- 101
- General Information
- Introducing Ring -3 Rootkits
- Rise of the dual architecture usermode rootkit
- Pitfalls of virtual machine introspection on modern hardware
- Thunderstrike
- Thunderstrike is the name for a class of Apple EFI firmware security vulnerabilities that allow malicious software or Thunderbolt devices to flash untrusted code to the boot ROM and propagate via shared devices.
- SharknAT&To
- Platforms
- Android
- FreeBSD
- Linux
- Educational
- BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware - Defcon 21
- Kernel Rootkit Experiences - stealth
- How to Write Your Own Linux Kernel Module with a Simple Example - thegeekstuff.com
- Writing a Linux character Device Driver - appusajeev.wordpress
- Linux Kernel: System call hooking example - StackOverflow
- Examples
- Suterusu
- An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM
- DragonKing Rootkit
- This is an open source rootkit created for a class taught on Rootkit Design. This rootkit hides by hooking the system call table and using an agent to do interactive manipulation in userland.
- Diamorphine
- Diamorphine is an LKM rootkit for Linux Kernels 2.6.x/3.x/4.x originally developed by m0nad and forked by me. This fork hides high CPU usage from tools like top, htop or other commonly used utilities, by hooking the read() syscall and modifying the buffer returning the contents for /proc/stat and /proc/loadavg. The syscall sysinfo() is also hooked, but it's not used by these tools.
- Writeups
- Linux on-the-fly kernel patching without LKM - sd, devik
- Analyzing the Jynx rootkit and the LD-Preload technique
- In this post I will analyze the Jynx rootkit using Volatility’s new Linux features.
- Smart TV Security - #1984 in 21st century
- This talk is more about security bugs and rootkits than about firmware for TVs. This talk more covers rootkits than security bugs and exploitation thereof, as they’re not different to traditional techniques. This talk is about general security issues of all Smart TV vendors.
- Tools
- Shadow Walker
- Shadow Walker - Raising the Bar for Rootkit detection - BH 2005
- TLB Synchronization (Split TLB)
- Slides - MoRE Shadow Walker: TLB-splitting on Modern x86
- MoRE, or Measurement of Running Executables, was a DARPA Cyber Fast Track effort to study the feasibility of utilizing x86 translation look-aside buffer (TLB) splitting techniques for realizing periodic measurements of running and dynamically changing applications. It built upon PaX, which used TLB splitting to emulate the no-execute bit, and Shadow Walker, a memory hiding rootkit; both were designed for earlier processor architectures. MoRE and MoRE Shadow Walker are a defensive TLB splitting system and a prototype memory hiding rootkit for the current Intel i-series processors respectively, demonstrating the evolution of the x86 architecture and how its complexity allows software to affect the apparent hardware architecture.
- Video - MoRE Shadow Walker: TLB-splitting on Modern x86
- This presentation provides a cohesive overview of the work performed by AIS, Inc. on the DARPA CFT MoRE effort. MoRE was a 4-month effort which examined the feasibility of utilizing TLB splitting as a mechanism for periodic measurement of dynamically changing binaries. The effort created a proof-of-concept system to split the TLB for target applications, allowing dynamic applications to be measured and code corruption to be detected with low performance overhead.
- Measurement of Running Executables
- Educational
- OS X
- Crafting Mac OS Rootkits
- Masochist
- Masochist is a framework for creating XNU based rootkits. Very useful in OS X and iOS security research.
- Revisiting Mac OS X Kernel Rootkits - fG! phrack@put.as
- UEFI
- Windows
- Educational
- NTIllusion: A portable Win32 userland rootkit - Kdm
- KernelMode Rootkits: Part 1, SSDT hooks - adlice
- KernelMode Rootkits: Part 2, IRP hooks - adlice
- KernelMode Rootkits: Part 3, kernel filters - adlice
- Program Develop: Windows Rootkits
- Stealth hooking: Another way to subvert the Windows kernel - mxatone and ivanlef0u
- A Catalog of Windows Local Kernel-mode Backdoors
- This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits.
- Raising The Bar For Windows Rootkit Detection - Phrack
- Concepts for the Stealth Windows Rootkit (The Chameleon Project) - Joanna Rutkowska, 2003
- futo
- Since the introduction of FU, the rootkit world has moved away from implementing system hooks to hide their presence. Because of this change in offense, a new defense had to be developed. The new algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of simply detecting the presence of the rootkit's hooks. This paper will discuss an algorithm that is used by both BlackLight and IceSword to detect hidden processes. This paper will also document current weaknesses in the rootkit detection field and introduce a more complete stealth technique implemented as a prototype in FUTo.
- Examples
- WindowsRegistryRootkit - Cr4sh
- Kernel rootkit that lives inside the Windows registry value data.
- DdiMon
- DdiMon is a hypervisor performing inline hooking that is invisible to a guest (i.e., any code other than DdiMon) by using extended page tables (EPT). DdiMon is meant to be an educational tool for understanding how to use EPT from a programming perspective for research. To demonstrate it, DdiMon installs the invisible inline hooks on the following device driver interfaces (DDIs) to monitor activities of the Windows built-in kernel patch protection, a.k.a. PatchGuard, and hide certain processes without being detected by PatchGuard.
- HookPasswordChange
- Writeups
- Educational
- Defense Against/Identifying
- Killing Rootkits
- Killing the Rootkit - Shane Macaulay
- Cross-platform, cross-architecture DKOM detection
- Driver security checklist - docs.ms
- This article provides a driver security checklist for driver developers to help reduce the risk of drivers being compromised.
- Tyton
- Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.
- Homepage
- Interesting Things
- From Kernel to VM
- Description from stormeh on reddit (https://www.reddit.com/r/rootkit/comments/25hsc4/jacob_i_torrey_from_kernel_to_vmm/): Although it's not directly a lecture about rootkit development, the topics discussed are very much of interest: hardware virtualization, page table and TLB manipulation, hypervisors and privilege levels below ring 0, etc. The speaker does also go on to mention how prior rootkits such as Blue Pill and Shadow Walker leveraged these features, as well as defensive technologies such as PaX.
- Slides
- Demon
- GPU keylogger PoC by Team Jellyfish
- WIN_JELLY
- Windows GPU RAT PoC by Team Jellyfish. Project demonstrates persistent executable code storage in the GPU that later can be mapped back to userspace after reboot. The sole purpose why we titled this concept that of a trojan is due to what it's capable of. Simply use this code to hide your own basically; we aren't responsible.
- Samples
- GPU
- Android
- FreeBSD
- Linux
- OS X
- Physical
- Implementation and Implications of a Stealth Hard-Drive Backdoor
- Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial over-the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement backdoor. The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a remote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to exfiltrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key file) in less than a minute. This paper claims that the difficulty of implementing such an attack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
- VM
- Windows
- HORSE PILL
- Horse Pill is a PoC of a ramdisk-based containerizing rootkit. It resides inside the initrd and, prior to the actual init running, it puts init into a mount and PID namespace that allows the rootkit to run covert processes and keep covert storage. This also allows it to run covert networking systems, such as DNS tunnels.
- WindowsRegistryRootkit
- Kernel rootkit that lives inside the Windows registry value data. By Oleksiuk Dmytro (aka Cr4sh)
- The rootkit uses a zero-day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get execution at OS startup.
- WoW64 internals...re-discovering Heaven's Gate on ARM - wbenny
- 5 Days To Virtualization: A Series On Hypervisor Development - Daax Rynd
- Day 2: Entering VMX Operation, Explaining Implementation Requirements - Daax Rynd
- Find which process is using the microphone, from a kernel-mode driver - Bruce Dang
- Disable DSE and WinTcb (without breaking DRM)
- Windows x64 Driver Signature Enforcement Overrider
- Some fun with vintage bugs and driver signing enforcement - kat.lua
- This work-in-progress ring 3 rootkit hides processes, files and directories from applications in user mode. Future implementation for modules, registry, services and possibly other entities is planned.