1sis/Volg
Volg

Volg is a Proof of Concept rootkit designed to test the combination of the eBPF/XDP networking stack and the io_uring asynchronous I/O interface.

Installation

Prerequisites

You will need a Linux environment (Kernel 5.10+) with libbpf and liburing support and clang.

sudo apt update
sudo apt install clang llvm libelf-dev libbpf-dev liburing-dev build-essential
pip install -r requirements.txt # for python dependencies

Compilation

Ensure you have your common.h and engine.h files in the include path.

make clean && make

Usage:

On the target machine, run:

sudo ./volg [NETWORK INTERFACE]

On the attacker machine, set the configuration values in the Python script (server.py) and run:

sudo python3 server.py

Detection:

1. Networking Stack (eBPF/XDP Hooks):

The XDP hook is the primary point of detection. Even if the user-space process is hidden, the kernel must maintain the hook to process incoming packets.

  • Interface Inspection:

    ip link show [INTERFACE]

    Indicator: Look for the xdpgeneric or xdp flag associated with a program ID.

  • eBPF Inspection:

    sudo bpftool net list

    Indicator: This explicitly lists the xdp_backdoor_func attached to the network interface.

2. Kernel Objects (eBPF Maps):

Volg uses a QUEUE type Map for communication. These objects persist in kernel memory as long as the program is loaded.

  • Listing Active Maps:

    sudo bpftool map show

    Indicator: A map named rb of type queue. Standard system services rarely use named queues without a visible associated daemon.

  • Memory Dump:

    sudo bpftool map dump name rb

    Indicator: Extraction of raw structures containing remote IP addresses and command payloads.

3. Process Behavioral Analysis:

Despite renaming the process to [kworker/u2:1] and detaching it from the TTY, several artifacts reveal its true nature.

  • Executable Path:

    ls -l /proc/[PID]/exe

    Indicator: A genuine kernel thread has no readable exe symlink (readlink fails with ENOENT). For Volg the symlink will point to the original binary path, or to a path marked (deleted) if the binary was unlinked after launch, confirming a user-space process and a fileless execution pattern.

  • PID & PPID Anomalies: Genuine kernel threads typically have a Parent Process ID (PPID) of 2 (kthreadd). A "kworker" with a PPID of 1 (systemd/init) or an unusually high PID for a kernel thread is a major red flag.

  • System Call Monitoring:

    ls -l /proc/[PID]/fd | grep io_uring

    Indicator: io_uring instances appear as file descriptors whose target is anon_inode:[io_uring] (they are not listed in /proc/[PID]/status, so grep that directory instead). Observing io_uring usage from a process masquerading as a standard kernel worker is a high-confidence indicator of compromise (IoC).
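The three process checks above (PPID, exe symlink, io_uring descriptors) combined into one scanner over /proc. This is an added example, not code from the Volg repository; the kworker name pattern, the function names and the sample values in the test are assumptions.

```python
import os
import re

KTHREADD_PID = 2  # genuine kernel threads are children of kthreadd
# Matches the "kworker/u2:1" style name the README says the rootkit adopts,
# with or without the surrounding brackets (assumed pattern, not from the repo).
FAKE_KWORKER = re.compile(r"^\[?kworker/")


def classify_process(name, ppid, exe_target, fd_targets):
    """Return indicator strings for one process (empty list = nothing suspicious).

    exe_target is the readlink() of /proc/PID/exe, or None when it cannot be
    read, which is exactly what a real kernel thread yields."""
    findings = []
    if not FAKE_KWORKER.match(name):
        return findings  # only kernel-worker look-alikes are scored here
    if ppid != KTHREADD_PID:
        findings.append(f"kworker-named process has PPID {ppid}, not kthreadd (2)")
    if exe_target is not None:
        findings.append(f"kworker-named process has an executable: {exe_target}")
    uring = [t for t in fd_targets if "io_uring" in t]
    if uring:
        findings.append(f"kworker-named process holds {len(uring)} io_uring fd(s)")
    return findings


def read_process(pid, proc="/proc"):
    """Collect (name, ppid, exe symlink, fd symlinks) for one PID from /proc."""
    base = os.path.join(proc, str(pid))
    with open(os.path.join(base, "status")) as f:
        fields = dict(line.split(":", 1) for line in f if ":" in line)
    name, ppid = fields["Name"].strip(), int(fields["PPid"])
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = None  # kernel thread, or no permission
    fds = []
    for fd in os.listdir(os.path.join(base, "fd")) if os.path.isdir(os.path.join(base, "fd")) else []:
        try:
            fds.append(os.readlink(os.path.join(base, "fd", fd)))
        except OSError:
            pass
    return name, ppid, exe, fds


def scan(proc="/proc"):
    """Map PID -> findings for every process that trips at least one check."""
    hits = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            findings = classify_process(*read_process(int(entry), proc))
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or unreadable
        if findings:
            hits[int(entry)] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in scan().items():
        print(pid, *findings, sep="\n  ")
```

Run it as root so the fd and exe symlinks of other users' processes are readable.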

Grateful Acknowledgments

Disclaimer:

This project is for educational and research purposes only. Unauthorized access to computer systems is illegal.

About

PoC Rootkit linux
