xmmword/dpatch

x64 Linux Syscall Dispatcher Patching PoC
dpatch

An x64 PoC Linux kernel driver that hooks system calls via patching the system call dispatcher.


Description

dpatch is a PoC kernel driver that patches the system call dispatcher on x64 Linux. It works in three steps: it first makes a writeable copy of the system call table; it then overwrites the function pointers in that copy with pointers to its own hook functions; finally, it patches the first several bytes of the dispatcher so that it jumps to a custom system call handler. That custom handler indexes and invokes the system calls (or the hooks, where a pointer was replaced) from the writeable copy, so the original table itself is never written to.
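A defender-side check for the dispatcher patch that the description above relies on, added here as an example and not part of dpatch: given the first bytes of the syscall dispatcher (as a kernel-side integrity monitor could read them), it flags the common relative- and absolute-jump trampoline encodings and reports where a live copy first diverges from a reference copy. The byte arrays are constructed samples, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classify the first bytes of a function as a likely inline patch.
 * Returns a short name for the trampoline encoding found, or NULL if
 * the bytes do not start with one of the common redirection patterns.
 * Caveat: a function whose genuine first instruction is a tail-call jmp
 * also matches, so pair this with the byte comparison below. */
const char *classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)                        /* jmp rel32 */
        return "jmp rel32";
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)     /* jmp [rip+disp32] */
        return "jmp [rip+disp32]";
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8     /* mov rax, imm64 */
        && code[10] == 0xFF && code[11] == 0xE0)            /* jmp rax */
        return "mov rax, imm64; jmp rax";
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)     /* push imm32; ret */
        return "push imm32; ret";
    return NULL;
}

/* Compare the live prologue against a reference copy (e.g. captured at
 * boot, or read from the on-disk vmlinux). Returns the offset of the first
 * differing byte, or -1 when the two are identical. */
long first_diff(const uint8_t *live, const uint8_t *reference, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != reference[i])
            return (long)i;
    return -1;
}

/* Constructed sample bytes (not real kernel code): an ordinary prologue,
 * and the same location after an absolute-jump trampoline was written. */
const uint8_t kReferencePrologue[12] = {
    0x55, 0x48, 0x89, 0xE5, 0x41, 0x57, 0x41, 0x56, 0x41, 0x55, 0x41, 0x54 };
const uint8_t kPatchedPrologue[12] = {
    0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0 };
int main(void)
{
    const char *kind = classify_prologue(kPatchedPrologue, 12);
    long off = first_diff(kPatchedPrologue, kReferencePrologue, 12);
    printf("dispatcher prologue: %s (first differing byte at %ld)\n",
           kind ? kind : "no trampoline pattern", off);
    return 0;
}
```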

Features

  • Linux 5.15 - 6.0 support
  • Patches the kernel's system call dispatcher
  • sys_call_table itself is never touched or modified
  • Undetected by most, if not all, public usermode/kernelmode rootkit scanners

Bugs

  • Decent chance of crashing when the driver is unloaded (working on fixing this / reducing the chance of crashes)

Built with

  • C

Getting started

Compiling

To compile dpatch, simply execute the following script:

  • ./build.sh

Usage

  • insmod dpatchdriver.ko

Credits

https://github.com/xmmword

Contributions 🎉

All contributions are accepted; simply open an issue or pull request.
