Hi all,
I'd like to announce the availability of a new kernel rootkit detection toolkit for Linux called Rootkit Profiler LX (RKProfiler LX).
RKProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (RKPmod) and a data interpretation component called "Rootkit Profiler Console" (RKPconsole).
RKPmod is a kernel module that gets loaded on the system that should be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.
RKPconsole is a userland program that can be used to analyse the collected information.
RKProfiler LX checks the whole kernel code as well as different kernel data sections and CPU registers regarding possible modifications and hidden components:
- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules
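The last two items on that list rest on a cross-view idea: a rootkit that filters one kernel interface (the readdir path of /proc, the module list behind /proc/modules) usually leaves another view of the same state intact, and the difference between the two views is the detection. Below is an added userland example of that technique, written for this announcement and not part of RKProfiler LX or its RKPmod/RKPconsole code. It compares the /proc directory listing against a kill(pid, 0) probe for processes, and /proc/modules against /sys/module for kernel modules. The sample listings, task tables and module names in the block are constructed; the only real interfaces it relies on are /proc, /sys/module and the kill(2) existence probe.

```python
"""Cross-view checks for hidden processes and hidden kernel modules.

Added example (not RKProfiler LX code). Two views of the same kernel state
are compared; anything the probe view sees that the listing view omits is
reported. All SAMPLE_* values below are constructed, not captured.
"""
import os


def parse_proc_listing(entries):
    """PIDs from a readdir-style listing of /proc (numeric names only)."""
    return {int(name) for name in entries if name.isdigit()}


def parse_proc_modules(text):
    """Module names from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_items(listed, probed):
    """Entries the probe view answers for that the listing view does not show."""
    return sorted(set(probed) - set(listed))


def hidden_pids(listing, tasks_by_pid, probed):
    """Hidden PIDs = probed IDs minus visible processes and their thread IDs.

    kill(tid, 0) succeeds for thread IDs too, and /proc does not list
    non-leader threads in readdir, so /proc/<pid>/task must be folded into
    the visible set or every multi-threaded process becomes a false hit.
    """
    visible = set()
    for pid in parse_proc_listing(listing):
        visible.add(pid)
        visible |= tasks_by_pid.get(pid, {pid})
    return hidden_items(visible, probed)


def hidden_modules(proc_modules_text, sys_module_names, with_initstate):
    """Hidden modules = loadable modules in /sys/module not in /proc/modules.

    /sys/module also holds built-in code that merely has parameters, so only
    names carrying an 'initstate' attribute (loadable modules) are compared.
    """
    listed = parse_proc_modules(proc_modules_text)
    loadable = {m for m in sys_module_names if m in with_initstate}
    return hidden_items(listed, loadable)


# --- constructed sample data: a hidden PID 666 and a hidden module "evil" ---
SAMPLE_PROC_LISTING = ["1", "2", "42", "self", "cpuinfo", "1337"]
SAMPLE_PROC_TASKS = {1: {1}, 2: {2}, 42: {42, 43, 44}, 1337: {1337}}
SAMPLE_PROBE_PIDS = {1, 2, 42, 43, 44, 666, 1337}
SAMPLE_PROC_MODULES = (
    "ext4 700000 1 - Live 0xffffffffc0000000\n"
    "snd 90000 0 - Live 0xffffffffc0100000\n"
)
SAMPLE_SYS_MODULE = {"ext4", "snd", "evil", "printk"}   # printk: built-in
SAMPLE_SYS_INITSTATE = {"ext4", "snd", "evil"}


# --- live collectors for a real Linux host (best effort, may need root) ---
def probe_pid(pid):
    """True if the kernel answers for pid, even if /proc readdir hides it."""
    try:
        os.kill(pid, 0)        # signal 0 delivers nothing; existence check only
        return True
    except PermissionError:    # exists but owned by someone else
        return True
    except ProcessLookupError:
        return False


def live_hidden_pids():
    listing = os.listdir("/proc")
    tasks = {}
    for pid in parse_proc_listing(listing):
        try:
            tasks[pid] = {int(t) for t in os.listdir(f"/proc/{pid}/task")}
        except OSError:        # process exited between the two reads
            tasks[pid] = {pid}
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    probed = {pid for pid in range(1, pid_max + 1) if probe_pid(pid)}
    hits = hidden_pids(listing, tasks, probed)
    # Re-check: a process that started after the listing was taken is not hidden.
    return [p for p in hits if str(p) not in os.listdir("/proc")]


def live_hidden_modules():
    with open("/proc/modules") as f:
        proc_text = f.read()
    names = set(os.listdir("/sys/module"))
    with_state = {m for m in names if os.path.exists(f"/sys/module/{m}/initstate")}
    return hidden_modules(proc_text, names, with_state)


if __name__ == "__main__":
    print("sample hidden pids:", hidden_pids(SAMPLE_PROC_LISTING, SAMPLE_PROC_TASKS, SAMPLE_PROBE_PIDS))
    print("sample hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, SAMPLE_SYS_INITSTATE))
    if os.path.isdir("/sys/module"):
        print("live hidden pids:", live_hidden_pids())
        print("live hidden modules:", live_hidden_modules())
```

The userland version is deliberately weaker than an in-kernel collector such as RKPmod: a rootkit that hooks both the readdir and the lookup paths, or that scrubs /sys/module as well, defeats it, and a PID that starts or exits between the two reads shows up as a transient hit (hence the re-check). Its value is as a cheap first pass whose hits are then confirmed from inside the kernel.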
RKProfiler is available here:
http://www.trapkit.de/research/rkprofiler/
Cheers,
tk