Rootkits are programs that hide the existence of malware by intercepting (i.e., [Hooking](https://attack.mitre.org/techniques/T1179)) and modifying the operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system or lower, including a [Hypervisor](https://attack.mitre.org/techniques/T1062), the Master Boot Record, or the [System Firmware](https://attack.mitre.org/techniques/T1019). (Citation: Wikipedia Rootkit) Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| rootkit_file | Path to the module | String | Module.ko |

```sh
# Load the kernel module directly from its file path
sudo insmod #{rootkit_file}
```
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| rootkit_file | Path to the module | String | Module.ko |

```sh
# Load the kernel module through modprobe, which also resolves its dependencies
sudo modprobe #{rootkit_file}
```
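A detection-side check for both LKM tests above, added here as an example and not part of the Atomic Red Team test itself: an LKM rootkit that unlinks itself from the kernel's module list vanishes from `lsmod` and `/proc/modules`, but its `/sys/module/<name>/` entry usually remains. The function names `find_hidden_modules` and `make_fixture`, and the fixture contents, are constructed for this example; on a real host the function is run against `/proc/modules` and `/sys/module`.

```sh
#!/bin/sh
# Flag loadable kernel modules that have a sysfs entry but no line in
# /proc/modules (the file lsmod reads). Only loadable modules have a
# /sys/module/<name>/initstate file; built-in modules do not, so they
# are skipped to avoid false positives.

# find_hidden_modules PROC_MODULES_FILE SYS_MODULE_DIR
#   Prints one module name per line for each discrepancy found.
find_hidden_modules() {
    proc_modules="$1"
    sys_module_dir="$2"
    for dir in "$sys_module_dir"/*/; do
        [ -f "${dir}initstate" ] || continue
        name=$(basename "$dir")
        # /proc/modules lines start with "<name> <size> <refcount> ..."
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$proc_modules"; then
            echo "$name"
        fi
    done
}

# Build a constructed fixture (hypothetical module names) so the check can
# be exercised without reading the live kernel. Returns the fixture path.
make_fixture() {
    fixture=$(mktemp -d)
    mkdir -p "$fixture/sys/module/ext4" \
             "$fixture/sys/module/evil_lkm" \
             "$fixture/sys/module/builtin_only"
    echo live > "$fixture/sys/module/ext4/initstate"
    echo live > "$fixture/sys/module/evil_lkm/initstate"
    # builtin_only deliberately has no initstate file, like a built-in module
    printf 'ext4 778240 2 - Live 0xffffffffc0a00000\n' > "$fixture/proc_modules"
    echo "$fixture"
}

# Usage on a real Linux host (run as root so sysfs and procfs are fully readable):
#   find_hidden_modules /proc/modules /sys/module
```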
This test exploits a signed driver to execute code in the kernel. The SHA1 hash of the driver is C1D5CF8C43E7679B782630E93F5E6420CA1749A7. We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html. The SHA1 hash of our PoC exploit is DD8DA630C00953B6D5182AA66AF999B1E117F441. This will simulate hiding a process. It would be wise to only run this in a test environment.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys |

```
puppetstrings #{driver_path}
```