Analyzing Linux Kernel Rootkits Overview Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit. Live scanners run on the very kernel under suspicion, so a clean live result is not proof of absence; the acquired memory image is the authoritative view and should be captured before any live scanning. Pre…

| sort -n) \\\n \u003c(ps -eo pid --no-headers | sort -n)\n```\n\n### References\n\n- Volatility3 Linux Plugins: https://volatility3.readthedocs.io/en/latest/volatility3.plugins.linux.html\n- LiME: https://github.com/504ensicsLabs/LiME\n- rkhunter: http://rkhunter.sourceforge.net/\n- MITRE T1014 Rootkit: https://attack.mitre.org/techniques/T1014/\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":2592,"content_sha256":"d233a7260a5199d5c1ab171defc9be9af612bc9a65605ef98fe4d8b6c148cd6b"},{"filename":"scripts/agent.py","content":"#!/usr/bin/env python3\n\"\"\"Linux Kernel Rootkit Detection Agent - analyzes memory dumps with Volatility3 and live system with rkhunter.\"\"\"\n\nimport json\nimport argparse\nimport logging\nimport subprocess\nimport os\nfrom collections import defaultdict\nfrom datetime import datetime\n\nlogging.basicConfig(level=logging.INFO, format=\"%(asctime)s [%(levelname)s] %(message)s\")\nlogger = logging.getLogger(__name__)\n\n\ndef run_vol3_plugin(memory_dump, plugin, isf_url=None):\n \"\"\"Run a Volatility3 Linux plugin and return parsed output.\"\"\"\n cmd = [\"vol\", \"-f\", memory_dump, plugin, \"-r\", \"json\"]\n if isf_url:\n cmd.extend([\"--isf\", isf_url])\n result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)\n try:\n return json.loads(result.stdout) if result.stdout else []\n except json.JSONDecodeError:\n logger.error(\"Volatility3 %s output parse failed\", plugin)\n return []\n\n\ndef check_syscall_hooks(memory_dump, isf_url=None):\n \"\"\"Detect hooked system calls using linux.check_syscall.\"\"\"\n results = run_vol3_plugin(memory_dump, \"linux.check_syscall.Check_syscall\", isf_url)\n hooked = []\n for entry in results:\n row = entry.get(\"__children\", [entry]) if isinstance(entry, dict) else [entry]\n for item in row:\n symbol = item.get(\"Symbol\", item.get(\"symbol\", \"\"))\n module = item.get(\"Module\", item.get(\"module\", \"\"))\n if module and module != \"kernel\":\n 
hooked.append({\n \"syscall_number\": item.get(\"Index\", item.get(\"index\", \"\")),\n \"expected_handler\": symbol,\n \"actual_module\": module,\n \"severity\": \"critical\",\n \"indicator\": \"syscall_hook\",\n })\n return hooked\n\n\ndef detect_hidden_modules(memory_dump, isf_url=None):\n \"\"\"Detect hidden kernel modules using cross-view analysis.\"\"\"\n lsmod_results = run_vol3_plugin(memory_dump, \"linux.lsmod.Lsmod\", isf_url)\n hidden_results = run_vol3_plugin(memory_dump, \"linux.hidden_modules.Hidden_modules\", isf_url)\n lsmod_names = set()\n for entry in lsmod_results:\n name = entry.get(\"Name\", entry.get(\"name\", \"\"))\n if name:\n lsmod_names.add(name)\n hidden = []\n for entry in hidden_results:\n name = entry.get(\"Name\", entry.get(\"name\", \"\"))\n if name:\n hidden.append({\n \"module_name\": name,\n \"in_lsmod\": name in lsmod_names,\n \"severity\": \"critical\",\n \"indicator\": \"hidden_kernel_module\",\n \"detail\": f\"Module '{name}' hidden from standard listing\",\n })\n return hidden\n\n\ndef check_idt_hooks(memory_dump, isf_url=None):\n \"\"\"Check Interrupt Descriptor Table for hooks.\"\"\"\n results = run_vol3_plugin(memory_dump, \"linux.check_idt.Check_idt\", isf_url)\n hooked = []\n for entry in results:\n module = entry.get(\"Module\", entry.get(\"module\", \"\"))\n if module and module != \"kernel\":\n hooked.append({\n \"interrupt\": entry.get(\"Index\", \"\"),\n \"handler_module\": module,\n \"severity\": \"critical\",\n \"indicator\": \"idt_hook\",\n })\n return hooked\n\n\ndef run_rkhunter():\n \"\"\"Run rkhunter rootkit scanner on live system.\"\"\"\n cmd = [\"rkhunter\", \"--check\", \"--skip-keypress\", \"--report-warnings-only\", \"--nocolors\"]\n result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)\n findings = []\n for line in result.stdout.split(\"\\n\"):\n line = line.strip()\n if \"Warning:\" in line or \"[ Warning ]\" in line:\n findings.append({\n \"tool\": \"rkhunter\",\n \"finding\": 
line.replace(\"Warning:\", \"\").strip(),\n \"severity\": \"high\",\n })\n return findings\n\n\ndef check_proc_sys_discrepancy():\n \"\"\"Compare /proc/modules with /sys/module for hidden modules.\"\"\"\n findings = []\n proc_modules = set()\n sys_modules = set()\n try:\n with open(\"/proc/modules\") as f:\n for line in f:\n proc_modules.add(line.split()[0])\n except (FileNotFoundError, PermissionError):\n return findings\n try:\n sys_modules = set(os.listdir(\"/sys/module\"))\n except (FileNotFoundError, PermissionError):\n return findings\n only_in_sys = sys_modules - proc_modules\n for mod in only_in_sys:\n if not os.path.exists(f\"/sys/module/{mod}/initstate\"):\n continue\n findings.append({\n \"module\": mod, \"indicator\": \"proc_sys_discrepancy\",\n \"severity\": \"high\",\n \"detail\": f\"Module '{mod}' in /sys/module but missing from /proc/modules\",\n })\n return findings\n\n\ndef generate_report(syscall_hooks, hidden_mods, idt_hooks, rkhunter_findings, proc_findings, source):\n all_findings = syscall_hooks + hidden_mods + idt_hooks + rkhunter_findings + proc_findings\n critical = sum(1 for f in all_findings if f.get(\"severity\") == \"critical\")\n return {\n \"timestamp\": datetime.utcnow().isoformat(),\n \"analysis_source\": source,\n \"syscall_hooks\": syscall_hooks,\n \"hidden_modules\": hidden_mods,\n \"idt_hooks\": idt_hooks,\n \"rkhunter_warnings\": rkhunter_findings,\n \"proc_sys_discrepancies\": proc_findings,\n \"total_findings\": len(all_findings),\n \"critical_findings\": critical,\n \"rootkit_detected\": critical > 0,\n }\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Linux Kernel Rootkit Detection Agent\")\n parser.add_argument(\"--memory-dump\", help=\"Path to Linux memory dump for Volatility3 analysis\")\n parser.add_argument(\"--isf-url\", help=\"Volatility3 ISF symbol table URL\")\n parser.add_argument(\"--live-scan\", action=\"store_true\", help=\"Run rkhunter + /proc analysis on live system\")\n 
parser.add_argument(\"--output\", default=\"rootkit_detection_report.json\")\n args = parser.parse_args()\n\n syscall_hooks, hidden_mods, idt_hooks = [], [], []\n rkhunter_findings, proc_findings = [], []\n source = \"none\"\n if args.memory_dump:\n source = f\"memory_dump:{args.memory_dump}\"\n syscall_hooks = check_syscall_hooks(args.memory_dump, args.isf_url)\n hidden_mods = detect_hidden_modules(args.memory_dump, args.isf_url)\n idt_hooks = check_idt_hooks(args.memory_dump, args.isf_url)\n if args.live_scan:\n source = \"live_system\" if source == \"none\" else source + \"+live_system\"\n rkhunter_findings = run_rkhunter()\n proc_findings = check_proc_sys_discrepancy()\n report = generate_report(syscall_hooks, hidden_mods, idt_hooks, rkhunter_findings, proc_findings, source)\n with open(args.output, \"w\") as f:\n json.dump(report, f, indent=2, default=str)\n logger.info(\"Rootkit scan: %d findings (%d critical), rootkit detected: %s\",\n report[\"total_findings\"], report[\"critical_findings\"], report[\"rootkit_detected\"])\n print(json.dumps(report, indent=2, default=str))\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":7060,"content_sha256":"ddc7d4cf7f0b6ea8ddc5a23b4a9654fb9ae7766ff4ac9a0d5796e7693ac64bc9"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Analyzing Linux Kernel Rootkits","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). 
This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit. Live scanners run on the very kernel under suspicion, so a clean live result is not proof of absence; the acquired memory image is the authoritative view.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Volatility3 installed (pip install volatility3)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Linux memory dump (acquired via LiME, AVML, or /proc/kcore)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Volatility3 Linux symbol table (ISF) matching the target kernel version and build; a mismatched ISF yields unreliable or spurious findings","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"rkhunter and chkrootkit for live system scanning","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Reference known-good kernel image for comparison","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Steps","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Acquire Memory Dump","type":"text"}]},{"type":"paragraph","content":[{"text":"Capture Linux physical memory using LiME kernel module or AVML for cloud instances. Acquire memory before any live scanning or remediation: live tools change kernel state, and a loaded rootkit can tamper with what they observe. Hash the dump immediately after acquisition and keep the hash with the case notes so the image can be shown to be unaltered.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Analyze with Volatility3","type":"text"}]},{"type":"paragraph","content":[{"text":"Run linux.check_syscall, linux.lsmod, linux.hidden_modules, and linux.check_idt plugins to detect rootkit artifacts.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Cross-View Analysis","type":"text"}]},{"type":"paragraph","content":[{"text":"Compare module lists from /proc/modules, lsmod, and /sys/module to identify modules hidden from one view but present in 
another.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Live System Scanning","type":"text"}]},{"type":"paragraph","content":[{"text":"Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files, and modified system binaries. Both tools query the running kernel, so a rootkit that hooks syscalls or hides files can blind them; treat a clean result as inconclusive, and where possible scan the filesystem from trusted boot media or cross-check against the memory image.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Expected Output","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings. The report's rootkit_detected flag is set only when a critical-severity Volatility3 finding (syscall hook, IDT hook, or hidden module) is present; rkhunter warnings and /proc vs /sys discrepancies are rated high and do not set the flag, so they must be reviewed manually.","type":"text"}]}]},"metadata":{"date":"2026-06-05","name":"analyzing-linux-kernel-rootkits","tags":["rootkit","linux","kernel","volatility3","memory-forensics","malware-analysis","rkhunter","forensics"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":5,"repo_name":"community-skills","origin_url":"https://github.com/autohandai/community-skills/blob/HEAD/analyzing-linux-kernel-rootkits/SKILL.md","repo_owner":"autohandai","body_sha256":"f8bda104c9aafc713b251576b335ce9b5cf49e599c3b5003996e6d7ae24e3d7f","cluster_key":"cd1883337ed8fb3904b712a5b6d166beb28b222a568f20191bf667c6fec3ca19","clean_bundle":{"format":"clean-skill-bundle-v1","source":"autohandai/community-skills/analyzing-linux-kernel-rootkits/SKILL.md","attachments":[{"id":"65c46a3e-6620-5b71-a927-552465fc239e","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/65c46a3e-6620-5b71-a927-552465fc239e/attachment.md","path":"references/api-reference.md","size":2592,"sha256":"d233a7260a5199d5c1ab171defc9be9af612bc9a65605ef98fe4d8b6c148cd6b","contentType":"text/markdown; charset=utf-8"},{"id":"6eca13aa-e648-50ef-8cf3-21f4a96285f5","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6eca13aa-e648-50ef-8cf3-21f4a96285f5/attachment.py","path":"scripts/agent.py","size":7060,"sha256":"ddc7d4cf7f0b6ea8ddc5a23b4a9654fb9ae7766ff4ac9a0d5796e7693ac64bc9","contentType":"text/x-python; 
charset=utf-8"}],"bundle_sha256":"4852999861f1fe8ee69edc3352651921970d57477a8b504db0ec9f3d553c36c2","attachment_count":2,"text_attachments":2,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"analyzing-linux-kernel-rootkits/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"security","subdomain":"digital-forensics","import_tag":"clean-skills-v1","description":"Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures."}},"renderedAt":1782986366298}
