Environment:
- CPU architecture
- Kernel/User mode (or mixed)

Core capabilities:
- Persistency
- Management interface
- Altering system (library) behavior

Stealth capabilities:
- Detection evasion
- System logs cleaning (filtering)

Hiding stuff capabilities:
- Hiding of files and directories
- Hiding (tampering) of file contents
- Hiding of processes and process trees
- Hiding of network connections and activity
- Hiding of process accounting information (like CPU usage)

Additional functions:
- Keylogger
- Backdoor/shell
- Gaining privileges
Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection.
Azazel is a userland rootkit based on the original LD_PRELOAD technique from the Jynx rootkit.
JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit.
JynxKit is an LD_PRELOAD userland rootkit for Linux systems with a reverse-connection SSL backdoor.
A malicious Apache module with rootkit functionality
Academic project of a Linux rootkit made for a Bachelor of Engineering thesis.
A kernelspace randomized syscall faulter for Linux 4.15+
Reptile is a LKM rootkit written for evil purposes that runs on Linux kernel 2.6.x/3.x/4.x
rkduck - Rootkit for Linux v4
A LKM rootkit for most newer kernel versions.
An LKM rootkit targeting Linux 2.6.x/3.x on x86, and ARM
An open source rootkit for the Linux Kernel to develop new ways of infection/detection.
Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64
LKM rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64)
Sample Rootkit for Linux
A simple useless rootkit for the Linux kernel
Random number rootkit for the Linux kernel
Yet another LKM rootkit for Linux. It hooks the syscall table.
Linux rootkit adapted for 2.6 and 3.x kernels
An experimental linux kernel module (rootkit) with a keylogger and built-in IRC bot
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.
x86_64 Linux rootkit using debug registers
An LKM rootkit supporting x86/64, ARM and MIPS
A Linux rootkit that works on kernel 4.0.x or higher
Wukong: a LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x
Linux kernel rootkit to hide modules and the SSH service
Linux kernel rootkit to hide certain files and processes.
bROOTus is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and is restricted to kernel 2.6.32.
A Linux kernel module to grab the keys pressed on the keyboard.
An example rootkit that gives a userland process root permissions (x86, 4.x)
LilyOfTheValley is a simple LKM Linux kernel rootkit for v4.x that works on x86 and x86_64
This is LibZeroEvil & the Research Rootkit project, in which there are step-by-step, experiment-based courses that help to get you started and keep your hands dirty with offensive or defensive development in the Linux kernel (LibZeroEvil).
Out of Sight, Out of Mind is a study and implementation of Linux rootkit methods. In addition, a new covert network channel using the Domain Name System (DNS) is implemented.
An experimental LKM rootkit for v4.x/5.x kernels which opens a backdoor that can be used to get a reverse shell remotely.
A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.
Hide a process under Linux using the ld preloader
LKM for hiding processes from the userland. The module is able to hide multiple processes and is able to dynamically receive new processes to hide.
kfile-over-icmp is a loadable kernel module for stealth sending of files over ICMP communication.
LKM (loadable kernel module) that makes userland processes unkillable.