Xingyiquan is legendary lkm roottk1t for linux kernel 2.6.x and 3.x developed in 2014
(c) Copyright by BluedragonSec All Rights Reserved
Developed by Antonius a.k.a w1sdom a.k.a Sw0rdm4n (@sw0rdm4n) a.k.a Ringlayer

www.bluedragonsec.com
https://github.com/bluedragonsecurity

THIS OLD LKM ROOTKIT FEATURED IN : 

https://dl.acm.org/doi/fullHtml/10.1145/3458903.3458909
https://eprints.glos.ac.uk/4158/8/Detection%20of%20Malware%20and%20Kernel.pdf
https://github.com/skyw4tch3r/RootKits-List-Download
https://opensource.com/article/18/4/linux-filesystem-forensics
https://www.cs.nthu.edu.tw/~ychung/Journal/2021-IEEE-TC.pdf
https://malware-unplugged.blogspot.com/2015/09/linux-memory-diff-analysis-using.html
https://scispace.com/pdf/big-data-based-security-analytics-for-protecting-virtualized-38bvjtwpzr.pdf
and so on ...



DISCLAIMER

This kernel rootkit is just for educatinal purpose and shouldn't be used for any illegal activities, use this at your own risk.


LICENSE

 * (c) Copyright by BluedragonSec All Rights Reserved
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>. *
 *



INSTALLATION

To install, just type : ./install



CONFIGURATION FILES

- xingyiquan configuration file for userspace utility is at xingyi_userspace_src/xingyi_userspace_config.h
- xingyiquan configuration file for kernel space rootkit is at xingyi_kernel_src/xingyi_lkm_config.h


DEFAULT PORTS AND PASSWORDS
- default bindshell port :  7777
- default bindshell password : sw0rdm4n
- default netfilter hook port for reverse shell : 1337
- default port to get reverse shell : 7777
- default root shell binary: xingyi_rootshell
- default root shell password : sw0rdm4n (specified at argument)




FUNCTIONS

- escalate privilege
This rootkit has a binary utility named xingyi_rootshell, once this rootkit installed, you can get rootshell by type : ./xingyi_rootshell "sw0rdm4n". String "sw0rdm4n" is default password for root shell, This string is written in
userspace config file at xingyi_userspace_src/xingyi_userspace_config.h

- bindshell
This rootkit has a default bind shell on port 7777 using default password : "sw0rdm4n". String "sw0rdm4n" is default password for bind shell, This string is written in
userspace config file at xingyi_userspace_src/xingyi_userspace_config.h

- reverse shell
This rootkit has reverse shell functionality which will be triggered by netfilter hook, in order to get reverse shell to your ip via port 7777, you must fire telnet on port 1337 to the box where you install this rootkit. Before that
make sure you prepare a netcat listener on port 7777.

- another common functions
Another common functions : hide files/dirs, hide connections, hide module, hook kill process, hook open, hook open directory.
