Best Linux Rootkits Resources
user mode rootkits
- https://github.com/mempodippy/vlany : Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
- https://github.com/unix-thrust/beurk : BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection.
- https://github.com/chokepoint/azazel : Azazel is a userland rootkit based on the original LD_PRELOAD technique from the Jynx rootkit.
- https://github.com/chokepoint/Jynx2 : JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit.
- https://github.com/chokepoint/jynxkit : JynxKit is an LD_PRELOAD userland rootkit for Linux systems with a reverse-connection SSL backdoor.
- https://github.com/NexusBots/Umbreon-Rootkit : LD_PRELOAD based userland rootkit.
- https://github.com/ChristianPapathanasiou/apache-rootkit : A malicious Apache module with rootkit functionality.
kernel mode rootkits
- https://github.com/jermeyyy/rooty : Academic Linux rootkit project made for a Bachelor of Engineering thesis.
- https://github.com/trailofbits/krf : A kernel-space randomized syscall faulter for Linux 4.15+.
- https://github.com/f0rb1dd3n/Reptile : Reptile is an LKM rootkit written for evil purposes that runs on Linux kernel 2.6.x/3.x/4.x.
- https://github.com/QuokkaLight/rkduck : rkduck, a rootkit for Linux v4.
- https://github.com/croemheld/lkm-rootkit : An LKM rootkit for most newer kernel versions.
- https://github.com/mncoppola/suterusu : An LKM rootkit targeting Linux 2.6.x/3.x on x86 and ARM.
- https://github.com/romeroperezabel/ARP-RootKit : An open-source rootkit for the Linux kernel, built to develop new ways of infection and detection.
- https://github.com/nurupo/rootkit : Linux rootkit for Ubuntu 16.04 and 10.04 (Linux kernels 4.4.0 and 2.6.32), both i386 and amd64.
- https://github.com/m0nad/Diamorphine : LKM rootkit for Linux kernels 2.6.x/3.x/4.x (x86 and x86_64).
- https://github.com/ivyl/rootkit : Sample rootkit for Linux.
- https://github.com/deb0ch/toorkit : A simple, useless rootkit for the Linux kernel.
- https://github.com/vrasneur/randkit : Random-number rootkit for the Linux kernel.
- https://github.com/Eterna1/puszek-rootkit : Yet another LKM rootkit for Linux; it hooks the syscall table.
- https://github.com/trimpsyw/adore-ng : Linux rootkit adapted for 2.6 and 3.x kernels.
- https://github.com/bones-codes/the_colonel : An experimental Linux kernel module (rootkit) with a keylogger and built-in IRC bot.
- https://github.com/David-Reguera-Garcia-Dreg/enyelkm : LKM rootkit for Linux x86 with the 2.6 kernel; it inserts salts inside system_call and sysenter_entry.
- https://github.com/falk3n/subversive : x86_64 Linux rootkit using debug registers.
- https://github.com/jiayy/lkm-rootkit : An LKM rootkit supporting x86/x86_64, ARM and MIPS.
- https://github.com/a7vinx/liinux : A Linux rootkit that works on kernel 4.0.x or higher.
- https://github.com/hanj4096/wukong : Wukong, an LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x.
- https://github.com/varshapaidi/Kernel_Rootkit : Linux kernel rootkit to hide modules and the SSH service.
- https://github.com/kacheo/KernelRootkit : Linux kernel rootkit to hide certain files and processes.
- https://github.com/dsmatter/brootus : bROOTus is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and is restricted to kernel 2.6.32.
- https://github.com/jarun/keysniffer : A Linux kernel module to grab keys pressed on the keyboard.
- https://github.com/PinkP4nther/Sutekh : An example rootkit that gives a userland process root permissions (x86, 4.x).
- https://github.com/En14c/LilyOfTheValley : LilyOfTheValley is a simple LKM Linux kernel rootkit for v4.x that works on x86 and x86_64.
- https://github.com/NoviceLive/research-rootkit : LibZeroEvil and the Research Rootkit project, a set of step-by-step, experiment-based courses that help you get started and keep your hands dirty with offensive or defensive development in the Linux kernel.
- https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit (writeup available) : Out of Sight, Out of Mind is a study and implementation of Linux rootkit methods. In addition, a new covert network channel using the Domain Name System (DNS) is implemented.
- https://github.com/h3xduck/Umbra : An experimental LKM rootkit for v4.x/5.x kernels which opens a backdoor that can be used to get a reverse shell remotely.
related stuff
- https://github.com/landhb/DrawBridge : A layer 4 Single Packet Authentication (SPA) module, used to conceal TCP ports on public-facing machines and add an extra layer of security.
- https://github.com/gianlucaborello/libprocesshider : Hide a process under Linux using the ld preloader.
- https://github.com/spiderpig1297/kprochide : LKM for hiding processes from userland. The module is able to hide multiple processes and can dynamically receive new processes to hide.
- https://github.com/spiderpig1297/kfile-over-icmp : kfile-over-icmp is a loadable kernel module for stealthily sending files over ICMP.
- https://github.com/spiderpig1297/kunkillable : LKM (loadable kernel module) that makes userland processes unkillable.