
Linux rootkit POC to hide a crypto miner's process and CPU usage.

Primary language: C. License: The Unlicense.

hiding-cryptominers-linux-rootkit

Notice: This LKM rootkit is unmaintained. Please use Diamorphine as an alternative.

Related post: https://alfon.xyz/posts/hiding-cryptominers-linux

Features

  • Hide process
  • Hide process CPU usage
  • Hide files whose filename starts with the MAGIC_PREFIX
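A defender-side check that corresponds to the first feature above, added here as an example and not part of this project's code. A process-hiding LKM usually filters what a directory listing of /proc returns (the view that ps and top rely on), while a direct stat() of /proc/<pid> still succeeds; comparing the two views exposes the gap. The script assumes a standard procfs mount at /proc and walks the whole PID space up to /proc/sys/kernel/pid_max, which can take several seconds on systems with a large pid_max. Non-leader threads are filtered out via the Tgid field, since they are reachable as /proc/<tid> but never listed and would otherwise appear as false positives.

```python
import os

PROC = "/proc"  # assumed standard procfs mount point


def listed_pids(proc=PROC):
    """PIDs that a plain directory listing of /proc returns (what ps and top see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def read_pid_max(proc=PROC, default=32768):
    """Upper bound of the PID space; falls back to the classic default."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def tgid_from_status(status_text):
    """Parse the Tgid field out of /proc/<pid>/status text; None if absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def is_thread_group_leader(pid, proc=PROC):
    """Non-leader threads are reachable as /proc/<tid> but are never listed,
    so they must be excluded or every multithreaded process looks hidden."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            tgid = tgid_from_status(f.read())
    except OSError:
        return True  # cannot tell; keep it as a candidate rather than drop it
    return tgid is None or tgid == pid


def probed_pids(limit, proc=PROC):
    """PIDs whose /proc/<pid> directory answers a direct stat(), listed or not."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.stat(f"{proc}/{pid}")
        except OSError:
            continue
        if is_thread_group_leader(pid, proc):
            found.add(pid)
    return found


def find_hidden_pids(listed, probed):
    """Pure set comparison: reachable by path but absent from the listing."""
    return sorted(set(probed) - set(listed))


def scan(proc=PROC):
    """Two listings bracket the probe so a process that starts or exits
    mid-scan is not reported; survivors are re-checked once more."""
    before = listed_pids(proc)
    probed = probed_pids(read_pid_max(proc), proc)
    after = listed_pids(proc)
    confirmed = []
    for pid in find_hidden_pids(before | after, probed):
        if os.path.isdir(f"{proc}/{pid}") and pid not in listed_pids(proc):
            confirmed.append(pid)
    return confirmed


def comm(pid, proc=PROC):
    """Best-effort command name for the report."""
    try:
        with open(f"{proc}/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    hidden = scan()
    if not hidden:
        print("no hidden PIDs found")
    for pid in hidden:
        print(f"hidden PID {pid} ({comm(pid)})")
```

Run it as root so every /proc/<pid>/status is readable; an empty result on a clean host is the expected baseline, and any PID it reports should be cross-checked with a second source such as kernel-side tooling before drawing conclusions, since a rootkit that also intercepts path lookups will defeat this particular comparison.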

Rootkit installation

Build

$ git clone https://github.com/alfonmga/hiding-cryptominers-linux-rootkit
$ cd hiding-cryptominers-linux-rootkit/
$ make

Loading LKM:

$ dmesg -C # clears all messages from the kernel ring buffer
$ insmod rootkit.ko
$ dmesg # verify that the rootkit has been loaded

Unloading LKM:

$ rmmod rootkit
$ dmesg # verify that the rootkit has been unloaded