Question 1

How to detect Diamorphine rootkit on Linux?

Accepted Answer

Detection is challenging due to its invisible module feature; tools like lsmod or ps may not show it, but advanced anti-rootkit scanners or kernel integrity checks might reveal manipulations. Research-specific methods often involve analyzing system calls or memory for hooks.

Question 2

Diamorphine vs Reptile rootkit: which is better for learning?

Accepted Answer

Diamorphine is simpler and more focused on basic stealth techniques with signal-based controls, ideal for beginners in rootkit concepts. Reptile offers more advanced features like backdooring but has a steeper learning curve; choose Diamorphine for foundational understanding.

Question 3

How to remove Diamorphine if it's hidden?

Accepted Answer

As per the README, send signal 63 to PID 0 with 'kill -63 0' to make the module visible, then use 'rmmod diamorphine' as root. This relies on the module's toggle feature and requires root access.

Question 4

Is Diamorphine safe to test on virtual machines?

Accepted Answer

Yes, it's recommended to use VMs like VirtualBox or QEMU for isolated testing to prevent host system damage. Always snapshot the VM first, as kernel module errors can corrupt the environment.

Question 5

Can Diamorphine work on kernel 6.x systems like Ubuntu 22.04?

Accepted Answer

Yes, the README states support for kernels up to 6.x, but compatibility may vary with specific distributions; compile and test in a controlled environment to ensure it loads without issues.

Question 6

How to customize the MAGIC_PREFIX for file hiding?

Accepted Answer

Modify the MAGIC_PREFIX definition in the source code before compilation, as the README doesn't provide runtime configuration. Recompile with 'make' after changes to apply the new prefix.

Diamorphine

What is Diamorphine?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions