daisy

Reputation: 23581

Ripping out the hidden kernel module by reading kernel memory directly?

Is it possible to find hidden kernel modules by reading kernel memory directly?

By hiding I mean an LKM that removes itself from the kernel module list.

If so, what structure should I expect, or what document should I read?

Upvotes: 4

Views: 2768

Answers (1)

ytliu

Reputation: 589

Following @Eugene, I found a way to read kernel memory directly to find the so-called not-so-clever hidden module: just compare the modules from both the procfs perspective and the sysfs perspective:

    #include <linux/module.h>
    #include <linux/string.h>

    #define MAX_MODULE_SIZE 1024

    static int __init detect_hidden_mod_init(void)
    {
        // static: two 1024-pointer arrays would not fit on the kernel stack
        static const char *procfs_modules[MAX_MODULE_SIZE];
        static const char *sysfs_modules[MAX_MODULE_SIZE];
        int proc_module_index = 0, sys_module_index = 0, i, j;

        struct module *mod;
        struct list_head *p;
        struct kobject *kobj;
        struct kset *kset = __this_module.mkobj.kobj.kset;

        // get modules from procfs perspective: walk the `modules` list from our
        // own entry (so this module itself is not visited); unlocked, as posted
        list_for_each(p, &__this_module.list) {
            if (proc_module_index == MAX_MODULE_SIZE) break;
            mod = list_entry(p, struct module, list);
            procfs_modules[proc_module_index++] = mod->name;
        }

        // get modules from sysfs perspective: walk the module kset (/sys/module).
        // kobject_name() replaces the old k_name field. The kset also holds the
        // kobjects of built-in modules that export parameters, so a sysfs-only
        // name is a candidate, not proof.
        list_for_each(p, &kset->list) {
            if (sys_module_index == MAX_MODULE_SIZE) break;
            kobj = container_of(p, struct kobject, entry);
            if (kobj == &__this_module.mkobj.kobj)
                continue;   // we were skipped in the list walk above as well
            sysfs_modules[sys_module_index++] = kobject_name(kobj);
        }

        // compare the procfs_modules and sysfs_modules: report every sysfs name
        // that has no counterpart in the module list
        for (i = 0; i < sys_module_index; i++) {
            for (j = 0; j < proc_module_index; j++)
                if (strcmp(sysfs_modules[i], procfs_modules[j]) == 0)
                    break;
            if (j == proc_module_index)
                pr_info("hidden module candidate: %s\n", sysfs_modules[i]);
        }
        return 0;
    }

    static void __exit detect_hidden_mod_exit(void) { }

    module_init(detect_hidden_mod_init);
    module_exit(detect_hidden_mod_exit);
    MODULE_LICENSE("GPL");

Actually, it can detect most current module-hiding rootkits; however, as Eugene said, "A clever rootkit could try to hide that data as well". So it is not a perfect way.

Upvotes: 1
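As an added example (not part of the original answer or the asker's code), the same cross-view comparison done from user space, which is how a practitioner would usually run it before loading a detection module: the names in /proc/modules (produced from the `modules` list) are compared with the directories under /sys/module (produced from the module kset). The caveat hidden in the answer's code is handled here: /sys/module also contains built-in modules that export parameters, and only loadable modules get an `initstate` attribute, so that file is used as the filter. The `SAMPLE_*` data, `check_sample()` and the file name `lkmcheck.c` are constructed for this example.

```c
/* Added example, not the answer's code: user-space cross-view check comparing
 * /proc/modules (the `modules` list) with /sys/module (the module kset). Only
 * loadable modules get an `initstate` attribute, so that file skips built-ins. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_MODS 4096
#define NAME_LEN 64   /* above the kernel's MODULE_NAME_LEN, so names never truncate */

struct modlist { char name[MAX_MODS][NAME_LEN]; int n; };

/* Parse /proc/modules text: one module per line, the name is the first field. */
static int parse_proc_modules(const char *text, struct modlist *out)
{
    const char *line = text;
    out->n = 0;
    while (*line && out->n < MAX_MODS) {
        size_t linelen = strcspn(line, "\n");
        size_t namelen = strcspn(line, " \t\n");
        if (namelen > 0 && namelen < NAME_LEN) {
            memcpy(out->name[out->n], line, namelen);
            out->name[out->n++][namelen] = '\0';
        }
        line += linelen + (line[linelen] == '\n');
    }
    return out->n;
}

/* Names sysfs reports but /proc/modules does not: a module that unlinked itself
 * from the module list while its kobject stayed behind shows up here. */
static int find_hidden(const struct modlist *procfs, const struct modlist *sysfs,
                       struct modlist *hidden)
{
    hidden->n = 0;
    for (int i = 0; i < sysfs->n && hidden->n < MAX_MODS; i++) {
        int j = 0;
        while (j < procfs->n && strcmp(procfs->name[j], sysfs->name[i]) != 0)
            j++;
        if (j == procfs->n)
            strcpy(hidden->name[hidden->n++], sysfs->name[i]);
    }
    return hidden->n;
}

/* Enumerate /sys/module, keeping only entries that carry an initstate file. */
static int read_sysfs_modules(struct modlist *out)
{
    DIR *d = opendir("/sys/module");
    struct dirent *de; struct stat st; char path[512];
    if (!d) return -1;
    out->n = 0;
    while ((de = readdir(d)) != NULL && out->n < MAX_MODS) {
        if (de->d_name[0] == '.')
            continue;
        snprintf(path, sizeof path, "/sys/module/%s/initstate", de->d_name);
        if (stat(path, &st) != 0)
            continue;   /* no initstate: built-in module, not a loadable one */
        snprintf(out->name[out->n++], NAME_LEN, "%s", de->d_name);
    }
    closedir(d);
    return out->n;
}

static int read_proc_modules(struct modlist *out)
{
    static char buf[1 << 18];   /* /proc/modules is far below 256 KiB */
    FILE *f = fopen("/proc/modules", "r");
    if (!f) return -1;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    return parse_proc_modules(buf, out);
}

/* Constructed sample, not captured from a real host: two listed modules plus
 * one name ("evil_lkm") that only the sysfs view reports. */
static const char SAMPLE_PROC_MODULES[] =
    "ext4 745472 2 - Live 0x0\n"
    "mbcache 16384 1 ext4, Live 0x0\n";
static const char *SAMPLE_SYSFS[] = { "ext4", "mbcache", "evil_lkm" };
static struct modlist sample_hidden;

/* Run the comparison on the constructed sample; returns how many names were flagged. */
static int check_sample(void)
{
    static struct modlist procfs, sysfs;
    parse_proc_modules(SAMPLE_PROC_MODULES, &procfs);
    for (sysfs.n = 0; sysfs.n < 3; sysfs.n++)
        strcpy(sysfs.name[sysfs.n], SAMPLE_SYSFS[sysfs.n]);
    return find_hidden(&procfs, &sysfs, &sample_hidden);
}

int main(void)
{
    static struct modlist procfs, sysfs, hidden;
    if (read_proc_modules(&procfs) < 0 || read_sysfs_modules(&sysfs) < 0) {
        fprintf(stderr, "need readable /proc/modules and /sys/module\n");
        return 1;
    }
    int n = find_hidden(&procfs, &sysfs, &hidden);
    for (int i = 0; i < n; i++)
        printf("in /sys/module but not in /proc/modules: %s\n", hidden.name[i]);
    return n ? 2 : 0;
}
```

Build with `cc -O2 -Wall -o lkmcheck lkmcheck.c` and run it on the host; exit status 2 means at least one name was flagged. The same limitation the answer states applies here: a rootkit that also removes its kobject from the module kset (or the sysfs directory) is invisible to this check, and a module that was never in sysfs cannot be found this way.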
