Hunting for Rootkits in memory

Hey Squad,

Today we will be hunting for two well-known Linux rootkits, Diamorphine and Reptile.

To learn more about Linux rootkits, please read this blog first: https://foxtrot-sq.medium.com/linux-rootkits-multiple-ways-to-hook-syscall-s-7001cc02a1e6.

Diamorphine -> https://github.com/m0nad/Diamorphine

Reptile -> https://github.com/f0rb1dd3n/Reptile/

We have memory dumps from the infected machines, so let’s start the analysis.


Diamorphine

We will use the following Linux profile: Linuxprofile-2_6_32-754_el6_x86_64x64

The linux_check_modules plugin leverages sysfs to detect the hidden module: it compares the modules that still have an entry under /sys/module with the kernel’s module list and reports any module present in sysfs but missing from the list, which is exactly what Diamorphine leaves behind when it unlinks itself.

Plugin: linux_check_syscall

This plugin prints the system call tables and checks for hooked functions. For 64-bit systems, it prints both the 32-bit and 64-bit tables. If a function is hooked, you’ll see “HOOKED” displayed in the output; otherwise, you’ll see the name of the system call function.

linux_check_syscall identified three hooked syscalls (62, 78 and 217).

Let’s look at the hooked syscall 62 next to the legitimate syscall 62.

[Image: syscall 62 handler in the infected dump]
[Image: syscall 62 handler in the pristine dump]

By comparing the two entries (sys_kill in the pristine system versus the handler registered for syscall 62 in the infected system) you can see what a hook looks like: the table slot no longer points at the kernel’s own sys_kill.
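As an added example (not from the post and not Volatility’s own code), here is the check that linux_check_syscall performs, re-implemented over a constructed x86_64 sys_call_table snapshot: every entry must resolve to a known kernel symbol that lies inside the kernel’s text range, and anything else is reported as HOOKED. It also does the pristine-versus-infected comparison from the two screenshots above in code. All addresses, the symbol table and the “module region” values are constructed; syscall numbers 62, 78 and 217 are x86_64 kill, getdents and getdents64, the three entries the plugin flagged.

```python
# Added example: the test behind linux_check_syscall, re-implemented over a
# constructed sys_call_table snapshot. Not Volatility's code; every address is made up.

# Constructed kernel text range (a real run takes this from the profile's System.map).
KERNEL_TEXT_START = 0xFFFFFFFF81000000
KERNEL_TEXT_END = 0xFFFFFFFF81A00000

# Constructed System.map-style symbol table: address -> symbol name.
SYSTEM_MAP = {
    0xFFFFFFFF8116E9A0: "sys_read",
    0xFFFFFFFF8116EA60: "sys_write",
    0xFFFFFFFF8106D8C0: "sys_kill",
    0xFFFFFFFF8119B2E0: "sys_getdents",
    0xFFFFFFFF8119B3C0: "sys_getdents64",
}

# x86_64 syscall numbers for the entries in the snapshot.
SYSCALL_NAMES = {0: "read", 1: "write", 62: "kill", 78: "getdents", 217: "getdents64"}

# Constructed pristine table: syscall number -> handler address.
PRISTINE_TABLE = {
    0: 0xFFFFFFFF8116E9A0,
    1: 0xFFFFFFFF8116EA60,
    62: 0xFFFFFFFF8106D8C0,
    78: 0xFFFFFFFF8119B2E0,
    217: 0xFFFFFFFF8119B3C0,
}

# Constructed infected table: the three Diamorphine entries now point into the
# module mapping region (0xFFFFFFFFA0000000 and up here), outside kernel text.
INFECTED_TABLE = dict(PRISTINE_TABLE)
INFECTED_TABLE.update({
    62: 0xFFFFFFFFA0012340,
    78: 0xFFFFFFFFA0012480,
    217: 0xFFFFFFFFA00125A0,
})


def check_syscall_table(table, symbols, text_start, text_end):
    """Return (nr, name, address, status) rows, mirroring the plugin's output:
    status is the resolved symbol when the handler is a known symbol inside
    kernel text, and 'HOOKED' otherwise."""
    rows = []
    for nr in sorted(table):
        addr = table[nr]
        symbol = symbols.get(addr)
        in_text = text_start <= addr < text_end
        status = symbol if (symbol is not None and in_text) else "HOOKED"
        rows.append((nr, SYSCALL_NAMES.get(nr, "?"), addr, status))
    return rows


def hooked_syscalls(rows):
    """Syscall numbers whose handler failed the check."""
    return [nr for nr, _, _, status in rows if status == "HOOKED"]


def diff_tables(pristine, infected):
    """Entry-by-entry comparison of two snapshots: nr -> (pristine addr, infected addr)."""
    return {nr: (pristine[nr], infected[nr])
            for nr in pristine if pristine[nr] != infected.get(nr)}


if __name__ == "__main__":
    for nr, name, addr, status in check_syscall_table(
            INFECTED_TABLE, SYSTEM_MAP, KERNEL_TEXT_START, KERNEL_TEXT_END):
        print(f"{nr:4d} {name:<12} {addr:#018x} {status}")
    for nr, (before, after) in diff_tables(PRISTINE_TABLE, INFECTED_TABLE).items():
        print(f"syscall {nr}: {before:#x} -> {after:#x}")
```

The two conditions are deliberately separate: a handler can sit inside kernel text and still be wrong (a rootkit that reuses a different kernel function), and a symbol lookup alone would miss a slot pointing into a module. The diff is the cheap cross-check when a clean dump of the same kernel build is available, as it is here.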

Reptile

To hide processes, it hooks tgid_iter() and next_tgid(). To hide network connections, it hooks tcp4_seq_show() and udp4_seq_show().

Let’s also check the linux_check_inline_kernel plugin. This plugin detects inline hooking, where the first instructions of a kernel function are overwritten rather than a table pointer being swapped.

The linux_check_syscall plugin can’t detect the hooking technique used by the Reptile rootkit, since the syscall table entries themselves have not been modified.

Let’s use VolShell against both normal.mem and Reptile.mem to see what a hooked function (tcp4_seq_show) looks like.

This is what tcp4_seq_show looks like in the infected system: its first instructions have been overwritten to jump to the Reptile code.
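As an added example (not from the post and not Volatility’s code), this is the kind of check linux_check_inline_kernel performs and what you would do by hand in VolShell after disassembling the first bytes of a function: decode the entry instruction and see whether it unconditionally transfers control away, then report where the target lands. The function addresses, the rootkit stub address and the prologue byte strings below are constructed, and the trampoline patterns covered are the common ones (jmp rel32, mov rax/jmp rax, push/ret, jmp [rip+rel32]) rather than a claim about which one Reptile specifically emits.

```python
# Added example: spotting an inline hook from a function's first bytes, the idea
# behind linux_check_inline_kernel. Not Volatility's code; the byte strings and
# addresses below are constructed.
import struct

KERNEL_TEXT_START = 0xFFFFFFFF81000000
KERNEL_TEXT_END = 0xFFFFFFFF81A00000
MASK64 = (1 << 64) - 1

# Constructed addresses: the real functions and a rootkit stub in the module region.
TCP4_SEQ_SHOW = 0xFFFFFFFF814F2A00
UDP4_SEQ_SHOW = 0xFFFFFFFF81512C80
ROOTKIT_STUB = 0xFFFFFFFFA0018000

# Constructed prologue as read from the pristine dump:
# push rbp; mov rbp,rsp; push r15; push r14; push r13; push r12
PRISTINE_PROLOGUE = bytes.fromhex("554889e54157415641554154")

# Constructed "infected" prologues: the first instruction now leaves the function.
JMP_REL32_HOOK = b"\xe9" + struct.pack("<i", ROOTKIT_STUB - (TCP4_SEQ_SHOW + 5)) + PRISTINE_PROLOGUE[5:]
MOV_JMP_HOOK = b"\x48\xb8" + struct.pack("<Q", ROOTKIT_STUB) + b"\xff\xe0"
PUSH_RET_HOOK = b"\x68" + struct.pack("<i", ROOTKIT_STUB - (1 << 64)) + b"\xc3"


def decode_redirect(code, func_addr):
    """Return (pattern, target) if the entry instruction(s) of `code`, located at
    `func_addr`, unconditionally transfer control; None for a normal prologue."""
    if len(code) >= 5 and code[0] == 0xE9:                              # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (func_addr + 5 + rel) & MASK64)
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return ("mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:         # push imm32; ret
        imm = struct.unpack_from("<i", code, 1)[0]                      # imm32 is sign-extended
        return ("push imm32; ret", imm & MASK64)
    if len(code) >= 6 and code[:2] == b"\xff\x25":                      # jmp [rip+rel32]
        rel = struct.unpack_from("<i", code, 2)[0]
        return ("jmp [rip+rel32]", (func_addr + 6 + rel) & MASK64)     # address of the pointer slot
    return None


def classify(func_addr, code, text_start=KERNEL_TEXT_START, text_end=KERNEL_TEXT_END):
    """'OK' for a normal prologue, 'HOOKED ...' when control leaves at entry.
    A redirect that stays inside kernel text can still be legitimate (ftrace
    patching, compiler tail jumps), so the target region is reported rather than
    every redirect being condemned outright."""
    hit = decode_redirect(code, func_addr)
    if hit is None:
        return "OK"
    pattern, target = hit
    region = "kernel text" if text_start <= target < text_end else "outside kernel text"
    return f"HOOKED via {pattern} -> {target:#x} ({region})"


def scan(functions):
    """functions: name -> (address, first bytes). Returns name -> verdict."""
    return {name: classify(addr, code) for name, (addr, code) in functions.items()}


if __name__ == "__main__":
    # Constructed sample: what the two dumps would yield for the hooked seq_show functions.
    sample = {
        "tcp4_seq_show (normal.mem)": (TCP4_SEQ_SHOW, PRISTINE_PROLOGUE),
        "tcp4_seq_show (Reptile.mem)": (TCP4_SEQ_SHOW, JMP_REL32_HOOK),
        "udp4_seq_show (Reptile.mem)": (UDP4_SEQ_SHOW, MOV_JMP_HOOK),
    }
    for name, verdict in scan(sample).items():
        print(f"{name:<30} {verdict}")
```

Only the first instruction is decoded on purpose: an inline hook has to sit at the entry so that every caller is diverted, and decoding just that much keeps the check independent of a full disassembler while still recovering the target address, which is the value you then look up against the module list (and against linux_check_modules output when the module is hidden).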


Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.

You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj