
rootkit - Linux rootkit for Ubuntu 16

  •    C

A simple Linux kernel rootkit written for fun, not evil. The rootkit was tested to work on Linux kernels 2.6.32-38 and 4.4.0-22 as provided by Ubuntu in Ubuntu 10.04.4 LTS and Ubuntu 16.04 LTS respectively, but it should be very easy to port to kernels in-between, as well as newer ones.

HiddenWall - Tool to generate a Linux kernel module for custom rules with Netfilter hooking. (block ports, Hidden mode, rootkit functions etc)

  •    C

HiddenWall is a Linux kernel module generator for custom rules with Netfilter (block ports, hidden mode, rootkit functions etc.). The motivation: in a bad situation, an attacker can bring down your iptables/ufw rules, but if you have HiddenWall, the attacker will not find the hidden kernel module that blocks external access, because it hooks Netfilter in kernel land (think of it as a second layer for the firewall).

s6_pcie_microblaze - PCI Express DIY hacking toolkit for Xilinx SP605

  •    C

This repository contains a set of tools and proof of concepts related to PCI-E bus and DMA attacks. It includes an HDL design which implements a software-controllable PCI-E gen 1.1 endpoint device for the Xilinx SP605 Evaluation Kit with Spartan-6 FPGA. In comparison with the popular USB3380EVB, this design allows operating with raw Transaction Layer Packets (TLP) of the PCI-E bus and performing full 64-bit memory read/write operations. It's an early version of my first more or less complicated FPGA project, so the speed is quite slow (around 1-2 Mb/s), but in upcoming releases it will be significantly increased by connecting the PCI-E endpoint to a MicroBlaze soft processor with an AXI DMA engine. However, even such low speed is more than enough for reliable implementation of various practical attacks over the PCI-E bus: to demonstrate applied use cases of the design, there's a tool for pre-boot DMA attacks on UEFI-based machines which allows executing arbitrary UEFI DXE drivers during platform init. Another example shows how to use pre-boot DMA attacks to inject a Hyper-V VM exit handler backdoor into virtualization-based-security-enabled Windows 10 Enterprise running on a UEFI Secure Boot enabled platform. The provided Hyper-V backdoor PoC might be useful for reverse engineering and exploit development purposes; it provides an interface for inspecting hypervisor state (VMCS, physical/virtual memory, registers, etc.) from the guest partition and performing guest-to-host VM escape attacks. s6_pcie_microblaze.xise − Xilinx ISE project file.

awesome-linux-rootkits - awesome-linux-rootkits


BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection.

enyelkm - LKM rootkit for Linux x86 with the 2.6 kernel

  •    C

LKM rootkit for Linux x86 with the 2.6 kernel. It inserts jumps inside system_call and sysenter_entry. EnyeLKM hides files, directories and processes by inserting jumps to trampoline functions in both the system_call() and sysenter_entry() code paths in the kernel. All user space applications (read(), write(), etc.) invoke kernel space functionality (system calls) through one of these two entry points.

lsrootkit - Rootkit Detector for UNIX

  •    C

Warning!!: the code is bullshit (it is only a beta prototype). Very important: if the lsrootkit process crashes, you may have a rootkit in the system that itself has bugs (memory leaks etc.).

shadow-box-for-arm - Shadow-Box: Lightweight and Practical Kernel Protector for ARM (Presented at BlackHat Asia 2018)

  •    C

Shadow-box v2 (for ARM) is the next generation of Shadow-box v1 (for x86). If you want to know about Shadow-box for x86, please visit the Shadow-box for x86 project. Shadow-box for ARM is an ARM TrustZone-based, practical kernel protector, and it was introduced at the security conferences listed below.

shadow-box-for-x86 - Shadow-Box: Lightweight and Practical Kernel Protector for x86 (Presented at BlackHat Asia 2017/2018, beVX 2018 and HITBSecConf 2017)

  •    C

Shadow-box v2 (for ARM) is the next generation of Shadow-box v1 (for x86). If you want to know about Shadow-box for ARM, please visit the Shadow-box for ARM project. Shadow-box is a lightweight and practical kernel protector, and it was introduced at the security conferences listed below.

Simple-Antirootkit-SST-Unhooker - This is a demo project to illustrate the way to verify and restore original SST in case of some malware hooks

  •    C++

There are a number of ways for malware to intrude into a system. This project is a simple software solution that helps remediate one aspect of possible rootkit intrusions: System Service Table (SST) violations performed to hide files, services, or processes. This anti-rootkit restores the original SST. Rootkit detection is based on comparing the current in-memory SST with the one stored on disk in ntoskrnl.exe; the comparison uses memory-mapped files from kernel mode.

WSAAcceptBackdoor - Winsock accept() Backdoor Implant.

  •    C

This project is a POC implementation of a DLL implant that acts as a backdoor for Winsock accept API calls. Once the DLL is injected into the target process, every accept call is intercepted using Microsoft's Detours library and redirected into the BackdooredAccept function. When a socket connection with a pre-defined special source port is established, the BackdooredAccept function launches a cmd.exe process and binds the accepted socket to the process STDOUT/STDIN using a named pipe.

mojo_thor - Research about malware that infects the EFI and SMC of Apple MacBooks.

  •    Assembly

Loki / Thor / Mojo are a triad of Apple internal tools and malware that infect the SMC, EFI and macOS of Apple MacBooks.
