Skip to content
Joshua Lim edited this page Jun 11, 2020 · 50 revisions

Detection Tool

This is a simple LKM tool meant to detect LKM rootkits on Linux.

Features

Tested Environments

  • Ubuntu 16.04 (4.15.0-45-generic)

Installation

NOTE: Ensure SMAP is disabled (most rootkits will not work with it enabled anyway)

git clone https://github.com/lckjosh/DetectionTool.git
cd DetectionTool
make
gcc client.c -o client

Usage

sudo insmod detectiontool.ko
./client [option]

Options:
[-p] detect hidden PIDs
[-f] detect hidden files
[-s] detect hooked functions
[-m] detect hidden modules

Explanation of Functions

Detect Hidden PIDs

Adapted from unhide.

This function compares the outputs of the following system calls:

  • kill
  • getpriority
  • getpgid
  • getsid
  • sched_getaffinity
  • sched_getparam
  • sched_getscheduler
  • sched_rr_get_interval

along with

  • "/proc" entries
  • "ps" command.

Discrepancies in the outputs can provide information on which PIDs were hidden.

Detect Hidden Files

// TODO

Detect Hooked Functions

This function detects:

  • hooked system calls
  • hooked fops for "/", "/proc" and "/sys"

Hooked system calls

This tool is able to detect hooked system calls in the system call table that are hooked via replacing the address of the original function in the table with the address of a hooked function, or by using inline hooking with the unconditional jmp code of

\x48\xb8\x00\x00\x00\x00\x00\x00\x00\x00\xff\xe0

where the 8 bytes in the middle are replaced with the address of the hooked function.

When the tool is first inserted, a dump of the original system call table is created. When this function is called, the tool compares the addresses in the current system call table with the dump to check for modified addresses. If no difference in address is detected for a particular system call, the first 12 bytes are read and bytes 0,1,10 and 11 are compared with the above unconditional jmp code.

Hooked fops

The fops of "/", "/proc" and "/sys" are sometimes hooked instead of system calls to avoid hook detection in the system call table. This tool scans for the unconditional jmp code in the fops of these directories as well.

Detect Hidden Modules

Adapted from tyton.

This function checks if find_module is able to find the module referenced for each kobj entry. If it is unable to, the module is trying to hide. This function only works if the rootkit has the ability to both hide AND unhide itself.

Testing Results

Ubuntu 16.04 (4.15.0-45-generic)

Rootkit Detect Hidden PIDs Detect Hidden Files Detect Hooked Functions Detect Hidden Modules
Diamorphine
LilyOfTheValley
Nuk3gh0st
Reptile

Clone this wiki locally