Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/m0nad/Diamorphine
LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)
https://github.com/m0nad/Diamorphine
advanced-persistent-threat backdoor c hacking hacking-tool kernel kernel-module linux linux-kernel lkm-rootkit malware pentest pentesting redteam redteaming rootkit security security-audit security-tools stealth
Last synced: 3 months ago
JSON representation
LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)
- Host: GitHub
- URL: https://github.com/m0nad/Diamorphine
- Owner: m0nad
- License: other
- Created: 2013-11-06T22:38:47.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2023-09-20T10:56:06.000Z (10 months ago)
- Last Synced: 2024-01-21T18:48:24.725Z (6 months ago)
- Topics: advanced-persistent-threat, backdoor, c, hacking, hacking-tool, kernel, kernel-module, linux, linux-kernel, lkm-rootkit, malware, pentest, pentesting, redteam, redteaming, rootkit, security, security-audit, security-tools, stealth
- Language: C
- Homepage:
- Size: 28.3 KB
- Stars: 1,553
- Watchers: 57
- Forks: 418
- Open Issues: 7
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Lists
- my-awesome-stars - Diamorphine
- awesome-malware - Diamorphine - LKM rootkit for Linux Kernels 2.6.x, 3.x, and 4.x. (Uncategorized / Uncategorized)
- awesome-linux-rootkits - m0nad/Diamorphine: LKM rootkit for Linux Kernels 2.6.x/3.x/4.x
- awesome - Diamorphine - LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86/x86_64 and ARM64) (C)
- awesome-stars - m0nad/Diamorphine - LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64) (security-tools)
- awesome-rainmana - m0nad/Diamorphine - LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64) (C)
README
Diamorphine
===========
Diamorphine is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)
Features
--
- When loaded, the module starts invisible;
- Hide/unhide any process by sending a signal 31;
- Sending a signal 63(to any pid) makes the module become (in)visible;
- Sending a signal 64(to any pid) makes the given user become root;
- Files or directories starting with the MAGIC_PREFIX become invisible;
- Source: https://github.com/m0nad/Diamorphine
Install
--
Verify if the kernel is 2.6.x/3.x/4.x/5.x
```
uname -r
```
Clone the repository
```
git clone https://github.com/m0nad/Diamorphine
```
Enter the folder
```
cd Diamorphine
```
Compile
```
make
```
Load the module(as root)
```
insmod diamorphine.ko
```
Uninstall
--
The module starts invisible, to remove you need to make it visible
```
kill -63 0
```
Then remove the module(as root)
```
rmmod diamorphine
```
References
--
Wikipedia Rootkit
https://en.wikipedia.org/wiki/Rootkit
Linux Device Drivers
http://lwn.net/Kernel/LDD3/
LKM HACKING
https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html
Memset's blog
http://memset.wordpress.com/
Linux on-the-fly kernel patching without LKM
http://phrack.org/issues/58/7.html
WRITING A SIMPLE ROOTKIT FOR LINUX
https://web.archive.org/web/20160620231623/http://big-daddy.fr/repository/Documentation/Hacking/Security/Malware/Rootkits/writing-rootkit.txt
Linux Cross Reference
http://lxr.free-electrons.com/
zizzu0 LinuxKernelModules
https://github.com/zizzu0/LinuxKernelModules/
Linux Rootkits: New Methods for Kernel 5.7+
https://xcellerator.github.io/posts/linux_rootkits_11/