<<< Date Index >>>     <<< Thread Index >>>

Rootkit Profiler LX



Hi all,

I'd like to announce the availability of a new kernel rootkit detection toolkit 
for Linux called Rootkit Profiler LX (RKProfiler LX). 

RKProfiler LX is divided into two parts: a data collection component called 
"Rootkit Profiler Module" (RKPmod) and a data interpretation component called 
"Rootkit Profiler Console" (RKPconsole).

RKPmod is a kernel module that gets loaded on the system that should be checked 
for the presence of a kernel rootkit. There are other ways to perform data 
collection, but currently only this approach is publicly available.

RKPconsole is a userland program that can be used to analyse the collected 
information.

RKProfiler LX checks the whole kernel code as well as different kernel data 
sections and cpu registers regarding possible modifications and hidden 
components:

- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules 

RKProfiler is available here:

http://www.trapkit.de/research/rkprofiler/

Cheers,
tk