Detecting Kernel Rootkits

Source: Internet
Author: User

Some methods in http://www.la-samhna.de/library/rootkits/detect.html are worth referencing, especially the last section.

To get a list of kernel modules, two standard methods can be used:

bash$ lsmod
bash$ cat /proc/modules

In addition, one can look at the list of symbols exported by modules (/proc/ksyms), where the name of the corresponding module is listed in square brackets, as in the following symbol exported from the snd (sound) module:

c85029f4 snd_task_name [snd]

Unfortunately, being a kernel module, an LKM rootkit can easily defeat such efforts by a variety of methods. Fortunately, there is a better way to detect an LKM rootkit. In order to replace kernel syscalls with their own code, LKM rootkits modify the table which holds the addresses of these syscalls, so that an entry points to the module's replacement function instead of the original kernel function. Now, whenever a kernel is compiled, a map of kernel symbols and their respective addresses in the kernel is generated. This map is called System.map (sometimes with the kernel version appended), and is usually installed in the same location as the kernel (e.g. /boot). Thus, a straightforward way to detect hijacked kernel syscalls is to compare this map against the actual addresses of all syscalls in the running kernel's table, which will show every syscall whose address differs from the original address listed in the map.
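As an added example (not code from the la-samhna page and not kern_check itself), the comparison the paragraph describes, run over a constructed System.map excerpt and a constructed snapshot of the live syscall table in which one entry has been redirected into module address space; the kernel text range taken from _text/_etext is an assumption used to classify where a mismatching address points:

```python
import re

# Constructed System.map excerpt (i386 Linux 2.4 layout: "address type symbol").
SYSTEM_MAP = """\
c0100000 T _text
c0107e90 T sys_getpid
c010e9d0 T sys_open
c010ea50 T sys_read
c010eb10 T sys_write
c0114b20 T sys_getdents64
c0250000 T _etext
c0280000 D sys_call_table
"""

# Constructed snapshot of the running syscall table, as a checker would read it
# from kernel memory: syscall name -> address currently stored in sys_call_table.
# sys_getdents64 has been redirected to an address outside the kernel's own text.
LIVE_TABLE = {
    "sys_getpid": 0xC0107E90,
    "sys_open": 0xC010E9D0,
    "sys_read": 0xC010EA50,
    "sys_write": 0xC010EB10,
    "sys_getdents64": 0xD0801234,
}

def parse_system_map(text):
    """Return {symbol: address} for every 'address type symbol' line."""
    symbols = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$", line)
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols

def check_syscall_table(system_map, live_table):
    """Compare live syscall addresses with System.map; return (name, detail) findings."""
    findings = []
    text_lo, text_hi = system_map.get("_text"), system_map.get("_etext")
    for name, live_addr in sorted(live_table.items()):
        expected = system_map.get(name)
        if expected is None:
            findings.append((name, "not in System.map"))
        elif live_addr != expected:
            inside = text_lo is not None and text_lo <= live_addr < text_hi
            where = "inside kernel text" if inside else "outside kernel text (module space?)"
            findings.append((name, f"expected {expected:08x}, found {live_addr:08x}, {where}"))
    return findings

if __name__ == "__main__":
    for name, detail in check_syscall_table(parse_system_map(SYSTEM_MAP), LIVE_TABLE):
        print(f"WARNING: {name}: {detail}")
```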
4.1. Programs
This is a non-exhaustive list of programs that are useful for the detection of kernel modifications in a running system.

kern_check.c
kern_check.c is a small command-line utility (for Linux 2.2.x, 2.4.x) that will compare your System.map against your kernel's syscall table and warn about any inconsistencies (PGP signature: kern_check.c.asc).

bash$ gpg --verify kern_check.c.asc kern_check.c
bash$ gcc -O2 -Wall -o kern_check kern_check.c
bash$ su
bash# kern_check /path/to/System.map
NOTE
  This will only detect rootkits that modify the syscall table directly. In particular, it will not detect the SucKIT rootkit (see Section 2.2).
CheckIDT
CheckIDT, published in Phrack issue 59, article 0x04 ("Handling the Interrupt Descriptor Table", by kad), is a utility that can be used to list the Interrupt Descriptor Table (IDT) (see Section 2.2) and save its current state in order to check its integrity later on. Currently there is no published real rootkit that uses the IDT, only proof-of-concept code.
Samhain
Samhain is a file integrity checker that can also check for kernel integrity. Samhain performs checks on all of the points discussed in Section 2.2.