creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d547391908f2912b7ac06dd0577c8a40cb04f9fc
Anthropic-Cybersecurity-Skills/skills/analyzing-linux-kernel-rootkits/SKILL.md
T

2.2 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license
name description domain subdomain tags version author license
analyzing-linux-kernel-rootkits Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures. cybersecurity digital-forensics
rootkit
linux
kernel
volatility3
memory-forensics
malware-analysis
rkhunter
forensics
1.0 mahipal Apache-2.0

Analyzing Linux Kernel Rootkits

Overview

Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit.

Prerequisites

  • Volatility3 installed (pip install volatility3)
  • Linux memory dump (acquired via LiME, AVML, or /proc/kcore)
  • Volatility3 Linux symbol table (ISF) matching the target kernel version
  • rkhunter and chkrootkit for live system scanning
  • Reference known-good kernel image for comparison

Steps

Step 1: Acquire Memory Dump

Capture Linux physical memory using LiME kernel module or AVML for cloud instances.

Step 2: Analyze with Volatility3

Run linux.check_syscall, linux.lsmod, linux.hidden_modules, and linux.check_idt plugins to detect rootkit artifacts.

Step 3: Cross-View Analysis

Compare module lists from /proc/modules, lsmod, and /sys/module to identify modules hidden from one view but present in another.

Step 4: Live System Scanning

Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files, and modified system binaries.

Expected Output

JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings.

Reference in New Issue View Git Blame Copy Permalink