to a part you referred me to, but other than that it's really well structured). :)
So, basically I will at times prepare (not at the same time, but one by one):
I wish you a nice continuing day! This will be a fun project to contribute to!
Yes, safe coding is required, but I guess before that we need our concepts to work. After that we should stabilize our code based on that.
This can be helpful, although I don't have good knowledge of asm; in this case it may require us to use kernel-mode asm. Link: https://programmer.group/inject-your-rootkit-code-into-a-linux-kernel-module.html
Yes, our target will be more stealth!
""load it at startup" like any other loadable kernel module" is easy:
We can leverage `initramfs` to set up the rootkit to load automatically at boot time.
With sudo:
1. adding the rootkit (without .ko) to /etc/modules
2. Copying rootkit LKM to: /lib/modules/5.15.0-58-generic/kernel/drivers/<any driver/module folder>
3. depmod -a
4. update-initramfs -u
Thanks a lot! Actually, at that time I was a total noob; I didn't know anything about the kernel, LKMs, even the concept of an OS and usermode C was unknown to me. I made it that comprehensive just to log my learning path. But in the end I decided to make it public so that someone like me can learn to create a rootkit from scratch, even if they don't really have knowledge of all those basics, without getting intimidated by other high-level blogs/posts.
I have to find out how to add that feature, so that one click on a topic enables the user to easily navigate to that particular topic.
In this section, I don't really have anything to add; everything that we said is perfect! Except one thing, although it is my query. Do u have any idea how to do this?
"I wish you a nice continuing day! This will be a fun project to contribute to!"
Same to you my man!
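For the boot-time loading steps above, the defender-side counterpart is an inventory of what the host is configured to load at boot and whether each module file is owned by a package. The following Python is an added example (not the project's code): it parses /etc/modules and modules-load.d style lists together with the modules.dep index that `depmod -a` rewrites, and flags entries whose .ko is absent from the package-ownership set, which is assumed to be gathered separately with `dpkg -S` or `rpm -qf`. All inputs are constructed sample data; "placeholder_mod" stands in for any module name, and the kernel version path is the one quoted in the thread.

```python
"""Inventory of modules configured to load at boot, cross-checked against
package ownership.

Added example for this thread, not code from the rootkit project. It models
the defender-side check for the persistence steps discussed above:
  * /etc/modules and /etc/modules-load.d/*.conf name modules to load at boot
    (one per line, '#' starts a comment).
  * /lib/modules/<ver>/modules.dep, rewritten by `depmod -a`, indexes every
    loadable .ko as "path: dependencies"; paths are relative to the
    /lib/modules/<ver> directory on current distributions.
A .ko that is indexed but not owned by any package, or a boot-load entry that
resolves to one, deserves a closer look. Package ownership is assumed to be
collected separately (e.g. `dpkg -S` / `rpm -qf`) and passed in as a set.
All sample data below is constructed; "placeholder_mod" stands in for any
module name.
"""
import posixpath

KO_SUFFIXES = (".ko.zst", ".ko.xz", ".ko.gz", ".ko")   # longest first


def module_name(path: str) -> str:
    """Module name for a .ko path: basename minus suffix, '-' mapped to '_'
    the way the kernel reports module names."""
    base = posixpath.basename(path)
    for suffix in KO_SUFFIXES:
        if base.endswith(suffix):
            base = base[:-len(suffix)]
            break
    return base.replace("-", "_")


def parse_modules_dep(text: str) -> dict[str, str]:
    """Map module name -> path for each non-empty line of modules.dep."""
    index = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path = line.split(":", 1)[0].strip()
        index[module_name(path)] = path
    return index


def parse_load_list(text: str) -> list[str]:
    """Module names from /etc/modules or a modules-load.d file."""
    names = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            names.append(entry.replace("-", "_"))
    return names


def audit(modules_dep: str, package_owned: set[str],
          load_lists: list[str], modules_root: str):
    """Return (unowned, suspicious, unknown):
    unowned    - name -> path for indexed .ko files no package owns
    suspicious - boot-load entries that resolve to an unowned .ko
    unknown    - boot-load entries with no .ko in the index (built-in or stale)
    """
    index = parse_modules_dep(modules_dep)
    unowned = {name: path for name, path in index.items()
               if posixpath.join(modules_root, path) not in package_owned}
    suspicious, unknown = [], []
    for text in load_lists:
        for name in parse_load_list(text):
            if name not in index:
                unknown.append(name)
            elif name in unowned:
                suspicious.append((name, index[name]))
    return unowned, suspicious, unknown


# Constructed sample data; the kernel version path is the one from the thread.
MODULES_ROOT = "/lib/modules/5.15.0-58-generic"
SAMPLE_MODULES_DEP = """\
kernel/drivers/net/dummy.ko:
kernel/fs/fuse/fuse.ko:
kernel/drivers/misc/placeholder_mod.ko:
"""
SAMPLE_PACKAGE_OWNED = {
    MODULES_ROOT + "/kernel/drivers/net/dummy.ko",
    MODULES_ROOT + "/kernel/fs/fuse/fuse.ko",
}
SAMPLE_LOAD_LISTS = [
    "# /etc/modules: kernel modules to load at boot time.\nfuse\nplaceholder_mod\n",
    "# /etc/modules-load.d/sample.conf\nloop\n",   # built in on this sample kernel
]


def run_sample():
    return audit(SAMPLE_MODULES_DEP, SAMPLE_PACKAGE_OWNED,
                 SAMPLE_LOAD_LISTS, MODULES_ROOT)


if __name__ == "__main__":
    unowned, suspicious, unknown = run_sample()
    print("unowned module files:", unowned)
    print("boot-load entries resolving to unowned files:", suspicious)
    print("boot-load entries with no indexed file:", unknown)
```

On the sample data the check reports placeholder_mod both as an unowned .ko under the kernel tree and as a boot-load entry pointing at it, while "loop" is reported separately as a name with no indexed file (a built-in on that kernel, or a stale entry), which is the distinction a triage script needs to avoid false positives.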
Regarding the last 2 points, it depends, because "completely" is not possible. But I assume you mean as close as possible to "complete". I mean, obviously nothing is perfect or 100% secure (this is obvious).
But - I mean, you could do some checks: instead of only "hiding a file that has a prefix", you can "hide the file iff it contains some specific data", like some metadata to match - for example, the file is in a particular location, at a particular time, made by a particular user (and so on), or has some keyword inside of it (this can be whatever, from a first line of random letters to some cipher or what it now might be). Of course this is an extremely broad thing, because there are loads of ways you can program a rootkit, or even just program 1 "thing";
so it depends on the situation very much.
Actually at that time I was totally noob, I didn't know anything about kernel, LKM, even the concept of OS and usermode C was unknown to me.
Respect! Hard worker ^_^ We all begin somewhere, and I don't like to use the word "noob", by the way; but have a nice night!
Hmmm!! Got your point....
Thanks a lot. Good night to u as well!
@reveng007 Hi!
This was quite the delay, I have to admit. I will hopefully begin very soon with the proofs of concept (as we always start with), then make it more stable. I have researched some topics and looked into your blog (because of various factors, like it being long and a bit all-consuming to read, and so on, I had to re-write certain parts, on my side that is. I don't really have anything to contribute to the blog post, as I think it's quite well structured. And as you point out in this repo, this is not for the latest kernels, but a specific one.)
Briefly speaking, I have reviewed some stuff I would need in order to make all these contribution "points" (persistence, kernel-mode system() function, etc.), and will begin with POCs very shortly.
You can close this if you want, as I will probably (excluding time) make new pull/issues for each "part". As I always do.
Wishes!
No worries... Take ur time... I also haven't had time to put into the Linux kernel...
Mostly spending time on Windows... Thanks again!
All the very best :)
Hello @reveng007! First off, nice project, I have to say! Many great links and well structured.
Overview
I plan on contributing to this project, that is - I saw (both the Issues and the TODO-List) you have made; some of them:
I plan on contributing to all the TODOs (as of the time of writing, each Issue and TODO you have listed does not really seem impossible for me to achieve), like adding a system()-like function.
TODO 4# Sockets
For this TODO I need to request some details before I dive in. It is unclear what you want to achieve.
On both of these, what exactly do you want to achieve here?:
TODO 5# Persistence
As well as, this one got me specifically interested into contributing, since this would be a great exercise:
Additional Idea
I have thought of some things to add to your project; some of them are included (but not limited to):
sockets
so it's not sent in plain text
..) Note these would take a longer time to make, but I still wanted to point them out.
Edit:
I also thought of adding something related to kernel-mode shellcode execution, as it is something I have been working on now for some time. I will see if I have the time; if this would be something of interest.
Have a great day! If any comments, thoughts, problems or concerns arise - please point them out!