Analyzing Linux Kernel Rootkits
Overview
Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit.
When to Use
- When investigating security incidents that require analyzing Linux kernel rootkits
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Volatility3 installed (pip install volatility3)
- Linux memory dump (acquired via LiME, AVML, or /proc/kcore)
- Volatility3 Linux symbol table (ISF) matching the target kernel version
- rkhunter and chkrootkit for live system scanning
- Reference known-good kernel image for comparison
Steps
Step 1: Acquire Memory Dump
Capture Linux physical memory using LiME kernel module or AVML for cloud instances.
Step 2: Analyze with Volatility3
Run linux.check_syscall, linux.lsmod, linux.hidden_modules, and linux.check_idt plugins to detect rootkit artifacts.
Step 3: Cross-View Analysis
Compare module lists from /proc/modules, lsmod, and /sys/module to identify modules hidden from one view but present in another.
Step 4: Live System Scanning
Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files, and modified system binaries.
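The detection logic behind Steps 2 and 3, as an added example: this is my code, not the page's rootkit_analyzer.py and not a Volatility3 plugin. It assumes an x86_64 kernel with the standard virtual memory layout, and the region boundaries, the constructed /proc/modules excerpt, the module names and PIDs that are not reused from the report below, and every helper name are assumptions. It flags syscall-table entries whose handler lies in module mapping space rather than core kernel text, diffs /sys/module against /proc/modules, and probes /proc/<pid> directly to find processes dropped from the directory listing, handling the two usual false positives (built-in modules that also get a /sys/module entry, and non-leader threads that answer a direct /proc/<tid> lookup but never appear in readdir).

```python
#!/usr/bin/env python3
"""Cross-view rootkit checks (added example; not the page's rootkit_analyzer.py).

  1. syscall handlers whose address sits in x86_64 module mapping space
     instead of core kernel text;
  2. loadable modules present under /sys/module but missing from /proc/modules;
  3. PIDs that answer a direct /proc/<pid> probe but are absent from readdir(/proc).
Inputs are injectable so the checks run on constructed data as well as live.
"""
import json
import os
from typing import Callable, Iterable

# x86_64 layout (Documentation/x86/x86_64/mm.rst). With CONFIG_RANDOMIZE_BASE the
# kernel image window is 1 GB, so MODULES_VADDR is 0xffffffffc0000000; a kernel
# built without KASLR uses 0xffffffffa0000000. Pass the value for your kernel.
KERNEL_TEXT_START = 0xFFFFFFFF80000000
MODULES_VADDR = 0xFFFFFFFFC0000000
MODULES_END = 0xFFFFFFFFFEFFFFFF


def classify_handler(addr: int, modules_vaddr: int = MODULES_VADDR) -> str:
    """Name the region a syscall handler address falls in."""
    if KERNEL_TEXT_START <= addr < modules_vaddr:
        return "kernel-text"
    if modules_vaddr <= addr <= MODULES_END:
        return "module-space"
    return "unknown"


def hooked_syscalls(entries: Iterable[tuple[int, str, int]]) -> list[dict]:
    """entries: (index, name, handler address), as a syscall-table walk such as
    volatility3's linux.check_syscall yields them. A handler outside core kernel
    text is reported; this is a coarse check and misses inline patches of the
    handler body, which only a symbol comparison against the ISF catches."""
    findings = []
    for nr, name, addr in entries:
        region = classify_handler(addr)
        if region != "kernel-text":
            findings.append({"nr": nr, "syscall": name, "handler": hex(addr), "region": region})
    return findings


def parse_proc_modules(text: str) -> set[str]:
    """/proc/modules lines read 'name size refcount deps state address'."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_modules_text: str, sys_module_names: Iterable[str]) -> set[str]:
    """Loadable modules visible under /sys/module but absent from /proc/modules."""
    return set(sys_module_names) - parse_proc_modules(proc_modules_text)


def live_sys_modules() -> set[str]:
    """Only loaded modules have /sys/module/<name>/initstate; built-in code with
    parameters also gets a /sys/module entry and would otherwise be a false hit."""
    return {n for n in os.listdir("/sys/module")
            if os.path.exists(f"/sys/module/{n}/initstate")}


def hidden_pids(listed_pids: Iterable[int], probe: Callable[[int], bool],
                pid_max: int) -> list[int]:
    """PIDs the probe confirms but readdir(/proc) did not list. A rootkit that
    filters getdents64 output removes directory entries, yet a direct path lookup
    of /proc/<pid> still resolves. Re-run to rule out processes that started
    between the listing and the probe."""
    listed = set(listed_pids)
    return [pid for pid in range(1, pid_max + 1) if pid not in listed and probe(pid)]


def live_listed_pids() -> set[int]:
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def live_probe(pid: int) -> bool:
    """True only for a thread-group leader: non-leader threads are reachable as
    /proc/<tid> by direct lookup but are never listed in /proc, so they must
    not be reported as hidden."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def live_report() -> dict:
    """Run checks 2 and 3 against the running system (needs root for full view)."""
    with open("/proc/modules") as fh:
        proc_modules = fh.read()
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return {"hidden_modules": sorted(hidden_modules(proc_modules, live_sys_modules())),
            "hidden_pids": hidden_pids(live_listed_pids(), live_probe, pid_max)}


def demo() -> dict:
    """All three checks on constructed sample data; only the sys_read hook
    address, the module name netfilter_helper and PID 31337 reuse the report."""
    syscalls = [(0, "sys_read", 0xFFFFFFFFC0A12000),   # from the report above
                (1, "sys_write", 0xFFFFFFFF8139A1F0),  # constructed, kernel text
                (3, "sys_close", 0xFFFFFFFF8139B900)]  # constructed, kernel text
    proc_modules = ("nf_conntrack 172032 1 nf_nat, Live 0xffffffffc09c0000\n"
                    "ext4 950272 2 - Live 0xffffffffc0880000\n")  # constructed
    sys_modules = {"nf_conntrack", "ext4", "netfilter_helper"}   # constructed
    visible = {1, 892, 1000}             # constructed readdir(/proc) result
    answering = visible | {31337}        # constructed direct-probe result
    return {"hooked_syscalls": hooked_syscalls(syscalls),
            "hidden_modules": sorted(hidden_modules(proc_modules, sys_modules)),
            "hidden_pids": hidden_pids(visible, lambda p: p in answering, pid_max=40000)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the JSON for the constructed data; calling live_report() on a host gives the two cross-view results for that host. The syscall check is the offline counterpart of `vol -f /evidence/linux-mem.lime linux.check_syscall`, which compares each handler against the symbol the ISF predicts and is the authoritative source. Two caveats on the live checks: a rootkit that also hooks path lookup (the report above shows sys_open hooked) can hide from the direct /proc probe, and one that removes its kobject as well as its list entry disappears from /sys/module too, which is why the memory-image scan with linux.hidden_modules in Step 2 remains necessary.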
Expected Output
JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings.
Example Output
```text
$ sudo python3 rootkit_analyzer.py --memory /evidence/linux-mem.lime --profile Ubuntu2204
Linux Kernel Rootkit Analysis Report
=====================================
Memory Image: /evidence/linux-mem.lime
Kernel Version: 5.15.0-91-generic (Ubuntu 22.04 LTS)
Analysis Time: 2024-01-18 09:15:32 UTC

[+] Scanning syscall table for hooks...
Syscall Table Base: 0xffffffff82200300
Total syscalls checked: 449
HOOKED SYSCALLS DETECTED:
┌─────────┬──────────────────┬──────────────────────┬──────────────────────┐
│ NR      │ Syscall          │ Expected Address     │ Current Address      │
├─────────┼──────────────────┼──────────────────────┼──────────────────────┤
│ 0       │ sys_read         │ 0xffffffff8139a0e0   │ 0xffffffffc0a12000   │
│ 2       │ sys_open         │ 0xffffffff8139b340   │ 0xffffffffc0a12180   │
│ 78      │ sys_getdents64   │ 0xffffffff813f5210   │ 0xffffffffc0a12300   │
│ 62      │ sys_kill         │ 0xffffffff8110c4a0   │ 0xffffffffc0a12480   │
└─────────┴──────────────────┴──────────────────────┴──────────────────────┘
WARNING: 4 syscall hooks detected - rootkit behavior confirmed

[+] Checking for hidden kernel modules...
Loaded modules (lsmod): 147
Modules in kobject list: 149
HIDDEN MODULES:
- "netfilter_helper" at 0xffffffffc0a10000 (size: 12288)
- "kworker_sched" at 0xffffffffc0a14000 (size: 8192)

[+] Scanning /proc for discrepancies...
Processes in task_struct list: 234
Processes visible in /proc: 231
HIDDEN PROCESSES:
- PID 31337 cmd: "[kworker/0:3]" (disguised as kernel thread)
- PID 31442 cmd: "rsyslogd" (fake, real rsyslogd is PID 892)
- PID 31500 cmd: "" (unnamed process)

[+] Checking IDT entries...
IDT entries scanned: 256
Modified entries: 0 (clean)

[+] Running rkhunter scan...
Checking for known rootkits: 68 variants checked
Diamorphine rootkit: WARNING - signatures match
System binary checks:
/usr/bin/ps: MODIFIED (SHA-256 mismatch)
/usr/bin/netstat: MODIFIED (SHA-256 mismatch)
/usr/bin/ls: MODIFIED (SHA-256 mismatch)
/usr/sbin/ss: OK

[+] Network analysis...
Hidden connections (not in /proc/net/tcp):
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:4443 (PID 31337)
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:8080 (PID 31442)

Summary:
Rootkit Type: Loadable Kernel Module (LKM)
Probable Family: Diamorphine variant
Syscall Hooks: 4 (read, open, getdents64, kill)
Hidden Modules: 2
Hidden Processes: 3
Hidden Connections: 2 (C2: 198.51.100.47)
Modified Binaries: 3 (/usr/bin/ps, netstat, ls)
Risk Level: CRITICAL
```