ngl, I think u wasted too many syscalls here 🌟
Whiteice is a modular kernel rootkit designed for lab environments and virtual machine analysis. It incorporates advanced techniques for hiding processes, files, and communications using sophisticated hooking methods and direct kernel manipulation.
- Advanced process hiding through DKOM (Direct Kernel Object Manipulation) on EPROCESS structures.
- SSDT (System Service Descriptor Table) hooking and inline hooking techniques to intercept and modify critical system calls.
- Configurable logging system with support for DbgPrint and optional serial console output for real-time analysis without impacting performance.
- Complete handling of basic network protocols (IP, TCP, UDP) to facilitate the development of traffic cloaking modules in future versions.
- Modular architecture organized into specific components: encryptor, SHA, rootkit, and hooks, allowing easy maintenance and extension.
- Configurable definitions through macros to adapt the rootkit to different scenarios and hiding requirements.
- Process hiding via EPROCESS manipulation: https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/manipulating-activeprocesslinks-to-unlink-processes-in-userland
- SSDT and inline hooking techniques: https://www.blackhat.com/presentations/bh-usa-08/BH_US_08-Petroni-Skrien.pdf
- Advanced kernel rootkit analysis: https://www.sans.org/white-papers/341/
The rootkit implements a configurable logging system that can enable or disable output to DbgPrint and serial console, allowing detailed monitoring during testing without significant system performance impact.
The codebase is divided into specific folders for each functionality, facilitating integration of new techniques and project maintainability.
Change the settings you want in src/config.c. This includes the username and password that will be used to access the backdoor deployed by Whiteice.
Default backdoor credentials:
- Username: wh1t3adm
- Password: g0ldpass
```shell
sudo apt install xxd libpcap-dev libpam0g-dev libwrap0-dev make gcc
mkdir -p build bin
make
```
