Rootkit detection program targeted at detecting the Reptile rootkit by f0rb1dd3n (https://github.com/f0rb1dd3n/Reptile) and the Diamorphine rootkit from the wazuh repository (https://github.com/wazuh/Diamorphine). This tool was developed for educational purposes.
- Hidden module detection (module_detection.c)
- Hidden process detection (process_detection.c)
- System call hook detection (syscall_detection.c)
- Interrupt hook detection (interrupt_detection.c)
module_detection.c, syscall_detection.c and interrupt_detection.c are Loadable Kernel Modules that write their results to the kernel log. The results can be read with the dmesg command.
process_detection.c is a C program that is compiled with GCC and prints hidden PIDs to the console.
The detection methods were adapted from Tyton https://github.com/nbulischeck/tyton.
sudo apt update
sudo apt install kmod linux-headers-$(uname -r)
sudo apt install git
sudo apt install build-essential
git clone https://github.com/Fieash/InternshipProject.git
Then build inside the cloned InternshipProject directory:
make
Hidden module detection
sudo insmod module_detection.ko
sudo rmmod module_detection.ko
dmesg
Alternatively, follow the log as it is written: tail -f /var/log/syslog
Hidden process detection
Before compiling, edit line 46 so that the first argument of brute() matches your system's maximum PID, which is found in the /proc/sys/kernel/pid_max file.
40 int main(int argc, char *argv[])
41 {
42 printf("==== rootkit detection start (hidden_process_detection.c)\n");
43 // first parameter should be your system's max PID,
44 // found at /proc/sys/kernel/pid_max
45 // 0 for a second check (leave it as 0)
46 brute(131072, 0);
47 return 0;
48 }
Then compile it as a regular C program and run it with sudo.
gcc process_detection.c
sudo ./a.out
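The same brute-force idea that process_detection.c uses (adapted from Tyton), written here as an added, stand-alone example that is not the project's code: it reads pid_max from /proc instead of hard-coding it, probes every PID with kill(pid, 0), and flags PIDs that the kernel acknowledges but that readdir(/proc) omits. Two false-positive sources are handled that a bare comparison misses: thread IDs (valid for kill() but never listed in /proc) and processes that start between the two probes. The function names, the file name hidden_pid_scan.c and the fallback limit are assumptions of this example, not names from the project.

```c
/* hidden_pid_scan.c: user-space hidden-process check (added example,
 * not the project's code).  Build and run:
 *   gcc -O2 -Wall hidden_pid_scan.c -o hidden_pid_scan && sudo ./hidden_pid_scan */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Read the kernel's PID limit instead of hard-coding it (fallback is an assumption). */
long read_pid_max(void)
{
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1) v = 32768;
        fclose(f);
    }
    return v;
}

/* Does the kernel's PID table know this pid?  kill(pid, 0) delivers no signal:
 * 0 or EPERM means the pid exists, ESRCH means it does not.  A getdents hook
 * cannot influence this path. */
int kernel_knows_pid(pid_t pid)
{
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

/* Is the pid listed by readdir(/proc) right now?  This is the path that a
 * getdents/getdents64 hook filters.  Returns -1 if /proc cannot be opened. */
int listed_in_proc(pid_t pid)
{
    char want[32];
    snprintf(want, sizeof want, "%d", (int)pid);
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    int found = 0;
    while (!found && (e = readdir(d)) != NULL)
        found = strcmp(e->d_name, want) == 0;
    closedir(d);
    return found;
}

/* Thread IDs answer kill() but only thread-group leaders appear in /proc.
 * /proc/<tid>/status is a direct path lookup (not filtered by getdents), so
 * its Tgid line tells the two apart.  Returns 1 if pid is a thread of another process. */
int is_thread_of_other_process(pid_t pid)
{
    char path[64], line[256];
    long tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;               /* cannot tell: keep the pid as a candidate */
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid > 0 && tgid != (long)pid;
}

/* Verdict for one pid: 1 = hidden, 0 = consistent, -1 = /proc unavailable. */
int pid_is_hidden(pid_t pid)
{
    if (!kernel_knows_pid(pid)) return 0;
    int listed = listed_in_proc(pid);
    if (listed != 0) return listed < 0 ? -1 : 0;
    /* kernel says yes, /proc says no: rule out threads and the race with a
     * process that was spawned or exited between the two probes */
    if (is_thread_of_other_process(pid)) return 0;
    if (!kernel_knows_pid(pid)) return 0;
    return listed_in_proc(pid) == 0;
}

/* Scan [lo, hi], store up to max_out hidden pids in out, return how many were stored. */
int scan_hidden(long lo, long hi, pid_t *out, int max_out)
{
    int n = 0;
    if (lo < 1) lo = 1;             /* kill(0, 0) would target the process group */
    for (long p = lo; p <= hi; p++)
        if (pid_is_hidden((pid_t)p) == 1 && n < max_out) out[n++] = (pid_t)p;
    return n;
}

int main(void)
{
    long max = read_pid_max();
    pid_t hidden[256];
    int n = scan_hidden(1, max, hidden, 256);
    printf("scanned pids 1..%ld, %d hidden\n", max, n);
    for (int i = 0; i < n; i++) printf("hidden pid: %d\n", (int)hidden[i]);
    return n ? 1 : 0;
}
```

Run it with sudo, as with process_detection.c, so that kill() and /proc/<pid>/status answer for every process. The check only exposes rootkits that lie to directory listings while leaving the PID lookup path honest; a hook that also hides the task from kill() (or from the kernel-side task lookup behind it) is not caught this way, which is why the page's kernel-module checks exist alongside it.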
System call hook detection
sudo insmod syscall_detection.ko
sudo rmmod syscall_detection.ko
dmesg
Interrupt hook detection
sudo insmod interrupt_detection.ko
sudo rmmod interrupt_detection.ko
dmesg
Reptile: the tool detects the Reptile module as well as processes hidden by Reptile.
Diamorphine: the tool detects the Diamorphine module, processes hidden by Diamorphine, and the system calls hooked by Diamorphine (kill, getdents and getdents64).