m0nad / diamorphine
LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)
License: Other
Hello
When I try to run make, it gives me the following error:
`root@lubusecusimup1:~/Diamorphine# make clean
make -C /lib/modules/4.15.0-117-generic/build M=/root/Diamorphine clean
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-117-generic'
CLEAN /root/Diamorphine/.tmp_versions
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-117-generic'
root@lubusecusimup1:~/Diamorphine# make
make -C /lib/modules/4.15.0-117-generic/build M=/root/Diamorphine modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-117-generic'
CC [M] /root/Diamorphine/diamorphine.o
In file included from /root/Diamorphine/diamorphine.c:1:0:
./arch/x86/include/asm/uaccess.h:30:27: error: unknown type name ‘mm_segment_t’; did you mean ‘apm_event_t’?
static inline void set_fs(mm_segment_t fs)
^~~~~~~~~~~~
apm_event_t
In file included from ./arch/x86/include/asm/uaccess.h:7:0,
from /root/Diamorphine/diamorphine.c:1:
./arch/x86/include/asm/uaccess.h: In function ‘user_access_begin’:
./arch/x86/include/asm/uaccess.h:39:26: error: ‘current’ undeclared (first use in this function)
#define user_addr_max() (current->thread.addr_limit.seg)
^
./include/linux/compiler.h:77:42: note: in definition of macro ‘unlikely’
^
./arch/x86/include/asm/uaccess.h:101:2: note: in expansion of macro ‘likely’
likely(!__range_not_ok(addr, size, user_addr_max()));
^~~~~~
./arch/x86/include/asm/uaccess.h:101:10: note: in expansion of macro ‘__range_not_ok’
likely(!__range_not_ok(addr, size, user_addr_max()));
^~~~~~~~~~~~~~
./arch/x86/include/asm/uaccess.h:101:37: note: in expansion of macro ‘user_addr_max’
likely(!__range_not_ok(addr, size, user_addr_max()));
^~~~~~~~~~~~~
./arch/x86/include/asm/uaccess.h:718:16: note: in expansion of macro ‘access_ok’
if (unlikely(!access_ok(type, ptr, len)))
^~~~~~~~~
./arch/x86/include/asm/uaccess.h:39:26: note: each undeclared identifier is reported only once for each function it appears in
#define user_addr_max() (current->thread.addr_limit.seg)
^
./include/linux/compiler.h:77:42: note: in definition of macro ‘unlikely’
^
./arch/x86/include/asm/uaccess.h:101:2: note: in expansion of macro ‘likely’
likely(!__range_not_ok(addr, size, user_addr_max()));
^~~~~~
./arch/x86/include/asm/uaccess.h:101:10: note: in expansion of macro ‘__range_not_ok’
likely(!__range_not_ok(addr, size, user_addr_max()));
^~~~~~~~~~~~~~
./arch/x86/include/asm/uaccess.h:101:37: note: in expansion of macro ‘user_addr_max’
likely(!__range_not_ok(addr, size, user_addr_max()));
^~~~~~~~~~~~~
./arch/x86/include/asm/uaccess.h:718:16: note: in expansion of macro ‘access_ok’
if (unlikely(!access_ok(type, ptr, len)))
^~~~~~~~~
scripts/Makefile.build:337: recipe for target '/root/Diamorphine/diamorphine.o' failed
make[2]: *** [/root/Diamorphine/diamorphine.o] Error 1
Makefile:1585: recipe for target 'module/root/Diamorphine' failed
make[1]: *** [module/root/Diamorphine] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-117-generic'
Makefile:7: recipe for target 'all' failed
make: *** [all] Error 2
root@lubusecusimup1:~/Diamorphine#`
Hi, we've found an issue that happens during a scan of /proc on CentOS 7 (kernel 3.10.0-1160.36.2.el7.x86_64): the scanning program sometimes crashes (wazuh/wazuh#9737) and sometimes falls into an infinite loop (wazuh/wazuh#9032) when Diamorphine (commit 8988105) is installed.
We've written this program to detect this problem:
#include <sys/types.h>
#include <dirent.h>
#include <limits.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
// Heartbeat flag shared by the scanner and the monitor thread: list_dir() sets
// it after a directory has been read to its end, and monitor_main() clears it
// on its one-second tick.
// NOTE(review): volatile is not a thread-synchronization primitive; it is used
// here only as a coarse liveness hint, so an occasional missed update merely
// delays or repeats a message.
volatile bool keepalive = false;
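// Print every entry of `dirname` to stdout and, while `depth` is positive,
// descend into each entry with depth - 1.
//
// This is the probe half of the watchdog: `keepalive` is raised only after the
// directory stream has been read to its end and closed. A readdir() call that
// blocks, or a stream that never reports end-of-directory, therefore leaves
// the flag clear and the monitor thread starts printing warnings.
//
// Paths that cannot be opened as a directory (for example plain files, or
// entries that disappeared in the meantime) are skipped silently. Entries
// whose full path does not fit in PATH_MAX are reported on stderr and skipped
// rather than listed or followed under a truncated name.
static void list_dir(const char * dirname, int depth) {
    char fname[PATH_MAX];
    struct dirent * entry;
    DIR * dir = opendir(dirname);

    if (dir == NULL) {
        return;
    }

    while ((entry = readdir(dir)) != NULL) {
        const char * name = entry->d_name;
        int len;

        // Skip the "." and ".." pseudo-entries.
        if (name[0] == '.' && (name[1] == '\0' || (name[1] == '.' && name[2] == '\0'))) {
            continue;
        }

        // snprintf() reports the length it wanted to write; anything that does
        // not fit would otherwise be printed and recursed into truncated.
        len = snprintf(fname, sizeof fname, "%s/%s", dirname, name);
        if (len < 0 || (size_t)len >= sizeof fname) {
            fprintf(stderr, "WARNING: Path too long, skipping: %s/%s\n", dirname, name);
            continue;
        }

        puts(fname);

        if (depth > 0) {
            list_dir(fname, depth - 1);
        }
    }

    closedir(dir);

    // Reached only when the whole directory was enumerated.
    keepalive = true;
}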
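// Watchdog thread body: wake up once per second and check whether the scanner
// raised `keepalive` since the previous tick.
//
// If the flag is clear, a warning with the number of consecutive silent
// seconds goes to stderr. If it is set, the counter is reset, a recovery
// message is printed when warnings had been issued, and the flag is cleared
// for the next tick. The loop never exits.
//
// The function takes the `void *` argument that pthread_create() hands to a
// start routine. The argument is unused; it is declared so that the call made
// through a `void *(*)(void *)` pointer matches the definition (calling a
// zero-parameter definition through that pointer type is undefined behaviour).
static void * monitor_main(void * arg) {
    int delay = 0;

    (void)arg;

    while (true) {
        sleep(1);

        if (!keepalive) {
            fprintf(stderr, "WARNING: Program is taking %d sec. to respond.\n", ++delay);
            continue;
        }

        if (delay > 0) {
            fprintf(stderr, "INFO: Program is now responding.\n");
        }

        delay = 0;
        keepalive = false;
    }

    return NULL;
}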
// Start the watchdog thread and detach it.
// Failure to create the thread is fatal (the program exits with EXIT_FAILURE);
// failure to detach it is only reported on stderr.
static void run_monitor() {
    pthread_t tid;
    int err;

    err = pthread_create(&tid, NULL, (void *(*)(void *))monitor_main, NULL);
    if (err != 0) {
        fprintf(stderr, "ERROR: Cannot run thread: %s\n", strerror(err));
        exit(EXIT_FAILURE);
    }

    err = pthread_detach(tid);
    if (err == 0) {
        return;
    }

    fprintf(stderr, "ERROR: Cannot detach thread: %s\n", strerror(err));
}
// Entry point: start the watchdog, then list directories forever.
// Each command-line argument is listed one level deep on every pass; with no
// arguments, /proc is listed instead. The loop has no exit, so the final
// return is never reached and the program runs until it is interrupted.
int main(int argc, char ** argv) {
    int i;

    run_monitor();

    for (;;) {
        if (argc <= 1) {
            list_dir("/proc", 1);
            continue;
        }

        for (i = 1; i < argc; i++) {
            list_dir(argv[i], 1);
        }
    }

    return EXIT_SUCCESS;
}
We've managed to reproduce this problem by scanning /proc and launching lots of ephemeral processes (/bin/echo). I think that the issue occurs when a directory (or its content) is removed while readdir() is reading it. However, I don't know if this happens only with /proc.
insmod diamorphine.ko
for i in {1..8}; do while true; do /bin/echo Hello > /dev/null; done & done
gcc -g -pthread -o testproc testproc.c
./testproc > /dev/null
(... Few seconds after running the loops above ...)
WARNING: Program is taking 1 sec. to respond.
WARNING: Program is taking 2 sec. to respond.
WARNING: Program is taking 3 sec. to respond.
WARNING: Program is taking 4 sec. to respond.
(...)
#0 0x00007f8f83b9b334 in __getdents64 () from /lib64/libc.so.6
#1 0x00007f8f83b9af11 in readdir64 () from /lib64/libc.so.6
#2 0x00000000004009bb in list_dir (dirname=0x7ffe3a11ff10 "/proc/31244",
depth=0) at testproc.c:22
#3 0x00000000004009af in list_dir (dirname=0x400c91 "/proc", depth=1)
at testproc.c:31
#4 0x0000000000400b5b in main (argc=1, argv=0x7ffe3a121038)
at testproc.c:88
Hope this helps find the cause of the bug.
Thank you.
Dear Author,
I hope this message finds you well.
I am writing to report an issue I encountered while attempting to compile your Diamorphine module.
Here is the specific error message:
ERROR: modpost: "kallsyms_lookup_name" [/root/Diamorphine/Diamorphine.ko] undefined!
make[2]: *** [../scripts/Makefile.modpost:186: /root/Diamorphine/Module.symvers] Error 1
make[1]: *** [../Makefile:2009: modpost] Error 2
make[1]: Leaving directory '/root/android-kernel/6.1/common/out'
make: *** [Makefile:10: all] Error 2
It seems to be related to an undefined symbol named "kallsyms_lookup_name". I am using the LLVM compiler suite (including clang, ld.lld, llvm-objcopy, etc.) and have specified the ARCH=arm64 parameter during compilation.
I have ensured that my Android kernel source code is located in the '/root/android-kernel/6.1/common/out' directory, and the Diamorphine source code is in the '/root/Diamorphine' directory.
Could you please provide some guidance to help me resolve this compilation issue? I am looking forward to successfully compiling and running your module.
Thank you for your assistance!
Best regards,
[Hualanxi]
I'm getting a bunch of "undefined syscall number" errors.
diamorphine.c: In function ‘get_syscall_table_bf’:
diamorphine.c:46: error: ‘__NR_close’ undeclared (first use in this function)
diamorphine.c:46: error: (Each undeclared identifier is reported only once
diamorphine.c:46: error: for each function it appears in.)
diamorphine.c: In function ‘diamorphine_init’:
diamorphine.c:299: error: ‘__NR_getdents’ undeclared (first use in this function)
diamorphine.c:300: error: ‘__NR_getdents64’ undeclared (first use in this function)
diamorphine.c:301: error: ‘__NR_kill’ undeclared (first use in this function)
diamorphine.c: In function ‘diamorphine_cleanup’:
diamorphine.c:316: error: ‘__NR_getdents’ undeclared (first use in this function)
diamorphine.c:317: error: ‘__NR_getdents64’ undeclared (first use in this function)
diamorphine.c:318: error: ‘__NR_kill’ undeclared (first use in this function)
Am I missing any packages?
Kernel 2.6.18-308.16.1.el5
gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-52)
Look forward to your soonest reply!
Hi, i have two questions.
First, I created a file named MAGIC_PREFIX-test.py, but it can still be found.
Second, how do I hide a TCP port?
Thanks!
Running on 4.9.140-tegra kernel, I cannot get this rootkit to initialize properly. The device is an Nvidia Jetson NX, on an arm64 architecture. I understand that it is a custom kernel which is likely what is causing the issues, but wanted to see if there's anything I can do.
"make" runs just fine, but when trying to run "insmod diamorphine.ko", I always get "Segmentation fault (core dumped)". Running both commands with sudo does not help. I tried installing generic arm64 linux headers for 4.15.0, and built with that by running "make -C /lib/modules/4.15.0-38-generic/build", which worked fine, but then running insmod now gives me "could not insert module diamorphine.ko: Invalid module format".
I wanted to see if trying to install this on an Nvidia Jetson running L4T is a deadend, or if I'm just doing something wrong. Also, the current L4T is based on an Ubuntu 18.04 LTS image, and I was able to install diamorphine on that version of Ubuntu without any issues before trying on the Jetson.
Any help would be appreciated, thanks!
how Hide/unhide any process?
Hello there ;)
I was curious to know what the genuinely useful use cases of such modules are, apart from the obvious malicious ones pursued by groups of kids such as TeamTNT?
Thanks
Hello!
I am writing a kernel module that patches a kernel function on ARM64 (android).
The problem is that as I write the 8 bytes I need to write, kernel crashes and reboots.
I have seen you are using update_mapping_prot but I don't understand how to use it to make RW the function code.
For example, let's say I want to change 8 bytes in function ip_forward.
I get the address to modify in a variable like this:
unsigned long *ff;
..........
ff=findcode();
printk("Found code at: %lx\n",ff);
to write it I do:
ff[0]=0xd503201fd503201f; // two nops
or
*ff = 0xd503201fd503201f; // two nops
how can I make the kernel code section where ip_forward is RW before the write?
Hi my friend, great repo!
Just to clarify:
Never mind, figured it out
My process runs on nvidia GPU.
[centos@wenyangmao01 ~]$ kill -31 87315
[centos@wenyangmao01 ~]$ ps aux|grep 87315
centos 87354 0.0 0.0 112724 988 pts/1 S+ 02:44 0:00 grep --color=auto 87315
[centos@wenyangmao01 ~]$ nvidia-smi
Wed Jun 26 02:44:30 2019
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 410.48 Driver Version: 410.48 |
|-------------------------------+----------------------+----------------------+
| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
|===============================+======================+======================|
| 0 Tesla V100-DGXS... Off | 00000000:82:00.0 Off | 0 |
| N/A 38C P0 49W / 300W | 449MiB / 32478MiB | 0% Default |
+-------------------------------+----------------------+----------------------+
+-----------------------------------------------------------------------------+
| Processes: GPU Memory |
| GPU PID Type Process name Usage |
|=============================================================================|
| 0 87315 C ./CUDA-Z-0.10.251-64bit.run 439MiB |
+-----------------------------------------------------------------------------+
I'd be willing to donate 0.2 BTC if you can make it hide CPU usage of specified process as well and another 0.1 BTC for capability to run a file every X hours.
Centos8 zhōng kernel wèi 4.18. Zhíxíng kill -63 0 hòu biāoqiān yè bèi guānbì, mókuài wèi xiǎnshì. Érqiě kill 31 PID yǐncáng jìnchéng hòu wúfǎ huīfù, tíshì gāi jìnchéng ID bù cúnzài.
80/5000
The kernel in centos8 is 4.18. After executing kill -63 0, the tab page is closed and the module is not displayed. And the kill 31 PID cannot be recovered after hiding the process, indicating that the process ID does not exist.
I'm trying to use this module inside another shell that doesn't implement the kill built-in command (nash). What is happening: if I call kill, it uses the kill command stored at /bin/kill and not a kill built-in as bash and zsh do.
Some colleagues told me that maybe Diamorphine escalates privileges for the current process, i.e. the PID of /bin/kill, which dies right after the signal is sent. Would it be possible to escalate root privileges for a given PID? With that we could use /bin/kill -64 $PID, which means the same thing would work fine inside nash.
❯ pacman -Qo /bin/kill
/usr/bin/kill is owned by util-linux 2.31.1-1
please add for hidding tcp connection
Development tools are installed on a 64 bit Fedora based machine.
Diamorphine]$ make
make -C /lib/modules/4.9.51-10.52.amzn1.x86_64/build M=/home/ec2-user/maK_it-Linux-Rootkit/Diamorphine modules
make: *** /lib/modules/4.9.51-10.52.amzn1.x86_64/build: No such file or directory. Stop.
make: *** [all] Error 2
[ec2-user@ip-172-31-15-233 Diamorphine]$ uname -r
4.9.51-10.52.amzn1.x86_64
What is the point of the give_root function, which makes you root, when you have to be root anyway to load LKMs? I don't get it, sorry. Can you please explain it to me, as I have seen this idea used in many other rootkits...
Thanks.
I also enjoyed your talk on rootkits on YT :)
Link to thc.org for LKM article is stale.
Suggested Alternatives:
http://www.ouah.org/LKM_HACKING.html
Archived Link
Linux localhost 4.14.180-perf-g75d251435f84 #1 SMP PREEMPT Fri Dec 3 02:11:21 CST 2021 aarch64
system crashes and reboots on module insertion.
:)
what is the signal to get root?
EVERYTHING worked fine on:
Debian 6, 64Bit, 2.6.32-5-amd64
Debian 7, 64Bit, 3.2.0-4-amd64
Ubuntu 10, 64Bit, 2.6.32-46-server
Ubuntu Server 12, 64Bit, 3.5.0-23-generic
Ubuntu 14.1, 64Bit, 3.16.0-28-generic
Fedora 20, 32Bit, 3.11.10-301.fc20.i686+PAE
I've had issues on:
Gentoo 2013.10, 64Bit, 3.10.7-gentoo-r1
ArchLinux 2013.08, 64Bit, 3.10.5-1-ARCH
Centos 6.4, 64Bit, 2.6.32-358.23.2.el6.x86_64
I will do more tests and hopefully push some improvements in the coming days. While I'm at it, can you please make Diamorphine more compile-friendly? It should compile without modifications to Makefile on more distros...
Centos
2.6.32-431.el6.x86_64
/sbin/insmod diamorphine.ko insmod: error inserting 'diamorphine.ko': -1 Unknown symbol in module
Hi, I'm running your project on my ubuntu16.04 perfectly!,
Could you please add a new feature to hide tcp connections?
Hi,
It would be great to add a hide/unhide files and directories feature.
Thank You.
Hello,
I installed linux-headers-(uname -r)
and build-essential
and I got this error message when I try to build diamorphine:
make -C /lib/modules/5.10.0-kali4-amd64/build M=/opt/infra/install_scripts/install_scripts.d/Diamorphine modules
make[1] : on entre dans le répertoire « /usr/src/linux-headers-5.10.0-kali4-amd64 »
MODPOST /opt/infra/install_scripts/install_scripts.d/Diamorphine/Module.symvers
ERROR: modpost: "kallsyms_lookup_name" [/opt/infra/install_scripts/install_scripts.d/Diamorphine/diamorphine.ko] undefined!
make[3]: *** [/usr/src/linux-headers-5.10.0-kali4-common/scripts/Makefile.modpost:111 : /opt/infra/install_scripts/install_scripts.d/Diamorphine/Module.symvers] Erreur 1
make[3]: *** Suppression du fichier « /opt/infra/install_scripts/install_scripts.d/Diamorphine/Module.symvers »
make[2]: *** [/usr/src/linux-headers-5.10.0-kali4-common/Makefile:1717 : modules] Erreur 2
make[1]: *** [/usr/src/linux-headers-5.10.0-kali4-common/Makefile:185 : __sub-make] Erreur 2
make[1] : on quitte le répertoire « /usr/src/linux-headers-5.10.0-kali4-amd64 »
make: *** [Makefile:7 : all] Erreur 2
However, the symbol exists:
cat /proc/kallsyms | grep kallsyms_lookup_name
0000000000000000 T module_kallsyms_lookup_name
0000000000000000 T kallsyms_lookup_name
Do you know what the problem is, please?
linux-headers-6.8.0-31-generic doesn't work.
diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
index de753403cdafbd..9c581d6da843a3 100644
--- a/kernel/trace/trace_syscalls.c
+++ b/kernel/trace/trace_syscalls.c
@@ -556,7 +556,7 @@ static int perf_call_bpf_enter(struct trace_event_call *call, struct pt_regs *re
{
struct syscall_tp_t {
struct trace_entry ent;
unsigned long syscall_nr;
int syscall_nr;
unsigned long args[SYSCALL_DEFINE_MAXARGS];
unsigned long syscall_nr;
int syscall_nr;
unsigned long ret;
diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c
index 8cfc9bc73e7f8b..c2235bae17ef66 100644
--- a/arch/x86/entry/syscall_32.c
+++ b/arch/x86/entry/syscall_32.c
@@ -18,8 +18,25 @@
#include <asm/syscalls_32.h>
#undef __SYSCALL
+/*
-__visible const sys_call_ptr_t ia32_sys_call_table[] = {
+const sys_call_ptr_t sys_call_table[] = {
#include <asm/syscalls_32.h>
};
+#undef __SYSCALL
+#endif
+
+#define __SYSCALL(nr, sym) case nr: return _ia32##sym(regs);
+
+long ia32_sys_call(const struct pt_regs *regs, unsigned int nr)
+{
diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c
index be120eec1fc9f9..33b3f09e6f151e 100644
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -11,8 +11,23 @@
#include <asm/syscalls_64.h>
#undef __SYSCALL
+/*
-asmlinkage const sys_call_ptr_t sys_call_table[] = {
+const sys_call_ptr_t sys_call_table[] = {
#include <asm/syscalls_64.h>
};
+#undef __SYSCALL
+
+#define __SYSCALL(nr, sym) case nr: return _x64##sym(regs);
+
+long x64_sys_call(const struct pt_regs *regs, unsigned int nr)
+{
linux 6.3 can support?
When inserted, VM crashes; crash logs indicate that protect_memory caused the issue.
Hi
I hope to support the ability to hide the listening port And hide all network links to this port.
thank you.