Skip to content
fy-fy-fy edited this page Jun 12, 2020 · 50 revisions

Detection Tool

This is a simple LKM tool meant to detect LKM rootkits on Linux.

Features

Tested Environments

  • Ubuntu 16.04
    • 4.15.0-45-generic
    • 4.4.0-22-generic (for rootkits only compatible with 4.4)

Installation

NOTE: Ensure SMAP is disabled (most rootkits will not work with it enabled anyway)

git clone https://github.com/lckjosh/DetectionTool.git
cd DetectionTool
make
gcc client.c -o client

Usage

sudo insmod detectiontool.ko
./client [option]

Options:
[-p] detect hidden PIDs
[-f] detect hidden files
[-s] detect hooked functions
[-m] detect hidden modules

Explanation of Functions

Detect Hidden PIDs

Adapted from unhide.

This function compares the outputs of the following system calls:

  • kill
  • getpriority
  • getpgid
  • getsid
  • sched_getaffinity
  • sched_getparam
  • sched_getscheduler
  • sched_rr_get_interval

along with

  • "/proc" entries
  • "ps" command.

Discrepancies in the outputs can provide information on which PIDs were hidden.

Detect Hidden Files

Adapted from inodeyou: http://www.unixist.com/security/detecting-hidden-files/index.html

inodeyou compares the view of the filesystem inodes via the read() syscall, and from the getdent() and stat() syscall. If an inode is discovered by the read() syscall and not from getdent() and stat(), it is likely that either the read(), getdent(), or stat() syscall is hooked by the rootkit, so some entries are hidden by the "ls" command.

However, this may still return many false positives when scanning recursive directories. A false positive occurs when the script incorrectly states that a rootkit is hiding a particular inode when it is not.

The original inodeyou functionality is extended by using integrity-based checks comparing a compromised system with a clean system, which eliminates most of the false positives. Using an integrity-based check also shortens the time it takes for the script to find positives. The Seluth Kit (TSK) commands are also used to reduce further false positives. Other false positives can be placed into a text file (false-positives.txt) which will be ignored by the script.

Dependencies required for this script are:

  • Python 3 (At least version 3.5)
  • The Seluth Kit (TSK)
  • pytsk3 module

Recommended Usage:

python3 script-name.py /dev/sda1 / /

The above python command searches hidden inodes from the root (/) directory recursively, whereby the root is mounted on /dev/sda1. When the LKM is loaded, the script is executed once to form the baseline, and when the user subsequently invokes this script, it will be compared to the baseline.

The script roughly takes around 2 minutes to execute and can take longer depending on the number of inodes hidden by a possible rootkit.

Detect Hooked Functions

This function detects:

  • hooked system calls
  • hooked fops for "/", "/proc" and "/sys"

Hooked system calls

This tool is able to detect hooked system calls in the system call table that are hooked via replacing the address of the original function in the table with the address of a hooked function, or by using inline hooking with the unconditional jmp code of

\x48\xb8\x00\x00\x00\x00\x00\x00\x00\x00\xff\xe0

where the 8 bytes in the middle are replaced with the address of the hooked function.

When the tool is first inserted, a dump of the original system call table is created. When this function is called, the tool compares the addresses in the current system call table with the dump to check for modified addresses. If no difference in address is detected for a particular system call, the first 12 bytes are read and bytes 0,1,10 and 11 are compared with the above unconditional jmp code.

Hooked fops

The fops of "/", "/proc" and "/sys" are sometimes hooked instead of system calls to avoid hook detection in the system call table. This tool scans for the unconditional jmp code in the fops of these directories as well.

Detect Hidden Modules

Adapted from tyton.

This function checks if find_module is able to find the module referenced for each kobj entry. If it is unable to, the module is trying to hide. This function only works if the rootkit has the ability to both hide AND unhide itself.

Testing Results

Ubuntu 16.04

Rootkit Detect Hidden PIDs Detect Hidden Files Detect Hooked Functions Detect Hidden Modules
Diamorphine
LilyOfTheValley
Nuk3Gh0st
Reptile
nurupo/rootkit (4.4 only)
puszek-rootkit (4.4 only) not yet tested

Clone this wiki locally