Build doesn't work on Kali GNU/Linux Rolling (9.16.12-Debian - Linux 5.10.0-kali4-amd64 Kernel)

[TheThingGoesSkra]

Hello, I installed linux-headers-(uname -r) and build-essential and I got this error message when I try to build diamorphine:

make -C /lib/modules/5.10.0-kali4-amd64/build M=/opt/infra/install_scripts/install_scripts.d/Diamorphine modules
make[1] : on entre dans le répertoire « /usr/src/linux-headers-5.10.0-kali4-amd64 »
  MODPOST /opt/infra/install_scripts/install_scripts.d/Diamorphine/Module.symvers
ERROR: modpost: "kallsyms_lookup_name" [/opt/infra/install_scripts/install_scripts.d/Diamorphine/diamorphine.ko] undefined!
make[3]: *** [/usr/src/linux-headers-5.10.0-kali4-common/scripts/Makefile.modpost:111 : /opt/infra/install_scripts/install_scripts.d/Diamorphine/Module.symvers] Erreur 1
make[3]: *** Suppression du fichier « /opt/infra/install_scripts/install_scripts.d/Diamorphine/Module.symvers »
make[2]: *** [/usr/src/linux-headers-5.10.0-kali4-common/Makefile:1717 : modules] Erreur 2
make[1]: *** [/usr/src/linux-headers-5.10.0-kali4-common/Makefile:185 : __sub-make] Erreur 2
make[1] : on quitte le répertoire « /usr/src/linux-headers-5.10.0-kali4-amd64 »
make: *** [Makefile:7 : all] Erreur 2

However the process exist :

cat /proc/kallsyms | grep kallsyms_lookup_name
0000000000000000 T module_kallsyms_lookup_name
0000000000000000 T kallsyms_lookup_name

Do you know what the problem is, please?

[loresuso]

Hi, the kallsyms_lookup_name function is unexported in recent kernel versions according to this.

Workaround: as suggested in the article, you can make use of kprobes. See this repository.

[awerv]

@TheThingGoesSkra to get valid addresses from that file, you must run cat as the root user, otherwise you get zeros.

Possible (long term) solutions of this issue:

• generate a header using /proc/kallsyms, suitable when the rootkit is compiled on the machine where it will be used, also requires root
• generate a header using a System.map file, more suitable when compiled on an other device, but some systems might not have this file
• the krpobe trick, seems nice, as long as kprobe is supported by the target kernel

Both solutions with header generation suffer from the same issue: if KASLR/KAISER is enabled, only offsets are stored, the base address of the kernel must be determined as well.

[m0nad]

It should be fixed now, based on the work from @zizzu0 (https://github.com/zizzu0/LinuxKernelModules/blob/main/FindKallsymsLookupName.c) and @xcellerator (https://xcellerator.github.io/posts/linux_rootkits_11/)