I've tested this on a few distros

[Kabot]

EVERYTHING worked fine on:
Debian 6, 64Bit, 2.6.32-5-amd64
Debian 7, 64Bit, 3.2.0-4-amd64
Ubuntu 10, 64Bit, 2.6.32-46-server
Ubuntu Server 12, 64Bit, 3.5.0-23-generic
Ubuntu 14.1, 64Bit, 3.16.0-28-generic
Fedora 20, 32Bit, 3.11.10-301.fc20.i686+PAE

I've had issues on:
Gentoo 2013.10, 64Bit, 3.10.7-gentoo-r1
ArchLinux 2013.08, 64Bit, 3.10.5-1-ARCH
Centos 6.4, 64Bit, 2.6.32-358.23.2.el6.x86_64

I will do more tests and hopefully push some improvements in the coming days. While I'm at it, can you please make Diamorphine more compile-friendly? It should compile without modifications to Makefile on more distros...

[m0nad]

Thank you for the feedback.

Those issues appear in the last commit? Because some compability problems for the 2.6 kernels have been fixed in the af9a0f4 commit.

[aremai]

works ace on
Red Hat Enterprise Linux Server release 7.2 (Maipo)
3.10.0-327.13.1.el7.x86_64

thanks for writing this rootkit 👍

[aremai]

However, on a CentOS 6.7 I ran into this issue

make -C /lib/modules/2.6.32-573.22.1.el6.centos.plus.x86_64/build M=/root/git/Diamorphine modules
make: *** /lib/modules/2.6.32-573.22.1.el6.centos.plus.x86_64/build: No such file or directory. Stop.
make: *** [all] Error 2

I just cloned it from the master branch...

[m0nad]

Thanks for your feedback @aremai .

Make sure you have kernel-devel and gcc packages installed(yum install kernel-devel gcc).

Regards.

[aremai]

Awesome, thanks so much @m0nad !! Now it also works on CentOS 6.7 with an older kernel (2.6.32-573)

Would you mind mentioning this in the README? This would clear some confusion.... (maybe I'm just dumb) hehe

[aremai]

hi @m0nad ,

sorry it's me again. I came across an odd situation.... I'm on a CentOS release 6.8 box
I've managed to successfully compile (make) diamorphine, however when I want to load the kernel module (insmod diamorphine.ko) it takes a while to run, and all of the sudden I'm kicked off the machine

packet_write_wait: Connection to 10.0.0.123 port 22: Broken pipe

Afterwards these files are zero'd (have 0 bytes)
-rw-r--r--. 1 root root 0 Jul 23 21:42 diamorphine.ko
-rw-r--r--. 1 root root 0 Jul 23 21:42 diamorphine.ko.unsigned
-rw-r--r--. 1 root root 0 Jul 23 21:42 diamorphine.mod.c
-rw-r--r--. 1 root root 0 Jul 23 21:42 diamorphine.mod.o
-rw-r--r--. 1 root root 0 Jul 23 21:42 modules.order
-rw-r--r--. 1 root root 0 Jul 23 21:42 Module.symvers

I know that it worked on another CentOS 6 box just fine a couple of months ago, but on this time I can't seem to load the kernel module.
Any idea what could be blocking it? It's driving me crazy...

[dimitriakos]

This is awesome work, thank you m0nad!

Just on Raspbian (on Raspberry Pi 2 B at least), I had to put the following instead of line 21 in order to make it work:

#ifndef _ASM_X86_SPECIAL_INSNS_H
#define _ASM_X86_SPECIAL_INSNS_H
#ifdef __KERNEL__

unsigned long cr0;

static inline unsigned long native_read_cr0(void)
{
        unsigned long val;
        asm volatile("mov %0, %1\n\t" : "=r" (val) : "r" (cr0));
        return val;
}

static inline void native_write_cr0(unsigned long val)
{
	asm volatile("mov %0, %1\n\t" : "=r" (cr0) : "r" (val));
}

#ifdef CONFIG_PARAVIRT
#include <asm/paravirt.h>
#else

static inline unsigned long read_cr0(void)
{
	return native_read_cr0();
}

static inline void write_cr0(unsigned long x)
{
	native_write_cr0(x);
}

#endif/* CONFIG_PARAVIRT */
#endif /* __KERNEL__ */

#endif /* _ASM_X86_SPECIAL_INSNS_H */

[m0nad]

Thank's for the feedback @dimitriakos, can you do a fork and a pull request for this?

[m0nad]

Commit 4438984 tested on Ubuntu 18.04/20.04 with kernel 5.4.0-42-generic

[m0nad]

Tested in fedora with kernel 5.6.6

[m0nad]

Tested on ubuntu 16.04, kernel 4.15.0-112-generic

[m0nad]

Tested on ubuntu 19.04, kernel 5.0.0-13-generic

[m0nad]

Tested on:
Ubuntu 18.04 Kernel 4.15.0-20-generic
Ubuntu 18.04.1 Kernel 4.15.0-29-generic
Ubuntu 18.04.2 Kernel 4.18.0-15-generic
Ubuntu 18.04.3 Kernel 5.0.0-23-generic
Ubuntu 18.04.4 Kernel 5.3.0-28-generic
Ubuntu 18.04.5 Kernel 5.4.0-42-generic

[m0nad]

Tested on CentOS release 6.4/6.5 with Kernel 2.6.32-754.35.1.el6.x86_64

[m0nad]

Tested on CentOS 8.2 with Kernel 4.18.0-193.28.1.el8_2.x86_64

[m0nad]

Tested on CentOS 7 with Kernel 3.10.0-1160.2.2.el7.x86_64

[m0nad]

Tested on Ubuntu 20.04.3 LTS with Kernel 5.11.0-37-generic

[m0nad]

Tested on Fedora 6.2.14-100.fc36.x86_64

[m0nad]

Tested on Linux fedora 6.4.15-200.fc38.x86_64