This tutorial is for educational purposes only, and by NO MEANS should you actually be malicious when (or after) making a rootkit. I thought I'd share how to do this for any security-minded people who would like to learn more about how to prevent or look for rootkits. This will be done in C on Linux, probably using libraries and functions you've never seen. It is also advisable to do this in a VM to get the hang of compiling and loading modules. Messing with the kernel can cause things to go crazy, if not break; you have been warned.
So what is a rootkit anyways?
Simply put: it is a malicious program that hides its own existence from within an operating system in order to perform malicious activities that go unseen. Imagine a program embedded in your current OS that actively hides a virus from your process list, or replaces log file output, or both, effectively erasing its very existence.
It can manipulate system calls from within protected kernel memory, or redirect packets arriving on one interface out through another. This tutorial will focus on hooking system calls to perform these activities.
In the first section of this tutorial we will make our very own system call, followed by a rootkit that hooks that system call. In the final part we will create a rootkit that hides a process of our choosing.
User Space and Kernel Space
The reason we are making a system call first is to better understand what happens in kernel space vs user space. Processes running in user space have limited access to memory, while kernel space has access to all memory.
However, user space can access kernel space through interfaces exposed by the kernel: system calls.
If you've ever programmed in C and played around in Linux (yes, we will be programming in C, but no worries, it will be simple), then you've probably used system calls without even knowing it. read(), write() and open() are just a few examples of system calls that are usually invoked on your behalf from within library functions such as fopen() or fprintf().
Just because you are running as root does not mean you are in kernel space. Running as root is actually a user space process.
Root's UID is 0, and the kernel checks that UID to verify its permissions. Superuser privileges still make requests to the kernel through the system call interfaces. I hope that is clear; if not, you should probably research more elsewhere before beginning this.
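To see the boundary described above from the defender's side, here is an added example (not part of the original tutorial) that forks a child doing nothing but ordinary stdio calls and traces it with ptrace(2), the same mechanism strace uses, counting how many times the child actually enters write(2). It assumes an x86-64 Linux host (the syscall number is read from orig_rax) and that ptrace is permitted for a parent tracing its own child.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Trace a child that only uses fopen/fprintf/fclose and count how many times
 * it enters write(2). Library calls bottom out in that single kernel
 * interface, which is exactly what a syscall-hooking rootkit gets to see.
 * Assumes x86-64 (orig_rax holds the syscall number). Returns -1 on error. */
long count_write_syscalls(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: ask to be traced, then stop so the parent can take over. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(2);
        raise(SIGSTOP);
        FILE *f = fopen("/dev/null", "w");        /* openat(2) underneath */
        if (!f)
            _exit(1);
        fprintf(f, "hello from user space\n");    /* only fills stdio buffer */
        fclose(f);                                /* flush: here is write(2) */
        _exit(0);                                 /* don't flush inherited buffers */
    }
    int status, in_syscall = 0;                   /* entry/exit stops alternate */
    long hits = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            return -1;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!in_syscall) {                        /* syscall-entry stop */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
                return -1;
            if (regs.orig_rax == SYS_write)
                hits++;
        }
        in_syscall = !in_syscall;
    }
    return hits;
}
```

The child never calls write() itself, yet the tracer reports exactly one write(2) entry (the fclose() flush); run it under strace as well and you will see the identical openat/write/close sequence.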
Ok enough chat, let’s get started.
- A Linux kernel (I am using a Debian minimal install, kernel version 3.16.36)
- Virtual machine software (VMware, VirtualBox, ESXi, etc.)
- I recommend giving the VM 2 cores and a minimum of 4GB RAM, but 1 core and 2GB will do.