
kjackal's Introduction

Kjackal project
----------------

NOTICE:

In no situation will we be liable for any loss or damage including without
limitation, indirect or consequential loss or damage, or any loss or damage
whatsoever arising from loss of data or profits arising out of, or in
connection with, the use of the data in this repository.

This is a kernel module, so like any other kernel module, things can go bad. It
will NOT destroy any data or corrupt your hard drive. At worst, you'll get a
kernel panic and you'll have to reboot. If this happens, PLEASE report it :).

Feel free to check the code; there are NO hidden backdoors or any shenanigans to
install undesired software on your computer.

ABOUT:

Kjackal is a one-time Linux kernel module rootkit scanner. It is *not* a
rootkit AV or any IPS bimbo-blabla system. The purpose of kjackal is to quickly
scan the Linux kernel for rootkit(s).

Commonly, a kernel module rootkit, once loaded, will hijack the syscall
table, the proc filesystem (to hide itself) and the TCP IPv4 operations (to
hide its backdoor's port).

Kjackal uses multiple methods to find hidden modules. Here is the list:

1) Syscall hijack detection.

The primary technique is to iterate over the syscall table and test
every address to see whether it lies in the core kernel text section, where it
is supposed to be. If it does not, we look for the module "hosting" this address.

2) TCP IPv4 seq_ops hijack detection.

This technique is often used to hide ports or other sensitive information.
The 'seq_ops.show' pointer is checked here against the core kernel text address
space.

3) /proc filesystem hijack detection.

Check the readdir ops of /proc.

4) Search for hidden modules.

Search for each *hidden* module, that is, a module which tries to remove itself
from existence. kjackal still has a few cards up its sleeve ;) to get them.
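To make the syscall-table check concrete, here is a user-space model of it. This is an added example, not kjackal's own code: the core text range, the module list and the syscall table entries are all constructed, and it only models the first step (classifying each entry) before the hidden-module search would take over.

```c
/* Added example (not kjackal's own code): a user-space model of kjackal's
 * syscall-table check. Every address, size and module name is constructed. */
#include <stdio.h>
#include <string.h>
struct text_range { const char *name; unsigned long long base, size; };
/* Constructed stand-in for the core kernel text section. */
static const struct text_range core_text = { "core", 0xffffffff81000000ULL, 0xa00000ULL };
/* Constructed module list; a module that unlinks itself would be absent here. */
static const struct text_range listed_mods[] = {
    { "ext4",   0xffffffffa0000000ULL, 0x80000ULL },
    { "e1000e", 0xffffffffa0100000ULL, 0x40000ULL },
};
static int in_range(const struct text_range *r, unsigned long long a)
{
    return a >= r->base && a < r->base + r->size;
}

/* Name of the listed module whose memory holds addr, or NULL. */
const char *host_module(unsigned long long addr)
{
    size_t i;
    for (i = 0; i < sizeof(listed_mods) / sizeof(listed_mods[0]); i++)
        if (in_range(&listed_mods[i], addr))
            return listed_mods[i].name;
    return NULL;
}
/* 0: entry lies in core kernel text (expected). 1: entry was redirected into
 * a listed module. 2: entry is outside core text and every listed module, so
 * the hook lives in code hiding from the module list (hidden-module search). */
int classify_syscall(unsigned long long addr)
{
    if (in_range(&core_text, addr))
        return 0;
    return host_module(addr) ? 1 : 2;
}
int main(void)
{
    /* Constructed table: two sane entries, one hook in a listed module, one
     * hook in memory that no listed module owns. */
    const unsigned long long tbl[] = { 0xffffffff81234560ULL, 0xffffffff815000a0ULL,
                                       0xffffffffa0001000ULL, 0xffffffffa0300000ULL };
    size_t nr;
    for (nr = 0; nr < sizeof(tbl) / sizeof(tbl[0]); nr++) {
        int v = classify_syscall(tbl[nr]);
        const char *m = host_module(tbl[nr]);
        printf("syscall %zu at 0x%llx: %s%s\n", nr, tbl[nr], v == 0 ? "core text"
               : v == 1 ? "hooked by module " : "hooked by unlisted code", m ? m : "");
    }
    return 0;
}
```

The last table entry is the interesting case: it belongs to no listed module, which is exactly when a scanner has to go beyond the module list to find who owns that memory.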

REQUIREMENTS:

Tested on 2.6.32 up to 3.15.0. However, it might work on an older kernel.
Please report if you succeed.

- Linux Kernel Headers 2.6.32 or later

  * Debian: sudo apt-get install linux-headers
  * Redhat: sudo yum install kernel-headers
  * Arch: sudo pacman -S linux-headers
  * Gentoo: sudo emerge linux-headers

COMPILE:

# make

USAGE:

# insmod kjackal.ko
# dmesg

Kjackal prints the report in dmesg.

# rmmod kjackal

TESTS:

The tests/ directory contains three simple kernel modules to test kjackal.
Please read carefully the comments in the .c file before loading one of them.

WHAT'S NEXT:

So time for the fun part.

*IF* kjackal detects a rogue kernel module, please report it so we can
investigate it! There is a feature in src/module.c called "module_dump_memory"
which can be used to dump the entire module memory if one is detected. The dump
will be created in /tmp/rootkit-module.dump. Enable this and we'll have fun
after that.

Also, PLEASE contribute your ideas/comments/code/bugs to this project to make
it better and more efficient at finding kernel module rootkits. Please send me
any rootkit code you come across so I can study it; any commercial one would be
really nice too.

kjackal's People

Contributors: dgoulet, kwadronaut


kjackal's Issues

error when compiling on debian buster with kernel 4.19.0-5-amd64

root@debi:/home/lamer/kjackal# make
Replacing MARKER_SYS_CALL_TABLE symbol by ffffffff81c001e0 in source
Replacing MARKER_MODULE_KSET symbol ffffffff825e6bc8 in source
Replacing MARKER_CORE_KERNEL_TEXT symbol ffffffff8109ea00 in source

make -C "/lib/modules/4.19.0-5-amd64/build" M=/home/lamer/kjackal modules
make[1]: Entering directory '/usr/src/linux-headers-4.19.0-5-amd64'
CC [M] /home/lamer/kjackal/src/common.o
CC [M] /home/lamer/kjackal/src/module.o
/home/lamer/kjackal/src/module.c: In function ‘kj_module_find_hidden_from_addr’:
/home/lamer/kjackal/src/module.c:76:38: error: ‘struct module’ has no member named ‘module_core’
if (addr >= (unsigned long) mk->mod->module_core &&
^~
/home/lamer/kjackal/src/module.c:77:36: error: ‘struct module’ has no member named ‘module_core’
addr < (unsigned long) (mk->mod->module_core + mk->mod->core_size)) {
^~
/home/lamer/kjackal/src/module.c:77:61: error: ‘struct module’ has no member named ‘core_size’; did you mean ‘percpu_size’?
addr < (unsigned long) (mk->mod->module_core + mk->mod->core_size)) {
^~~~~~~~~
percpu_size
In file included from /home/lamer/kjackal/src/module.c:28:
/home/lamer/kjackal/src/module.c:83:55: error: ‘struct module’ has no member named ‘module_core’
KJ_DMESG("Address space from 0x%p to 0x%p", mk->mod->module_core,
^~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c:84:13: error: ‘struct module’ has no member named ‘module_core’
mk->mod->module_core + mk->mod->core_size);
^~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c:84:38: error: ‘struct module’ has no member named ‘core_size’; did you mean ‘percpu_size’?
mk->mod->module_core + mk->mod->core_size);
^~~~~~~~~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c: In function ‘kj_module_find_all_hidden’:
/home/lamer/kjackal/src/module.c:140:56: error: ‘struct module’ has no member named ‘module_core’
KJ_DMESG("Address space from 0x%p to 0x%p", mk->mod->module_core,
^~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c:141:14: error: ‘struct module’ has no member named ‘module_core’
mk->mod->module_core + mk->mod->core_size);
^~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c:141:39: error: ‘struct module’ has no member named ‘core_size’; did you mean ‘percpu_size’?
mk->mod->module_core + mk->mod->core_size);
^~~~~~~~~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c: In function ‘kj_module_list_symbols’:
/home/lamer/kjackal/src/module.c:156:47: error: ‘struct module’ has no member named ‘num_symtab’; did you mean ‘num_syms’?
KJ_DMESG("%d internal symbol(s) found", mod->num_symtab);
^~~~~~~~~~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c:159:23: error: ‘struct module’ has no member named ‘num_symtab’; did you mean ‘num_syms’?
for (i = 1; i < mod->num_symtab; i++) {
^~~~~~~~~~
num_syms
/home/lamer/kjackal/src/module.c:160:23: error: ‘struct module’ has no member named ‘strtab’; did you mean ‘state’?
printk("%s ", &mod->strtab[mod->symtab[i].st_name]);
^~~~~~
state
/home/lamer/kjackal/src/module.c:160:35: error: ‘struct module’ has no member named ‘symtab’; did you mean ‘syms’?
printk("%s ", &mod->strtab[mod->symtab[i].st_name]);
^~~~~~
syms
/home/lamer/kjackal/src/module.c: In function ‘kj_module_dump_memory’:
/home/lamer/kjackal/src/module.c:193:41: error: ‘struct module’ has no member named ‘module_init’
bytes_written = fp->f_op->write(fp, mod->module_init, mod->init_size,
^~
/home/lamer/kjackal/src/module.c:193:59: error: ‘struct module’ has no member named ‘init_size’
ytes_written = fp->f_op->write(fp, mod->module_init, mod->init_size,
^~

/home/lamer/kjackal/src/module.c:196:26: error: ‘struct module’ has no member named ‘init_size’
if (bytes_written != mod->init_size) {
^~
In file included from /home/lamer/kjackal/src/module.c:28:
/home/lamer/kjackal/src/module.c:198:23: error: ‘struct module’ has no member named ‘init_size’
bytes_written, mod->init_size);
^~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

/home/lamer/kjackal/src/module.c:205:41: error: ‘struct module’ has no member named ‘module_core’
bytes_written = fp->f_op->write(fp, mod->module_core, mod->core_size,
^~
/home/lamer/kjackal/src/module.c:205:61: error: ‘struct module’ has no member named ‘core_size’; did you mean ‘percpu_size’?
tes_written = fp->f_op->write(fp, mod->module_core, mod->core_size,
^~~~~~~~~
percpu_size
/home/lamer/kjackal/src/module.c:208:28: error: ‘struct module’ has no member named ‘core_size’; did you mean ‘percpu_size’?
if (bytes_written != mod->core_size) {
^~~~~~~~~
percpu_size
In file included from /home/lamer/kjackal/src/module.c:28:
/home/lamer/kjackal/src/module.c:210:25: error: ‘struct module’ has no member named ‘core_size’; did you mean ‘percpu_size’?
bytes_written, mod->core_size);
^~~~~~~~~
/home/lamer/kjackal/src/common.h:23:64: note: in definition of macro ‘KJ_DMESG’
efine KJ_DMESG(fmt, args...) printk("kjackal: " fmt "\n", ## args);
^~~~

make[4]: *** [/usr/src/linux-headers-4.19.0-5-common/scripts/Makefile.build:309: /home/lamer/kjackal/src/module.o] Error 1
make[3]: *** [/usr/src/linux-headers-4.19.0-5-common/Makefile:1539: module/home/lamer/kjackal] Error 2
make[2]: *** [Makefile:146: sub-make] Error 2
make[1]: *** [Makefile:8: all] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.19.0-5-amd64'
make: *** [Makefile:26: default] Error 2
