make linux-x86_64 // or linux-x86 for 32bit environments
sudo insmod kerokid.ko
Results can be accessed via dmesg (available on all kernel versions) or /proc/kerokid (requires Kernel 3.10 or newer)
The system is rescanned whenever a new kernel module is loaded.
Alternatively, you can initialize a rescan by writing to /proc/kerokid/rescan as root. (requires Kernel 3.10 or newer)
echo '1' > /proc/kerokid/rescan
This can be used for periodic automated rescans via cron jobs.
Kernel Level Rootkits use different techniques to hide themselves, e.g.:
- remove themselves from the kernel module list
- unregister their /sys/module entry
- overwrite their module structures
- extract their code to the kernel heap (the space allocated with kmalloc or vmalloc)
Nevertheless, these rootkits need space in memory. Therefore KEROKID uses memory forensics to detect rootkits in the kernel's heap or module space. In addition, rootkits must react to user or system activity and therefore use hooks or subscribe themselves to notifiers. KEROKID detects such suspicious calls originating from:
- system call hooks
- inline hooks
- notifier subscriptions
results and further information can be accessed through /proc/kerokid
- /proc/kerokid/results contains the results for each area
- /proc/kerokid/memory lists the addresses of modules, syscalls and allocated memory
- the folder /proc/kerokid/notifiers contains the results for each notifier chain
- the folder /proc/kerokid/modules contains information on each module
This is a sample output showing a hidden module that manipulated five syscall table entries. The addresses are the destinations of the manipulated syscalls.
[ 421.296881] KEROKID: Started
[ 421.302176] KEROKID: Check for syscall table hooks...
[ 421.302176] KEROKID: ALERT: Jump to hidden module: ffffffffa0002010
[ 421.302176] KEROKID: ALERT: Jump to hidden module: ffffffffa0002050
[ 421.302176] KEROKID: ALERT: Jump to hidden module: ffffffffa0002020
[ 421.302176] KEROKID: ALERT: Jump to hidden module: ffffffffa0002040
[ 421.302176] KEROKID: ALERT: Jump to hidden module: ffffffffa0002000
[ 421.302176] KEROKID: Check for inline hooks...
[ 421.304729] KEROKID: Check notifier_subscriptions...
[ 421.304729] KEROKID: -> Check keyboard notifier chain...
[ 421.308363] KEROKID: -> Check module notifier chain...
[ 421.308363] KEROKID: -> Check netdevice notifier chain...
[ 421.308363] KEROKID: -> Check netevent notifier chain...
- syscall table entries directing to module space or kernel heap: determines if module is present at destination or not
- inline hooking of syscall functions: determines if module is present at destination or not
- notifier entries to module space or kernel heap: determines if module is present at destination or not
- module structure of hidden modules in memory [in progress]
- notifiers registered with highest priority
- Debugging Hooks as described in: http://phrack.org/issues/65/8.html
- Interrupt Descriptor Table (IDT) manipulation
- Inline hook detection covers only ONE way. Significant improvement required. (see inline hook detection paragraph)
x86
- Debian-7.7.0-i386 3.2.0-4-486
- Fedora-Desktop-i686-20-1 3.11.10-301.fc20.i686
- Ubuntu 14.04 i686 3.13.0-32-generic
x86_64
- recent vanilla kernels
- Debian 7.7.0 3.2.0-4-amd64, 3.16-0.bpo.2-amd64
- Fedora Desktop 3.11.10.301-fc20.x86_64
- Gentoo Linux 3.17.7-gentoo (genkernel)
- Kali Linux 1.0.9a x86_64 3.14.5-1kali1
- Mageia-4.1 3.12.21-desktop-2.mga4
- OpenSUSE 13.2 3.16.6-2-2-desktop
- Ubuntu 14.10 3.16.0-23-generic
- Ubuntu 14.04 3.13.0-generic
- Ubuntu 12.04.5 LTS x86_64 3.2.0-33-generic, 3.2.64, 3.13.0-32-generic
Debug features can be enabled by:
make linux-x86_64 DEBUG=y
At the moment you can only dump unhidden modules. As root use the following command to get a list of loaded modules:
cat /proc/kerokid/modules_list
Pick the NUMBER of the corresponding Module and type:
echo "NUMBER" > /proc/kerokid/dump_module
The module binary can now be copied from /proc/kerokid/MODULNAME to wherever you want.
- checks all functions referenced in the System Call Table by comparing the first bytes of the function with a list of known hooks
- looks for suspicious jumps (especially jumps to modules and dynamically allocated memory)
- hooks are specified in inlineHooks.c (currently only the hooks used by Suterusu)
- the hook definitions consist of the (hexadecimal) code, it's size and the (address) offset
- works with 32- and 64-bit architecture hooks