analyzing-linux-kernel-rootkits

Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "analyzing-linux-kernel-rootkits" with this command: npx skills add mukul975/anthropic-cybersecurity-skills/mukul975-anthropic-cybersecurity-skills-analyzing-linux-kernel-rootkits

Analyzing Linux Kernel Rootkits

Overview

Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit.

Prerequisites

  • Volatility3 installed (pip install volatility3)
  • Linux memory dump (acquired via LiME, AVML, or /proc/kcore)
  • Volatility3 Linux symbol table (ISF) matching the target kernel version
  • rkhunter and chkrootkit for live system scanning
  • Reference known-good kernel image for comparison

Steps

Step 1: Acquire Memory Dump

Capture Linux physical memory using LiME kernel module or AVML for cloud instances.

Step 2: Analyze with Volatility3

Run linux.check_syscall, linux.lsmod, linux.hidden_modules, and linux.check_idt plugins to detect rootkit artifacts.

Step 3: Cross-View Analysis

Compare module lists from /proc/modules, lsmod, and /sys/module to identify modules hidden from one view but present in another.

Step 4: Live System Scanning

Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files, and modified system binaries.

Expected Output

JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

analyzing-certificate-transparency-for-phishing

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-android-malware-with-apktool

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-network-traffic-with-wireshark

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-api-gateway-access-logs

No summary provided by upstream source.

Repository SourceNeeds Review
8-mukul975