tkmru / Awesome Linux Rootkits
a summary of linux rootkits published on GitHub
Stars: ✭ 107
Labels
Projects that are alternatives of or similar to Awesome Linux Rootkits
linux-rootkits-red-blue-teams
Linux Rootkits (4.x Kernel)
Stars: ✭ 56 (-47.66%)
Mutual labels: rootkit
Diamorphine
LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86/x86_64 and ARM64)
Stars: ✭ 725 (+577.57%)
Mutual labels: rootkit
Awesome Windows Kernel Security Development
windows kernel security development
Stars: ✭ 1,208 (+1028.97%)
Mutual labels: rootkit
Vegile
This tool will setting up your backdoor/rootkits when backdoor already setup it will be hidden your spesisifc process,unlimited your session in metasploit and transparent. Even when it killed, it will re-run again. There always be a procces which while run another process,So we can assume that this procces is unstopable like a Ghost in The Shell
Stars: ✭ 478 (+346.73%)
Mutual labels: rootkit
Rootkits List Download
This is the list of all rootkits found so far on github and other sites.
Stars: ✭ 815 (+661.68%)
Mutual labels: rootkit
S6 pcie microblaze
PCI Express DIY hacking toolkit for Xilinx SP605
Stars: ✭ 301 (+181.31%)
Mutual labels: rootkit
Emp3r0r
linux post-exploitation framework made by linux user
Stars: ✭ 419 (+291.59%)
Mutual labels: rootkit
Hidden
Windows driver with usermode interface which can hide objects of file-system and registry, protect processes and etc
Stars: ✭ 768 (+617.76%)
Mutual labels: rootkit
Sutekh
An example rootkit that gives a userland process root permissions
Stars: ✭ 62 (-42.06%)
Mutual labels: rootkit
Rootkit
Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64
Stars: ✭ 601 (+461.68%)
Mutual labels: rootkit
Shadow Box For Arm
Shadow-Box: Lightweight and Practical Kernel Protector for ARM (Presented at BlackHat Asia 2018)
Stars: ✭ 64 (-40.19%)
Mutual labels: rootkit
Vlany
Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
Stars: ✭ 804 (+651.4%)
Mutual labels: rootkit
Awesome Linux Rootkits 
The following is a quote from wikipedia.
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a compound of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Linux rookit has been published a lot on GitHub. This page is a summary of them.
LD_PRELOAD rootkit
- mempodippy/vlany: Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
- chokepoint/azazel: Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection.
- chokepoint/jynxkit: JynxKit is an LD_PRELOAD userland rootkit for Linux systems with reverse connection SSL backdoor
- chokepoint/Jynx2: JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit. The backdoor has been replaced with an "accept()" system hook.
- ChristianPapathanasiou/apache-rootkit: A malicious Apache module with rootkit functionality
- unix-thrust/beurk: BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
Kernel Module rootkit
- mncoppola/suterusu: An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM
- m0nad/Diamorphine: LKM rootkit for Linux Kernels 2.6.x/3.x/4.x
- nurupo/rootkit: Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64
- QuokkaLight/rkduck: Linux v4.x.x Rootkit
- David-Reguera-Garcia-Dreg/enyelkm: LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.
- trimpsyw/adore-ng: linux rootkit adapted for 2.6 and 3.x
Ramdisk rootkit
- r00tkillah/HORSEPILL: HORSEPILL rootkit PoC
- us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
Rootkit checker
- chkrootkit -- locally checks for signs of a rootkit
- The Rootkit Hunter project
- ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Materials
- Malware Memory Analysis of the Jynx2 Linux Rootkit (Part 1): Investigating a Publicly Available Linux Rootkit Using the Volatility Memory Analysis Framework
- SANS Institute: Rootkit Detection with OSSEC
- The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint
- The magic of LD_PRELOAD for Userland Rootkits | FlUxIuS' Blog
- Linux Rootkit Internals - Speaker Deck
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].