hiddenkernelmodulesextremwayreborn_g1inko2024

Finding hidden kernel modules (extrem way reborn): 20 years later

by g1inko (2024)

Notes
Linux kernel
LKM
LKM rootkit
rootkit
hidden kernel module
linked list
procfs
lsmod, rmmod
anti-forensics
LIST_POISON1, LIST_POISON2 - Kernel 2.5.71
KoviD LKM
/sys/module
Volatility
sysfs
sysfs_remove_file()
MODULE_STATE_UNFORMED
__module_address()
rkspotter
module_hunter - madsys
module struct
kernel patch
i386, x86_64
vlalloc()
persistence
MODULE_STATE_LIVE
MODULE_STATE_COMING
MODULE_STATE_GOING
MODULE_STATE_UNFORMED
brute force
MODULES_VADDR, MODULES_END macros
pgd_present()
p4d_present()
pvd_present()
pmd_present()
pte_present
MMU
mm_struct structure
C
kern_addr_valid()
dump_pagetable()
spurious_kernel_fault()
mm_find_pmd()
CONFIG_PGTABLE_LEVELS
CONFIG_X86_5LEVEL
nitara2.c
cleanup_module()
proc_create_data()
MODULE_LICENSE()
dmesg command

References
http://phrack.org/issues/61/3.html#article
Abuse of the Linux Kernel for Fun and Profit http://phrack.org/archives/issues/50/5.txt
https://github.com/carloslack/KoviD
https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference#linux_check_modules
https://github.com/linuxthor/rkspotter
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.118
https://www.kernel.org/doc/Documentation/x86/x86_64/mm.txt
https://wiki.osdev.org/Paging
https://www.kernel.org/doc/html/v6.5/mm/page_tables.html
https://lore.kernel.org/lkml/Y05fQrd4TYaOnks%2F@infradead.org/
https://github.com/torvalds/linux/commit/b8504058a06bd19286c8b59539eebfda69d1ecb5
https://lwn.net/Articles/716324/
https://www.kernel.org/doc/html/v5.9/x86/x86_64/5level-paging.html#enabling-5-level-paging
https://www.kernel.org/doc/html/v6.5/arch/arm64/memory.html
https://github.com/ksen-lin/nitara2

Recent Posts