Linux Rootkits

(nearly) Complete Linux Loadable Kernel Modules, pragmatic/THC

An old but detailed LKM rootkit tutorial.

See also Phrack 58:6 and Phrack 59:5.

Helpful: the cross-referenced Linux code.

Runtime kernel kmem patching & Unix ELF parasites and virus, by Silvio Cesare

The Linux kernel is itself an ELF file and obeys the standard linking conventions (this fact can be ...). It depends on them for the ability to load modules into the running kernel (earlier versions of Windows lacked this ability, hence the continual reboots after installing software or hardware). With write access to kernel memory, this mechanism can be manipulated just as any other userland program's address space can (compare the next link). See Phrack 58:7 for further development of these ideas.

Runtime process infection, Anonymous

Phrack 59:8

Modifying (infecting) one user process from another. In principle, this is no different from what one can do with a good debugger, and indeed the author describes elements of the OS's normal support for debugging, but he (she?) also points out the data structures to be patched. Compare this with the _kernel_ modification in the links above.

Making System Calls from Kernel Space, Alessandro Rubini

The practicalities of implementing services in the Linux kernel, specifically a fast in-kernel HTTP server, but the same technique can be applied to in-kernel backdoors. More details on in-kernel programming in

Random links and notes

Defensive patches

Kfence.c, ins1der

A hackish ad-hoc 2.4 kernel strengthening patch, installed by patching the live kernel through /dev/kmem in the system call dispatcher procedure. It finds the location of the syscall table by looking up the int80 handler in the Interrupt Descriptor Table (IDT) and inserts its own ad-hoc checks, written in assembly, in front of the kernel's entry.S code. For more info on using the IDT: Phrack 59:4 and the follow-up Phrack 59:10.
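As an added illustration (not code from Kfence.c or from any of the linked texts), here is the lookup step the patch relies on, done in userland over copies of the relevant bytes: decode the int 0x80 gate from a 32-bit IDT image, recover the sys_call_table address from the handler's `call *sys_call_table(,%eax,4)` instruction, and apply the integrity check a hardening patch would make on that gate. The IDT image, handler bytes and kernel text range are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit x86 IDT gate descriptor (8 bytes) as laid out in memory. */
struct idt_gate {
    uint16_t offset_low;   /* handler address bits 0..15 */
    uint16_t selector;     /* code segment selector */
    uint8_t  zero;
    uint8_t  type_attr;    /* present bit, DPL, gate type */
    uint16_t offset_high;  /* handler address bits 16..31 */
} __attribute__((packed));

/* Decode the handler address of vector `vec` from a raw copy of the IDT. */
uint32_t idt_handler(const uint8_t *idt, size_t idt_len, unsigned vec)
{
    struct idt_gate g;
    if ((size_t)(vec + 1) * sizeof g > idt_len)
        return 0;                         /* vector not present in the copy */
    memcpy(&g, idt + vec * sizeof g, sizeof g);
    return ((uint32_t)g.offset_high << 16) | g.offset_low;
}

/* Scan a copy of the handler's code for "call *sys_call_table(,%eax,4)",
 * encoded as ff 14 85 <imm32>, and return the table address it references. */
uint32_t find_syscall_table(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 7 <= len; i++) {
        if (code[i] == 0xff && code[i + 1] == 0x14 && code[i + 2] == 0x85) {
            uint32_t addr;
            memcpy(&addr, code + i + 3, sizeof addr);  /* little-endian imm32 */
            return addr;
        }
    }
    return 0;
}

/* Integrity check: the int 0x80 gate must still point into the kernel's static
 * text. A handler outside [text_start, text_end) means the gate was redirected. */
int int80_handler_intact(const uint8_t *idt, size_t idt_len,
                         uint32_t text_start, uint32_t text_end)
{
    uint32_t h = idt_handler(idt, idt_len, 0x80);
    return h >= text_start && h < text_end;
}

/* Constructed sample (made up for this example): a 129-entry IDT whose vector
 * 0x80 is a DPL-3 trap gate to 0xc0106e80, and a handler snippet that calls
 * through sys_call_table at 0xc02a4c60. */
const uint8_t sample_idt[129 * 8] = { [0x80 * 8] = 0x80, 0x6e, 0x60, 0x00, 0x00, 0xee, 0x10, 0xc0 };
const uint8_t sample_handler[] = { 0x50, 0xfc, 0xff, 0x14, 0x85, 0x60, 0x4c, 0x2a, 0xc0, 0xc3 };
```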

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License