CoursesAdvanced Linux securityPersistence & rootkits

Kernel rootkits & detection

When you cannot trust the kernel.

Advanced14 min · lesson 8 of 17

The deepest hiding place is the kernel itself. A kernel rootkit — usually a malicious loadable kernel module — runs with full kernel privileges and can intercept the system calls that every tool ultimately relies on, so it hides files, processes, network connections, and even itself from everything running in userspace. Where LD_PRELOAD fools dynamically-linked programs, a kernel rootkit fools the kernel’s answers to everyone, which is why it is the hardest to detect from the running system and the reason the hardening course was so insistent about controlling module loading.

terminal
# indicators a kernel rootkit may be present (all fallible if the kernel is subverted):
$ lsmod # an unfamiliar module — but a good rootkit hides itself here too
$ cat /proc/modules # cross-check against lsmod for discrepancies
$ dmesg | grep -i taint # a tainted kernel can indicate an out-of-tree/unsigned module
$ cat /proc/sys/kernel/tainted # non-zero after loading unsigned modules

Detecting what hides from you

You cannot reliably ask a compromised kernel whether it is compromised, so detection leans on discrepancies and outside views. Compare what the host reports against ground truth gathered elsewhere: a process the host does not show but that is making network connections your firewall or a network sensor sees; files present when you mount the disk from a trusted rescue system but absent to the live host; memory forensics (analyzing a RAM capture offline) that reveals hidden modules and hooks. Tools like chkrootkit and rkhunter check known signatures, but the durable method is comparing the suspect system to an independent source of truth.

Detecting a kernel rootkit: compare views
1the live host
may be lying
2network sensor
sees hidden connections
3offline disk
mounted from rescue media
4memory image
reveals hidden modules
A rootkit hides from the host it controls, not from independent observers. Discrepancies between views are the detection.

Prevention is far easier than detection

Because a kernel rootkit is so hard to find once installed, the leverage is in prevention — which is exactly the module-control hardening from the previous course. Requiring signed modules (kernel lockdown / module signature enforcement) means the kernel refuses to load an unsigned rootkit; disabling module loading after boot (kernel.modules_disabled=1) means nothing new loads at all; and auditing init_module/finit_module records any load attempt. A host where an attacker with root still cannot load a kernel module is a host where the deepest hiding place is closed.

Suspected kernel compromise = rebuild, not clean
If you have real evidence of a kernel rootkit, you cannot trust anything the host tells you and you cannot reliably remove it in place — the safe response is to capture evidence (memory and disk images) for analysis, then rebuild the host from known-good media rather than attempting to disinfect it. And rotate every credential the box could have touched. Trying to "clean" a kernel-rootkitted host is how attackers keep a foothold through your remediation; prevention and rebuild are the honest answers.