Technique to make LKM rootkit visible. #10
Assignees
Labels
enhancement
New feature or request
Comments
rem0obb
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some rootkits or most of the open source LKM rootkits on github, always have a feature to make it visible again, for example diamorphine, brokepkg, etc... So, I created a tool called "imperius", which basically creates a linked list of structures called "module_entry" that have the name and address of the LKM rootkit function.
And then it adds an entry to the function that makes the LKM rootkit visible again, called "module_show" with its address, then it calls the function called "magick_lol()" that searches for this entry in the list and if found, calls the function associated with it.
To obtain this address, you can use, for example, trace, from "/sys/kernel/tracing/available_filter_functions_addrs" (however, this functionality is only available from kernel 6.5x onwards).
And it would be very interesting to have it as a feature on CrowArmor.
source of imperius: https://github.com/MatheuZSecurity/Imperius
The text was updated successfully, but these errors were encountered: