https://github.com/matheuzsecurity/imperius
Make a Linux kernel rootkit visible again.
- Host: GitHub
- URL: https://github.com/matheuzsecurity/imperius
- Owner: MatheuZSecurity
- Created: 2024-04-30T03:54:07.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-09-25T18:01:44.000Z (over 1 year ago)
- Last Synced: 2024-12-12T21:51:27.418Z (about 1 year ago)
- Topics: kernel, linux, lkm, reveal, rootkit
- Language: C
- Homepage:
- Size: 21.5 KB
- Stars: 46
- Watchers: 1
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Imperius
Make an LKM rootkit visible again.

Imperius works by obtaining the address of a rootkit's own "module_show" function and calling it from another LKM. The Diamorphine rootkit, for example, has one: it relinks the rootkit's `struct module` into the kernel's module list, undoing what its `module_hide` did. Once the rootkit is back in that list it shows up in lsmod again and can be unloaded with rmmod.

On recent kernels the address can be read straight from */sys/kernel/tracing/available_filter_functions_addrs*, which lists every ftrace-traceable function with its address and, for module code, the owning module in brackets (for example `module_show [diamorphine]`). That file only exists on kernel 6.5 and later and needs ftrace enabled, and the lookup is by name, so it only finds rootkits that still carry a traceable function called `module_show`.

On older kernels the alternative is to scan kernel memory for the hidden module and relink it into the module list yourself so it can be removed, which is what ModTracer does: https://github.com/MatheuZSecurity/ModTracer (there are still ways to bypass that approach; a post about them may follow).

In summary, this LKM turns the "become visible again" feature that some LKM rootkits carry against the rootkit itself.
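The lookup step described above, as an added example that is not Imperius's own code: a userspace C program that parses the `available_filter_functions_addrs` format (one `<hex address> <symbol>` line per core-kernel function, `<hex address> <symbol> [module]` for module functions) and returns the address of `module_show` inside `diamorphine`. The function names `match_line`, `find_in_buffer` and `find_in_tracefs` are this example's own, and the embedded sample lines are constructed, with made-up addresses, so the program runs offline; when the real tracefs file is readable (kernel 6.5+, ftrace enabled, root) it is consulted first.

```c
/*
 * Added example, not Imperius's own code: locate a rootkit's module_show()
 * by parsing /sys/kernel/tracing/available_filter_functions_addrs
 * (kernel >= 6.5, ftrace enabled, root). Each line has the form
 * "<hex address> <symbol>" for core-kernel functions or
 * "<hex address> <symbol> [module]" for module functions.
 */
#include <stdio.h>
#include <string.h>

#define TRACEFS_ADDRS "/sys/kernel/tracing/available_filter_functions_addrs"

/* Constructed sample in the file's format; the addresses are made up. */
static const char sample[] =
    "ffffffff81000000 __traceiter_initcall_level\n"
    "ffffffff810a1b20 do_init_module\n"
    "ffffffffc0a2b000 hacked_getdents [diamorphine]\n"
    "ffffffffc0a2b1c0 module_show [diamorphine]\n"
    "ffffffffc0a2b240 module_hide [diamorphine]\n"
    "ffffffffc0b10000 xfs_fs_sync_fs [xfs]\n";

/* Parse one line. Returns 1 and sets *addr when it names `sym` in `mod`.
 * Core-kernel entries have no "[module]" suffix and therefore never match. */
static int match_line(const char *line, const char *sym, const char *mod,
                      unsigned long *addr)
{
    unsigned long a;
    char symbuf[128], modbuf[64];

    if (sscanf(line, "%lx %127s [%63[^]]]", &a, symbuf, modbuf) != 3)
        return 0;
    if (strcmp(symbuf, sym) != 0 || strcmp(modbuf, mod) != 0)
        return 0;
    *addr = a;
    return 1;
}

/* Scan an in-memory copy of the file. Returns the address, or 0 if absent. */
unsigned long find_in_buffer(const char *buf, const char *sym, const char *mod)
{
    const char *p = buf;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        unsigned long a;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (match_line(line, sym, mod, &a))
            return a;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Same lookup against the live tracefs file. Returns 0 if the file is
 * missing (kernel < 6.5, ftrace off, not root) or the symbol is absent. */
unsigned long find_in_tracefs(const char *sym, const char *mod)
{
    FILE *f = fopen(TRACEFS_ADDRS, "r");
    char line[256];
    unsigned long a = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f))
        if (match_line(line, sym, mod, &a))
            break;
    fclose(f);
    return a;
}

int main(void)
{
    unsigned long addr = find_in_tracefs("module_show", "diamorphine");

    if (!addr) {
        fputs("live lookup failed, falling back to the constructed sample\n", stderr);
        addr = find_in_buffer(sample, "module_show", "diamorphine");
    }
    printf("module_show [diamorphine] at 0x%lx\n", addr);
    /*
     * The call itself has to happen in kernel mode: an LKM takes this
     * address, casts it to void (*)(void) and calls it, which relinks the
     * rootkit into the module list so lsmod shows it and rmmod can unload
     * it. There is no userspace path to that call.
     */
    return addr ? 0 : 1;
}
```

The parse is deliberately strict about the `[module]` suffix: a core-kernel symbol that happens to share the name would not be mistaken for the rootkit's, and an empty result means either the file is unavailable or the rootkit does not expose a traceable `module_show`, which is exactly the case where the memory-scanning approach mentioned above is needed instead.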
Join the Rootkit Researchers group:
https://discord.gg/66N5ZQppU7