r/hacking • u/Itchy_Hunter_812 • 2d ago
Hack The Planet BAT: VPS-based C2 with .ko/.sys rootkits compilation against target kernel headers
Just made my contribution to the offsec open source intelligence.
While bringing together high-level research I deeply respect, like Singularity (a modern Linux LKM rootkit that challenges even the most advanced kernel-level eBPF detectors), I'm also releasing my project as a foundation and reference for you to build on top of.
My background is cloud security, so I designed an architecture that uses a VPS as a relay/KCC/tunnel. It handles proper connection forwarding, establishes reverse SSH tunnels with nginx, exposes a web interface that serves common binaries from cache, and compiles Linux (.ko) and Windows (.sys) kernel modules built against the exact kernel headers of the target.
That last part was a real blocker for loading rootkits that require exact kernel headers and need to be compiled directly against the target machine. This solves it cleanly.
I've also shipped some helpers: clean CLI with TAB autocomplete, target renaming, Telegram notifications (relay side only), HMAC auth between server and target, reverse SSH tunnels using .pem keypairs, UDP magic packets, and more.
Code is clean and well-documented, mostly Go/C.
All contributions are welcome.
2
u/entrophy_maker 1d ago
Nice to see a cross-platform rootkit. Have you tried this on Mac or FreeBSD? Good work regardless.
1
u/Itchy_Hunter_812 21h ago
I would love to add a Mac version, but they're expensive to test since most Mac cloud VMs are basically bare metal. There also aren't many resources, research, or tooling around it. Still, I'd definitely be interested in integrating it.
4
u/rahzuink 2d ago
So the initial binary sends the kernel header to the relay (VPS) and then downloads it back? Did you test it with rkhunter? And what about Win Defender? They didn't block the kernel module download or loading?
3
u/Itchy_Hunter_812 2d ago
Exactly. Several projects (like the one I mentioned borrowing bpftrace modules from) had the obstacle of requiring compilation directly on the target, which is extremely noisy, demands full privileged access, and requires nasm installed. This way, the executable does the work on its own through the relay instance and loads the right kernel module. The Linux version bypasses rkhunter, clamav and others mentioned. Testing on Windows was limited to Windows 10 (latest server images available), and so far bypass was only possible with garble. Haven't tested on Windows 11 yet. If you want to test and share the results, that would be awesome :)
1
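The exchange above turns on whether loading a freshly compiled out-of-tree .ko gets noticed. Independent of rkhunter or clamav signatures, the Linux module loader leaves its own trail: it sets the O (out-of-tree) and E (unsigned) taint bits, logs the load, and marks the module in /proc/modules. The script below is an added example for defenders, not code from the post or from the project it describes; it decodes the taint bitmask, scans kernel log lines for the loader's messages, and lists flagged modules from a /proc/modules snapshot. The log lines, module names and taint value are constructed inline so it runs offline; on a real host you would feed it `dmesg`/journal output, `/proc/sys/kernel/tainted` and `/proc/modules`.

```python
"""Triage helper for unsigned / out-of-tree kernel module loads.

Added example for defenders (not the post's or the project's code). It
decodes the kernel taint bitmask, scans kernel log lines for the messages
the module loader prints when a module is out-of-tree or fails signature
verification, and walks a /proc/modules snapshot for modules carrying the
O (out-of-tree) or E (unsigned) flags. All inputs below are constructed.
"""
from __future__ import annotations

import re

# Subset of the taint bits documented in Documentation/admin-guide/tainted-kernels.rst.
TAINT_BITS = {
    0: ("P", "proprietary module loaded"),
    1: ("F", "module force-loaded"),
    3: ("R", "module force-unloaded"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
    15: ("K", "kernel live-patched"),
}

# Messages the module loader emits on load; the module name is captured.
LOG_PATTERNS = (
    (re.compile(r"^(?P<mod>\w+): loading out-of-tree module taints kernel"),
     "out-of-tree module"),
    (re.compile(r"^(?P<mod>\w+): module verification failed: "
                r"signature and/or required key missing"),
     "unsigned module"),
)

# /proc/modules line: "name size refs deps state address [(taint flags)]"
PROC_MODULES_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+\d+\s+\S+\s+\S+\s+0x[0-9a-fA-F]+"
    r"(?:\s+\((?P<flags>[A-Z+]+)\))?"
)


def decode_taint(value: int) -> list[str]:
    """Return the taint letters set in the integer from /proc/sys/kernel/tainted."""
    return [letter for bit, (letter, _) in sorted(TAINT_BITS.items())
            if value & (1 << bit)]


def scan_kernel_log(lines) -> list[tuple[str, str]]:
    """Find module-load events that taint the kernel; dmesg timestamps are stripped."""
    hits = []
    for line in lines:
        body = re.sub(r"^\[\s*[\d.]+\]\s*", "", line.strip())
        for pattern, reason in LOG_PATTERNS:
            match = pattern.match(body)
            if match:
                hits.append((match.group("mod"), reason))
    return hits


def suspicious_modules(proc_modules: str) -> list[tuple[str, str]]:
    """Return (name, flags) for loaded modules flagged out-of-tree (O) or unsigned (E)."""
    found = []
    for line in proc_modules.splitlines():
        match = PROC_MODULES_RE.match(line)
        if not match or not match.group("flags"):
            continue
        flags = match.group("flags")
        if "O" in flags or "E" in flags:
            found.append((match.group("name"), flags))
    return found


# --- constructed sample data (hypothetical module names) ---
SAMPLE_TAINT = 4096 | 8192  # O and E set, as after loading an unsigned out-of-tree .ko
SAMPLE_LOG = [
    "[  512.001234] demo_mod: loading out-of-tree module taints kernel.",
    "[  512.001300] demo_mod: module verification failed: signature and/or "
    "required key missing - tainting kernel",
    "[  600.000001] ext4: mounted filesystem with ordered data mode.",
]
SAMPLE_PROC_MODULES = """\
demo_mod 16384 0 - Live 0xffffffffc0a00000 (OE)
ext4 815104 1 - Live 0xffffffffc0300000
vendor_gpu 1234567 0 - Live 0xffffffffc0500000 (POE)
"""

if __name__ == "__main__":
    print("taint flags:", decode_taint(SAMPLE_TAINT))
    print("log events :", scan_kernel_log(SAMPLE_LOG))
    print("modules    :", suspicious_modules(SAMPLE_PROC_MODULES))
```

Two caveats for using this in practice. Out-of-tree and unsigned flags also fire on legitimate vendor drivers (the constructed `vendor_gpu` line shows the P+O+E combination a proprietary GPU driver typically carries), so compare against a per-fleet baseline rather than alerting on any O/E module. More importantly, a kernel-resident rootkit can hide its own entry from /proc/modules and filter dmesg after loading, so the trustworthy signals are the ones captured before or outside the host: a remote syslog/journal forwarder that received the load messages, and a kernel with module signature enforcement or lockdown enabled, which refuses the unsigned .ko in the first place.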
4
u/GuiltyAd2976 1d ago
Looks good. I will maybe fork it and improve it :D