I Built a Tool That Simulates and Detects Linux Rootkits

There is something about the way rootkits work that I find genuinely fascinating. They do not break into a system; they hide inside it. They manipulate the operating system's own interfaces to make themselves invisible. A process running on your machine that ps cannot see. A network connection that netstat will never show you. Files that ls refuses to acknowledge exist.

I became obsessed with understanding how that works at a technical level. Not just reading about it, but actually building it.

So I built RootWatch.

What it does

RootWatch is a Linux rootkit simulation and detection framework. It implements eight techniques used by real-world rootkits and then runs a detection engine that catches them by reading the OS directly, bypassing the hooks a rootkit would install.

The simulation side deploys real techniques in a controlled environment. The LD_PRELOAD injection compiles an actual shared object that hooks readdir() and fopen(), the same method used by Symbiote, PUMAKIT, and Medusa, rootkits that were active in 2024 and used in nation-state attacks. Process hiding, file hiding, SUID backdoors, multi-vector persistence, log tampering, network connection hiding, timestamp manipulation — all eight techniques run safely on your own machine, all artefacts confined to /tmp.


How the detection works

The detection engine does not trust userspace tools. A rootkit can hook ps, netstat, and ls, but it cannot easily hide from someone reading /proc directly.

So that is exactly what the detector does. It compares the /proc PID list against ps output to find hidden processes. It reads /proc/net/tcp raw and compares it against ss to find hidden connections. It scans /proc/PID/maps for libraries loaded from suspicious paths. It cross-references multiple data sources simultaneously, so a rootkit cannot hide from all of them at once.
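Here is an added example of those three cross-source checks in Python. It is not RootWatch's own code: the function names, the assumed list of directories a library should never be mapped from (/tmp, /dev/shm, /var/tmp), and the sample /proc and ss snippets at the bottom are all constructed for illustration. The parsers are pure functions over text so they can be exercised on the constructed samples; run_live() reads the real /proc and shells out to ps and ss, and is only called under __main__.

```python
"""Cross-source rootkit checks: /proc vs ps, /proc/net/tcp vs ss, /proc/PID/maps vs path list."""
import json
import os
import socket
import struct
import subprocess

# Assumed (not from RootWatch): directories a loaded library should never come from.
SUSPICIOUS_LIB_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def hidden_pids(proc_pids, ps_pids):
    """PIDs visible when listing /proc but missing from ps output (a hooked readdir() hides these from ps)."""
    return sorted(set(proc_pids) - set(ps_pids))


def _hex_endpoint(token):
    """Convert a /proc/net/tcp 'AABBCCDD:PPPP' token (little-endian IPv4, hex port) to 'a.b.c.d:port'."""
    addr_hex, port_hex = token.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    """Return the set of (local, remote) endpoint pairs in /proc/net/tcp text; the first line is a header."""
    pairs = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        pairs.add((_hex_endpoint(fields[1]), _hex_endpoint(fields[2])))
    return pairs


def parse_ss_output(text):
    """Return (local, peer) pairs from `ss -tan` output, normalising '*' to 0.0.0.0 / port 0 to match /proc."""
    pairs = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        local, peer = (f.replace("*:", "0.0.0.0:").replace(":*", ":0") for f in (fields[3], fields[4]))
        pairs.add((local, peer))
    return pairs


def hidden_connections(proc_tcp_text, ss_text):
    """Sockets the kernel reports in /proc/net/tcp that a (possibly hooked) ss does not show."""
    return sorted(parse_proc_net_tcp(proc_tcp_text) - parse_ss_output(ss_text))


def suspicious_mappings(maps_text):
    """Library paths in one /proc/PID/maps listing that live under SUSPICIOUS_LIB_DIRS."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # address perms offset dev inode [path]
        if len(fields) == 6 and fields[5].startswith(SUSPICIOUS_LIB_DIRS):
            found.add(fields[5])
    return sorted(found)


def run_live():
    """Run all three checks against the real host (Linux only; needs ps and ss on PATH)."""
    proc_pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    ss_out = subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout
    with open("/proc/net/tcp") as f:
        tcp_text = f.read()
    report = {"hidden_pids": hidden_pids(proc_pids, [int(p) for p in ps_out.split()]),
              "hidden_connections": hidden_connections(tcp_text, ss_out),
              "suspicious_mappings": {}}
    for pid in proc_pids:
        try:
            with open(f"/proc/{pid}/maps") as f:
                hits = suspicious_mappings(f.read())
        except OSError:  # process exited, or maps not readable without privileges
            continue
        if hits:
            report["suspicious_mappings"][pid] = hits
    return report


# Constructed samples: PID 4242 is absent from ps, one established socket is absent from ss,
# and one library is mapped from /tmp. Addresses use the 203.0.113.0/24 documentation range.
SAMPLE_PROC_PIDS = [1, 742, 913, 4242]
SAMPLE_PS_PIDS = [1, 742, 913]
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1E2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128          127.0.0.1:631          0.0.0.0:*
"""
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a1f000 r--p 00000000 08:01 1835 /usr/bin/bash
7f3b1c000000-7f3b1c021000 r-xp 00000000 08:01 131091 /tmp/.x/libhide.so
7f3b1c021000-7f3b1c1c0000 r-xp 00000000 08:01 2101 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e1a0000-7ffd5e1c1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(json.dumps(run_live(), indent=2))
```

On the constructed samples, hidden_pids() reports 4242, hidden_connections() reports the 10.0.2.15:45538 to 203.0.113.5:443 socket that ss omits, and suspicious_mappings() reports /tmp/.x/libhide.so. On a live host, the PID comparison has a race: a process that exits between the /proc listing and the ps call shows up as "hidden", so a real detector should re-check a flagged PID (for example by re-reading /proc/PID/status) before raising an alert.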


Every detection maps to a MITRE ATT&CK for Linux technique ID. The dashboard shows not just what was found but what technique it corresponds to, what tactic it belongs to, what the real-world references are, and what the mitigations are.


Why Linux

Linux is the operating system that matters for this kind of research. It runs the majority of servers, cloud infrastructure, and OT environments. It is where real rootkits are deployed. The techniques in this framework are based on documented real-world malware.

What I learned

Building the simulator and the detector side by side taught me something that reading about rootkits never could. When you write the code that hides a process and then write the code that finds it, you understand the cat and mouse at a level that no article can give you.

The obsession with building secure systems led me here. Understanding how they break is part of understanding how to protect them.

The full code is on GitHub: HevenTafese/Advanced-Linux-Rootkit-Simulation-and-Detection-Framework: A Linux rootkit simulation and detection framework implementing 8 real-world techniques mapped to MITRE ATT&CK, with a live detection engine and forensic dashboard.

#Cybersecurity #Linux #Rootkit #EthicalHacking #InfoSec #PenetrationTesting #MalwareAnalysis #OpenSource #GitHub #Portfolio #Security #CyberDefense #BlueTeam #RedTeam #MITRE #MITREAttack #LinuxSecurity #ThreatDetection #IncidentResponse #ForensicAnalysis #CyberSecurity #Programming #Python #SecurityResearch #SystemSecurity #NetworkSecurity #Hacking #Developer #Tech #KaliLinux