Security Adviser | Roger A. Grimes » New Linux Rootkit detector-Rootkit Profiler

February 20, 2007 | Comments: (0)

New Linux Rootkit detector-Rootkit Profiler

TAGS: None

New Linux rootkit detector.

Read and download it here.

RKProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (RKPmod) and a data interpretation component called "Rootkit Profiler Console" (RKPconsole).

RKPmod is a kernel module that gets loaded on the system that should be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.

RKPconsole is a userland program that can be used to analyse the collected information.

RKProfiler LX checks the whole kernel code as well as different kernel data sections and cpu registers regarding possible modifications and hidden components:

- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules

Posted by Roger Grimes on February 20, 2007 10:58 AM

RATE THIS ARTICLE: