Questions tagged [rootkit]

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool).

56 questions
15 votes, 2 answers

Linux Kernel Rootkit samples

I'm working on some new techniques for Linux Kernel Rootkit Detection as my thesis. I need some samples of rootkits to test my method and also do some machine learning tests. But not the old, dusty ones in packetstorm that could be found in computer…

Shayan
11 votes, 2 answers

Linux kernel module: re-hijacking the iterate function of the virtual filesystem

A popular way of hiding processes from the user is to hijack the iterate function for the /proc directory. This can be done as follows: struct file *filep = filp_open("/proc", O_RDONLY, 0); filep->f_op->iterate = p // We swap the pointer with…

AlexSee
9 votes, 2 answers

What is the Dragon Book for Rootkits on Linux?

I recently came across this book called The Rootkit Arsenal by Bill Blunden that gives a detailed (I mean it!) description of the basics underlying rootkits and also goes on about how to design them for Windows (so it requires some basic…

Legend
6 votes, 0 answers

Understanding rkhunter warnings

I got paranoid and ran both chkrootkit and rkhunter to scan for rootkits. Doesn't look like chkrootkit found anything, but rkhunter returned some warnings. I think many might be false positives, but I'm mostly worried about the 'possible rootkit…

ljhan
5 votes, 2 answers

Windows 7: Taking advantage of auto-elevation to elevate my own process?

From a July 2009 Technet article entitled Inside Windows 7 User Account Control, Mark Russinovich describes that it's possible for an application running as standard user to silently elevate and gain administrative rights: ...it's possible for…

Ian Boyd
3 votes, 1 answer

Kernel module crash when reading system call table function address

I am studying rootkits and trying to hook the system call table. As I can already dynamically retrieve the table's address from /boot/System.map-$(uname -r), I traced and isolated the problematic part of the code into an independent, simpler module,…

Caio Joca
3 votes, 1 answer

Kernel Panic -- Failed copy_from_user, kmalloc?

I am writing a rootkit for my OS class (the teacher is okay with me asking for help here). My rootkit hooks the sys_read system call to hide "magic" ports from the user. When I copy the user buffer *buf (one of the arguments of sys_read) to kernel…

Josh Imhoff
2 votes, 1 answer

Do UEFI DXE Drivers operate in real-mode? What about "ring -2" or "ring -3" code?

I asked a question referencing a mode sometimes referred to as ring -2 (System Management Mode) which can be exploited to create rootkits. There's also even a rootkit candidate referred to as ring -3 (Intel Management Engine). Alternatively, there's…

J.Todd
2 votes, 0 answers

Could I find all kernel modules that are running even if they are hidden?

I am starting to develop kernel modules and I wonder about all methods to know which modules are running in order to remove them (including modules that are hidden). E.g. the following module has two lines in order to hide it. (It is a typical…

sinkmanu
2 votes, 1 answer

How to Detect a Hidden Process in Linux

I have read somewhere that rootkits hide a process by dropping off its links in the task list. First, my question is: when it is dropped off the task list, how can it be scheduled in kernel 3.*? In fact I want to detect hidden processes by comparing running…

Peggy
2 votes, 1 answer

Getting the address of a function in C?

I'm getting a segfault when running this code as root in userspace. I don't understand why. I believe I have a rootkit and I want to check if the addresses are the same as the ones as in /boot/System.map-3.2.0-4-amd64 unsigned long hex; unsigned…

elaine
2 votes, 1 answer

Need direction with a Win32 API Interception Project

Okay, first a little context. I have started working on a project in my uni, one of the goals of which is to develop a module that will log when a process tries to: -create, delete or modify a file (filesystem activity basically) -create, delete or…

user1831704
2 votes, 1 answer

loopback on tcp port from localhost to localhost

I've seen, running netstat, that there are two strange TCP connections open: tcp4 0 0 localhost.49153 localhost.1023 ESTABLISHED tcp4 0 0 localhost.1023 localhost.49153 ESTABLISHED I wonder if it is normal. Can someone…

Jayyrus
2 votes, 3 answers

Detect And Remove Rootkit

What is the best (hopefully free or cheap) way to detect and then, if necessary, remove a rootkit found on your machine?

Taptronic
1 vote, 0 answers

Hooking keyboard interrupt on windows IDT

I've read that in some XP systems the keyboard interrupt is located at 0x31 in the IDT, but the only way to know for sure is parsing hal.dll to see what vector is tied to IRQ 1. I've been searching on the internet for more information about this and I've…

Luis Rossell