Linux Rootkit Scanner
C
Switch branches/tags
Nothing to show
Clone or download
dgoulet Update README, compiles and works on 3.15.0 kernel
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
Latest commit ad45c33 Jun 16, 2014

README

Kjackal project
----------------

NOTICE:

In no situation will we be liable for any loss or damage including without
limitation, indirect or consequential loss or damage, or any loss or damage
whatsoever arising from loss of data or profits arising out of, or in
connection with, the use of the data in this repository.

This is a kernel module so like any other kernel module things can go bad. It
will NOT destroy any data or corrupt your hard drive. At worst, you'll get a
kernel panic and you'll have to reboot. If this happens, PLEASE report it :).

Feel free to check the code, there is NO hidden backdoors or any shenanigans to
install any undesired software on your computer.

ABOUT:

Kjackal is a one time Linux kernel module rootkit scanner. It is *not* a
rootkit AV or any IPS bimbo-blabla system. The purpose of kjackal is to quickly
scan the Linux kernel for rootkit(s).

So commonly, a kernel module rootkit, once loaded, will hijack the syscall
table, the proc fileystem (to hide itself) and TCP4 operations to hide
backdoors' port.

Kjackal uses multiple methods to find hidden modules. Here is the list:

1) Syscall hijack detection.

The primary technique is to iterate over the syscall table and test
every address to see if it is in the core kernel text section where it's
supposed to be. If yes, we'll check for a module "hosting" this address.

2) TCP IPv4 seq_ops hijack detection.

This technique is often used to hide ports or any sensitive information.
The 'seq_ops.show' is checked here to the core kernel text address space.

3) /proc filesystem hijack detection.

Check the readdir ops of /proc.

4) Search for hidden modules

Search for each *hidden* module which tries to remove itself from existence.
kjackal still has some card up his sleeve ;) to get them.

REQUIREMENTS:

Tested on 2.6.32 up to 3.15.0 However, it might work for an older kernel.
Please report if you succeed.

- Linux Kernel Headers 2.6.32 or later

  * Debian: sudo apt-get install linux-headers
  * Redhat: sudo yum install kernel-headers
  * Arch: sudo pacman -S linux-headers
  * Gentoo: sudo emerge linux-headers

COMPILE:

# make

USAGE:

# insmod kjackal.ko
# dmesg

Kjackal prints the report in dmesg.

# rmmod kjackal

TESTS:

The tests/ directory contains three simple kernel modules to test kjackal.
Please read carefully the comments in the .c file before loading one of them.

WHAT'S NEXT:

So time for the fun part.

*IF* kjackal detects a rogue kernel module, please report it so we can
investigate it! There is a feature in src/module.c called "module_dump_memory"
which can be used to dump the entire module memory if detected. It will be
created in /tmp/rootkit-module.dump. Enable this and we'll have fun after that.

Also, PLEASE contribute your ideas/comments/code/bugs to this project to make
it better and more efficient at finding kernel module rookits. Please send me
any rootkit code you came upon to study them or any commercial one would be
really nice also.