Detecting Kernel Rootkits

Some methods in the http://www.la-samhna.de/library/rootkits/detect.html are worth reference, especially the last section To get a list of kernel modules, two standard methods can be used: <samp> bash $ </samp> <kbd> lsmod </kbd> <samp> bash $ </samp> <kbd> cat/proc/modules </kbd>
In addition, one can look at the list of symbols exported by modules (/proc/ksyms), where the name of the corresponding module will be listed in square brackets, like the following symbol exported from the snd (sound) module: c85029f4 snd_task_name [snd]
Unfortunately, being a kernel module, an LKM rootkit can easily defeat such efforts by a variety of methods. fortunately, there is a better way to detect an LKM rootkit: In order to replace kernel syscils with their own code, LKM rootkits modify the table which holds the addresses of these syscils, to point to the module's replacement function instead of the original kernel function. now, whenever a kernel is compiled, a map of kernel symbols and their respective addresses in the kernel is generated. this map is called System. map (sometimes with the kernel version appended), and usually install in the same location as the kernel (e.g. /boot ). thus, a straightforward way to detect hijacked kernel syscils is to compare this map against the actual addresses of all syscils, which will show all syscils whose address is different from the original address listed in the map.
4.1. Programs
This is a non-exhaustive list of programs that are useful for the detection of kernel modifications in a running system.

Kern_check.c

Kern_check.c is a small command-line utility (for Linux 2.2.x, 2.4.x) that will compare your System. mapAgainst your kernels syscall table and warn about any inconsistencies (PGP signature kern_check.c.asc ).

<Samp> bash $ </samp> <kbd> gpg -- verify kern_check.c.asc kern_check.c </kbd> <samp> bash $ </samp> <kbd> gcc-O2-Wall-o kern_check kern_check.c </kbd> <samp> bash $ </samp> <kbd> su </kbd> <samp> bash $ </samp> <kbd> kern_check <tt> <i>/path/to/System. map </I> </tt> </kbd>

	NOTE
	This will only detect rootkits that modify the syscall table directly. In particle, it will not detect the SucKIT rootkit (see Section 2.2> ).

CheckIDT

CheckIDT, published in Phrack issue 59, article 0 × 04 ("Handling the Interrupt Descriptor Table", by kad) is a utility that can be used to list the Interrupt Descriptor Table (IDT) (see Section 2.2>) and save the current state to check its integrity later on. currently there is no published real rootkit that uses the IDT, only proof-of-concept code.

 

Samhain

Samhain is a file integrity checker that can also check for kernel integrity. samhain performs checks AllOf the points discussed in Section 2.2>.