!!! THE PROJECT IS NO LONGER MAINTAINED AT THE MOMENT !!!

Rootkit Profiler LX

This is the home of Rootkit Profiler LX (RKProfiler LX), an advanced kernel rootkit detection toolkit for Linux.

Overview

RKProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (RKPmod) and a data interpretation component called "Rootkit Profiler Console" (RKPconsole).

RKPmod is a kernel module that gets loaded on the system that should be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.

RKPconsole is a userland program that can be used to analyze the collected information.

Features

Detection: RKProfiler LX checks the whole kernel code as well as different kernel data sections and CPU registers for possible modifications and hidden components:

- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules

Self-protection: RKPmod supports some rudimentary methods to ensure its own integrity as well as the integrity of the collected information. The data collection module gets a different name each time it is loaded into the kernel. The collected data is encrypted in the kernel, so no unencrypted data is accessible in userland. Furthermore, the data collection module checks sensitive code parts of itself in memory in order to spot possible runtime in-memory modifications.

Separation of data collection and data interpretation: It is possible to analyze the collected data on a different system than the one the data was collected on. Therefore the data interpretation phase cannot be manipulated by a rootkit on the examined system. The data can of course also be analyzed on the same system it was collected on, but this is not advisable.
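The offline interpretation step described above (comparing collected kernel data against a trusted reference on a separate system) as an added Python example for one of the listed checks, syscall table entries; this is not RKProfiler LX's code, and the System.map excerpt, the collector's record format and all addresses are constructed assumptions.

```python
import re

# Constructed System.map excerpt for a 32-bit 2.6 kernel (addresses invented).
SYSTEM_MAP = """\
c0100000 T _text
c0105f20 T sys_restart_syscall
c0120a10 T sys_exit
c0160a50 T sys_open
c0170310 T sys_read
c02f0000 T _etext
"""
# i386 syscall numbers of the entries used in this sample.
SYSCALL_NAMES = {0: "sys_restart_syscall", 1: "sys_exit", 3: "sys_read",
                 5: "sys_open"}
# Constructed collector snapshot ("index address" per line) carried to the
# analysis host. Entry 3 (sys_read) points outside kernel text, as a hook would.
COLLECTED = """\
0 c0105f20
1 c0120a10
3 f8a0c310
5 c0160a50
"""

def parse_system_map(text):
    """Return {symbol: address} from 'address type name' lines."""
    symbols = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-fA-F]+)\s+\S\s+(\S+)$", line.strip())
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
    return symbols

def parse_collected(text):
    """Return {syscall index: recorded handler address}."""
    pairs = (line.split() for line in text.splitlines() if line.strip())
    return {int(idx): int(addr, 16) for idx, addr in pairs}

def check_syscall_table(collected, symbols, names):
    """Flag entries that differ from System.map; say whether the target lies in kernel text."""
    text_lo, text_hi = symbols["_text"], symbols["_etext"]
    findings = []
    for idx, addr in sorted(collected.items()):
        expected = symbols.get(names.get(idx, ""))
        if expected is None:
            findings.append((idx, "no reference symbol for this entry"))
        elif addr != expected:
            where = "inside" if text_lo <= addr < text_hi else "outside"
            findings.append((idx, f"{names[idx]}: expected {expected:#x}, got {addr:#x} ({where} kernel text)"))
    return findings
```

A real System.map must come from the distribution's unmodified kernel package, not from the examined system, since a rootkit can alter the local copy.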

Supported operating systems

RKProfiler LX currently supports the following Linux Distributions:

- SUSE Linux Enterprise Server 10 (x86, 32-bit)
- SUSE Linux Enterprise Desktop 10 (x86, 32-bit)
- Ubuntu 7.04 (x86, 32-bit)
- openSUSE 10.2 (x86, 32-bit)

No longer supported Linux Distributions:

- Ubuntu 6.10 Edgy Eft (x86, 32-bit)

Only the standard kernels of these distributions are supported. Self-compiled kernels are not supported by the public version of RKProfiler LX.

I try to keep RKProfiler LX up to date with new kernel packages. Please let me know if I missed an update.

Prerequisites

RKPconsole needs libxml2 and zlib to work.

Documentation

RKProfiler LX v0.12 Documentation

Download

RKProfiler LX is freeware but not open source.

RKProfiler LX for SUSE Enterprise Server 10
Version: v0.1
Last update: 2007/04/14
Kernel version: 2.6.16.27-0.9-default
Platform: x86, 32-bit
Download (works both on native systems as well as inside VMware guest systems)

RKProfiler LX for SUSE Enterprise Desktop 10
Version: v0.1
Last update: 2007/02/12
Kernel version: 2.6.16.21-0.8-default
Platform: x86, 32-bit
Download (works both on native systems as well as inside VMware guest systems)

RKProfiler LX for Ubuntu 7.04
Version: v0.1
Last update: 2007/04/22
Kernel version: 2.6.20-15-generic
Platform: x86, 32-bit
Download (native system version, see description below)
Download (VMware guest version, see description below)

Important note: Because of a bug in VMware it is not possible to check for hidden kernel modules on some Linux distributions (e.g. Ubuntu). Therefore it is necessary to maintain two different versions of RKProfiler LX for these distributions. The package for native systems supports the check for hidden kernel modules, while the package for VMware guest systems doesn't. Do *NOT* load a RKPmod meant for a native system in a VMware guest system. If you do it anyway, the system will crash immediately when RKPmod tries to enumerate the loaded kernel modules!

RKProfiler LX for openSUSE 10.2
Version: v0.1
Last update: 2007/04/14
Kernel version: 2.6.18.8-0.1-default
Platform: x86, 32-bit
Download (works both on native systems as well as inside VMware guest systems)

Important note: This version doesn't support the module memory scan feature. That means no hidden kernel modules will be identified on openSUSE, neither on a native system nor in a VMware guest system.

Last versions of no longer supported Linux Distributions

RKProfiler LX for Ubuntu 6.10 Edgy Eft
Version: v0.1
Last update: 2007/04/14
Kernel version: 2.6.17-11-generic
Platform: x86, 32-bit
Download (native system version, see description below)
Download (VMware guest version, see description below)

Important note: The same VMware restriction as described for Ubuntu 7.04 above applies. The package for native systems supports the check for hidden kernel modules, while the package for VMware guest systems doesn't. Do *NOT* load a RKPmod meant for a native system in a VMware guest system; the system will crash immediately when RKPmod tries to enumerate the loaded kernel modules!