
Rootkit Profiler LX

RKProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (RKPmod) and a data interpretation component called "Rootkit Profiler Console" (RKPconsole).

RKPmod is a kernel module that gets loaded on the system that should be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.

RKPconsole is a userland program that can be used to analyse the collected information.

Detection: RKProfiler LX checks the whole kernel code as well as several kernel data sections and CPU registers for possible modifications and hidden components:

- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules

Self-protection: The public version of RKPmod supports some rudimentary methods to ensure its own integrity as well as the integrity of the collected information. The data collection module gets a different name each time it is loaded into the kernel. The collected data is encrypted in the kernel, so no unencrypted data is accessible in userland. Furthermore, the data collection module checks sensitive parts of its own code in memory in order to spot possible runtime in-memory modifications. As already stated, these features are not very hard to circumvent in the public version of RKPmod. See Customized version for more info.

Separation of data collection and data interpretation: The collected data can be analysed on a different system from the one it was collected on, so the data interpretation phase cannot be manipulated by a rootkit on the examined system. The data can of course also be analysed on the same system it was collected on, but this is not advisable.
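The following is an added, hypothetical example of what an offline interpretation step like the one described above can do with the kinds of data the detection list mentions (syscall table and handler addresses, handler code, interrupt handlers, the SYSENTER entry point, module lists and task lists). It is not RKProfiler LX's own code or data format: it assumes a collector has already dumped these values into a snapshot, that a reference snapshot was taken from a known-good install of the same kernel, and that two independent views exist for modules (kernel module list vs. sysfs) and tasks (kernel task list vs. /proc). All addresses, hashes and names below are constructed.

```python
"""Offline comparison of a collected kernel snapshot against a reference.

Hypothetical example, not RKProfiler LX's own code. The snapshot layout,
the two-view module/task lists and all sample values are assumptions.
"""
from dataclasses import dataclass
import hashlib


@dataclass
class KernelSnapshot:
    syscall_table: int      # address of the syscall table
    syscalls: dict          # syscall name -> handler address
    syscall_code: dict      # syscall name -> sha256 of the handler prologue
    idt: dict               # interrupt vector -> handler address
    sysenter_eip: int       # SYSENTER entry point register value
    modules_list: frozenset # module names from the kernel module list
    modules_sysfs: frozenset# module names visible through sysfs
    tasks_kernel: frozenset # PIDs walked from the kernel task list
    tasks_proc: frozenset   # PIDs visible via /proc


def code_hash(prologue: bytes) -> str:
    """Hash the first bytes of a handler; an inline hook rewrites these."""
    return hashlib.sha256(prologue).hexdigest()


def compare(reference: KernelSnapshot, collected: KernelSnapshot) -> list:
    """Return human-readable findings; an empty list means no deviation."""
    findings = []
    if collected.syscall_table != reference.syscall_table:
        findings.append("syscall table address changed: %#x -> %#x"
                        % (reference.syscall_table, collected.syscall_table))
    for name, ref_addr in sorted(reference.syscalls.items()):
        cur_addr = collected.syscalls.get(name)
        if cur_addr != ref_addr:
            shown = hex(cur_addr) if cur_addr is not None else "missing"
            findings.append("syscall %s address changed: %#x -> %s"
                            % (name, ref_addr, shown))
        elif collected.syscall_code.get(name) != reference.syscall_code.get(name):
            # Same address, different bytes: the handler was patched in place.
            findings.append("syscall %s code modified in place" % name)
    for vector, ref_addr in sorted(reference.idt.items()):
        if collected.idt.get(vector) != ref_addr:
            findings.append("interrupt %#x handler changed" % vector)
    if collected.sysenter_eip != reference.sysenter_eip:
        findings.append("SYSENTER entry point changed")
    # Hidden components: present in one kernel view but absent from another.
    for mod in sorted(collected.modules_sysfs - collected.modules_list):
        findings.append("hidden module: %s in sysfs but not in module list" % mod)
    for pid in sorted(collected.tasks_kernel - collected.tasks_proc):
        findings.append("hidden task: pid %d in task list but not in /proc" % pid)
    return findings


def build_samples():
    """Constructed reference and collected snapshots for demonstration."""
    read_code = code_hash(b"\x55\x89\xe5\x83\xec\x10")    # constructed bytes
    getdents_code = code_hash(b"\x55\x89\xe5\x57\x56\x53")
    kill_code = code_hash(b"\x55\x89\xe5\x53\x83\xec\x08")
    patched_kill = code_hash(b"\xe9\x00\x10\xa1\xd0\x90")  # jmp overwrite
    reference = KernelSnapshot(
        syscall_table=0xc0315a20,
        syscalls={"sys_read": 0xc0168f10, "sys_getdents64": 0xc017a3c0,
                  "sys_kill": 0xc012b6a0},
        syscall_code={"sys_read": read_code, "sys_getdents64": getdents_code,
                      "sys_kill": kill_code},
        idt={0x80: 0xc01032d0, 0x0e: 0xc0103c40},
        sysenter_eip=0xc0103f80,
        modules_list=frozenset({"ext3", "jbd", "e1000"}),
        modules_sysfs=frozenset({"ext3", "jbd", "e1000"}),
        tasks_kernel=frozenset({1, 2, 120, 433}),
        tasks_proc=frozenset({1, 2, 120, 433}),
    )
    collected = KernelSnapshot(
        syscall_table=0xc0315a20,
        syscalls={"sys_read": 0xc0168f10, "sys_getdents64": 0xd0a1e000,
                  "sys_kill": 0xc012b6a0},
        syscall_code={"sys_read": read_code, "sys_getdents64": getdents_code,
                      "sys_kill": patched_kill},
        idt={0x80: 0xc01032d0, 0x0e: 0xc0103c40},
        sysenter_eip=0xc0103f80,
        modules_list=frozenset({"ext3", "jbd", "e1000"}),
        modules_sysfs=frozenset({"ext3", "jbd", "e1000", "suspicious_mod"}),
        tasks_kernel=frozenset({1, 2, 120, 433, 4242}),
        tasks_proc=frozenset({1, 2, 120, 433}),
    )
    return reference, collected


if __name__ == "__main__":
    for line in compare(*build_samples()):
        print(line)
```

Because the comparison needs nothing from the examined machine except the two snapshots, it can run on a clean analysis host; a rootkit that hooks the syscall table or filters /proc on the examined system has no influence on this step, which is the point of separating collection from interpretation.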

Supported operating systems
RKProfiler LX currently supports the following Linux Distributions:

- SUSE Linux Enterprise Server 10 (x86, 32-bit)
- SUSE Linux Enterprise Desktop 10 (x86, 32-bit)
- Ubuntu 6.10 Edgy Eft (x86, 32-bit)
- openSUSE 10.2 (x86, 32-bit)

Only the standard kernels of these distributions are supported. Self-compiled kernels are not supported by the public version of RKProfiler LX.

RKPconsole needs libxml2 and zlib to work.


If you have any problems or questions about RKProfiler LX, you can ask for help in our Forum.

©2005 Antirootkit.com