artoflinuxkernelrootkit-tmpout4-matheuzsec_humzak711

2025-04-11

The Art of Linux Kernel Rootkit

by Matheuzsec and Humzak711

March 2025

tmp.Out Volume 4, article 10.

https://tmpout.sh/4/10.html

Notes
rootkit
kernel
syscall
userland rootkit
LKM rootkit
kernel land rootkit
ftrace
kprobe
eBPF
rootkit detection
sysfs
procfs
logs
eBPF tracepoint
/proc/kallsyms
persistence
mitigation
operating system
device driver
kernel module
LKM
userland/userspace
C
hello world
strace
sys_write
fd/file descriptor
stdout
sys_rename
LD_PRELOAD
/etc/ld.so.preload
shared object
sys_kill
signal
magic signal
privilege escalation
syscall hooking
module_init
module_exit
ftrace to hook syscalls
insmod
rmmod
lsmod
sys_call_table
VFS hooking
xcellerator ftrace_helper.h
tcp4_seq_show, tcp6_seq_show
sock structure
TCP
Kretprobes
debugging
profiling
detection
kprobe: pre_handler, post_handler
kretprobe: entry_handler, handler
__x64_sys_setuid
setuid
dmesg
LSM hooks
fentry/fexit hooks
unlinkat
bpf ring buffer
ring buffer
ecc https://github.com/eunomia-bpf/eunomia-bpf
Diamorphine
rkhunter
chkrootkit
many rootkit hunting tools are terrible
KoviD
Basilisk
tracefs
/sys/kernel/tracing/available_filter_functions
/sys/kernel/tracing/available_filter_functions_addrs
/sys/kernel/debug/dynamic_debug/control
/sys/kernel/tracing/enabled_functions
/sys/kernel/tracing/touched_functions
trampoline
/proc/sys/kernel/tainted
tainted kernel
log deletion
/dev/kmsg
dmesg -C
/var/log/kern.log
journalctl -k
systemd-journald
bpftrace
bpftrace -l
calling an LKM’s cleanup_module() function to unload/decloak it
MODULE_LICENSE
MODULE_AUTHOR
MODULE_DESCRIPTION
MODULE_VERSION
linked list
/proc/sys/kernel/ftrace_enabled
sysctl kernel.ftrace_enabled=0|1
/sys/kernel/debug/kprobes/enabled
static function
notrace function
/etc/modules-load.d directory
depmod
/usr/lib/modules
ModTracer https://github.com/MatheuZSecurity/ModTracer
nitara2
finit_module
hooking init functions to prevent additional modules from loading
Aqua Security: tracee https://github.com/aquasecurity/tracee
bpf-hookdetect https://github.com/pathtofile/bpf-hookdetect

Links
https://www.kernel.org/doc/html/v6.5/trace/index.html
https://docs.kernel.org/admin-guide/tainted-kernels.html
https://xcellerator.github.io/tags/rootkit/
https://blog.convisoappsec.com/linux-rootkits-hooking-syscalls/
http://www.ouah.org/LKM_HACKING.html
https://filippo.io/linux-syscall-table/
https://www.ime.usp.br/~kon/MAC211/syscalls.html
https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/

Resources
https://github.com/MatheuZSecurity/detect-lkm-rootkit-cheatsheet
https://github.com/ksen-lin/nitara2
https://github.com/MatheuZSecurity/ModTracer
https://github.com/MatheuZSecurity/Rootkit
https://github.com/MatheuZSecurity/Imperius
https://rezaduty-1685945445294.hashnode.dev/ebpf-cheatsheet
Finding hidden kernel modules (extrem way reborn): 20 years later
https://github.com/DualHorizon/blackpill
https://github.com/rphang/evilBPF
https://github.com/a13xp0p0v/kernel-hardening-checker
https://github.com/gianlucaborello/libprocesshider
https://github.com/hackerschoice/bpfhacks
https://github.com/carloslack/KoviD
https://github.com/m0nad/Diamorphine
Rootkit Researchers Discord https://discord.gg/66N5ZQppU7