Now on Linux and Windows
Important
This repository is educational-only. It describes concepts and historic categories of kernel/userland malware so defenders can recognize, study, and detect them. It does not provide operational code, exploitation recipes, or step-by-step instructions to build or deploy malicious software. Use this content only in legal, controlled environments (isolated VMs, CTF labs you own, or explicit instructor-approved training setups).
- Module-hiding / Stealth
  - Concept: techniques that make a component invisible to standard OS listings.
  - Defensive focus: integrity checks, kernel module signing, and monitoring kernel symbol tables.
- Privilege escalation
  - Concept: granting or elevating privileges without proper authorization.
  - Defensive focus: auditing credential changes, enforcing least privilege, and using LSMs (AppArmor/SELinux).
- Syscall hooking / interception (historical)
  - Concept: intercepting kernel entry points to alter their behavior.
  - Defensive focus: integrity verification, ftrace/eBPF monitoring, and kernel self-protection features.
- Persistence mechanisms
  - Concept: techniques intended to survive reboots or updates.
  - Defensive focus: secure boot, package integrity, and monitoring startup paths.
- I/O / filesystem tampering
  - Concept: hiding or altering files/metadata to conceal activity.
  - Defensive focus: filesystem integrity tools, auditd rules, and read-only baselines.
- eBPF / bpftrace — trace system activity without modifying kernel memory. Great for learning detection patterns.
- ftrace / tracepoints — collect syscall/driver behavior for offline analysis.
- Auditd + auditctl — log sensitive syscalls and file attribute changes.
- fanotify / inotify — build userland monitors or policy enforcers for file operations.
- Isolated VMs & snapshots — always test in throwaway environments.
- CTF-style exercises — learn detection and remediation (write detectors, not exploit code).
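In the "write detectors, not exploit code" spirit, here is an added example for the module-hiding category above (not code from this repository): it cross-references the kernel's `/proc/modules` list against the `/sys/module` directory tree, because a module that removes itself from the module list typically still leaves its sysfs entry behind. The module names in the sample data are constructed, and the `initstate`-based filter assumes a standard Linux sysfs layout.

```python
"""Module-hiding check: cross-reference /proc/modules against /sys/module.

A module that unlinks itself from the kernel's module list vanishes from
/proc/modules (and so from lsmod), but its sysfs directory under
/sys/module/<name> normally remains. A name in sysfs that /proc/modules
does not list is an integrity signal worth investigating, not proof of
compromise (a module caught mid-unload can cause a transient mismatch).
"""
from pathlib import Path

def parse_proc_modules(text: str) -> set[str]:
    """Module names from /proc/modules text ('name size refcnt deps state addr')."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def sysfs_loadable_modules(sys_module: Path = Path("/sys/module")) -> set[str]:
    """Runtime-loaded module names under /sys/module.

    Built-in kernel code also gets a /sys/module entry (for its parameters);
    only loadable modules carry an 'initstate' file, so key on that to avoid
    flagging every built-in as hidden.
    """
    if not sys_module.is_dir():
        return set()
    return {p.name for p in sys_module.iterdir() if (p / "initstate").is_file()}

def find_hidden_modules(proc_names: set[str], sysfs_names: set[str]) -> set[str]:
    """Modules sysfs knows about but /proc/modules does not list."""
    return sysfs_names - proc_names

def check_live_system() -> set[str]:
    """Compare the two views on the running kernel (Linux only; empty elsewhere)."""
    proc_path = Path("/proc/modules")
    if not proc_path.is_file():
        return set()
    return find_hidden_modules(parse_proc_modules(proc_path.read_text()),
                               sysfs_loadable_modules())

# Constructed sample inputs (not captured from a real system): the third sysfs
# name has no /proc/modules line, which is exactly the discrepancy being checked.
SAMPLE_PROC_MODULES = ("xfs 1589248 2 - Live 0x0000000000000000\n"
                       "libcrc32c 16384 1 xfs, Live 0x0000000000000000\n")
SAMPLE_SYSFS_MODULES = {"xfs", "libcrc32c", "hidden_example"}

if __name__ == "__main__":
    sample = find_hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS_MODULES)
    print("sample discrepancy:", sorted(sample))  # ['hidden_example']
    for name in sorted(check_live_system()):
        print(f"investigate: /sys/module/{name} exists but is absent from /proc/modules")
```

Treat a hit as a lead for further triage (compare against `/proc/kallsyms`, check module signatures, snapshot the VM), since benign transient states can also produce a mismatch.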