# Cheat sheet to detect and remove Linux kernel rootkits

> Created by @MatheuzSecurity
- https://br.linkedin.com/in/matheus-alves-212775208
- Repository: https://github.com/MatheuZSecurity/detect-lkm-rootkit-cheatsheet
- More rootkit / malware content in the rootkit researchers group
> Join: https://discord.gg/66N5ZQppU7

Nowadays, rootkits are becoming increasingly sophisticated and stealthy, so detecting them, and especially removing them, is an extremely difficult task.

In this cheat sheet I include several techniques to help with this.

## Detect Linux Kernel Rootkits

### Finding rootkits in sysfs/tracing

- `/sys/kernel/tracing/available_filter_functions` # Lists kernel functions that can be filtered for tracing
- `/sys/kernel/debug/tracing/available_filter_functions` # Same list of filterable functions, exposed through debugfs
- `/sys/kernel/tracing/available_filter_functions_addrs` # Lists filterable functions with their addresses, kernel 6.5+ only
- `/sys/kernel/debug/tracing/available_filter_functions_addrs` # Like the previous one, through debugfs, kernel 6.5+
- `/sys/kernel/tracing/enabled_functions` # Lists kernel functions currently enabled for tracing
- `/sys/kernel/debug/tracing/enabled_functions` # Same list of traced functions, through debugfs
- `/sys/kernel/debug/tracing/trace` # Where tracing events are recorded in real time
- `/sys/kernel/tracing/trace` # Like the previous one; lets you view the trace without debugfs
- `/sys/kernel/debug/dynamic_debug/control` # Enable/disable kernel debug messages for specific modules at run time
- `/sys/kernel/tracing/touched_functions` # Shows all functions that were ever traced by ftrace or a direct trampoline (kernel 6.4+ only)
- `/sys/fs/bpf/*` # Directory for BPF (eBPF) maps and programs, used for tracing and security
- `/sys/module/*` # Contains information about loaded kernel modules, such as parameters and state
- `/sys/kernel/tracing/kprobe_events` # Contains kprobe events

### Finding rootkits in procfs

- `/proc/kallsyms` # Lists all kernel symbols, including function and variable addresses
- `/proc/modules` # Displays modules loaded in the kernel, with information such as size, usage count, etc.
- `/proc/vmallocinfo` # Shows memory allocated by vmalloc
- `/proc/sys/kernel/tainted` # Indicates the "taint" state of the kernel, signaling modifications or errors

### Logs

- `/var/log/dmesg*` # Kernel message logs, as captured by the dmesg command
- `/var/log/kern.log` # Stores logs of kernel events and messages, useful for monitoring and debugging
- `/dev/kmsg` # Interface for writing and reading kernel messages in real time
- `dmesg` # Command to view kernel log messages, including those from boot
- `journalctl -k` # Shows kernel logs captured by systemd-journald

### Open source tools

- [Nitara2](https://github.com/ksen-lin/nitara2)
- [Tracee](https://github.com/aquasecurity/tracee)
- [bpf-hookdetect](https://github.com/pathtofile/bpf-hookdetect)

## Making ftrace based rootkits useless

Most rootkits that still work on recent kernels use the well-known ftrace hooking method, because hijacking the syscall table has become outdated and non-functional on most recent kernels, precisely because of the protections and changes the kernel underwent.

So, since most current rootkits use ftrace, why not disable it?

<p align="center"><img src="brokepkg.png"></p>

With ftrace disabled you can search for hidden PIDs and directories, for example. Disabling ftrace makes any ftrace hook useless, but if you enable it again the hooks will work again (remember that there are ways for a rootkit that uses ftrace to protect itself against being bypassed this way).

```
echo 0 > /proc/sys/kernel/ftrace_enabled
# or
sysctl kernel.ftrace_enabled=0
```

## Removing LKM Rootkits

### [Imperius](https://github.com/MatheuZSecurity/Imperius)

You can combine tracing with Imperius: use tracing to obtain the address of a function, for example `module_show` from Diamorphine, then Imperius calls that function, which adds the module back to the list shown by lsmod and makes the LKM rootkit visible.

<p align="center"><img src="imperius.png"></p>

### [ModTracer](https://github.com/MatheuZSecurity/ModTracer)

ModTracer aims to find LKM rootkits that are hidden inside the system and make them visible again.

<p align="center"><img src="modtracer.png"></p>

# Contribution

If you want to contribute to this repository with more tricks to detect or remove Linux kernel rootkits, please contact me.

NOTE: More things coming soon