ARM/X86 Rootkit

In this home lab project, you’ll learn how to create an ARM/X86 rootkit on an ARM MacOS host, using Kali Linux and ARM Ubuntu Server. A rootkit is a set of software tools that enable unauthorized access to a computer or network while concealing its existence. This project will provide a comprehensive, hands-on experience with creating and operating a rootkit.

Objectives

1. Understand the basic concepts of rootkits.
2. Create a simple rootkit for educational purposes.
3. Deploy the rootkit in a controlled lab environment.
4. Test and interact with the rootkit using Kali Linux.

Prerequisites

• ARM MacOS computer.
• Kali Linux (ARM) installed.
• ARM Ubuntu Server installed.
• SSH access between Kali Linux and ARM Ubuntu Server.

Step-by-Step Instructions

Step 1: Setup Kali Linux (ARM) and ARM Ubuntu Server

Step 1.1: Setup Kali Linux

1. Install Kali Linux on ARM MacOS:

• Use a virtual machine (VM) software like Parallels or UTM to create a VM for Kali Linux.
• Download the ARM image for Kali Linux from the official website.
• Install Kali Linux on the VM.

1. Update Kali Linux:

sudo apt update && sudo apt upgrade -y

Step 1.2: Setup ARM Ubuntu Server

1. Install ARM Ubuntu Server on ARM MacOS:

• Similarly, use a VM software to create a VM for ARM Ubuntu Server.
• Download the ARM image for Ubuntu Server from the official website.
• Install ARM Ubuntu Server on the VM.

1. Update ARM Ubuntu Server:

sudo apt update && sudo apt upgrade -y

Step 2: Develop the Rootkit

Step 2.1: Prepare the Development Environment

1. Install necessary tools on Kali Linux:

sudo apt install build-essential linux-headers-$(uname -r)

Step 2.2: Write the Rootkit Code

1. Create the rootkit directory on Kali Linux:

• mkdir ~/rootkit cd ~/rootkit

1. Create the rootkit source file (rootkit.c):

• nano rootkit.c

1. Add the following content to rootkit.c:

#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/uaccess.h>

#define PROCFS_NAME "rootkit"

ssize_t procfile_read(struct file *file, char __user *buffer, size_t length, loff_t *offset) {
    static int finished = 0;
    if (finished) {
        finished = 0;
        return 0;
    }
    finished = 1;
    if (copy_to_user(buffer, "Hello from the kernel!\n", 25)) {
        return -EFAULT;
    }
    return 25;
}

static struct proc_ops proc_file_fops = {
    .proc_read = procfile_read,
};

static int __init rootkit_init(void) {
    proc_create(PROCFS_NAME, 0644, NULL, &proc_file_fops);
    printk(KERN_INFO "Rootkit loaded\n");
    return 0;
}

static void __exit rootkit_exit(void) {
    remove_proc_entry(PROCFS_NAME, NULL);
    printk(KERN_INFO "Rootkit unloaded\n");
}

MODULE_LICENSE("GPL");
module_init(rootkit_init);
module_exit(rootkit_exit);

Create the Makefile:

nano Makefile

Add the following content to Makefile:

obj-m += rootkit.o

all:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Step 3: Compile and Test the Rootkit

Step 3.1: Compile the Rootkit on Kali Linux

1. Compile the rootkit module:

make clean
make

Verify the creation of rootkit.ko:

ls

Step 3.2: Transfer the Rootkit to ARM Ubuntu Server

1. Use SCP to transfer the rootkit module:

scp rootkit.ko user@ubuntu_server_ip:/home/user/

Step 4: Deploy and Interact with the Rootkit

Step 4.1: Load the Rootkit on ARM Ubuntu Server

1. SSH into the ARM Ubuntu Server:

ssh user@ubuntu_server_ip

1. Load the rootkit module:

sudo insmod /home/user/rootkit.ko

1. Verify the module is loaded:

lsmod | grep rootkit

Step 4.2: Interact with the Rootkit from Kali Linux

1. Create a script on Kali Linux to interact with the proc file on the ARM Ubuntu Server:
2. Create interact.sh:

nano interact.sh

Add the following content to interact.sh:

#!/bin/bash

SERVER="user@ubuntu_server_ip"  # Replace with your actual server user and address
PROC_FILE="/proc/rootkit"  # Replace with the actual proc file name

# Function to read from the proc file
read_proc() {
    ssh $SERVER "cat $PROC_FILE"
}

# Function to write to the proc file
write_proc() {
    echo "Enter the message to write to $PROC_FILE:"
    read message
    ssh $SERVER "echo '$message' | sudo tee $PROC_FILE"
}

# Main menu
while true; do
    echo "Choose an option:"
    echo "1) Read from $PROC_FILE"
    echo "2) Write to $PROC_FILE"
    echo "3) Exit"
    read -p "Option: " option

    case $option in
        1)
            read_proc
            ;;
        2)
            write_proc
            ;;
        3)
            exit 0
            ;;
        *)
            echo "Invalid option. Please try again."
            ;;
    esac
done

1. Make the script executable:

chmod +x interact.sh

1. Run the script to interact with the rootkit:

./interact.sh

Step 5: Cleanup

Step 5.1: Remove the Rootkit from ARM Ubuntu Server

1. Unload the rootkit module:

sudo rmmod rootkit

1. Verify the module is unloaded:

lsmod | grep rootkit

Step 5.2: Cleanup Files

1. Remove rootkit files from ARM Ubuntu Server:

rm /home/user/rootkit.ko

Summary

This lab provides a hands-on approach to creating and testing a simple rootkit on an ARM-based system using Kali Linux and ARM Ubuntu Server. By following these steps, you gain valuable experience in rootkit development, deployment, and interaction, which is highly employable in the field of cybersecurity.