Literally a rootkit. (LKM for Linux Kernels 4.14+)
GPL-3.0 License
Quite Literally a Rootkit
This codebase was developed for purely educational reasons. It is illegal to run this code on a machine that is not your own, or that you do not have permission to run it on.
To install, simply run: $ sudo python3 setup.py install
To remove, run: $ sudo python3 setup.py uninstall
If you'd be more comfortable reading these same options in your terminal, run: $ python3 setup.py -h
A known good configuration sequence is:
$ sudo python3 setup.py install
<ENTER>
Y
N
Y
<ENTER>
Y
You'll know things have worked properly if you run $ kill 31337 and are dropped into a root shell. The /garden binary should not be visible when you run $ ls /, even though the command /garden will work. The output of lsmod should not include garden if you've followed the config above.
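The two effects above (a path that lstat() still resolves although ls omits it, and a module absent from lsmod) are the discrepancies a defender looks for. The following is an added detection helper, not part of this project; the module and path names, and the sample /proc/modules text, are constructed for illustration.

```python
"""Added cross-view check (not part of gardening-starter-pack).

Compares two views of the same object: a directory listing against direct
path lookups, and /proc/modules (what lsmod prints) against /sys/module.
A hook that filters directory listings usually leaves direct lookups
working, which is exactly the '/garden runs but ls / hides it' behaviour.
A rootkit can hide from both views, so an empty result is not proof.
"""
import os

# Constructed sample of /proc/modules output; 'garden' is the hypothetical name.
SAMPLE_PROC_MODULES = (
    "garden 16384 0 - Live 0x0000000000000000 (OE)\n"
    "xt_conntrack 16384 1 - Live 0x0000000000000000\n"
)


def parse_proc_modules(text):
    """Return the set of module names (first column) from /proc/modules text."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def names_missing_from_listing(listed, probed_present):
    """Names that a direct probe says exist but the listing omits, sorted."""
    return sorted(set(probed_present) - set(listed))


def check_dir(dirpath, candidates):
    """Probe each candidate with lstat() and compare against os.listdir()."""
    listed = set(os.listdir(dirpath))
    present = [n for n in candidates
               if os.path.lexists(os.path.join(dirpath, n))]
    return names_missing_from_listing(listed, present)


def check_modules(candidates, proc_modules_path="/proc/modules"):
    """Compare /proc/modules with /sys/module for the given names.

    /sys/module also has entries for built-in code, so only pass names
    that should exist solely as loadable modules."""
    with open(proc_modules_path) as fh:
        listed = parse_proc_modules(fh.read())
    present = [n for n in candidates
               if os.path.isdir(os.path.join("/sys/module", n))]
    return names_missing_from_listing(listed, present)


if __name__ == "__main__":
    print("hidden in /:", check_dir("/", ["garden"]))
    print("hidden modules:", check_modules(["garden"]))
```

Run it as root on the VM after the install sequence; on a clean system both lists are empty.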
NOTE: The reverse shell is currently broken. I need to read and understand more about kernel threads in order to implement that part of the rootkit. The magic packet listener is fully functional.
Tested kernels:
4.15.0-15-generic
4.18.0-16-generic
4.18.0-17-generic
Theoretically, this rootkit will be compatible with every kernel above 4.14, but these are the only kernels that have been tested.
If you choose to develop on real hardware, make sure you have a full system backup. If you install the rootkit with the "block uninstallation" option toggled, you will not be able to uninstall it. Your only choice for recovery is a full OS reinstall. (At least, that I am aware of / was able to figure out. I had to re-image my VM a few times...)
Download an Ubuntu 18.04.2 Bionic Beaver VirtualBox or VMWare image from osboxes. This should come with the 4.18.0-15-generic kernel.
Make sure you have a version of Python 3.X installed. I wrote the build script in Python 3.6.7, but anything that's 3.0 or above should work.
$ sudo apt-get update
$ sudo apt-get install gcc make libelf-dev git
# This will not work without my private SSH key.
$ git clone --recurse-submodules git@github.com:alichtman/gardening-starter-pack.git
Then, (for long-term development) add this line to your crontab to deal with the absurd number of debug logs created: 0 * * * * sudo ~/gardening-starter-pack/scripts/clean_vm.sh
See the docs/ directory.
Here are some books, tutorials and projects that helped me as I was writing this.
Linux Kernel Development
Rootkit Development