Skip to content

A ring0 Loadable Kernel Module (Linux) to log all commnds run on the system.

License

Notifications You must be signed in to change notification settings

Trevohack/R0DDY

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 

Repository files navigation

image

R0DDY: Linux kernel-level rootkit (ring0) to log all commands executed in the system.
GitHub Repo stars Static Badge Static Badge

Install Documentation Usage


Features

  • Stealth Mode: R0DDY hides itself from the lsmod output, making it difficult to detect through common system administration commands.

  • Command Logging: Every command run on the system is logged into /var/log/cmd.log.

  • Compatibility: Currently supporting 4.X kernels (not supported on older kernels)
  • The log includes:

    • TTY: The terminal in which the command was executed.
    • Directory: The current working directory when the command was run.
    • Time: The timestamp of the command execution.
    • Binary: The binary or script being executed.
    • Full Command: The complete command with arguments.
    • Syscall Hooks: To achieve this, R0DDY hooks the execve and execveat system calls, which are responsible for executing programs.
  • Hooks init_module and finit_module to block insertion of other rootkits.

  • Total system calls hooked: 4

image

Important

  • For Educational Purposes Only: R0DDY is intended solely for educational purposes. Please use it responsibly and understand the legal implications of deploying rootkits.

  • Compatibility: R0DDY may not work on older Linux kernels. It relies on specific system call implementations and other features available only in more recent kernel versions.

Code Examples

Hook execve

The hook_execve function is a system call hook that replaces the original execve system call. It intercepts every execution of a program, logs relevant details, and performs additional actions like hiding the rootkit if needed. Here’s a detailed breakdown of how it works:

Function Signature:

notrace asmlinkage long hook_execve(const char __user *filename, const char __user *const __user *argv, const char __user *const __user *envp)
  • notrace: Prevents the function from being traced, improving stealth.
  • asmlinkage: Ensures the function parameters are passed via the stack (common in system call implementations).
  • Parameters:
    • filename: The path to the executable being run.
    • argv: Array of arguments passed to the executable.
    • envp: Array of environment variables passed to the executable.
  1. Forbidden Command Check:
if (check_forbidden_command(filename, argv)) {
return 0;
}
  • Purpose: This checks if the command being run matches a set of forbidden commands.
  • If the command is forbidden, the function returns 0, meaning the command is blocked and not executed.
  1. Log Command:
log_command(filename, args, cwd, tty);
  • Purpose: This logs the command execution details. It logs:
  • filename: The executable being run.
  • args: The arguments passed to the command.
  • cwd: The current working directory.
  • tty: The terminal from which the command was run.

The hook_execve function hooks into the system’s execve syscall, logging details about each executed command (such as the executable name, arguments, current directory, and terminal). It also hides the rootkit if needed and blocks forbidden commands. After logging, it passes control back to the original execve to run the command normally. Error handling ensures that memory is properly freed in case of failure.

Upcoming Features

  • Capture tty where the command is run
  • Capture current working directory where the command is run
  • Get the time when the command is run
  • R0DDY hides itself
  • Hide the log file
  • Compatibility for older and newer kernels
  • Persistence
  • Efficient logging
  • Block insertion of other LKM/rootkits

Installation

  1. Git:
git clone https://github.com/Trevohack/R0DDY 
cd R0DDY 
make 

Usage

  • Insert the R0DDY to the kernel!
insmod R0DDY.ko 
  • Watch out /var/log/cmd.log
tail -f /var/log/cmd.log 
cat /var/log/cmd.log 

Contribute

  • We welcome contributions to help enhance this tool! If you're interested in collaborating, feel free to reach out: Discord Server . Your support is appreciated!

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy