carloslack/KoviD
GitHub: carloslack/KoviD
An open-source LKM rootkit research tool for Linux kernel 5.x/6.x, intended for red-team stealth-technique research and blue-team kernel threat detection research.
Stars: 636 | Forks: 86

## ⚠️ Important Disclaimer - For Educational and Defensive Security Research Only ⚠️
**This project is strictly for educational purposes and defensive security research.**
### Our Mission
Rootkits are usually closed-source threats that operate in the dark, which makes them hard to understand and hard to defend against. **KoviD exists to change that paradigm** by providing an open-source implementation that:
- **Empowers security researchers** to understand rootkit techniques in a transparent, controlled environment
- **Helps system administrators** learn how to detect and defend against real-world threats
- **Educates students and professionals** about kernel-level security weaknesses
- **Contributes to improving Linux security** by exposing potential attack vectors for defensive purposes
### Why Open-Source Rootkit Research Matters
Most in-the-wild rootkits are closed-source, leaving defenders at a disadvantage. By providing an open-source implementation:
- Security professionals can study real rootkit techniques without reverse-engineering malware
- Defensive tools can be tested against known rootkit behaviour
- The security community can collaborate on detection and prevention methods
- Organizations can prepare their defences against sophisticated kernel-level threats
### Legal and Ethical Use Only
**Warning:** This software is intended solely for authorized security testing and educational purposes.
- **NEVER** use this software on systems you do not own or do not have explicit permission to test
- **NEVER** use this software for any illegal or malicious purpose
- **ALWAYS** comply with all applicable laws and regulations in your jurisdiction
- **REMEMBER:** unauthorized access to computer systems is illegal and unethical
By using this software you agree to use it responsibly, and only to improve security posture and understanding.
## Educational and Research Goals
KoviD serves as a comprehensive educational platform designed for:
### Security Researchers
- **Analyze rootkit behaviour** in a controlled, observable environment
- **Develop detection signatures** for security tools and IDS/IPS systems
- **Test defensive solutions** against known rootkit techniques
- **Study kernel security** weaknesses and mitigation strategies
### System Administrators
- **Learn to recognize** the signs of a rootkit infection
- **Understand attack vectors** in order to better protect production systems
- **Exercise incident response** procedures in a safe environment
- **Validate security tooling** against rootkit techniques
### Students and Educators
- **Hands-on learning** of kernel-level security concepts
- **Practical demonstrations** of theoretical security weaknesses
- **Research projects** on Linux kernel security
- **Thesis work** on rootkit detection and prevention methods
### How This Helps Improve Linux Security
1. **Transparency**: open-source code lets the community understand the threat better
2. **Collaboration**: researchers can develop detection methods together
3. **Innovation**: drives better security tooling and kernel hardening
4. **Preparedness**: helps organizations prepare their defences before they meet the real threat
## 1 - About the KoviD Security Research Tool
```
KoviD is an open-source Loadable Kernel Module (LKM) security research tool
designed to help security professionals understand and defend against rootkit
techniques in Linux Kernel version 5 and later.
This educational tool demonstrates various rootkit capabilities to help defenders:
• Understand how rootkits hide from detection systems
• Test security monitoring and detection tools
• Learn kernel-level security vulnerabilities
• Develop better defensive strategies
Research capabilities demonstrated include:
• Module concealment techniques from SysFS
• Process hiding mechanisms in proc filesystem
• Log manipulation and evasion techniques
• CPU usage concealment methods
• Privilege escalation vectors
• File and directory hiding approaches
• Network connection concealment
By understanding these techniques, security professionals can better protect systems.
```
### 1.1 KoviD's Impact
`KoviD` has influenced the security research community: it is cited by a number of papers and analysis articles, and later tools have adopted its technical ideas.
#### 1.1.1 Articles and Research
```
• [Phrack magazine](http://phrack.org/issues/71/12.html#article)
  Where g1inko works on some challenges posed by `KoviD`
• [Black Hat Arsenal 2025](https://www.youtube.com/watch?v=FKcX-6jReAc)
  wetw0rk's awesome [Sickle Payload Framework](https://github.com/wetw0rk/Sickle),
  `KoviD` is deployed without touching the disk!
• [Sandfly Security](https://sandflysecurity.com/blog/sandfly-5-3-1-new-license-tiers-and-selinux-support)
  Sandfly Agentless Linux Security and stealth rootkit detection techniques
• [Thalium](https://blog.thalium.re/posts/linux-kernel-rust-module-for-rootkit-detection/)
  Linux kernel Rust module for rootkit detection
• [Universite de Bordeaux](https://mastercsi.labri.fr/wp-content/uploads/2025/03/Kovid_Rootkit-Charbonnier_Raphel.pdf)
  Master SCI KoviD rootkit case-study by Charbonnier Elouan & Raphel Elsa
• [Bloo](https://bloo.io/blog/inside-kovid-the-stealthy-linux-kernel-rootkit-threat)
  Inside KoviD: The Stealthy Linux Kernel Rootkit Threat
```
#### 1.1.2 Influence on Other LKM Research
We have also inspired other LKM rootkits that carry some unique feature sets, for example:
```
• Ftrace disabling call interception
• TTY session logging
• tainted mask manipulation
• Process handling
• BPF introspection operations
• SysFS entries re-addition - Essential for debugging and development
```
A rootkit contained in the APT Down leak appears to reuse parts of KoviD's code, in particular the SysFS hide/unhide implementation and its helper routines; see the links below.
[ENKI Whitehat](https://www.enki.co.kr/en/media-center/blog/in-depth-analysis-of-the-apt-down-the-north-korea-files-leak)
[APT Down - The North Korea Files, leak](https://phrack.org/issues/72/7_md)
Many public projects have drawn inspiration from KoviD. In some cases developers adapted the concepts or reused small code snippets to reproduce features that are distinctive to our project:
[blackbox-ave](https://github.com/Yuragy/blackbox-ave)
[basilisk rootkit](https://github.com/lil-skelly/basilisk)
[Singularity rootkit](https://github.com/MatheuZSecurity/Singularity)
### 1.2 Building from Source
We recommend building via `docker`, for example:
```
$ docker build --build-arg BASE_UBUNTU_VERSION=20.04 --build-arg UBUNTU_KERNEL_VERSION=5.15.0-43-generic -t kovid-builder .
```
For more information, see `docs/Automated-Build-With-Docker.md`.
### 1.3 Main Test Environments
```
6.x: Linux 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC x86_64 x86_64 x86_64 GNU/Linux
gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
5.x: Ubuntu 22.04.1 LTS
Linux hash-virtual-machine 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC UTC 2 x86_64 x86_64 x86_64 GNU/Linux
5.x: Linux Standard-PC-Q35-ICH9-2009 5.15.0-43-generic #46-Ubuntu
SMP x86_64 x86_64 x86_64 GNU/Linux
5.x: Ubuntu 22.04 LTS
Linux 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0
5.x: Ubuntu 20.10
Linux ubuntu 5.8.0-55-generic #62-Ubuntu SMP Tue Jun 1 08:21:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 10.3.0-1ubuntu1~20.10) 10.3.0
5.x: Ubuntu 18.04.5 LTS
Linux ubuntu 5.4.0-89-generic #100~18.04.1-Ubuntu SMP Wed Sep 29 10:59:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
4.x: Debian GNU/Linux 10
Linux debian10teste 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
gcc (Debian 8.3.0-6) 8.3.0
4.x: CentOS Linux release 8.3.2011
4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (GCC) 8.3.1 20191121 (Red Hat 8.3.1-5)
```
## 2 - Features
### 2.1 Hiding Itself (the Module)
```
KoviD hides itself, making it challenging to detect. It customizes kernel
code to evade anti-rootkit detectors and disappears
from /sys/module listings.
```
### 2.2 Hiding Files and Directories
```
KoviD hides files and directories effectively by hijacking filldir and
filldir64 kernel functions, significantly simplifying the process.
```
### 2.3 Function and Syscall Hijacking: Ftrace
```
KoviD leverages Ftrace, a legitimate method for
function and syscall hijacking in Kernel v5+.
This approach offers greater stability compared
to traditional hooking techniques.
```
### 2.4 Backdoors
```
KoviD incorporates popular and reliable methods for backdooring systems,
such as port-knocking with custom packets.
These open connections to Netcat, OpenSSL, and Socat sessions.
```
### 2.5 Firewall Evasion
```
KoviD sends magic packets and establishes reverse shell connections.
These packets trigger netfilter hooks and instruct KoviD to create a
reverse shell connection. These outgoing packets bypass iptables rules,
ensuring effective evasion.
```
### 2.6 Tasks
```
Hiding processes is a crucial feature, giving KoviD the
ability to run undetected. It provides full support for
children processes, ensuring that no hanging processes are left behind.
```
### 2.7 Logs
```
KoviD's hidden tasks result in missing logs, making it
even more challenging for administrators to detect its
presence. It eliminates logs generated by userland tools
like w, lsmod, ps, who, ls.
```
### 2.8 TCP/UDP Logs
```
KoviD hides network connections and manipulates network logs
to maintain stealth for back-doors. Libpcap+recvmsg.
(ss, tcpdump, netstat...)
```
### 2.9 r00t
```
Gain root privileges easily with kill -SIGCONT 666.
```
### 2.10 CPU - Hiding/Mining
```
KoviD hides CPU consumption, making its processes invisible
as heavy consumers. However, be cautious not to max out the CPU,
as this can lead to unusual usage patterns.
```
### 2.11 Persistence
```
KoviD offers persistence via Volundr. It can infect executables,
like SSHD, to ensure KoviD loads on reboot. You can also use your
preferred tool, Volundr use here is just a suggestion.
```
### 2.12 Base Addresses
```
KoviD allows for the retrieval of base addresses of other executables
without needing to open /proc//maps.
```
### 2.13 BPF
```
KoviD can evade few anti-rootkit tools that rely on BPF
(Berkeley Packet Filter) for detecting rootkits.
Tested against:
https://github.com/pathtofile/bpf-hookdetect.git
```
### 2.14 Taint Flag
```
$ sudo insmod ./kovid.ko
$ cat /proc/sys/kernel/tainted
0
```
## 3 - Usage
```
Before compiling and loading KoviD, edit the Makefile to choose a unique
name for /proc/. Compile and load KoviD using sudo insmod kovid.
Ensure the chosen name for /proc/ is not easily predictable.
```
### 3.1 /proc/ Interface
```
To enable the /proc/mytest interface, use the command:
$ kill -SIGCONT 31337.
The interface will disable itself after 120 seconds and can be
reactivated using the same command.
```
### 3.2 Command Return Codes
```
Some commands can return a status code.
Enable status code:
$ echo output-enable >/proc/mytest
$ cat /proc/mytest
1
$ echo output-disable >/proc/mytest
$ cat /proc/mytest
0
0 disabled
1 enabled
Command example after output-enable:
$ echo hide-lkm >/proc/mytest
$ cat /proc/mytest
0
```
### 3.3 Tasks
```
You can hide/unhide processes using the /proc/mytest interface.
For example, to hide a task, run: $ echo 14886 >/proc/mytest.
If a task is a backdoor that needs tcp hiding, run:
$ echo hide-task-backdoor= >/proc/mytest
Unhiding is the same as for regular tasks:
$ echo "" >/proc/mytest
```
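The task hiding described in 2.6 and driven by the commands above removes a process from the `/proc` directory listing. The following is an added example, not code from the KoviD project, showing how a defender can cross-check that listing against the PID space: a filldir/filldir64 hook filters `readdir()` results, but a direct lookup of `/proc/<pid>/status` and a `kill(pid, 0)` probe do not pass through filldir. It assumes Linux with a readable `/proc`; a rootkit that additionally hooks path lookup or the kill syscall will not be caught by this check, and thread ids (which are legitimately absent from the listing) and processes created mid-scan are filtered out so they do not show up as false positives.

```c
/* Added example (not KoviD project code): report processes that are alive
 * but missing from readdir() on /proc. Assumes Linux and a readable /proc. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define PID_MAX_FALLBACK 32768

/* Read /proc/sys/kernel/pid_max, falling back to the historical default. */
static int read_pid_max(void)
{
    int v = PID_MAX_FALLBACK;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%d", &v) != 1 || v <= 0)
            v = PID_MAX_FALLBACK;
        fclose(f);
    }
    return v;
}

/* Mark seen[pid] for every numeric entry readdir() returns in /proc.
 * This is the view a filldir hook can filter. Returns -1 if /proc is unusable. */
static int collect_listed(unsigned char *seen, int pid_max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int n = 0;
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (e->d_name[0] != '\0' && *end == '\0' && pid > 0 && pid < pid_max) {
            seen[pid] = 1;
            n++;
        }
    }
    closedir(d);
    return n;
}

/* 1 if /proc/<pid>/status opens by direct lookup and its Tgid equals pid,
 * i.e. pid is a thread-group leader. Thread ids are legitimately absent from
 * the /proc listing, so they must not be reported as hidden. */
int is_process_leader(int pid)
{
    char path[64], line[256];
    int tgid = -1;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    if ((f = fopen(path, "r")) == NULL)
        return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1)
            break;
    fclose(f);
    return tgid == pid;
}

/* Scan the PID space. Hidden pids are written to out[] (at most max_out);
 * the return value is the total number found, or -1 on error. */
int find_hidden_pids(int *out, int max_out)
{
    int pid_max = read_pid_max();
    unsigned char *seen = calloc((size_t)pid_max, 1);
    int found = 0;
    if (!seen)
        return -1;
    if (collect_listed(seen, pid_max) < 0) {
        free(seen);
        return -1;
    }
    for (int pid = 1; pid < pid_max; pid++) {
        if (seen[pid])
            continue;
        /* kill(pid, 0) delivers nothing: ESRCH means no such task,
         * 0 or EPERM means a task with this id exists. */
        if (kill(pid, 0) == -1 && errno == ESRCH)
            continue;
        if (!is_process_leader(pid))
            continue;
        /* Re-list /proc: a process forked after the first listing is a
         * race, not hiding. Only a still-absent, still-alive leader counts. */
        collect_listed(seen, pid_max);
        if (seen[pid] || !is_process_leader(pid))
            continue;
        if (found < max_out)
            out[found] = pid;
        found++;
    }
    free(seen);
    return found;
}

/* Is pid among the first n entries of list[]? */
int pid_in_list(const int *list, int n, int pid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == pid)
            return 1;
    return 0;
}

int main(void)
{
    int hidden[128];
    int n = find_hidden_pids(hidden, 128);
    if (n < 0) {
        perror("/proc");
        return 1;
    }
    printf("%d hidden process(es)\n", n);
    for (int i = 0; i < n && i < 128; i++)
        printf("  pid %d is alive but absent from the /proc listing\n", hidden[i]);
    return n ? 2 : 0;
}
```

Run it as root on a host where a task has been hidden with the command above and the hidden pid is printed; on a clean host it prints `0 hidden process(es)`. Because `/proc` mounted with `hidepid=2` also keeps other users' entries out of the listing, the check relies on the direct `status` lookup succeeding, so it never reports what it cannot open.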
### 3.4 Hiding the Module
```
To hide the KoviD module, use the command: `$ echo hide-lkm >/proc/mytest`.
In release mode, the module is hidden by default,
and a key can be displayed by running `$ cat /proc/mytest`.
```
### 3.5 Hide/Unhide/List Files and Directories
```
To hide a file or directory, use:
$ echo hide-file=/tmp/README.txt >/proc/mytest
To unhide, use:
$ echo unhide-file=README.txt >/proc/mytest
You can list hidden files
and directory names with:
$ echo list-hidden-file >/proc/mytest.
```
### 3.6 SSH/FTP TTY Sniffer
```
KoviD can snoop SSH sessions via tty keystrokes and steal passwords
and commands effectively.
```
### 3.7 Backdoor
```
For instructions, run 'scripts/bdclient.sh' and a help list is displayed.
```
## 4 - Bugs
```
As with any software, KoviD may have bugs.
If you encounter issues or oopses, please report them in detail for
potential fixes. Test KoviD extensively, preferably in a VM that
mimics the target environment.
Disclaimer: The use of KoviD in a real target is discouraged
```