Traditionally, rootkits are supposed to work at the kernel level and provide functions like process hiding, user hiding, network hiding, anti-debugging, anti-forensics, persistent reinstalls, backdoors, etc. Then there are bootkits, which infect the Master Boot Record (MBR), allowing execution before the operating system itself boots! Some of them listed on the PenTestIT blog can be found here. Since they have to hook every system process, they have to be coded with care or they risk crashing the system (a DoS). On Windows systems they have extensions such as .sys, and .so on *NIX systems. But what if there is a rootkit which does not fall into the above-mentioned categories, is cross-platform and does not mess up your system completely? Enter the PHP Module Rootkit!
What is the PHP Module Rootkit?
The PHP Module Rootkit is an open source rootkit that hides inside a PHP module and can be used to intercept standard-library and module function calls. It interacts with the PHP interpreter instead of the OS kernel itself, thereby avoiding the possibility of a system crash and obvious detection. Not only that, we do not tend to look at PHP modules when scanning a system for a rootkit, which avoids further discovery. Additionally, this PHP module rootkit simply has to hook a single system process.
How does the PHP Module Rootkit work?
The proof-of-concept code created by the author is only 80 lines long and works by hooking two generic hashing functions, hash and sha1. The actual hook code works as follows:
- The PHP Module Rootkit starts out by locating the method you want to hook in the global function table, and storing a reference to it.
- If it successfully finds the function, a detour is added by storing the original location of the method in a variable called original and setting the value in the global function table to the address of the hook variable.
- This results in the hook getting called before the real method, which gives the rootkit author full control.
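The three steps above are a plain function-table detour, and the same property that makes it quiet (callers never notice) is what makes it detectable (the table entry no longer matches what it pointed to at startup). The following C program is an added illustration, not code from the PHP Module Rootkit or from PHP itself: it builds a constructed stand-in for an interpreter's function table (PHP's real one is the CG(function_table) HashTable; the two "builtins" here only return a length-based number and are not real hashes), installs a detour exactly as the post describes, and then runs a defender-side integrity check that compares the live table against a baseline recorded before any module could load.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an interpreter's global function table:
 * name -> function pointer, the structure the post's hook walks. */
typedef int (*builtin_fn)(const char *);

struct fn_entry {
    const char *name;
    builtin_fn  fn;
};

/* Two builtins standing in for sha1()/hash(); they only return a
 * length-based value so the example stays self-contained. */
static int builtin_sha1(const char *s) { return (int)strlen(s) * 7; }
static int builtin_hash(const char *s) { return (int)strlen(s) * 11; }

static struct fn_entry function_table[] = {
    { "sha1", builtin_sha1 },
    { "hash", builtin_hash },
};
#define TABLE_LEN (sizeof function_table / sizeof function_table[0])

/* Baseline copy of every entry, taken "at startup" before any module loads. */
static builtin_fn baseline[TABLE_LEN];

/* Step 1 of the post: locate the function in the table by name. */
static struct fn_entry *lookup(const char *name) {
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (strcmp(function_table[i].name, name) == 0)
            return &function_table[i];
    return NULL;
}

/* Step 2/3: the saved original pointer and the detour that runs first. */
static builtin_fn original_sha1;
static int calls_intercepted;

static int sha1_hook(const char *s) {
    calls_intercepted++;          /* the detour sees the argument before ... */
    return original_sha1(s);      /* ... forwarding to the real implementation */
}

/* Returns 1 if the entry was found and replaced, 0 otherwise. */
static int install_hook(const char *name, builtin_fn hook, builtin_fn *saved) {
    struct fn_entry *e = lookup(name);
    if (!e) return 0;
    *saved = e->fn;               /* keep the original so the hook can chain to it */
    e->fn = hook;                 /* callers now reach the detour first */
    return 1;
}

/* Defender side: record the table once, then diff the live table against it. */
static void record_baseline(void) {
    for (size_t i = 0; i < TABLE_LEN; i++) baseline[i] = function_table[i].fn;
}

/* Returns the number of entries whose pointer changed since the baseline. */
static int check_table_integrity(void) {
    int tampered = 0;
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (function_table[i].fn != baseline[i]) {
            printf("entry '%s' no longer points to its original implementation\n",
                   function_table[i].name);
            tampered++;
        }
    return tampered;
}

/* Whole scenario: clean baseline, hook sha1, one call through the detour,
 * then the integrity check. Returns the tamper count the check reports. */
static int run_demo(void) {
    record_baseline();
    if (check_table_integrity() != 0) return -1;   /* should be clean here */
    if (!install_hook("sha1", sha1_hook, &original_sha1)) return -1;
    lookup("sha1")->fn("abc");                      /* goes through sha1_hook */
    return check_table_integrity();
}

int main(void) {
    int tampered = run_demo();
    printf("tampered entries: %d, intercepted calls: %d\n", tampered, calls_intercepted);
    return 0;
}
```

The caller of sha1 still gets the same return value after the hook, which is why the post can say the rootkit does not "mess up your system"; only a comparison of the table against a trusted baseline (or against the addresses the loaded binaries actually export) reveals the detour. The baseline here is an in-memory copy for simplicity; a real check would have to persist it outside the process the rootkit controls.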
Download the PHP Module Rootkit:
More information about this rootkit can be found here, while the source code can be found here. Don’t expect help if you do not know how to compile PHP modules and implement the rootkit_hook_function method.