Rootkit Profiler LX
Hi all,
I'd like to announce the availability of a new kernel rootkit detection toolkit
for Linux called Rootkit Profiler LX (RKProfiler LX).
RKProfiler LX is divided into two parts: a data collection component called
"Rootkit Profiler Module" (RKPmod) and a data interpretation component called
"Rootkit Profiler Console" (RKPconsole).
RKPmod is a kernel module that gets loaded on the system that should be checked
for the presence of a kernel rootkit. There are other ways to perform data
collection, but currently only this approach is publicly available.
RKPconsole is a userland program that can be used to analyse the collected
information.
RKProfiler LX checks the whole kernel code as well as different kernel data
sections and cpu registers regarding possible modifications and hidden
components:
- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules
RKProfiler is available here:
http://www.trapkit.de/research/rkprofiler/
Cheers,
tk