Kernel-based rootkit detection tool with modules for detecting hidden processes, files, and kernel anomalies.
dkrizhanovskyi/Rootkit-Detector
Rootkit-Detector

A kernel-based security tool to detect hidden processes, kernel modules, and anomalies in the system's IDT/SSDT. The project includes kernel modules and user-space tools to facilitate rootkit detection and analysis.


Features

  • Kernel Module Checks:

    • Detect hidden kernel modules.
    • Monitor syscall table for tampering.
    • Validate IDT and SSDT integrity.
  • File System Scanning:

    • Identify hidden files in critical directories.
  • Process Scanning:

    • Detect hidden or malicious processes bypassing the /proc filesystem.
  • Modular Design:

    • Kernel modules (.ko files) for various detection mechanisms.
    • User-space Python scripts for seamless interaction and monitoring.

Installation

Prerequisites

  1. A Linux system with kernel headers installed.
    • Fedora:
      sudo dnf install kernel-devel kernel-headers
  2. GCC and make tools:
    • Fedora:
      sudo dnf install gcc make
  3. Python 3 and pip:
    • Fedora:
      sudo dnf install python3 python3-pip

Steps

  1. Clone the repository:

    git clone https://github.com/dkrizhanovskyi/Rootkit-Detector.git
    cd Rootkit-Detector
  2. Build the kernel modules:

    cd kernel
    make
  3. Install the user-space dependencies (if any):

    cd ../user
    pip3 install -r requirements.txt
  4. Load the kernel modules (requires sudo):

    sudo insmod kernel/module_checker.ko
    sudo insmod kernel/process_scanner.ko
    # Add other modules as needed

Usage

Kernel Modules

  1. Load the desired kernel module:

    sudo insmod kernel/module_checker.ko
  2. Check the kernel logs for output:

    dmesg | grep "Detected"
  3. Unload the kernel module after use:

    sudo rmmod module_checker

User-Space Tools

Run the CLI tool for various checks:

python3 user/detector.py scan-processes   # Scan for hidden processes
python3 user/detector.py check-modules    # Check loaded kernel modules
python3 user/detector.py scan-files       # Scan for hidden files
python3 user/detector.py check-idt-ssdt   # Validate IDT and SSDT integrity

Architecture

The project is divided into two main components:

  1. Kernel Modules:

    • Responsible for performing low-level checks in kernel space.
    • Modules include:
      • syscall_checker: Monitors syscalls for tampering.
      • process_scanner: Scans for hidden processes.
      • module_checker: Detects anomalies in kernel modules.
      • idt_ssdt_checker: Checks IDT and SSDT for anomalies.
      • file_scanner: Scans directories for hidden files.
  2. User-Space Tools:

    • Python scripts to load/unload kernel modules and interpret their output.
    • Interact with kernel logs (dmesg) to extract relevant results.
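The hidden-process check that the process_scanner module performs in kernel space (Features and Architecture above) has a cheaper user-space counterpart that the Python CLI could run as a first pass: list the PIDs /proc exposes, then ask the kernel about every PID up to pid_max with a null signal and report any that answer but are not listed. The following is an added example, not code from the Rootkit-Detector repository; all function names are assumed, and the constructed /proc layout exists only for the self-test.

```python
import os
import tempfile
from typing import Callable, Set


def known_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs listed in /proc plus every TID under /proc/<pid>/task. TIDs must be
    included because kill() accepts a thread id, so otherwise every non-leader
    thread would be reported as a hidden process."""
    known: Set[int] = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # skip self, cpuinfo, ...
        known.add(int(name))
        try:
            task_dir = os.path.join(proc_root, name, "task")
            known.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:
            pass  # process exited between the two listdir calls
    return known

def pid_exists(pid: int) -> bool:
    """Ask the kernel directly with a null signal; EPERM still means it exists."""
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True
    except ProcessLookupError:
        return False
    return True

def find_hidden_pids(known: Set[int], exists: Callable[[int], bool],
                     max_pid: int) -> Set[int]:
    """PIDs the kernel acknowledges but no visible /proc entry accounts for.
    Processes spawned during the scan show up too; re-run to confirm a hit."""
    return {pid for pid in range(1, max_pid + 1) if pid not in known and exists(pid)}

def build_constructed_proc() -> str:
    """Constructed stand-in for /proc (self-test only): PID 1 with a second
    thread 57, PID 23, and two non-PID entries."""
    root = tempfile.mkdtemp()
    for path in ("1/task/1", "1/task/57", "23", "self", "cpuinfo"):
        os.makedirs(os.path.join(root, path), exist_ok=True)
    return root

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    print("hidden PID candidates:", sorted(find_hidden_pids(known_pids(), pid_exists, pid_max)))
```

A rootkit that also hooks kill() defeats this probe, which is why a positive here is only a lead for the kernel module's own task-list walk, not a verdict.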

Contributing

We welcome contributions to improve the project! Here’s how you can help:

  1. Fork the repository.
  2. Create a feature branch:
    git checkout -b feature-name
  3. Commit your changes:
    git commit -m "Description of your feature"
  4. Push to your fork:
    git push origin feature-name
  5. Open a pull request on the main repository.

License

This project is licensed under the GPL v3. See the LICENSE file for details.


Acknowledgements

Special thanks to:

  • Linux Kernel Documentation.
  • The open-source community for contributing to kernel module development.
