Hello! I want to thank you for a very cool and useful module to detect hidden kernel modules. I'm making a project to scan for malware and rootkits on Linux (the scope is to replace rkhunter and chkrootkit, which mostly use absolute file and directory path checks). I would like to reuse your code in my project for the LKM modules (which can't be trusted by userland applications). I have some questions:
- I haven't done kernel module programming, and the readme doesn't have an explanation, so I would like to ask in order to understand the method this module uses. Is this some kind of check of the kernel's symbols that compares them to find hidden modules?
- Let's say an attacker has added the module to the system. Is there any possible way to find the location of the file?
- I am thinking about a possible way to unload the rootkit's module and possibly allow a scanner (I'm using Yara) to scan with rules/signatures. Do you think it can be done, considering that the rootkit's module blocks applications from reading the module file to hide itself?
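The first question above asks whether hidden-module detection is a matter of comparing the kernel's views of its module list. The script below is an added example, not the module author's code or the project's method (the thread does not describe it): it performs the weaker, userland version of that idea by cross-checking three views the kernel exposes, /proc/modules, the /sys/module directories that carry an initstate file (loadable modules have one, built-ins do not), and the [module] tags in /proc/kallsyms. The sample inputs are constructed: they model a rootkit that unlinked its struct module from the kernel's module list, which removes it from /proc/modules and from the module symbols in /proc/kallsyms while leaving its sysfs kobject behind. The caveat matches the fourth question: a rootkit that hooks the procfs/sysfs read paths can make all three views agree, so an in-kernel scan is needed to go further.

```python
#!/usr/bin/env python3
"""Cross-check the kernel's userland-visible views of loaded modules.

Added example (not the project's code): a name present in one view but
absent from another is a candidate hidden LKM.  This cannot defeat a rootkit
that hooks the procfs/sysfs readers; it is a first-pass consistency check.
"""
import os
import re
from typing import Dict, Set

# /proc/modules line: "name size refcount deps state address"
_MODULES_RE = re.compile(
    r"^(\S+)\s+\d+\s+\d+\s+\S+\s+(?:Live|Loading|Unloading)\s+0x[0-9a-fA-F]+")
# /proc/kallsyms line for a module symbol: "address type name [module]"
_KALLSYMS_RE = re.compile(r"^[0-9a-fA-F]+\s+\S\s+\S+\s+\[(\S+)\]\s*$")

VIEWS = ("proc_modules", "sys_module", "kallsyms")


def parse_proc_modules(text: str) -> Set[str]:
    """Module names listed in /proc/modules content."""
    names: Set[str] = set()
    for line in text.splitlines():
        m = _MODULES_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def parse_kallsyms_modules(text: str) -> Set[str]:
    """Distinct module names tagged on symbols in /proc/kallsyms content.
    Unprivileged readers see zeroed addresses, but the [module] tags remain."""
    return {m.group(1) for line in text.splitlines()
            if (m := _KALLSYMS_RE.match(line))}


def read_sys_module(root: str = "/sys/module") -> Set[str]:
    """Loaded-module names from sysfs: only entries with an 'initstate' file,
    which built-in modules (present in /sys/module for their params) lack."""
    try:
        entries = os.listdir(root)
    except OSError:
        return set()
    return {name for name in entries
            if os.path.exists(os.path.join(root, name, "initstate"))}


def compare_views(proc_modules: Set[str], sys_module: Set[str],
                  kallsyms: Set[str]) -> Dict[str, Set[str]]:
    """For every module name seen in any view, report the views it is missing
    from.  Returns {} when all three views agree."""
    views = dict(zip(VIEWS, (proc_modules, sys_module, kallsyms)))
    findings: Dict[str, Set[str]] = {}
    for name in sorted(set().union(*views.values())):
        missing = {v for v, s in views.items() if name not in s}
        if missing:
            findings[name] = missing
    return findings


# Constructed sample data: "evil_lkm" unlinked itself from the module list, so
# it is gone from /proc/modules and /proc/kallsyms but still has a sysfs entry.
SAMPLE_PROC_MODULES = """\
ext4 917504 2 - Live 0xffffffffc0a00000
nf_tables 299008 0 - Live 0xffffffffc0900000
"""
SAMPLE_KALLSYMS = """\
ffffffffc0a01000 t ext4_sync_fs\t[ext4]
ffffffffc0a02000 T ext4_mount\t[ext4]
ffffffffc0901000 t nft_do_chain\t[nf_tables]
ffffffff81000000 T _text
"""
SAMPLE_SYS_MODULE = {"ext4", "nf_tables", "evil_lkm"}


def demo() -> Dict[str, Set[str]]:
    """Run the comparison over the constructed sample."""
    return compare_views(parse_proc_modules(SAMPLE_PROC_MODULES),
                         SAMPLE_SYS_MODULE,
                         parse_kallsyms_modules(SAMPLE_KALLSYMS))


def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    print("sample:", demo())
    # Same check over the live system (run as root for full kallsyms output).
    live = compare_views(parse_proc_modules(_read("/proc/modules")),
                         read_sys_module(),
                         parse_kallsyms_modules(_read("/proc/kallsyms")))
    for name, missing in live.items():
        print(f"{name}: missing from {', '.join(sorted(missing))}")
```

On the sample, the only finding is evil_lkm, missing from proc_modules and kallsyms; a clean system yields an empty result. Expect noise from modules that are mid-load or mid-unload while the three files are read, so re-run before treating a discrepancy as a hidden module.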