CPL0(0) Linux Programmer's Manual CPL0(0)
NAME
cpl0.zip - current privilege level 0
DESCRIPTION
cpl0 is a collective of Linux malware programmers.
WINTERMUTE
kvmrk
bluepill for arm64 linux via hijacking kvm + hidden breakpoints via trapping el1 access to debug registers.
rain king (writeup)
an arm64 Linux rootkit capable of silently hooking system calls without modifying sys_call_table, syscall handlers and without using ftrace.
view on github.
ramiel (writeup)
a diskless UEFI bootkit capable of surviving disk wipes and firmware reflashes. ramiel is also capable of bypassing OVMF's secureboot implementation.
view on github.
hvICE (writeup)
a POC implementation of hypervisor enforced code integrity for the Linux kernel using the Xen hypervisor and libVMI. ICEbreaker is a KASLR offset spoofer for libVMI.
view on github.
pswap
an implementation of software watchpoints + physical page swapping on execute/read via page fault handler hooking. (abandoned)
github 3intermute
discord wintermute#0440
email wintermute@cpl0.zip
BLOOM
lukah
a runtime rdtsc spoofer for KVM (svm) + hardened QEMU/KVM implementation. (work in progress)
gitlab rookie
github af280cf94190a54043e947948a0031ce7ed71dc
email o@ra.pe
MYSTERE
spy.ko
a lightweight Linux kernel module that logs all input events from any input device.
gitlab eretsym
discord mystère#2936
email contact@myst.re
DJNN
unix keylogger
a quick n dirty usermode Linux keylogger + encrypted communication with logging server.
pitstop
a ptraceless function tracing tool using ROP gadgets via writing to the stack with /proc/mem. (work in progress)
github bogdzn
twitter djnn1337
email email@djnn.sh
CONTACT
email contact@cpl0.zip
discord https://discord.gg/5s3q8gCNtP
CPL0 2023-05-19 CPL0(0)