A kernel-based security tool to detect hidden processes, kernel modules, and anomalies in the system's IDT/SSDT. The project includes kernel modules and user-space tools to facilitate rootkit detection and analysis.
Features:
- Kernel Module Checks:
  - Detect hidden kernel modules.
  - Monitor the syscall table for tampering.
  - Validate IDT and SSDT integrity.
- File System Scanning:
  - Identify hidden files in critical directories.
- Process Scanning:
  - Detect hidden or malicious processes that bypass the `/proc` filesystem.
- Modular Design:
  - Kernel modules (`.ko` files) for the various detection mechanisms.
  - User-space Python scripts for interaction and monitoring.
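The "Process Scanning" feature rests on a cross-view comparison: a rootkit that filters the directory listing of `/proc` still has to keep the process schedulable, so the process answers `kill(pid, 0)` even though it is missing from the listing. The project's `process_scanner` performs its check in kernel space; the following user-space script is an added example (not code from the Rootkit-Detector project) that demonstrates the same idea and handles the two pitfalls a naive comparison trips over: non-leader threads answer `kill()` but are never listed in `/proc`, and a process created between the two snapshots looks hidden until `/proc` is listed a second time. The `tgid_lookup` and `recheck` parameters are hypothetical injection points so the logic can be exercised on constructed views.

```python
"""Cross-view check for hidden processes (added example, not code from the
Rootkit-Detector project). Compares the PIDs listed in /proc with the PIDs
that answer kill(pid, 0); PIDs that answer but are not listed are candidates.
"""
import os


def pids_from_proc(proc_root="/proc"):
    """PIDs visible when listing /proc: the view a readdir-filtering rootkit controls."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_signal_probe(max_pid=None):
    """PIDs that exist according to kill(pid, 0), independent of the /proc listing.

    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means it exists but belongs to another user, which still counts as existing.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def thread_group_of(tid, proc_root="/proc"):
    """Tgid of `tid` read from /proc/<tid>/status, or None if that entry is unreadable.

    /proc/<tid> is openable by name even for threads that are never listed, so
    this separates ordinary threads from entries that are genuinely missing.
    """
    try:
        with open(f"{proc_root}/{tid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden_pids(proc_view, probe_view, tgid_lookup=thread_group_of,
                     recheck=pids_from_proc):
    """Return sorted PIDs present in `probe_view` but absent from `proc_view`.

    `tgid_lookup` and `recheck` are hypothetical injection points so the logic
    can be tested on constructed views; the defaults read the live system.
    """
    candidates = []
    for pid in sorted(probe_view - proc_view):
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid:
            continue  # a non-leader thread; its group leader is judged on its own
        candidates.append(pid)
    if not candidates:
        return []
    # Second /proc snapshot: a PID that shows up now was merely created between
    # the two views, not hidden from the listing.
    second = recheck()
    return [pid for pid in candidates if pid not in second]


if __name__ == "__main__":
    hidden = find_hidden_pids(pids_from_proc(), pids_from_signal_probe())
    for pid in hidden:
        print(f"Detected: hidden process pid={pid}")
    if not hidden:
        print("No hidden processes found")
```

Probing every PID up to `pid_max` takes a few seconds in Python on a default configuration; a rootkit that also hooks `kill()` defeats this particular view, which is why the project moves the comparison into the kernel.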
Prerequisites:
- A Linux system with kernel headers installed.
  - Fedora: `sudo dnf install kernel-devel kernel-headers`
- GCC and make tools:
  - Fedora: `sudo dnf install gcc make`
- Python 3 and pip:
  - Fedora: `sudo dnf install python3 python3-pip`
Installation:
- Clone the repository:
  ```sh
  git clone https://github.com/dkrizhanovskyi/Rootkit-Detector.git
  cd Rootkit-Detector
  ```
- Build the kernel modules:
  ```sh
  cd kernel
  make
  ```
- Install the user-space dependencies (if any):
  ```sh
  cd ../user
  pip3 install -r requirements.txt
  ```
- Load the kernel modules (requires `sudo`; the paths are relative to the repository root):
  ```sh
  sudo insmod kernel/module_checker.ko
  sudo insmod kernel/process_scanner.ko
  # Add other modules as needed
  ```
Usage:
Using a kernel module directly:
- Load the desired kernel module:
  ```sh
  sudo insmod kernel/module_checker.ko
  ```
- Check the kernel logs for output:
  ```sh
  dmesg | grep "Detected"
  ```
- Unload the kernel module after use:
  ```sh
  sudo rmmod module_checker
  ```
Run the CLI tool for the various checks:
```sh
python3 user/detector.py scan-processes   # Scan for hidden processes
python3 user/detector.py check-modules    # Check loaded kernel modules
python3 user/detector.py scan-files       # Scan for hidden files
python3 user/detector.py check-idt-ssdt   # Validate IDT and SSDT integrity
```
Architecture:
The project is divided into two main components:
- Kernel Modules:
  - Responsible for performing low-level checks in kernel space.
  - Modules include:
    - `syscall_checker`: Monitors syscalls for tampering.
    - `process_scanner`: Scans for hidden processes.
    - `module_checker`: Detects anomalies in kernel modules.
    - `idt_ssdt_checker`: Checks the IDT and SSDT for anomalies.
    - `file_scanner`: Scans directories for hidden files.
- User-Space Tools:
  - Python scripts to load/unload the kernel modules and interpret their output.
  - Interact with the kernel log (`dmesg`) to extract the relevant results.
Contributing:
We welcome contributions to improve the project! Here’s how you can help:
- Fork the repository.
- Create a feature branch: `git checkout -b feature-name`
- Commit your changes: `git commit -m "Description of your feature"`
- Push to your fork: `git push origin feature-name`
- Open a pull request on the main repository.
License:
This project is licensed under the GPL v3. See the LICENSE file for details.
Acknowledgements:
Special thanks to:
- Linux Kernel Documentation.
- The open-source community for contributing to kernel module development.