HiddenGhost
Hidden Ghost is an new solution for find system call table with support for 5.7x kernels +. Hidden Ghost finds the syscall table via the
module with the kallsyms_lookup_name
headder.<linux/kprobes.h>
Before starting the explanation of how the rootkit works in depth I will explain the basics.
-
Tested On:
[✔️] Debian 12 6.7X amd64
-
Usage:
1) install the kernel headers:
sudo apt install linux-headers-$(uname -r)
2) Install Development Tools:
sudo apt install build-essential
3) Install the Kernel Development Kit:
sudo apt install linux-headers-$(uname -r) linux-source
4) Go to the /src directory:
cd src
5) Module Compilation:
make
6) Load the module:
sudo insmod main.ko
7) Check if the module has been loaded:
dmesg | tail -n 10
After these steps are completed, you should see this message:
link of articles:
Links to the repositories I based on: