Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/matheuzsecurity/imperius
Make an Linux Kernel rootkit visible again.
https://github.com/matheuzsecurity/imperius
kernel lkm rootkit
Last synced: about 5 hours ago
JSON representation
Make an Linux Kernel rootkit visible again.
- Host: GitHub
- URL: https://github.com/matheuzsecurity/imperius
- Owner: MatheuZSecurity
- Created: 2024-04-30T03:54:07.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2024-09-17T22:00:12.000Z (2 months ago)
- Last Synced: 2024-09-18T02:43:11.567Z (2 months ago)
- Topics: kernel, lkm, rootkit
- Language: C
- Homepage:
- Size: 19.5 KB
- Stars: 21
- Watchers: 1
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Imperius
Make an LKM rootkit visible again.
# This tool is part of research on LKM rootkits that will be launched.
It involves getting the address of the "module_show" function from a rootkit, for example the diamorphine rootkit, and using it to call it, adding it back to lsmod, making it possible to remove an LKM rootkit.
We can obtain the function address in very simple kernels using */sys/kernel/tracing/available_filter_functions_addrs*, however, it is only available from kernel 6.5x onwards.
An alternative to this is to scan the kernel memory, and later add it to lsmod again, so that it can be removed, such as ModTracer: https://github.com/MatheuZSecurity/ModTracer (But there are still ways to bypass it, maybe I'll make a post about it soon).
So in summary, this LKM abuses the function of lkm rootkits that have the functionality to become visible again.
OBS: There is another trick of removing/defusing a LKM rootkit, but it will be in the research that will be launched in this year.
Join in Rootkit Researchers Group
https://discord.gg/66N5ZQppU7