Closed: jgru closed this pull request 2 years ago
Hi @jgru
Thanks for your contribution. But I've some objections:
1 - The objective of Diamorphine is not to be a full-featured rootkit. Instead, it is only to reproduce the Heroin rootkit made by Runar Jensen back in the '90s [1], hence the name. Nevertheless, this would be a minor change that I'd probably be ok with.
2 - I did some tests, and it seems like - at least on Ubuntu 20.04 with kernel 5.11.0-44-generic - the tasks->comm doesn't come with the full process name when the file/process name is too big, failing to make the process invisible. E.g. for a filename diamorphine_secret_test the content of tasks->comm was diamorphine_sec, making the process visible.
Let me know what you think about it, and feel free to keep your fork with the modification for anyone who wants this feature :)
[1] https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html#A-b
Hi @m0nad,
thanks for your reply.
First of all, I really like the idea of making an up-to-date version of Runar Jensen's Heroin rootkit. Thanks for providing it.
Secondly, you are completely right. task->comm is limited to 16 bytes. I thought it is nevertheless valuable. To read the full command line of a process, a bunch more code would be needed, I think. Therefore, I'll just keep it in my fork.
Feel free to close this PR.
Thank you!
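As an added illustration of the truncation m0nad observed and jgru confirmed (this is not code from the PR or from Diamorphine): the kernel stores a task's name in a fixed TASK_COMM_LEN (16-byte) buffer, so any prefix test against comm silently fails once the prefix is longer than 15 characters; the same limit bites defensive tooling that matches process names via comm instead of /proc/<pid>/cmdline. The prefix value diamorphine_secret is assumed for illustration, since the PR's MAGIC_PREFIX value is not shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* TASK_COMM_LEN is the kernel's fixed size for task_struct->comm:
 * 15 visible characters plus the terminating NUL. */
#define TASK_COMM_LEN 16

/* Mimic how the kernel fills comm at exec time: the executable's
 * basename is copied into the fixed buffer and silently truncated. */
void kernel_set_comm(char comm[TASK_COMM_LEN], const char *basename)
{
    strncpy(comm, basename, TASK_COMM_LEN - 1);
    comm[TASK_COMM_LEN - 1] = '\0';
}

/* The kind of prefix test the PR applies to comm. */
int comm_has_prefix(const char *comm, const char *prefix)
{
    return strncmp(comm, prefix, strlen(prefix)) == 0;
}

/* 1 if a prefix test on comm matches this process name, 0 if the
 * 16-byte truncation defeats it. */
int prefix_matches_after_truncation(const char *basename, const char *prefix)
{
    char comm[TASK_COMM_LEN];
    kernel_set_comm(comm, basename);
    return comm_has_prefix(comm, prefix);
}

/* Longest prefix that can ever match through comm: the buffer minus the NUL.
 * Any longer prefix compares against bytes comm never holds. */
int max_matchable_prefix_len(void)
{
    return TASK_COMM_LEN - 1;
}

int main(void)
{
    /* Constructed sample, using the file name from the PR discussion. */
    const char *name = "diamorphine_secret_test";
    const char *prefix = "diamorphine_secret";   /* assumed MAGIC_PREFIX */
    char comm[TASK_COMM_LEN];
    kernel_set_comm(comm, name);
    printf("comm after truncation: \"%s\"\n", comm);
    printf("prefix \"%s\" matches: %s\n", prefix,
           prefix_matches_after_truncation(name, prefix) ? "yes" : "no");
    return 0;
}
```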
Dear m0nad,
this PR adds the capability to hide processes whose comm field starts with the string MAGIC_PREFIX.
Thanks already in advance for considering this PR.
Best regards jgru