Rootkits and Backdoors

LKM & Kernel Patching

This paper, written by dalai, explores the mysterious virtue of kernel modification, with particular regard toward LKMs and their use in the subject. Kernel hacking is no easy task, but well worth the trouble of learning it. The author assumes that the reader is an experienced Unix user, is fairly familiar with kernel principles and semantics, and is a C programmer.
This article, written by Jan K. Rutkowski, presents a technique based on counting the instructions executed in some system calls, which can be used to detect various kernel rootkits. This includes programs like SucKIT or prrf, which do not modify the syscall table. It focuses on Linux kernel 2.4 running on Intel 32-bit family processors.
The goal of this paper, written by truff, is to describe a new technique used to hide LKMs and to ensure that they are reloaded after a reboot. The article explains how to infect a kernel module used by the system. It focuses on the Linux kernel 2.4.x series on x86, but the technique can be applied to other operating systems that use the ELF format.
In this paper, sd explains a method that can be used to abuse the Linux kernel (mostly its syscalls) without the help of module support or System.map. This article assumes that the reader already has a basic knowledge of what an LKM is and how an LKM is loaded into the kernel...
This paper documents "on the fly" kernel patching on a running Linux system, using direct access to kernel memory. The article provides examples of kernel patching, shows how to remove an LKM's visibility to lsmod, and explains how to add kernel code, in the manner of loadable kernel modules (LKMs), to a running system without native LKM support.