{"id":35549,"date":"2024-12-30T07:57:25","date_gmt":"2024-12-30T07:57:25","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=35549"},"modified":"2024-12-30T07:57:27","modified_gmt":"2024-12-30T07:57:27","slug":"blackpill","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/blackpill\/","title":{"rendered":"BlackPill : A Comprehensive Overview Of A Stealthy Linux Rootkit"},"content":{"rendered":"\n<p>Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in cyber threats. <\/p>\n\n\n\n<p>This article unravels its multi-faceted modules, from evasion tactics to persistent attacks, outlining how it manipulates system operations to remain undetected.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Features<\/strong><a href=\"https:\/\/github.com\/DualHorizon\/blackpill#features\"><\/a><\/h2>\n\n\n\n<p>The rootkit is composed of multiple modules (talking about Rust modules, not kernel modules):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>defense evasion<\/strong>: hide files, processes, network connections, etc.<\/li>\n\n\n\n<li><strong>hooking<\/strong>: hook syscalls and IDT<\/li>\n\n\n\n<li><strong>hypervisor<\/strong>: create a virtual machine to execute malicious code<\/li>\n\n\n\n<li><strong>persistence<\/strong>: make the rootkit persistent after reboot and resilient to supression<\/li>\n\n\n\n<li><strong>utils<\/strong>: various utilities<\/li>\n<\/ul>\n\n\n\n<p>C2 sends crafted assembled x86_64 mnemonics to the rootkit, which then sends it to the VM guest to execute it. The VM guest is isolated from the host and can be used to execute malicious code.<\/p>\n\n\n\n<p>Kernel do not see incoming malicous packets as they are filtered by the eBPF XDP program and sent to the LKM module, and outgoing packets are modified by the eBPF TC program.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Hooking<\/strong><a href=\"https:\/\/github.com\/DualHorizon\/blackpill#hooking\"><\/a><\/h2>\n\n\n\n<p>Hooking is a fundamental capability of the rootkit, implemented using <code>kprobes<\/code> in the Linux kernel. This technique intercepts and redirects the execution of system functions to monitor or modify their behavior. <\/p>\n\n\n\n<p>In the context of this rootkit, <code>kprobes<\/code> provides a powerful mechanism to interact with kernel functions without altering the source code directly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Defense Evasion<\/strong><a href=\"https:\/\/github.com\/DualHorizon\/blackpill#defense-evasion\"><\/a><\/h2>\n\n\n\n<p>To ensure stealth, the rootkit employs two primary anti-detection mechanisms:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Removing the Module from the Kernel Module List<\/strong><br>When a kernel module is loaded, it is added to the kernel&#8217;s module list, visible via tools like <code>lsmod<\/code> or <code>\/proc\/modules<\/code>. To prevent detection:\n<ul class=\"wp-block-list\">\n<li>The rootkit manually removes itself from this list.<\/li>\n\n\n\n<li>Despite being removed from the list, the module remains operational, enabling continued execution of its functionality.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Hooking the <code>filldir64<\/code> Function to Hide a Specific Directory<\/strong><br>To conceal files used by the rootkit, a hook is implemented on the <code>filldir64<\/code> function. This function is invoked when a process reads directory contents (e.g., via <code>getdents<\/code> or <code>readdir<\/code> system calls).\n<ul class=\"wp-block-list\">\n<li><strong>Hooking Process<\/strong>:\n<ul class=\"wp-block-list\">\n<li>The rootkit intercepts the <code>filldir64<\/code> function using <code>kprobes<\/code>.<\/li>\n\n\n\n<li>During execution, the handler inspects directory entries returned to the user.<\/li>\n\n\n\n<li>If an entry matches the <code>\/BLACKPILL-BLACKPILL<\/code> directory (used to store critical rootkit files), it is filtered out and not returned to the user.<\/li>\n\n\n\n<li>All other directory entries are returned normally, ensuring transparency for user-space tools.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Using eBPF XDP and TC Programs to Modify Ingress and Egress network traffic<\/strong> To normalize our malicious network communications, we use eBPF XDP (eXpress Data Path) and TC (Traffic Control) programs. As such, we can:\n<ul class=\"wp-block-list\">\n<li>Intercept specific incoming (ingress) packets with the XDP program at the lowest network level by matching the crafted TCP payload signature from our C2, which we then redirect to a custom BPF map for VM\/LKM processing.<\/li>\n\n\n\n<li>Intercept specific outgoing (egress) packets with the TC program by matching TCP packets generated by VM\/LKM, which we then modify by overwriting their payload with our C2 response data. \n<ul class=\"wp-block-list\">\n<li>The original packets are automatically retransmitted by TCP, maintaining the appearance of legitimate traffic.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>For more information click <a href=\"https:\/\/github.com\/DualHorizon\/blackpill\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in cyber threats. This article unravels its multi-faceted modules, from evasion tactics to persistent attacks, outlining how it manipulates system operations to remain undetected. Features The rootkit is composed of multiple modules (talking about Rust modules, [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":35554,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[7002,737,6321,6052,6325],"class_list":["post-35549","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-blackpill","tag-cybersecurity","tag-informationsecurity","tag-kalilinux","tag-kalilinuxtools"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BlackPill : A Comprehensive Overview of a Stealthy Linux Rootkit<\/title>\n<meta name=\"description\" content=\"Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/blackpill\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BlackPill : A Comprehensive Overview of a Stealthy Linux Rootkit\" \/>\n<meta property=\"og:description\" content=\"Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/blackpill\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2024-12-30T07:57:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-12-30T07:57:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp\" \/>\n<meta name=\"author\" content=\"Varshini\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Varshini\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/\"},\"author\":{\"name\":\"Varshini\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa\"},\"headline\":\"BlackPill : A Comprehensive Overview Of A Stealthy Linux Rootkit\",\"datePublished\":\"2024-12-30T07:57:25+00:00\",\"dateModified\":\"2024-12-30T07:57:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/\"},\"wordCount\":502,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp\",\"keywords\":[\"BlackPill\",\"cybersecurity\",\"informationsecurity\",\"kalilinux\",\"kalilinuxtools\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/blackpill\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/\",\"name\":\"BlackPill : A Comprehensive Overview of a Stealthy Linux Rootkit\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp\",\"datePublished\":\"2024-12-30T07:57:25+00:00\",\"dateModified\":\"2024-12-30T07:57:27+00:00\",\"description\":\"Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/blackpill\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage\",\"url\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp\",\"contentUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp\",\"width\":\"1600\",\"height\":\"900\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa\",\"name\":\"Varshini\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f19f43637c0f83fb3dcfb498f306b2a9ac0025ce85840ab52ee8c01f5361f269?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f19f43637c0f83fb3dcfb498f306b2a9ac0025ce85840ab52ee8c01f5361f269?s=96&d=mm&r=g\",\"caption\":\"Varshini\"},\"description\":\"Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.\",\"sameAs\":[\"http:\/\/kalilinuxtutorials.com\",\"https:\/\/www.linkedin.com\/in\/senthamil-selvan-14043a285\/\"],\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/vinayakagrawal\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BlackPill : A Comprehensive Overview of a Stealthy Linux Rootkit","description":"Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/blackpill\/","og_locale":"en_US","og_type":"article","og_title":"BlackPill : A Comprehensive Overview of a Stealthy Linux Rootkit","og_description":"Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in","og_url":"https:\/\/kalilinuxtutorials.com\/blackpill\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2024-12-30T07:57:25+00:00","article_modified_time":"2024-12-30T07:57:27+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","type":"","width":"","height":""}],"author":"Varshini","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"Varshini","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/"},"author":{"name":"Varshini","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa"},"headline":"BlackPill : A Comprehensive Overview Of A Stealthy Linux Rootkit","datePublished":"2024-12-30T07:57:25+00:00","dateModified":"2024-12-30T07:57:27+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/"},"wordCount":502,"commentCount":0,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","keywords":["BlackPill","cybersecurity","informationsecurity","kalilinux","kalilinuxtools"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kalilinuxtutorials.com\/blackpill\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/","url":"https:\/\/kalilinuxtutorials.com\/blackpill\/","name":"BlackPill : A Comprehensive Overview of a Stealthy Linux Rootkit","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","datePublished":"2024-12-30T07:57:25+00:00","dateModified":"2024-12-30T07:57:27+00:00","description":"Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/blackpill\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/blackpill\/#primaryimage","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","contentUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","width":"1600","height":"900"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa","name":"Varshini","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f19f43637c0f83fb3dcfb498f306b2a9ac0025ce85840ab52ee8c01f5361f269?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f19f43637c0f83fb3dcfb498f306b2a9ac0025ce85840ab52ee8c01f5361f269?s=96&d=mm&r=g","caption":"Varshini"},"description":"Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.","sameAs":["http:\/\/kalilinuxtutorials.com","https:\/\/www.linkedin.com\/in\/senthamil-selvan-14043a285\/"],"url":"https:\/\/kalilinuxtutorials.com\/author\/vinayakagrawal\/"}]}},"jetpack_featured_media_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAyQNIvQnjHxru0AxBkYqF_-2wfSxwyWRt-aqCQtzV8gmXkmt-beQXaRbHPNJySyeCPH8c33tRHQBkcZm6xAM5Jnj3jOdNteCQI0x9UMAtDWzdxCdbw6Ko9T-UKY64ysMwODxl2jHKtbxDkE9KzMyOHGBn7s5NAUlM52H7R-NklqC3z3EuZfmHCAj3XcKj\/s1600\/BlackPill%20.webp","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":3629,"url":"https:\/\/kalilinuxtutorials.com\/tyton-kernel-rootkit-hunter\/","url_meta":{"origin":35549,"position":0},"title":"Tyton : Kernel-Mode Rootkit Hunter","author":"R K","date":"January 22, 2019","format":false,"excerpt":"Tyton Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+. Detected Attacks Hidden Modules Syscall Table Hooking Network Protocol Hooking Netfilter Hooking Zeroed Process Inodes Process Fops Hooking Interrupt Descriptor Table Hooking Also Read:Hatch \u2013 Brute Force Tool That Is Used To Brute Force Most Websites Additional Features Notifications: Users (including myself) do\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":20467,"url":"https:\/\/kalilinuxtutorials.com\/tor-rootkit\/","url_meta":{"origin":35549,"position":1},"title":"Tor-Rootkit : A Python 3 Standalone Windows 10 \/ Linux Rootkit Using Tor","author":"R K","date":"November 29, 2021","format":false,"excerpt":"Tor-Rootkit is a Python 3 standalone Windows 10 \/ Linux Rootkit. The networking communication get's established over the tor network. How To Use Clone the repo and change directory: git clone https:\/\/github.com\/emcruise\/TorRootkit.gitcd .\/tor-rootkit Build docker container: docker build -t listener . Run docker container: docker run -v $(pwd)\/executables:\/executables\/ -it listener\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg1qpS510FeY095KImUn-o9fd6VpE2onyq6K2zYCt4w-EHT-nN75Iq2TdFhJ-O9XHo14S1_17KZQ_Hh6ca5uss3bsOqok2Qk4eq1d3sxRJTfqs1zo6DcI3ZZa5OFNciZaMf3iJbF3100m-YilAxNeY_AORESiwPW_w-GXZ7EW79M4evA-z5cWAnwa6K=s728","width":350,"height":200,"srcset":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg1qpS510FeY095KImUn-o9fd6VpE2onyq6K2zYCt4w-EHT-nN75Iq2TdFhJ-O9XHo14S1_17KZQ_Hh6ca5uss3bsOqok2Qk4eq1d3sxRJTfqs1zo6DcI3ZZa5OFNciZaMf3iJbF3100m-YilAxNeY_AORESiwPW_w-GXZ7EW79M4evA-z5cWAnwa6K=s728 1x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg1qpS510FeY095KImUn-o9fd6VpE2onyq6K2zYCt4w-EHT-nN75Iq2TdFhJ-O9XHo14S1_17KZQ_Hh6ca5uss3bsOqok2Qk4eq1d3sxRJTfqs1zo6DcI3ZZa5OFNciZaMf3iJbF3100m-YilAxNeY_AORESiwPW_w-GXZ7EW79M4evA-z5cWAnwa6K=s728 1.5x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg1qpS510FeY095KImUn-o9fd6VpE2onyq6K2zYCt4w-EHT-nN75Iq2TdFhJ-O9XHo14S1_17KZQ_Hh6ca5uss3bsOqok2Qk4eq1d3sxRJTfqs1zo6DcI3ZZa5OFNciZaMf3iJbF3100m-YilAxNeY_AORESiwPW_w-GXZ7EW79M4evA-z5cWAnwa6K=s728 2x"},"classes":[]},{"id":31629,"url":"https:\/\/kalilinuxtutorials.com\/demonized-shell\/","url_meta":{"origin":35549,"position":2},"title":"Demonized Shell: Advancing Linux Persistence Techniques and Security Implications.","author":"Varshini","date":"January 5, 2024","format":false,"excerpt":"The article \"Demonized Shell: Advancing Linux Persistence Techniques and Security Implications\" goes into great detail about D3m0n1z3dShell, a complex tool made for making things persistent in Linux settings. The opening would probably talk about how this tool is a big step forward in Linux system security and how it has\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_D_MqBDJEk7bVW486QZaQigu5NqayhGiOF4YOBmBFHtOBvFE9L41LjYFpE11T4KzBsv6cWlNvZFxiA2F4vFo_QL_uVXMFjy_CC8AZ5DWlcB0k5W6UxngX-b9auVZatkKvpCk3wqtSVSEiBg6RobSaJCDil3pkeFUmuN_TqCt_OO77pFjeKaRyo8_GZw\/s16000\/Demonized%20Shell.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_D_MqBDJEk7bVW486QZaQigu5NqayhGiOF4YOBmBFHtOBvFE9L41LjYFpE11T4KzBsv6cWlNvZFxiA2F4vFo_QL_uVXMFjy_CC8AZ5DWlcB0k5W6UxngX-b9auVZatkKvpCk3wqtSVSEiBg6RobSaJCDil3pkeFUmuN_TqCt_OO77pFjeKaRyo8_GZw\/s16000\/Demonized%20Shell.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_D_MqBDJEk7bVW486QZaQigu5NqayhGiOF4YOBmBFHtOBvFE9L41LjYFpE11T4KzBsv6cWlNvZFxiA2F4vFo_QL_uVXMFjy_CC8AZ5DWlcB0k5W6UxngX-b9auVZatkKvpCk3wqtSVSEiBg6RobSaJCDil3pkeFUmuN_TqCt_OO77pFjeKaRyo8_GZw\/s16000\/Demonized%20Shell.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_D_MqBDJEk7bVW486QZaQigu5NqayhGiOF4YOBmBFHtOBvFE9L41LjYFpE11T4KzBsv6cWlNvZFxiA2F4vFo_QL_uVXMFjy_CC8AZ5DWlcB0k5W6UxngX-b9auVZatkKvpCk3wqtSVSEiBg6RobSaJCDil3pkeFUmuN_TqCt_OO77pFjeKaRyo8_GZw\/s16000\/Demonized%20Shell.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_D_MqBDJEk7bVW486QZaQigu5NqayhGiOF4YOBmBFHtOBvFE9L41LjYFpE11T4KzBsv6cWlNvZFxiA2F4vFo_QL_uVXMFjy_CC8AZ5DWlcB0k5W6UxngX-b9auVZatkKvpCk3wqtSVSEiBg6RobSaJCDil3pkeFUmuN_TqCt_OO77pFjeKaRyo8_GZw\/s16000\/Demonized%20Shell.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_D_MqBDJEk7bVW486QZaQigu5NqayhGiOF4YOBmBFHtOBvFE9L41LjYFpE11T4KzBsv6cWlNvZFxiA2F4vFo_QL_uVXMFjy_CC8AZ5DWlcB0k5W6UxngX-b9auVZatkKvpCk3wqtSVSEiBg6RobSaJCDil3pkeFUmuN_TqCt_OO77pFjeKaRyo8_GZw\/s16000\/Demonized%20Shell.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":13061,"url":"https:\/\/kalilinuxtutorials.com\/r77-rootkit\/","url_meta":{"origin":35549,"position":3},"title":"R77 Rootkit : Fileless Ring 3 Rootkit With Installer And Persistence","author":"R K","date":"May 28, 2021","format":false,"excerpt":"R77 is a ring 3 Rootkit that hides following entities from all processes: Files, directories, junctions, named pipes, scheduled tasksProcessesCPU usageRegistry keys & valuesServicesTCP & UDP connections It is compatible with Windows 7 and Windows 10 in both x64 and x86 editions. Hiding By Prefix All entities where the name\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":35886,"url":"https:\/\/kalilinuxtutorials.com\/sunder\/","url_meta":{"origin":35549,"position":4},"title":"Sunder : A Windows Rootkit Exploiting Vulnerable Drivers For Kernel-Level Attacks","author":"Varshini","date":"January 30, 2025","format":false,"excerpt":"Sunder is a Windows rootkit inspired by the Lazarus Group's FudModule rootkit, designed to exploit vulnerabilities in kernel drivers to gain unauthorized access to system resources. This rootkit serves as a framework for post-exploitation activities, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security mechanisms and manipulate\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/Sunder-.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/Sunder-.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/Sunder-.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/Sunder-.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/Sunder-.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/01\/Sunder-.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":33824,"url":"https:\/\/kalilinuxtutorials.com\/kdrill\/","url_meta":{"origin":35549,"position":5},"title":"Kdrill &#8211; Unveiling Rootkit Intrusions In Windows 64-Bit Systems","author":"Varshini","date":"July 15, 2024","format":false,"excerpt":"Kdrill is a tool to analyze the kernel land of Windows 64b systems (tested from Windows 7 to Windows 11). Its main objective is to assess if the kernel is compromised by a rootkit. The code is compatible with python2\/3 without dependencies and can perfom checks without Microsoft symbols or\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0tzp44UfeUBWJoj0tMqImEqjsJitlLPOoyK0RRUa96JI2uT562fzCCaIBgUdZzThKJB7rgBPjsrrBnRrxohdy6NPujLUvMYMENN9SW2UEVInZWNmisj8IxOCJu7GgNyNksrYtJgM9A-BjD6RTLXgiwnOpc-LqfK5xvTd6xPZCGr_XZFaGJ1zNQ2K7Dl1C\/s16000\/Kdrill%20.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0tzp44UfeUBWJoj0tMqImEqjsJitlLPOoyK0RRUa96JI2uT562fzCCaIBgUdZzThKJB7rgBPjsrrBnRrxohdy6NPujLUvMYMENN9SW2UEVInZWNmisj8IxOCJu7GgNyNksrYtJgM9A-BjD6RTLXgiwnOpc-LqfK5xvTd6xPZCGr_XZFaGJ1zNQ2K7Dl1C\/s16000\/Kdrill%20.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0tzp44UfeUBWJoj0tMqImEqjsJitlLPOoyK0RRUa96JI2uT562fzCCaIBgUdZzThKJB7rgBPjsrrBnRrxohdy6NPujLUvMYMENN9SW2UEVInZWNmisj8IxOCJu7GgNyNksrYtJgM9A-BjD6RTLXgiwnOpc-LqfK5xvTd6xPZCGr_XZFaGJ1zNQ2K7Dl1C\/s16000\/Kdrill%20.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0tzp44UfeUBWJoj0tMqImEqjsJitlLPOoyK0RRUa96JI2uT562fzCCaIBgUdZzThKJB7rgBPjsrrBnRrxohdy6NPujLUvMYMENN9SW2UEVInZWNmisj8IxOCJu7GgNyNksrYtJgM9A-BjD6RTLXgiwnOpc-LqfK5xvTd6xPZCGr_XZFaGJ1zNQ2K7Dl1C\/s16000\/Kdrill%20.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0tzp44UfeUBWJoj0tMqImEqjsJitlLPOoyK0RRUa96JI2uT562fzCCaIBgUdZzThKJB7rgBPjsrrBnRrxohdy6NPujLUvMYMENN9SW2UEVInZWNmisj8IxOCJu7GgNyNksrYtJgM9A-BjD6RTLXgiwnOpc-LqfK5xvTd6xPZCGr_XZFaGJ1zNQ2K7Dl1C\/s16000\/Kdrill%20.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh0tzp44UfeUBWJoj0tMqImEqjsJitlLPOoyK0RRUa96JI2uT562fzCCaIBgUdZzThKJB7rgBPjsrrBnRrxohdy6NPujLUvMYMENN9SW2UEVInZWNmisj8IxOCJu7GgNyNksrYtJgM9A-BjD6RTLXgiwnOpc-LqfK5xvTd6xPZCGr_XZFaGJ1zNQ2K7Dl1C\/s16000\/Kdrill%20.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/35549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=35549"}],"version-history":[{"count":6,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/35549\/revisions"}],"predecessor-version":[{"id":35556,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/35549\/revisions\/35556"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/35554"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=35549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=35549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=35549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}