Rootkit Profiler LX

Latest Version: v0.1 from 2007 — Current Status: Not further maintained.

This is the home of Rootkit Profiler LX (RKProfiler LX), an advanced kernel rootkit detection toolkit for Linux.

Overview

RKProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (RKPmod) and a data interpretation component called "Rootkit Profiler Console" (RKPconsole).

RKPmod is a kernel module that is loaded on the system to be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.

RKPconsole is a userland program that can be used to analyze the collected information.

Features

Detection: RKProfiler LX checks the entire kernel code as well as various kernel data sections and CPU registers for possible modifications and hidden components:

Self-protection: RKPmod supports some rudimentary methods to ensure its own integrity as well as the integrity of the collected information. The data collection module is given a different name each time it is loaded into the kernel. The collected data is encrypted inside the kernel, so no unencrypted data is accessible from userland. Furthermore, the data collection module checks sensitive parts of its own code in memory in order to spot possible runtime in-memory modifications.

Separation of data collection and data interpretation: The collected data can be analyzed on a different system from the one it was collected on, so the data interpretation phase cannot be manipulated by a rootkit on the inspected system. The data can of course also be analyzed on the same system it was collected on, but this is not advisable.

Supported operating systems

RKProfiler LX currently supports the following Linux Distributions:

No longer supported Linux Distributions:

Only the standard kernels of these distributions are supported. Self-compiled kernels are not supported by the public version of RKProfiler LX.

I try to keep RKProfiler LX up to date with new kernel packages. Please let me know if I missed an update.

Prerequisites

RKPconsole needs libxml2 and zlib to work.

Documentation

RKProfiler LX v0.12 Documentation

Download

RKProfiler LX is freeware but not open source.

RKProfiler LX for SUSE Enterprise Server 10
Version: v0.1
Last update: 2007/04/14
Kernel version: 2.6.16.27-0.9-default
Platform: x86, 32-bit
Download (works both on native systems as well as inside VMware guest systems)
SHA-256: D7C9B8754E012F78E14CE26FA71CDAC182F6F3E71F2CD4A974F2D28A7A4C79C7

RKProfiler LX for SUSE Enterprise Desktop 10
Version: v0.1
Last update: 2007/02/12
Kernel version: 2.6.16.21-0.8-default
Platform: x86, 32-bit
Download (works both on native systems as well as inside VMware guest systems)
SHA-256: 8E93E009D33689AC8B707F68D01EE406B6C68C5282943B0CC6C9EF9CF9C500A1

RKProfiler LX for Ubuntu 7.04
Version: v0.1
Last update: 2007/04/22
Kernel version: 2.6.20-15-generic
Platform: x86, 32-bit
Download (native system version, see description below)
SHA-256: 917ACA2BFD630C2DE01578010BA14ABFEF6BE542667C00BF9C3C4F562774534E
Download (VMware guest version, see description below)
SHA-256: 6C29137C0DD9A3DD71E70F04E8D3A5D1B844B5690E0F672E9376A2EDA2BA51A4

Important Note: Because of a bug in VMware it is not possible to check for hidden kernel modules on some Linux distributions (e.g., Ubuntu). Therefore two different versions of RKProfiler LX must be maintained for these distributions: the package for native systems supports the check for hidden kernel modules, while the package for VMware guest systems does not. Do *NOT* load an RKPmod meant for a native system in a VMware guest system. If you do so anyway, the system will crash immediately when RKPmod tries to enumerate the loaded kernel modules!

RKProfiler LX for openSUSE 10.2
Version: v0.1
Last update: 2007/04/14
Kernel version: 2.6.18.8-0.1-default
Platform: x86, 32-bit
Download (works both on native systems as well as inside VMware guest systems)
SHA-256: A7D272E0564781E036C6284C680A1843D200D8AA64E683DC1711CE47AC43CE1B

Important Note: This version does not support the module memory scan feature. That means no hidden kernel modules will be identified on openSUSE, neither on a native system nor in a VMware guest system.
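A small helper, added here as an example and not part of RKProfiler LX, that selects the published SHA-256 for the running kernel (the `uname -r` string) and environment (native or VMware guest) from the currently supported entries above and checks a downloaded package against it. An unsupported kernel release is refused, matching the rule that only the standard distribution kernels are supported; the hash table mirrors the values listed above, and the function names are my own.

```python
import hashlib
import hmac
from typing import Optional

# Published SHA-256 values from the download list above, keyed by the
# kernel release ("uname -r") that each RKPmod build targets. Only the
# Ubuntu build is split into a native and a VMware-guest package; the
# SUSE builds are shared by both environments.
PACKAGES = {
    "2.6.16.27-0.9-default": {  # SUSE Linux Enterprise Server 10
        "native": "D7C9B8754E012F78E14CE26FA71CDAC182F6F3E71F2CD4A974F2D28A7A4C79C7",
        "vmware": "D7C9B8754E012F78E14CE26FA71CDAC182F6F3E71F2CD4A974F2D28A7A4C79C7",
    },
    "2.6.16.21-0.8-default": {  # SUSE Linux Enterprise Desktop 10
        "native": "8E93E009D33689AC8B707F68D01EE406B6C68C5282943B0CC6C9EF9CF9C500A1",
        "vmware": "8E93E009D33689AC8B707F68D01EE406B6C68C5282943B0CC6C9EF9CF9C500A1",
    },
    "2.6.20-15-generic": {  # Ubuntu 7.04: native and VMware guest differ
        "native": "917ACA2BFD630C2DE01578010BA14ABFEF6BE542667C00BF9C3C4F562774534E",
        "vmware": "6C29137C0DD9A3DD71E70F04E8D3A5D1B844B5690E0F672E9376A2EDA2BA51A4",
    },
    "2.6.18.8-0.1-default": {  # openSUSE 10.2
        "native": "A7D272E0564781E036C6284C680A1843D200D8AA64E683DC1711CE47AC43CE1B",
        "vmware": "A7D272E0564781E036C6284C680A1843D200D8AA64E683DC1711CE47AC43CE1B",
    },
}


def expected_sha256(kernel_release: str, vmware_guest: bool) -> Optional[str]:
    """Published hash for this kernel and environment, or None when the
    kernel is not one of the supported standard distribution kernels."""
    builds = PACKAGES.get(kernel_release)
    if builds is None:
        return None
    return builds["vmware" if vmware_guest else "native"]


def sha256_hex(data: bytes) -> str:
    """Upper-case hex digest, matching the notation used on this page."""
    return hashlib.sha256(data).hexdigest().upper()


def verify_package(data: bytes, kernel_release: str, vmware_guest: bool) -> bool:
    """True only if the package bytes match the hash published for exactly
    this kernel/environment, so a native build is never accepted for a guest."""
    expected = expected_sha256(kernel_release, vmware_guest)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)
```

On a real system, pass the downloaded file's bytes together with `os.uname().release` and a flag saying whether the machine is a VMware guest.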

Last versions of no longer supported Linux Distributions

RKProfiler LX for Ubuntu 6.10 Edgy Eft
Version: v0.1
Last update: 2007/04/14
Kernel version: 2.6.17-11-generic
Platform: x86, 32-bit
Download (native system version, see description below)
SHA-256: 3F6A7C1F6AFD49559751F0EC81BF6BBFF87308A2EF78CD242EEAEBD39C4A2CA9
Download (VMware guest version, see description below)
SHA-256: 05B265D1025459B65D0DDEAEE5EEBA2ABAA950011D1A06B371AC2F25AC1B49B3

Important Note: The same VMware restriction as for Ubuntu 7.04 applies here: the package for native systems supports the check for hidden kernel modules, while the package for VMware guest systems does not. Do *NOT* load an RKPmod meant for a native system in a VMware guest system. If you do so anyway, the system will crash immediately when RKPmod tries to enumerate the loaded kernel modules!