ksymless - A kernel rootkit works without kallsyms скачать в хорошем качестве

ksymless - A kernel rootkit works without kallsyms

R3 0816 Successfully executing code in the kernel is not necessarily the end of an attack. There's a gap between opening backdoor and achieving persistent, stealthy control — and that's where a Linux kernel rootkit comes in. Its focus is not on exploitation, but rather on maintaining long-term control and hiding information. A key technique is function hooking, which alters kernel behavior. To perform function hooking, the addresses of kernel functions must be known. Most existing rootkits rely on kallsyms to retrieve these addresses, but kallsyms can be disabled under certain kernel configurations. Therefore, the goal of ksymless is to control system calls and the filesystem — and to hide information — without relying on kallsyms, instead leveraging other kernel mechanisms. ksymless targets Linux version 6.11 and above on the x86-64 architecture and is designed to minimize dependencies on specific kernel configurations. Under this premise, ksymless implements several capabilities, including a framework for controlling syscalls and procfs, hiding files and network connections, kernel-level process hiding, persistent kernel module injection, and remote backdoor access. In addition, ksymless considers user experience by providing shell scripts for some use cases, such as one-click generation of a minimal Live USB and one-click injection of malicious programs. Chisheng Chen Chisheng Chen, also known as rota1001, is a CTF player from the team B33P 50UP and a computer science student at National Cheng Kung University. He began participating in CTF competitions 1.5 years ago, with a focus on pwn, crypto, and reverse. He has also spent some time studying operating systems and malware development. In recent months, he has shifted his focus to Linux kernel research and has started developing kernel rootkits.