Created November 20, 2024 23:47
Quick and dirty detection script for recent versions of the KoviD LKM rootkit
""" | |
PCRtest.py - bah / November 2024 | |
A quick / dirty test for recent versions of the Kovid LKM rootkit. | |
If you write to /proc/sys/kernel/tainted, kovid unset a few bits. | |
You can use resetting behaviour to detect it. | |
Run this script as root. | |
""" | |
import time | |
with open('/proc/sys/kernel/tainted', 'r') as f: | |
first = f.read() | |
with open('/proc/sys/kernel/tainted', 'wb') as f: | |
f.write(b'64') | |
time.sleep(6) | |
with open('/proc/sys/kernel/tainted', 'r') as f: | |
second = f.read() | |
if first == second: | |
print('you have kovid') | |
else: | |
print('clean') |
I saw some people talking about zeroing out tainted_mask at intervals, i.e. KoviD doing it every 5 seconds in carloslack/KoviD@1bc30ba. The problem with this is that you can just write to /proc/sys/kernel/tainted from userland, and see if the bit you set got unset after the interval. In fact, you can just set TAINT_USER at boot, and if it ever gets unset you know the box got kited.

The correct design is just to unset the flags you accidentally set while the LKM was loaded (should just be the bit for loading an unsigned module; out of tree can be avoided by MODULE_INFO(intree, "true");) and don't do anything dumb like cause a page fault.

https://matheuzsecurity.github.io/hacking/a-simple-way-to-detect-and-remove-kovid-lkm-rootkit/ is also another nice way to detect it, by disabling ftrace temporarily.