Skip to content

varungor365/phantom-lkm

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

1 Commit
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Phantom-LKM - Linux Kernel Rootkit

C Linux License Security

A Linux Kernel Module (LKM) rootkit demonstrating advanced syscall hooking, process hiding, and stealth techniques for security research and education.

⚠️ LEGAL DISCLAIMER

THIS TOOL IS FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY

βœ… Legal Uses:

  • Security research in controlled lab environments
  • Penetration testing with written authorization
  • Academic study and kernel development learning
  • Red team exercises (authorized only)

❌ Illegal Uses:

  • Deploying on systems you don't own or control
  • Unauthorized access to computer systems
  • Malicious use against any target
  • Any violation of local, state, or federal laws

By using this code, you agree to use it responsibly and legally. The author is NOT responsible for any misuse or damage caused by this software.


🎯 Features

Core Capabilities:

  • Process Hiding - Hide processes from ps, top, and other tools
  • Syscall Hooking - Intercept and modify kernel system calls
  • Rootkit Detection Evasion - Anti-detection techniques
  • Kernel-Level Stealth - Operate below userspace visibility
  • PID Manipulation - Control process visibility via /proc

Technical Highlights:

  • Direct syscall table modification
  • getdents64 hooking for file hiding
  • Support for both 32-bit and 64-bit systems
  • Clean module insertion/removal
  • Minimal kernel footprint

πŸ› οΈ Technical Details

How It Works:

  1. Syscall Table Hooking

    • Locates kernel syscall table in memory
    • Replaces sys_getdents64 pointer with custom function
    • Filters directory entries to hide targeted processes
  2. Process Hiding Mechanism

    // When userspace reads /proc directory:
    Original sys_getdents64 β†’ Our Hook β†’ Filter PIDs β†’ Return Modified List
  3. Stealth Techniques

    • Hides from lsmod by unlinking from kernel module list
    • Removes /sys/module/phantom entries
    • Prevents detection by common rootkit scanners

πŸ“‹ Prerequisites

System Requirements:

  • Linux kernel 4.x or 5.x (tested on Ubuntu 20.04/22.04)
  • GCC compiler
  • Kernel headers for your current kernel
  • Root/sudo access

Install Dependencies:

Ubuntu/Debian:

sudo apt-get update
sudo apt-get install build-essential linux-headers-$(uname -r)

CentOS/RHEL:

sudo yum groupinstall "Development Tools"
sudo yum install kernel-devel kernel-headers

Arch Linux:

sudo pacman -S base-devel linux-headers

πŸš€ Installation & Usage

1. Clone Repository

git clone https://github.com/varungor365/phantom-lkm.git
cd phantom-lkm

2. Compile

make clean
make

Expected output:

make -C /lib/modules/5.15.0-generic/build M=/path/to/phantom-lkm modules
  CC [M]  /path/to/phantom-lkm/phantom.o
  MODPOST /path/to/phantom-lkm/Module.symvers
  CC [M]  /path/to/phantom-lkm/phantom.mod.o
  LD [M]  /path/to/phantom-lkm/phantom.ko

3. Load Module

sudo insmod phantom.ko

Verify module loaded:

lsmod | grep phantom
# Output: phantom    16384  0

4. Hide a Process

Get a process ID to hide:

# Example: Hide Firefox
pgrep firefox
# Output: 1234

Hide the process:

echo "1234" | sudo tee /proc/phantom_hide

Verify it's hidden:

ps aux | grep 1234
# Should not appear!

5. Unload Module

sudo rmmod phantom

πŸ“Š Demo Output

# Before loading rootkit
$ ps aux | grep firefox
user    1234  2.1  3.5  firefox

# Load rootkit
$ sudo insmod phantom.ko
[+] Phantom LKM loaded successfully

# Hide Firefox process
$ echo "1234" | sudo tee /proc/phantom_hide
[+] Process 1234 hidden

# Verify hiding
$ ps aux | grep 1234
(no output - process is hidden!)

# But process is still running
$ ls -la /proc/1234
dr-xr-xr-x 9 user user 0 Jan 7 12:00 /proc/1234

# Unload
$ sudo rmmod phantom
[+] Phantom LKM unloaded

πŸ” Detection

How to Detect This Rootkit:

  1. Check syscall table integrity

    sudo cat /proc/kallsyms | grep sys_call_table
  2. Look for hidden modules

    diff <(lsmod) <(cat /proc/modules)
  3. Use rootkit scanners

    sudo chkrootkit
    sudo rkhunter --check
  4. Memory forensics

    sudo volatility -f /dev/mem linux_check_syscall

πŸ—οΈ Code Structure

phantom-lkm/
β”œβ”€β”€ phantom.c          # Main kernel module source (259 lines)
β”œβ”€β”€ Makefile           # Build configuration
β”œβ”€β”€ README.md          # This file
└── LICENSE            # GPL-3.0 License

Key Functions:

Function Purpose
init_module() Initialize rootkit, hook syscalls
cleanup_module() Remove hooks, cleanup
hook_getdents64() Replacement syscall handler
hide_process() Add PID to hidden list
is_hidden() Check if PID should be hidden

πŸŽ“ Educational Value

What You'll Learn:

  • Kernel Development: Writing loadable kernel modules
  • System Internals: How Linux syscalls work
  • Security Research: Rootkit techniques and detection
  • C Programming: Low-level memory manipulation
  • Exploitation: How attackers maintain persistence

Use Cases:

  • Security researcher studying rootkit behavior
  • Penetration tester demonstrating kernel-level compromise
  • Student learning Linux kernel internals
  • Red team operator showing post-exploitation techniques

πŸ›‘οΈ Defense Recommendations

If you're a system administrator, protect against kernel rootkits:

  1. Enable Secure Boot - Prevents unsigned kernel modules
  2. Use Kernel Lockdown - Restricts kernel modifications
  3. Monitor syscall tables - Detect hooks
  4. Regular integrity checks - Compare against known-good state
  5. Use SELinux/AppArmor - Mandatory access control
  6. Kernel module signing - Only allow signed modules

πŸ› Troubleshooting

Module won't load

# Check kernel logs
dmesg | tail -20

# Common issues:
# - Wrong kernel headers version
# - Secure Boot enabled (disable or sign module)
# - Kernel lockdown mode active

Compilation errors

# Ensure kernel headers match running kernel
uname -r
dpkg -l | grep linux-headers

# Reinstall headers if needed
sudo apt-get install --reinstall linux-headers-$(uname -r)

πŸ“š References & Further Reading


🀝 Contributing

Contributions welcome! This is an educational project.

Areas for improvement:

  • Support for newer kernels (6.x)
  • Additional hiding techniques (network connections, files)
  • Better stealth mechanisms
  • Detection evasion improvements

Please submit:

  • Bug reports via GitHub Issues
  • Pull requests with improvements
  • Security findings responsibly

πŸ“œ License

GPL-3.0 License - See LICENSE file

Note: This license allows educational and research use. Commercial use or malicious deployment is prohibited and illegal.


⚠️ Final Warning

Using this tool on systems you don't own is ILLEGAL and UNETHICAL.

Potential consequences:

  • Criminal prosecution under CFAA (Computer Fraud and Abuse Act)
  • Civil lawsuits
  • Job termination
  • Degree revocation
  • Prison time

Only use in controlled, authorized environments. You have been warned.


πŸ‘¨β€πŸ’» Author

Varun Goradhiya

Built for cybersecurity education and kernel development learning.


🌟 Star This Project

If you found this educational, please star the repository!

Related Projects:


Last Updated: January 7, 2026 Version: 1.0 Status: Educational Research Project βœ…

About

Linux kernel rootkit demonstrating syscall hooking and process hiding for security research

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors