├── .gitignore ├── 1-sys_call_table ├── fshid │ ├── 032416_525.mp4 │ ├── Makefile │ ├── fshid.c │ └── zeroevil ├── fsmon │ ├── Makefile │ ├── fsmon.c │ └── zeroevil ├── hello │ ├── Makefile │ ├── hello.c │ └── zeroevil ├── psmon │ ├── Makefile │ ├── psmon.c │ └── zeroevil ├── sys_call_table │ ├── Makefile │ ├── sys_call_table.c │ └── zeroevil └── write_protection │ ├── Makefile │ ├── write_protection.c │ └── zeroevil ├── 2-fundamentals ├── fshid │ ├── Makefile │ ├── fshid.c │ ├── test │ │ └── 032416_525.mp4 │ └── zeroevil ├── kohid │ ├── Makefile │ ├── kohid.c │ └── zeroevil ├── komon │ ├── Makefile │ ├── komon.c │ ├── test │ │ ├── Makefile │ │ ├── test.c │ │ └── zeroevil │ └── zeroevil ├── pshid │ ├── Makefile │ ├── pshid.c │ └── zeroevil ├── pthid │ ├── Makefile │ ├── pthid.c │ └── zeroevil └── root │ ├── Makefile │ ├── r00tme.sh │ ├── root.c │ └── zeroevil ├── 3-persistence ├── codeinj │ ├── Makefile │ ├── codeinj.c │ ├── fshid │ │ ├── Makefile │ │ ├── fshid.c │ │ ├── test │ │ │ └── 032416_525.mp4 │ │ └── zeroevil │ ├── infect.sh │ └── zeroevil ├── elf │ ├── lssec.c │ ├── lssym.c │ ├── makefile │ ├── setsym.c │ ├── uelf.c │ └── uelf.h ├── noinj │ ├── Makefile │ ├── infect.sh │ ├── noinj.c │ └── zeroevil └── real │ ├── fshid │ ├── Makefile │ ├── fshid.c │ ├── test │ │ └── 032416_525.mp4 │ └── zeroevil │ └── infect.sh ├── 4-entry_SYSCALL_64 ├── get │ ├── Makefile │ ├── get.c │ └── zeroevil ├── ifmon │ ├── Makefile │ ├── ifmon.c │ └── zeroevil ├── rec │ ├── Makefile │ ├── rec.c │ └── zeroevil └── set │ ├── Makefile │ ├── set.c │ └── zeroevil ├── 5-inline-hooking └── jmp │ ├── 032416_525.mp4 │ ├── Makefile │ ├── getop.sh │ ├── jmp.c │ └── zeroevil ├── COPYING.txt ├── README-zh_CN.rst ├── README.rst ├── compat ├── LINKS.rst └── NR_syscalls.txt ├── extra └── sys_open_is_not_exported │ ├── Makefile │ ├── kallsyms.sh │ ├── symbols.c │ └── zeroevil ├── scripts ├── rename.sh └── updatelink.sh ├── tests └── makeall.sh └── zeroevil ├── structs.h ├── zeroevil.c └── zeroevil.h /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/.gitignore -------------------------------------------------------------------------------- /1-sys_call_table/fshid/032416_525.mp4: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /1-sys_call_table/fshid/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/fshid/Makefile -------------------------------------------------------------------------------- /1-sys_call_table/fshid/fshid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/fshid/fshid.c -------------------------------------------------------------------------------- /1-sys_call_table/fshid/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /1-sys_call_table/fsmon/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/fsmon/Makefile -------------------------------------------------------------------------------- /1-sys_call_table/fsmon/fsmon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/fsmon/fsmon.c -------------------------------------------------------------------------------- /1-sys_call_table/fsmon/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /1-sys_call_table/hello/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/hello/Makefile -------------------------------------------------------------------------------- /1-sys_call_table/hello/hello.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/hello/hello.c -------------------------------------------------------------------------------- /1-sys_call_table/hello/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /1-sys_call_table/psmon/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/psmon/Makefile -------------------------------------------------------------------------------- /1-sys_call_table/psmon/psmon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/psmon/psmon.c -------------------------------------------------------------------------------- /1-sys_call_table/psmon/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /1-sys_call_table/sys_call_table/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/sys_call_table/Makefile -------------------------------------------------------------------------------- /1-sys_call_table/sys_call_table/sys_call_table.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/sys_call_table/sys_call_table.c -------------------------------------------------------------------------------- /1-sys_call_table/sys_call_table/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /1-sys_call_table/write_protection/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/write_protection/Makefile -------------------------------------------------------------------------------- /1-sys_call_table/write_protection/write_protection.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/1-sys_call_table/write_protection/write_protection.c -------------------------------------------------------------------------------- /1-sys_call_table/write_protection/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /2-fundamentals/fshid/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/fshid/Makefile -------------------------------------------------------------------------------- /2-fundamentals/fshid/fshid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/fshid/fshid.c -------------------------------------------------------------------------------- /2-fundamentals/fshid/test/032416_525.mp4: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2-fundamentals/fshid/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /2-fundamentals/kohid/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/kohid/Makefile -------------------------------------------------------------------------------- /2-fundamentals/kohid/kohid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/kohid/kohid.c -------------------------------------------------------------------------------- /2-fundamentals/kohid/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /2-fundamentals/komon/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/komon/Makefile -------------------------------------------------------------------------------- /2-fundamentals/komon/komon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/komon/komon.c -------------------------------------------------------------------------------- /2-fundamentals/komon/test/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/komon/test/Makefile -------------------------------------------------------------------------------- /2-fundamentals/komon/test/test.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/komon/test/test.c -------------------------------------------------------------------------------- /2-fundamentals/komon/test/zeroevil: -------------------------------------------------------------------------------- 1 | ../../../zeroevil -------------------------------------------------------------------------------- /2-fundamentals/komon/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /2-fundamentals/pshid/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/pshid/Makefile -------------------------------------------------------------------------------- /2-fundamentals/pshid/pshid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/pshid/pshid.c -------------------------------------------------------------------------------- /2-fundamentals/pshid/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /2-fundamentals/pthid/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/pthid/Makefile -------------------------------------------------------------------------------- /2-fundamentals/pthid/pthid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/pthid/pthid.c -------------------------------------------------------------------------------- /2-fundamentals/pthid/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /2-fundamentals/root/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/root/Makefile -------------------------------------------------------------------------------- /2-fundamentals/root/r00tme.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/root/r00tme.sh -------------------------------------------------------------------------------- /2-fundamentals/root/root.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/2-fundamentals/root/root.c -------------------------------------------------------------------------------- /2-fundamentals/root/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /3-persistence/codeinj/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/codeinj/Makefile -------------------------------------------------------------------------------- /3-persistence/codeinj/codeinj.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/codeinj/codeinj.c -------------------------------------------------------------------------------- /3-persistence/codeinj/fshid/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/codeinj/fshid/Makefile -------------------------------------------------------------------------------- /3-persistence/codeinj/fshid/fshid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/codeinj/fshid/fshid.c -------------------------------------------------------------------------------- /3-persistence/codeinj/fshid/test/032416_525.mp4: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /3-persistence/codeinj/fshid/zeroevil: -------------------------------------------------------------------------------- 1 | ../../../zeroevil -------------------------------------------------------------------------------- /3-persistence/codeinj/infect.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/codeinj/infect.sh -------------------------------------------------------------------------------- /3-persistence/codeinj/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /3-persistence/elf/lssec.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/elf/lssec.c -------------------------------------------------------------------------------- /3-persistence/elf/lssym.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/elf/lssym.c -------------------------------------------------------------------------------- /3-persistence/elf/makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/elf/makefile -------------------------------------------------------------------------------- /3-persistence/elf/setsym.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/elf/setsym.c -------------------------------------------------------------------------------- /3-persistence/elf/uelf.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/elf/uelf.c -------------------------------------------------------------------------------- /3-persistence/elf/uelf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/elf/uelf.h -------------------------------------------------------------------------------- /3-persistence/noinj/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/noinj/Makefile -------------------------------------------------------------------------------- /3-persistence/noinj/infect.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/noinj/infect.sh -------------------------------------------------------------------------------- /3-persistence/noinj/noinj.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/noinj/noinj.c -------------------------------------------------------------------------------- /3-persistence/noinj/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /3-persistence/real/fshid/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/real/fshid/Makefile -------------------------------------------------------------------------------- /3-persistence/real/fshid/fshid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/real/fshid/fshid.c -------------------------------------------------------------------------------- /3-persistence/real/fshid/test/032416_525.mp4: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /3-persistence/real/fshid/zeroevil: -------------------------------------------------------------------------------- 1 | ../../../zeroevil -------------------------------------------------------------------------------- /3-persistence/real/infect.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/3-persistence/real/infect.sh -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/get/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/get/Makefile -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/get/get.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/get/get.c -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/get/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/ifmon/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/ifmon/Makefile -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/ifmon/ifmon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/ifmon/ifmon.c -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/ifmon/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/rec/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/rec/Makefile -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/rec/rec.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/rec/rec.c -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/rec/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/set/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/set/Makefile -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/set/set.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/4-entry_SYSCALL_64/set/set.c -------------------------------------------------------------------------------- /4-entry_SYSCALL_64/set/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /5-inline-hooking/jmp/032416_525.mp4: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /5-inline-hooking/jmp/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/5-inline-hooking/jmp/Makefile -------------------------------------------------------------------------------- /5-inline-hooking/jmp/getop.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/5-inline-hooking/jmp/getop.sh -------------------------------------------------------------------------------- /5-inline-hooking/jmp/jmp.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/5-inline-hooking/jmp/jmp.c -------------------------------------------------------------------------------- /5-inline-hooking/jmp/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /COPYING.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/COPYING.txt -------------------------------------------------------------------------------- /README-zh_CN.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/README-zh_CN.rst -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/README.rst -------------------------------------------------------------------------------- /compat/LINKS.rst: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /compat/NR_syscalls.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/compat/NR_syscalls.txt -------------------------------------------------------------------------------- /extra/sys_open_is_not_exported/Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/extra/sys_open_is_not_exported/Makefile -------------------------------------------------------------------------------- /extra/sys_open_is_not_exported/kallsyms.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/extra/sys_open_is_not_exported/kallsyms.sh -------------------------------------------------------------------------------- /extra/sys_open_is_not_exported/symbols.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/extra/sys_open_is_not_exported/symbols.c -------------------------------------------------------------------------------- /extra/sys_open_is_not_exported/zeroevil: -------------------------------------------------------------------------------- 1 | ../../zeroevil -------------------------------------------------------------------------------- /scripts/rename.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/scripts/rename.sh -------------------------------------------------------------------------------- /scripts/updatelink.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/scripts/updatelink.sh -------------------------------------------------------------------------------- /tests/makeall.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/tests/makeall.sh -------------------------------------------------------------------------------- /zeroevil/structs.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/zeroevil/structs.h -------------------------------------------------------------------------------- /zeroevil/zeroevil.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/zeroevil/zeroevil.c -------------------------------------------------------------------------------- /zeroevil/zeroevil.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NoviceLive/research-rootkit/HEAD/zeroevil/zeroevil.h --------------------------------------------------------------------------------