Advanced Linux Kernel Rootkit
Extensively Tested Rootkit
Comprehensive testing across multiple Linux kernel versions
KoviD is a mature and battle-tested rootkit designed for Linux kernels 4.18 and later. The project has been extensively tested across multiple distributions and kernel versions, establishing itself as a reliable reference implementation for kernel-level security research.
Mature & Battle-Tested
"KoviD has become the gold standard for rootkit development, making the creation of new rootkits largely redundant given its comprehensive capabilities and mature codebase."
Core Capabilities
Self-Hiding Module
KoviD hides itself from kernel module listings, making detection extremely difficult for anti-rootkit tools.
File & Directory Hiding
Hijacks filldir and filldir64 kernel functions to effectively hide files and directories from system listings.
Ftrace Hijacking
Uses the legitimate Ftrace framework for stable function and syscall hijacking on kernel v5+.
Backdoor Capabilities
Implements port-knocking with custom packets for secure backdoor access via Netcat, OpenSSL, and Socat.
Firewall Evasion
Sends magic packets that bypass iptables rules and establish reverse shell connections.
Process Hiding
Hides processes and their children from system monitoring tools like ps, top, and htop.
Log Manipulation
Eliminates logs generated by userland tools, making forensic analysis significantly more difficult.
Network Stealth
Hides TCP/UDP connections and manipulates network logs to maintain stealth for backdoors.
Privilege Escalation
Gain root privileges with the kill -SIGCONT 666 command.
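As an added defensive example that is not KoviD's own code: a POSIX shell consistency check for two indicators implied by the capability list above, modules present in sysfs but absent from /proc/modules, and ftrace callbacks attached to filldir/filldir64 as reported by tracefs. The sample inputs are constructed; a rootkit that also scrubs sysfs or tracefs would not be caught, so a clean result is weak evidence.

```shell
#!/bin/sh
# Added defensive example, not part of KoviD. Cross-checks module listings and
# ftrace hook state. Sample data below is constructed to mimic the real formats.

# Constructed /proc/modules sample (fields: name size refcount deps state addr)
SAMPLE_PROC_MODULES="nf_tables 245760 0 - Live 0x0000000000000000
ext4 811008 1 - Live 0x0000000000000000"

# Constructed list of /sys/module entries that carry an initstate file
# (only loaded modules have one; built-in modules with parameters do not)
SAMPLE_SYS_MODULES="ext4
kovid
nf_tables"

# Constructed /sys/kernel/tracing/enabled_functions sample; the first field
# is the hooked function name, which is all this check relies on
SAMPLE_ENABLED_FUNCTIONS="filldir64 (1) R I	tramp: 0xffffffffc0a01000 ->ftrace_ops_assist_func+0x0/0x1b0
vfs_read (1) R I	tramp: 0xffffffffc0a02000 ->ftrace_ops_assist_func+0x0/0x1b0"

# Print sysfs module names that do not appear in the /proc/modules text.
# $1 = /proc/modules text, $2 = sysfs module names (one per line)
hidden_modules() {
    procs=" $(printf '%s\n' "$1" | awk 'NF {print $1}' | tr '\n' ' ')"
    printf '%s\n' "$2" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$procs" in
            *" $name "*) ;;                 # listed in /proc/modules: consistent
            *) printf '%s\n' "$name" ;;     # in sysfs only: hidden-module indicator
        esac
    done
}

# Print each named function that has an ftrace callback attached.
# $1 = enabled_functions text, remaining args = function names to check
hooked_functions() {
    text=$1; shift
    for fn in "$@"; do
        printf '%s\n' "$text" | awk -v f="$fn" '$1 == f {found=1} END {exit !found}' \
            && printf '%s\n' "$fn"
    done
}

# Live mode (needs root for tracefs): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    sys=$(for d in /sys/module/*/; do [ -e "${d}initstate" ] && basename "$d"; done)
    hidden_modules "$(cat /proc/modules)" "$sys"
    hooked_functions "$(cat /sys/kernel/tracing/enabled_functions 2>/dev/null)" filldir filldir64
fi
```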
Research Papers & Resources
KoviD Papers
TheOpenStealth Research
Comprehensive research papers covering KoviD and KoviD-Obfuscation techniques, providing deep insights into rootkit development and evasion methods.
Phrack Magazine
Issue #71 - Challenge Article
Read the Phrack magazine article where g1inko works on challenges posed by KoviD, showcasing real-world analysis and problem-solving approaches.
Research Tools
Detection & Analysis
Additional tools and resources for rootkit detection, analysis, and defensive research in the cybersecurity community.
Academic & Research Use
These resources are designed for educational purposes, academic research, and defensive security analysis. They provide valuable insights into rootkit techniques, detection methods, and cybersecurity research methodologies for students, researchers, and security professionals.
About the Author
Carlos Lack
Security Researcher & Developer
Creator of KoviD Rootkit
Security researcher and developer with expertise in Linux kernel development, rootkit techniques, and red team operations. Creator of KoviD, an advanced Linux kernel rootkit designed for educational and penetration testing purposes.
Project Evolution Timeline
KoviD rootkit development begins with basic kernel module functionality and process hiding capabilities.
Implementation of file hiding, network stealth, log manipulation, and Ftrace hijacking techniques.
Addition of BPF evasion, SSH/FTP TTY sniffer, persistence mechanisms, and cross-kernel compatibility.
Rapid growth in GitHub stars, community contributions, and educational adoption in security courses.
Ongoing maintenance, Linux 6.x compatibility testing, and continuous improvement of stealth techniques.
Contributors
The KoviD project is made possible by the dedicated contributors who have helped shape this advanced Linux kernel rootkit through their code, documentation, and community support.
Join the Community
Want to contribute to KoviD? Check out our GitHub repository, report issues, submit pull requests, or join the discussion.
Credits & Attribution
Attribution Guidelines
If you develop a rootkit or security tool based on KoviD's techniques, concepts, or code, please ensure proper attribution and credit.
Required Attribution
- Mention KoviD as inspiration or base
- Credit Carlos Lack as original author
- Link to original KoviD repository
- Specify which techniques were adapted
"Open source thrives on proper attribution and community recognition"
Projects Based on KoviD
The following projects have been developed based on KoviD's techniques and concepts. This list will be updated as new projects are properly attributed.
KoviD-Obfuscation
Enhanced version with obfuscation techniques
TheOpenStealth Papers
Research papers documenting KoviD techniques
More projects will be listed here as they are properly attributed
Submit Your Project
If you've created a project based on KoviD with proper attribution, contact us to have it listed here.
No Thanks
The following projects have been identified as using KoviD's techniques, concepts, or code without proper attribution or credit. This section serves as a reminder of the importance of giving credit where credit is due in the open source community.
Projects Without Proper Attribution
This list will be updated as we identify projects that fail to give proper credit to KoviD.
Singularity
Linux Kernel Rootkit for modern kernels (6.x)
Uses similar techniques: ftrace hooking, process hiding, file hiding, network stealth, privilege escalation, and module concealment
More projects will be listed here as they are identified
"Proper attribution is not just about following licenses; it's about respecting the community and the hard work of fellow developers."
Open Source License
KoviD is released under an open source license that encourages research, education, and responsible use. When building upon this work, please respect the original author's contributions and maintain the spirit of open source collaboration.