A Linux Kernel Module (LKM) rootkit demonstrating advanced syscall hooking, process hiding, and stealth techniques for security research and education.
THIS TOOL IS FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY
β Legal Uses:
- Security research in controlled lab environments
- Penetration testing with written authorization
- Academic study and kernel development learning
- Red team exercises (authorized only)
β Illegal Uses:
- Deploying on systems you don't own or control
- Unauthorized access to computer systems
- Malicious use against any target
- Any violation of local, state, or federal laws
By using this code, you agree to use it responsibly and legally. The author is NOT responsible for any misuse or damage caused by this software.
- Process Hiding - Hide processes from
ps,top, and other tools - Syscall Hooking - Intercept and modify kernel system calls
- Rootkit Detection Evasion - Anti-detection techniques
- Kernel-Level Stealth - Operate below userspace visibility
- PID Manipulation - Control process visibility via
/proc
- Direct syscall table modification
getdents64hooking for file hiding- Support for both 32-bit and 64-bit systems
- Clean module insertion/removal
- Minimal kernel footprint
-
Syscall Table Hooking
- Locates kernel syscall table in memory
- Replaces
sys_getdents64pointer with custom function - Filters directory entries to hide targeted processes
-
Process Hiding Mechanism
// When userspace reads /proc directory: Original sys_getdents64 β Our Hook β Filter PIDs β Return Modified List
-
Stealth Techniques
- Hides from
lsmodby unlinking from kernel module list - Removes
/sys/module/phantomentries - Prevents detection by common rootkit scanners
- Hides from
- Linux kernel 4.x or 5.x (tested on Ubuntu 20.04/22.04)
- GCC compiler
- Kernel headers for your current kernel
- Root/sudo access
Ubuntu/Debian:
sudo apt-get update
sudo apt-get install build-essential linux-headers-$(uname -r)CentOS/RHEL:
sudo yum groupinstall "Development Tools"
sudo yum install kernel-devel kernel-headersArch Linux:
sudo pacman -S base-devel linux-headersgit clone https://github.com/varungor365/phantom-lkm.git
cd phantom-lkmmake clean
makeExpected output:
make -C /lib/modules/5.15.0-generic/build M=/path/to/phantom-lkm modules
CC [M] /path/to/phantom-lkm/phantom.o
MODPOST /path/to/phantom-lkm/Module.symvers
CC [M] /path/to/phantom-lkm/phantom.mod.o
LD [M] /path/to/phantom-lkm/phantom.ko
sudo insmod phantom.koVerify module loaded:
lsmod | grep phantom
# Output: phantom 16384 0Get a process ID to hide:
# Example: Hide Firefox
pgrep firefox
# Output: 1234Hide the process:
echo "1234" | sudo tee /proc/phantom_hideVerify it's hidden:
ps aux | grep 1234
# Should not appear!sudo rmmod phantom# Before loading rootkit
$ ps aux | grep firefox
user 1234 2.1 3.5 firefox
# Load rootkit
$ sudo insmod phantom.ko
[+] Phantom LKM loaded successfully
# Hide Firefox process
$ echo "1234" | sudo tee /proc/phantom_hide
[+] Process 1234 hidden
# Verify hiding
$ ps aux | grep 1234
(no output - process is hidden!)
# But process is still running
$ ls -la /proc/1234
dr-xr-xr-x 9 user user 0 Jan 7 12:00 /proc/1234
# Unload
$ sudo rmmod phantom
[+] Phantom LKM unloaded-
Check syscall table integrity
sudo cat /proc/kallsyms | grep sys_call_table -
Look for hidden modules
diff <(lsmod) <(cat /proc/modules)
-
Use rootkit scanners
sudo chkrootkit sudo rkhunter --check
-
Memory forensics
sudo volatility -f /dev/mem linux_check_syscall
phantom-lkm/
βββ phantom.c # Main kernel module source (259 lines)
βββ Makefile # Build configuration
βββ README.md # This file
βββ LICENSE # GPL-3.0 License
| Function | Purpose |
|---|---|
init_module() |
Initialize rootkit, hook syscalls |
cleanup_module() |
Remove hooks, cleanup |
hook_getdents64() |
Replacement syscall handler |
hide_process() |
Add PID to hidden list |
is_hidden() |
Check if PID should be hidden |
- Kernel Development: Writing loadable kernel modules
- System Internals: How Linux syscalls work
- Security Research: Rootkit techniques and detection
- C Programming: Low-level memory manipulation
- Exploitation: How attackers maintain persistence
- Security researcher studying rootkit behavior
- Penetration tester demonstrating kernel-level compromise
- Student learning Linux kernel internals
- Red team operator showing post-exploitation techniques
If you're a system administrator, protect against kernel rootkits:
- Enable Secure Boot - Prevents unsigned kernel modules
- Use Kernel Lockdown - Restricts kernel modifications
- Monitor syscall tables - Detect hooks
- Regular integrity checks - Compare against known-good state
- Use SELinux/AppArmor - Mandatory access control
- Kernel module signing - Only allow signed modules
# Check kernel logs
dmesg | tail -20
# Common issues:
# - Wrong kernel headers version
# - Secure Boot enabled (disable or sign module)
# - Kernel lockdown mode active# Ensure kernel headers match running kernel
uname -r
dpkg -l | grep linux-headers
# Reinstall headers if needed
sudo apt-get install --reinstall linux-headers-$(uname -r)- Linux Kernel Module Programming Guide
- The Art of Software Security Assessment
- Kernel Rootkits: Techniques and Countermeasures (Phrack)
- Linux Kernel Development by Robert Love
Contributions welcome! This is an educational project.
Areas for improvement:
- Support for newer kernels (6.x)
- Additional hiding techniques (network connections, files)
- Better stealth mechanisms
- Detection evasion improvements
Please submit:
- Bug reports via GitHub Issues
- Pull requests with improvements
- Security findings responsibly
GPL-3.0 License - See LICENSE file
Note: This license allows educational and research use. Commercial use or malicious deployment is prohibited and illegal.
Using this tool on systems you don't own is ILLEGAL and UNETHICAL.
Potential consequences:
- Criminal prosecution under CFAA (Computer Fraud and Abuse Act)
- Civil lawsuits
- Job termination
- Degree revocation
- Prison time
Only use in controlled, authorized environments. You have been warned.
Varun Goradhiya
- GitHub: @varungor365
- Portfolio: github.com/varungor365
Built for cybersecurity education and kernel development learning.
If you found this educational, please star the repository!
Related Projects:
- zerocopy-firewall - eBPF/XDP packet filter
- autofuzzer - Vulnerability fuzzer
- container-breaker - Docker escape toolkit
Last Updated: January 7, 2026 Version: 1.0 Status: Educational Research Project β