KoviD
Red-Team LKM

⚠️ IMPORTANT DISCLAIMER - EDUCATIONAL & DEFENSIVE SECURITY RESEARCH ONLY ⚠️
This project is strictly for educational purposes and defensive security research.
Our Mission
Rootkits are typically closed-source threats that operate in shadows, making them difficult to understand and defend against. KoviD exists to change this paradigm by providing an open-source implementation that:
- Empowers security researchers to understand rootkit techniques in a transparent, controlled environment
- Helps system administrators learn how to detect and defend against real-world threats
- Educates students and professionals about kernel-level security vulnerabilities
- Contributes to making Linux more secure by exposing potential attack vectors for defensive purposes
Why Open Source Rootkit Research Matters
Most rootkits in the wild are closed-source, leaving defenders at a disadvantage. By providing an open-source implementation:
- Security professionals can study real rootkit techniques without reverse-engineering malware
- Defensive tools can be tested against known rootkit behaviors
- The security community can collaborate on detection and prevention methods
- Organizations can prepare their defenses against sophisticated kernel-level threats
Legal and Ethical Use Only
WARNING: This software is provided for authorized security testing and educational purposes ONLY.
- DO NOT use this software on systems you do not own or lack explicit permission to test
- DO NOT use this software for any illegal or malicious purposes
- ALWAYS comply with all applicable laws and regulations in your jurisdiction
- REMEMBER: Unauthorized access to computer systems is illegal and unethical
By using this software, you agree to use it responsibly and solely for improving security posture and understanding.
Educational & Research Objectives
KoviD serves as a comprehensive educational platform for:
For Security Researchers
- Analyze rootkit behavior in a controlled, observable environment
- Develop detection signatures for security tools and IDS/IPS systems
- Test defensive solutions against known rootkit techniques
- Research kernel security vulnerabilities and mitigation strategies
For System Administrators
- Learn to identify signs of rootkit infection
- Understand attack vectors to better secure production systems
- Test incident response procedures in safe environments
- Validate security tools effectiveness against rootkit techniques
For Students & Educators
- Hands-on learning about kernel-level security concepts
- Practical demonstrations of theoretical security vulnerabilities
- Research projects on Linux kernel security
- Thesis work on rootkit detection and prevention methods
How This Helps Improve Linux Security
- Transparency: Open-source code allows the community to understand threats better
- Collaboration: Researchers can work together on detection methods
- Innovation: Drives development of better security tools and kernel hardening
- Preparation: Helps organizations prepare defenses before encountering real threats
1 - About KoviD Security Research Tool
KoviD is an open-source Loadable Kernel Module (LKM) security research tool
designed to help security professionals understand and defend against rootkit
techniques in Linux Kernel version 5 and later.
This educational tool demonstrates various rootkit capabilities to help defenders:
• Understand how rootkits hide from detection systems
• Test security monitoring and detection tools
• Learn kernel-level security vulnerabilities
• Develop better defensive strategies
Research capabilities demonstrated include:
• Module concealment techniques from SysFS
• Process hiding mechanisms in proc filesystem
• Log manipulation and evasion techniques
• CPU usage concealment methods
• Privilege escalation vectors
• File and directory hiding approaches
• Network connection concealment
By understanding these techniques, security professionals can better protect systems.
1.1 KoviD impact and influence
KoviD has influenced the security‑research community: it is cited in numerous
papers and analyses, and later tools have adopted technical ideas from it.
1.1.1 Articles and Researches
• [Phrack magazine](http://phrack.org/issues/71/12.html#article)
Where g1inko works on some challenges posed by `KoviD`
• [Black Hat Arsenal 2025](https://www.youtube.com/watch?v=FKcX-6jReAc)
wetw0rk's awesome [Sickle Payload Framework](https://github.com/wetw0rk/Sickle),
`KoviD` is deployed without touching the disk!
• [Sandfly Security](https://sandflysecurity.com/blog/sandfly-5-3-1-new-license-tiers-and-selinux-support)
Sandfly Agentless Linux Security and stealth rootkit detection techniques
• [Thalium](https://blog.thalium.re/posts/linux-kernel-rust-module-for-rootkit-detection/)
Linux kernel Rust module for rootkit detection
• [Universite de Bordeaux](https://mastercsi.labri.fr/wp-content/uploads/2025/03/Kovid_Rootkit-Charbonnier_Raphel.pdf)
Master SCI KoviD rootkit case-study by Charbonnier Elouan & Raphel Elsa
• [Bloo](https://bloo.io/blog/inside-kovid-the-stealthy-linux-kernel-rootkit-threat)
Inside KoviD: The Stealthy Linux Kernel Rootkit Threat
1.1.2 Influence on other LKM researches
We have also inspired other LKM rootkits with a set of features that were unique to KoviD at the time; to name a few:
• Ftrace disabling call interception
• TTY session logging
• tainted mask manipulation
• Process handling
• BPF introspection operations
• SysFS entries re-addition - Essential for debugging and development
The APT Down leak contains a rootkit that appears to reuse parts of KoviD, notably the SysFS hide/unhide implementation and its helper routines; see the link below.
APT Down - The North Korea Files, leak
A number of public-domain projects have drawn inspiration from KoviD. In some cases developers adapted concepts or reused small code fragments to recreate features that were distinctive to our project:
1.2 Build from source
We propose building it via docker, e.g.:
$ docker build --build-arg BASE_UBUNTU_VERSION=20.04 --build-arg UBUNTU_KERNEL_VERSION=5.15.0-43-generic -t kovid-builder .
For more info, check out docs/Automated-Build-With-Docker.md.
1.3 Mostly tested against
6.x: Linux 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC x86_64 x86_64 x86_64 GNU/Linux
gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
5.x: Ubuntu 22.04.1 LTS
Linux hash-virtual-machine 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC UTC 2 x86_64 x86_64 x86_64 GNU/Linux
5.x: Linux Standard-PC-Q35-ICH9-2009 5.15.0-43-generic #46-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
5.x: Ubuntu 22.04 LTS
Linux 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0
5.x: Ubuntu 20.10
Linux ubuntu 5.8.0-55-generic #62-Ubuntu SMP Tue Jun 1 08:21:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 10.3.0-1ubuntu1~20.10) 10.3.0
5.x: Ubuntu 18.04.5 LTS
Linux ubuntu 5.4.0-89-generic #100~18.04.1-Ubuntu SMP Wed Sep 29 10:59:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
4.x: Debian GNU/Linux 10
Linux debian10teste 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
gcc (Debian 8.3.0-6) 8.3.0
4.x: CentOS Linux release 8.3.2011
4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
gcc (GCC) 8.3.1 20191121 (Red Hat 8.3.1-5)
2 - Features
2.1 Hide itself (module)
KoviD hides itself, making it challenging to detect. It customizes kernel
code to evade anti-rootkit detectors and disappears
from /sys/module listings.
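A defender's counterpart to the sysfs concealment described above is to cross-check the kernel's different views of the loaded-module set: /proc/modules, the /sys/module directory and the `[module]` tags on /proc/kallsyms lines. A module that one view proves loaded but another no longer shows is worth a look. The script below is an added example written for this README, not code from the KoviD project; the sample file contents are constructed to mimic the real formats, and the module name `kovid` in them is only a placeholder for a module unlinked from sysfs. It also avoids a classic false positive: built-in kernel code with parameters has a /sys/module entry too, so sysfs is checked but never used as the list of loaded modules.

```python
import os
import re

# Constructed sample views of one machine, modelled on the real file formats.
# "kovid" is a placeholder name for a loaded module that was unlinked from
# sysfs; the data is not taken from the project's sources.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a2b000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc09f0000
kovid 49152 0 - Live 0xffffffffc0b10000 (OE)
"""
# ext4 is built in on this sample box: built-in code with parameters gets a
# /sys/module entry too, so sysfs alone cannot serve as "the loaded list".
SAMPLE_SYS_MODULE = {"xt_conntrack", "nf_conntrack", "ext4"}
SAMPLE_KALLSYMS = """\
ffffffffc0a2b000 t conntrack_mt\t[xt_conntrack]
ffffffffc09f0000 t nf_ct_get_tuple\t[nf_conntrack]
ffffffffc0b10000 t kv_hide_self\t[kovid]
ffffffff81000000 T _stext
"""


def modules_from_proc(text):
    """Module names from /proc/modules (first column of every line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def modules_from_kallsyms(text):
    """Module names from the trailing "[name]" tag on /proc/kallsyms lines."""
    tag = re.compile(r"\s\[([^\]]+)\]\s*$")
    names = set()
    for line in text.splitlines():
        m = tag.search(line)
        if m:
            names.add(m.group(1))
    return names


def hidden_modules(proc_modules, sys_module, kallsyms):
    """Modules that one view proves loaded but another view no longer shows.

    Returns {name: [views it is missing from]}. Only /proc/modules and the
    kallsyms tags count as evidence of being loaded; /sys/module is checked
    but not trusted as a source, because built-in code appears there as well.
    """
    loaded = proc_modules | kallsyms
    report = {}
    for name in sorted(loaded):
        missing = [view for view, seen in (("/proc/modules", proc_modules),
                                           ("/sys/module", sys_module))
                   if name not in seen]
        if missing:
            report[name] = missing
    return report


def live_report():
    """Run the same comparison against the running kernel (root recommended)."""
    with open("/proc/modules") as f:
        proc = modules_from_proc(f.read())
    with open("/proc/kallsyms") as f:
        ksyms = modules_from_kallsyms(f.read())
    sysm = set(os.listdir("/sys/module"))
    return hidden_modules(proc, sysm, ksyms)


if __name__ == "__main__":
    for name, views in live_report().items():
        print(f"{name}: loaded but missing from {', '.join(views)}")
```

A rootkit that also scrubs its kallsyms tags and unlinks itself from the module list defeats this particular comparison, so treat an empty report as one negative signal rather than a clean bill of health; the same three-way comparison is still cheap enough to run from a cron job or an EDR collector.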
2.2 Hide files and directories
KoviD hides files and directories effectively by hijacking filldir and
filldir64 kernel functions, significantly simplifying the process.
2.3 Function and syscall hijacking: Ftrace
KoviD leverages Ftrace, a legitimate method for
function and syscall hijacking in Kernel v5+.
This approach offers greater stability compared
to traditional hooking techniques.
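Because Ftrace is a legitimate kernel facility, its own bookkeeping is visible to a defender: every function with an ftrace_ops attached is listed in the tracefs file `enabled_functions`, together with flags such as `R` (the ops receives registers), `I` (the ops may modify the instruction pointer, FTRACE_OPS_FL_IPMODIFY) and `D` (a direct call, as BPF trampolines use). An ops that redirects a function's entry needs `I`, so `I`-flagged entries whose callback is not a known user such as livepatch deserve attention. The parser below is an added example written for this README, not KoviD code; the sample output is constructed to mimic the kernel's line format, the callback names in it are placeholders, and whether a particular module sets IPMODIFY depends on its implementation.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample, modelled on the kernel's enabled_functions format:
#   <function> (<ops count>) [R] [I] [D]  tramp: <addr> (<symbol>) -><callback>
# followed, for direct calls, by an indented "direct-->" continuation line.
# The callback names are placeholders, not taken from any real module.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_kill (1) R I  tramp: 0xffffffffc0b2c000 (ftrace_regs_caller+0x0/0xa0) ->hook_kill
filldir64 (1) R I  tramp: 0xffffffffc0b2c000 (ftrace_regs_caller+0x0/0xa0) ->hook_filldir64
do_sys_openat2 (1)   D  tramp: 0xffffffffc0b40000 (bpf_trampoline_6442450976+0x0/0x1000)
\tdirect-->bpf_trampoline_6442450976
"""

# function name, ops count in parentheses, zero or more single-letter flags, rest
LINE_RE = re.compile(r"^(\S+)\s+\((\d+)\)((?:\s+[A-Z])*)(.*)$")


@dataclass(frozen=True)
class HookedFunction:
    name: str
    ops_count: int
    flags: FrozenSet[str]
    callback: Optional[str]


def parse_enabled_functions(text: str) -> List[HookedFunction]:
    """Parse enabled_functions text into one record per hooked function."""
    entries = []
    for line in text.splitlines():
        if not line or line[0].isspace():   # indented continuation lines
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, count, flags, rest = m.groups()
        cb = re.search(r"->(\S+)\s*$", rest)
        entries.append(HookedFunction(name, int(count), frozenset(flags.split()),
                                      cb.group(1) if cb else None))
    return entries


def suspicious_ipmodify(entries, allowed_callbacks=frozenset()):
    """Functions whose entry is redirected (I flag) by a callback not on the allowlist."""
    return [e for e in entries
            if "I" in e.flags and e.callback not in allowed_callbacks]


TRACEFS_CANDIDATES = ("/sys/kernel/tracing/enabled_functions",
                      "/sys/kernel/debug/tracing/enabled_functions")


def read_enabled_functions() -> Optional[str]:
    """Contents of enabled_functions, or None if tracefs is not readable."""
    for path in TRACEFS_CANDIDATES:
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            continue
    return None


if __name__ == "__main__":
    text = read_enabled_functions()
    if text is None:
        print("enabled_functions not readable (needs root and a mounted tracefs)")
    else:
        for e in suspicious_ipmodify(parse_enabled_functions(text)):
            print(f"{e.name}: entry redirected to {e.callback or '<unknown>'} "
                  f"({e.ops_count} ops)")
```

Two caveats for anyone wiring this into monitoring: the exact line layout has changed across kernel versions, so validate the regex against the kernel you run, and a rootkit may hide or empty this file as well, in which case an unreadable or suspiciously empty `enabled_functions` on a machine known to have ftrace users is itself a finding.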
2.4 Backdoors
KoviD incorporates popular and reliable methods for backdooring systems,
such as port-knocking with custom packets.
These open connections to Netcat, OpenSSL, and Socat sessions.
2.5 Firewall Evasion
KoviD uses magic packets to establish reverse shell connections.
These packets trigger netfilter hooks and instruct KoviD to create a
reverse shell connection. These outgoing packets bypass iptables rules,
ensuring effective evasion.
2.6 Tasks
Hiding processes is a crucial feature, giving KoviD the
ability to run undetected. It provides full support for
child processes, ensuring that no hanging processes are left behind.
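Both the file hiding of section 2.2 and the task hiding of section 2.6 filter what a directory listing returns (filldir/filldir64 is the callback that fills readdir results, and /proc's PID directories are listed the same way). A listing-based hide can therefore be checked from user space by comparing the listing with direct lookups: a name that stat succeeds on but readdir never returned is being filtered. The script below is an added example written for this README, not KoviD code. It applies the one check to both cases and, for /proc, discards the two usual false positives: threads, which are reachable as /proc/<tid> without ever being listed, and processes that started or exited between the listing and the probe. The sample PIDs in the usage are constructed.

```python
import os


def hidden_entries(listed, exists, candidates):
    """Names that a direct lookup confirms but the directory listing omits."""
    listed = set(listed)
    return [name for name in candidates if name not in listed and exists(name)]


def hidden_files(directory, candidates):
    """Probe candidate names under `directory` with lstat instead of readdir."""
    return hidden_entries(
        os.listdir(directory),
        lambda name: os.path.lexists(os.path.join(directory, name)),
        candidates,
    )


def _tgid_of(proc, pid):
    """Thread-group id from /proc/<pid>/status, or None if the entry is gone."""
    try:
        with open(os.path.join(proc, pid, "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return line.split()[1]
    except OSError:
        pass
    return None


def resolve_hidden_pids(found, relisted, tgid_of):
    """Turn raw probe hits into hidden process ids.

    `found` are PIDs that answered a direct lookup but were absent from the
    first listing; `relisted` is a fresh listing taken after probing;
    `tgid_of` maps a PID to its thread-group id (None if it no longer exists).
    """
    hidden = set()
    for pid in found:
        tgid = tgid_of(pid)
        if tgid is None:          # vanished since the probe: it exited, not hidden
            continue
        if tgid != pid:           # a thread: judge its group leader instead
            pid = tgid
        if pid not in relisted:   # still absent from a fresh listing
            hidden.add(int(pid))
    return sorted(hidden)


def hidden_pids(proc="/proc", max_pid=None):
    """Brute-force /proc/<pid> lookups for every PID the kernel could assign."""
    if max_pid is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            max_pid = int(f.read())
    listed = {n for n in os.listdir(proc) if n.isdigit()}
    found = hidden_entries(listed,
                           lambda n: os.path.exists(os.path.join(proc, n)),
                           (str(p) for p in range(1, max_pid + 1)))
    relisted = {n for n in os.listdir(proc) if n.isdigit()}
    return resolve_hidden_pids(found, relisted, lambda pid: _tgid_of(proc, pid))


if __name__ == "__main__":
    # Constructed usage: check a directory for a few suspected names, then /proc.
    print("hidden under /tmp:", hidden_files("/tmp", [".suspect", "payload"]))
    print("hidden pids:", hidden_pids())
```

With pid_max at its common default of 4194304 the PID sweep takes tens of seconds, which is acceptable for an investigation but worth throttling in an agent. A rootkit that also filters the direct path lookup (not just readdir) will pass this check, so it complements rather than replaces the module and ftrace checks above.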
2.7 Logs
KoviD's hidden tasks result in missing logs, making it
even more challenging for administrators to detect its
presence. It eliminates logs generated by userland tools
like w, lsmod, ps, who, ls.
2.8 TCP/UDP logs
KoviD hides netwo
