Skip to content

arec1b0/Rootkit-Detector

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 

Rootkit-Detector

A kernel-based security tool to detect hidden processes, kernel modules, and anomalies in the system's IDT/SSDT. The project includes kernel modules and user-space tools to facilitate rootkit detection and analysis.


Features

  • Kernel Module Checks:

    • Detect hidden kernel modules.
    • Monitor syscall table for tampering.
    • Validate IDT and SSDT integrity.
  • File System Scanning:

    • Identify hidden files in critical directories.
  • Process Scanning:

    • Detect hidden or malicious processes bypassing the /proc filesystem.
  • Modular Design:

    • Kernel modules (.ko files) for various detection mechanisms.
    • User-space Python scripts for seamless interaction and monitoring.

Installation

Prerequisites

  1. A Linux system with kernel headers installed.
    • Fedora:
      sudo dnf install kernel-devel kernel-headers
  2. GCC and make tools:
    • Fedora:
      sudo dnf install gcc make
  3. Python 3 and pip:
    • Fedora:
      sudo dnf install python3 python3-pip

Steps

  1. Clone the repository:

    git clone https://github.com/dkrizhanovskyi/Rootkit-Detector.git
    cd Rootkit-Detector
  2. Build the kernel modules:

    cd kernel
    make
  3. Install the user-space dependencies (if any):

    cd ../user
    pip3 install -r requirements.txt
  4. Load the kernel modules (requires sudo):

    sudo insmod kernel/module_checker.ko
    sudo insmod kernel/process_scanner.ko
    # Add other modules as needed

Usage

Kernel Modules

  1. Load the desired kernel module:

    sudo insmod kernel/module_checker.ko
  2. Check the kernel logs for output:

    dmesg | grep "Detected"
  3. Unload the kernel module after use:

    sudo rmmod module_checker

User-Space Tools

Run the CLI tool for various checks:

python3 user/detector.py scan-processes    # Scan for hidden processes
python3 user/detector.py check-modules    # Check loaded kernel modules
python3 user/detector.py scan-files       # Scan for hidden files
python3 user/detector.py check-idt-ssdt   # Validate IDT and SSDT integrity

Architecture

The project is divided into two main components:

  1. Kernel Modules:

    • Responsible for performing low-level checks in kernel space.
    • Modules include:
      • syscall_checker: Monitors syscalls for tampering.
      • process_scanner: Scans for hidden processes.
      • module_checker: Detects anomalies in kernel modules.
      • idt_ssdt_checker: Checks IDT and SSDT for anomalies.
      • file_scanner: Scans directories for hidden files.
  2. User-Space Tools:

    • Python scripts to load/unload kernel modules and interpret their output.
    • Interact with kernel logs (dmesg) to extract relevant results.

Contributing

We welcome contributions to improve the project! Here’s how you can help:

  1. Fork the repository.
  2. Create a feature branch:
    git checkout -b feature-name
  3. Commit your changes:
    git commit -m "Description of your feature"
  4. Push to your fork:
    git push origin feature-name
  5. Open a pull request on the main repository.

License

This project is licensed under the GPL v3. See the LICENSE file for details.


Acknowledgements

Special thanks to:

  • Linux Kernel Documentation.
  • The open-source community for contributing to kernel module development.

About

Kernel-based rootkit detection tool with modules for detecting hidden processes, files, and kernel anomalies.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

11 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors