(nearly) Complete Linux Loadable Kernel Modules, pragmatic/THC
An old but detailed LKM rootkit tutorial:
https://www.thc.org/papers/LKM_HACKING.html
See also Phrack 58:6 and Phrack 59:5 .
Helpful: the cross-referenced Linux code http://lxr.free-electrons.com/ , http://kernelnewbies.org/ .
Runtime kernel kmem patching & Unix ELF parasites and virus, by Silvio Cesare
http://vxheaven.org/lib/vsc01.html
http://vxheaven.org/lib/vsc07.html
The Linux kernel is itself an ELF file and obeys the standard linking conventions (this fact can be. It depends on them for the ability to load modules into the running kernel (the lack of this ability for earlier Windows made necessary the continual reboots after installing software or hardware). With write access to memory, this mechanism can be manipulated, just as any other userland program's address space (compare next link). See Phrack 58:7 for further development of these ideas.
Runtime process infection, Anonymous
Modifying (infecting) one user process from another. In principle, this is not different from what one can do with a good debugger, and indeed the author describes elements of the normal OS support for debugging, but he (she?) also points out the data structures to be patched. Compare this with the _kernel_ modification (above links).
Making System Calls from Kernel Space, Alessandro Rubini
http://www.linux.it/~rubini/docs/ksys/ksys.html
The practicalities of implementing services in the Linux kernel, specifically a fast in-kernel HTTP server, but the same technique can be applied to in-kernel backdoors. More details on in-kernel programming in http://www.linux.it/~rubini/docs/khttpd/khttpd.html
Random links and notes
http://www.cs.dartmouth.edu/~sergey/cs258/rootkits/
http://www.cs.dartmouth.edu/~sergey/cs258/2012/kernel-modules-hooks-and-rootkits.txt
Defensive patches
Kfence.c, ins1der
http://packetstorm.linuxsecurity.com/linux/security/Kfence.c
A hackish ad-hoc 2.4 kernel strengthening patch, installed by patching the live kernel though /dev/kmem in the system call dispatcher procedure. Finds the location of the syscall table by looking up the int80 handler in the Interrupt Descriptor Table (IDT) and inserts its own ad-hoc checks in front of the kernel's entry.S code, written in assembly. For more info on using the IDT: Phrack 59:4 and the follow-up Phrack 59:10.