1. 5

  2. 1

    I wonder how hard it would be to make a rootkit immune to this.

    1. 4

      As with pretty much any such “trying to detect a compromised kernel after the fact” sort of situation, I’m pretty sure the answer is “not at all”. Looking at the implementation of this one, it looks like all you’d need to do is have your malicious module unlink its own entry from module_kset’s list of kobjects after initializing itself (all your nefarious code and such remains loaded of course).

      1. 2

        It’s a cat and mouse game. It’s nearly always possible to evade detection, and it’s nearly always possible to detect. Of course, there are exceptions, and sometimes the method is not feasable because of some various factors (e.g. too expensive).

        This is a good introduction short article: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

        (Ken Thompson’s “Reflections on Trusting Trust”, 1984)