Linux 2.6 Rootkit Detector
Here is a Rootkit Detector I wrote for CS 558 at USC in the Fall of 2005. It consists mainly of a Linux loadable kernel module that loops through the scheduler task list, as well as all open file descriptors attached to the tasks, and writes what it finds to a file. Then a Python script compares the kernel data to what is reported by lsof. If it finds discrepancies, it reports them and alerts the user to a possible rootkit.
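The comparison step, as an added example that is not the detector's own Python script: it parses a kernel-side dump and the field output of `lsof -F pcfn`, then reports anything the kernel sees that lsof does not. The dump format ("pid comm fd path", one line per fd) is an assumption, as are the sample data, which are constructed to show a process and an fd hidden from /proc-based tools. The `lsof -F` field letters (p, c, f, n) are real.

```python
"""Cross-view rootkit check: compare the kernel's own view of tasks and
open fds with what user-space lsof reports. Added example, not the original
detector's parser; the dump format and the samples below are assumptions."""
import re

# Constructed sample of what the kernel module is assumed to write:
# one line per open fd, "pid comm fd path"; '#' starts a comment.
KERNEL_DUMP = """\
# pid comm fd path
1 init 0 /dev/null
1 init 1 /dev/null
1234 sshd 3 socket:[5678]
1234 sshd 4 /var/log/auth.log
4242 bindshell 3 socket:[9999]
"""

# Constructed sample of `lsof -F pcfn` output (real field letters:
# p=pid, c=command, f=fd, n=name). pid 4242 and sshd's fd 4 are missing,
# as a /proc-hooking rootkit would make them; pid 5000 appears only here.
LSOF_OUTPUT = """\
p1
cinit
f0
n/dev/null
f1
n/dev/null
p1234
csshd
fcwd
n/
f3
nsocket:[5678]
p5000
cbash
f0
n/dev/pts/0
"""


def parse_kernel_dump(text):
    """Return {pid: {"comm": str, "fds": {fd: path}}} from the module's dump."""
    procs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, comm, fd, path = line.split(None, 3)
        entry = procs.setdefault(int(pid), {"comm": comm, "fds": {}})
        entry["fds"][int(fd)] = path
    return procs


def parse_lsof_f(text):
    """Return the same structure from `lsof -F pcfn` field output."""
    procs, cur, cur_fd = {}, None, None
    for line in text.splitlines():
        if not line:
            continue
        tag, val = line[0], line[1:]
        if tag == "p":
            cur = procs.setdefault(int(val), {"comm": "", "fds": {}})
            cur_fd = None
        elif tag == "c" and cur is not None:
            cur["comm"] = val
        elif tag == "f":
            # numeric fds only: cwd/rtd/txt/mem pseudo-fds have no kernel fd number
            m = re.fullmatch(r"(\d+)[rwu]?", val)
            cur_fd = int(m.group(1)) if m else None
        elif tag == "n" and cur is not None and cur_fd is not None:
            cur["fds"][cur_fd] = val
            cur_fd = None
    return procs


def compare_views(kernel, lsof):
    """Findings as (kind, pid, detail, path) tuples.

    hidden_process / hidden_fd: the kernel sees it, lsof does not; that is
    the rootkit signal. only_in_lsof is usually a race (the process started
    or exited between the two snapshots), so re-run before trusting it.
    """
    findings = []
    for pid, k in sorted(kernel.items()):
        if pid not in lsof:
            findings.append(("hidden_process", pid, k["comm"], None))
            continue
        for fd, path in sorted(k["fds"].items()):
            if fd not in lsof[pid]["fds"]:
                findings.append(("hidden_fd", pid, fd, path))
    for pid in sorted(set(lsof) - set(kernel)):
        findings.append(("only_in_lsof", pid, lsof[pid]["comm"], None))
    return findings


def detect(kernel_text, lsof_text):
    return compare_views(parse_kernel_dump(kernel_text), parse_lsof_f(lsof_text))


def format_report(findings):
    """Human-readable lines; the rootkit signal is flagged explicitly."""
    lines = []
    for kind, pid, detail, path in findings:
        if kind == "hidden_process":
            lines.append(f"POSSIBLE ROOTKIT: pid {pid} ({detail}) in kernel task list, not in lsof")
        elif kind == "hidden_fd":
            lines.append(f"POSSIBLE ROOTKIT: pid {pid} fd {detail} -> {path} open in kernel, not in lsof")
        else:
            lines.append(f"note: pid {pid} ({detail}) seen by lsof only (probably a race)")
    return lines


if __name__ == "__main__":
    for line in format_report(detect(KERNEL_DUMP, LSOF_OUTPUT)):
        print(line)
```

Two caveats a practitioner should keep in mind: the two snapshots must be taken as close together as possible, or short-lived processes show up as noise in both directions; and this check only catches rootkits that hide from /proc (as adore-ng does by hooking the procfs readdir). A rootkit that unlinks its task from the task list itself would be invisible to a module that walks that same list, so a stronger detector would also cross-check against the pid hash or the scheduler run queues.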
It was originally tested by successfully hiding a process with the adore-ng-0.53 rootkit written by Stealth. However, I have not tried this yet on my latest setup.
I’m not sure the detector actually still works, although I got it to build and install on a 2.6.24-19 i386 kernel running on Ubuntu 8.04 today. I had to make a couple of changes to the original code. Namely, I replaced a task_t typedef with struct task_struct, since task_t was removed from the kernel. I also had to add another layer of indirection to get at the file descriptors, since the max_fds and fd members of struct files_struct were moved to struct fdtable in <linux/file.h>.
I was also able to install it with insmod; however, I doubt it still works, as it was only built for a uniprocessor system almost 3 years ago, and getting this to build was the first bit of kernel hacking I’ve done since then. I also can’t uninstall it without rebooting anymore, although I haven’t done that yet and my kernel hasn’t crashed.
I still think that, if updated and expanded, it can be a useful tool against both kernel- and user-level Linux rootkits.
P.S. I know the output format sucks and the Python code is a mess, but the goal here was to study rootkits and Linux kernel development. If I ever revisit this I will make sure to clean up all that stuff and write a proper parser. But… this is GPL’d, so feel free to jump in. If there is any interest in it, maybe I will set up a Google Code project and revisit it.
This was the first and only kernel module I’ve ever written and I wrote and tested the whole thing in about a month or so, while reading Robert Love’s Linux Kernel Development and seriously trudging through the kernel source.
Here are some (not so perfect) documents to get you started: