Some rootkits, or most of the open-source LKM rootkits on GitHub, always have a feature to make them visible again, for example diamorphine, brokepkg, etc. So, I created a tool called "imperius", which basically creates a linked list of structures called "module_entry" that have the name and address of the LKM rootkit function.
And then it adds an entry for the function that makes the LKM rootkit visible again, called "module_show", with its address; then it calls the function called "magick_lol()", which searches for this entry in the list and, if found, calls the function associated with it.
To obtain this address, you can use, for example, trace, from "/sys/kernel/tracing/available_filter_functions_addrs" (however, this functionality is only available from kernel 6.5x onwards).
And it would be very interesting to have it as a feature on CrowArmor.
source of imperius: https://github.com/MatheuZSecurity/Imperius
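As an added illustration of the mechanism described above (not code from Imperius or CrowArmor), the userspace C program below shows the two building blocks the post relies on: parsing lines in the `<address> <symbol> [<module>]` layout of `available_filter_functions_addrs` to pick out a `module_show` symbol, and keeping a linked list of `module_entry` nodes that map a name to an address so a lookup by name can resolve it. The sample lines, the addresses and the module name `example_lkm` are constructed placeholders; in a real kernel module the resolved address would be cast to a function pointer and invoked, which this userspace stand-in deliberately does not do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* One node of the name -> address list (same idea as the post's "module_entry"). */
struct module_entry {
    char name[64];
    uint64_t addr;
    struct module_entry *next;
};

/* Parse one line in the layout of available_filter_functions_addrs:
 *   "<hex address> <symbol> [<module>]"
 * The "[module]" part is optional (built-in kernel symbols have none).
 * Returns 1 on success and fills addr/sym/mod; mod is "" when absent. */
int parse_addr_line(const char *line, uint64_t *addr,
                    char *sym, size_t symlen, char *mod, size_t modlen)
{
    char symbuf[128], modbuf[128];
    unsigned long long a;
    int n = sscanf(line, "%llx %127s [%127[^]]]", &a, symbuf, modbuf);
    if (n < 2)
        return 0;
    *addr = (uint64_t)a;
    snprintf(sym, symlen, "%s", symbuf);
    if (n == 3)
        snprintf(mod, modlen, "%s", modbuf);
    else
        mod[0] = '\0';
    return 1;
}

/* Prepend a new entry; returns the new list head (unchanged on allocation failure). */
struct module_entry *add_entry(struct module_entry *head, const char *name, uint64_t addr)
{
    struct module_entry *e = calloc(1, sizeof *e);
    if (!e)
        return head;
    snprintf(e->name, sizeof e->name, "%s", name);
    e->addr = addr;
    e->next = head;
    return e;
}

/* Walk the list looking for an entry by symbol name (the lookup step of magick_lol()). */
const struct module_entry *find_entry(const struct module_entry *head, const char *name)
{
    for (; head; head = head->next)
        if (strcmp(head->name, name) == 0)
            return head;
    return NULL;
}

void free_entries(struct module_entry *head)
{
    while (head) {
        struct module_entry *next = head->next;
        free(head);
        head = next;
    }
}

/* Constructed sample in the file's layout; addresses and module name are placeholders. */
static const char *sample_lines[] = {
    "ffffffff81010000 do_sys_open",
    "ffffffffc0a1b000 module_show [example_lkm]",
    "ffffffffc0a1b120 example_hook [example_lkm]",
};

/* Scan lines and register every occurrence of symbol `want`; when `mod` is non-NULL,
 * only symbols that belong to that module are accepted. Returns the new list head. */
struct module_entry *collect_from_lines(const char **lines, size_t n, const char *want,
                                        const char *mod, struct module_entry *head)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t addr;
        char sym[128], m[128];
        if (!parse_addr_line(lines[i], &addr, sym, sizeof sym, m, sizeof m))
            continue;
        if (strcmp(sym, want) != 0)
            continue;
        if (mod && strcmp(m, mod) != 0)
            continue;
        head = add_entry(head, sym, addr);
    }
    return head;
}

/* Userspace stand-in for the dispatch step: return the resolved address, or 0 if unknown.
 * Inside the kernel the tool would call the function at this address instead. */
uint64_t resolve_address(const struct module_entry *head, const char *name)
{
    const struct module_entry *e = find_entry(head, name);
    return e ? e->addr : 0;
}

int main(void)
{
    size_t n = sizeof sample_lines / sizeof sample_lines[0];
    struct module_entry *list = collect_from_lines(sample_lines, n, "module_show", "example_lkm", NULL);
    printf("module_show resolves to 0x%llx\n", (unsigned long long)resolve_address(list, "module_show"));
    free_entries(list);
    return 0;
}
```

On a kernel 6.5 or newer, `sample_lines` would be replaced by the lines read from `/sys/kernel/tracing/available_filter_functions_addrs`; restricting the match to a module name matters because several modules can export a symbol with the same name and only the hidden module's copy is of interest.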