关键词: Rootkit检测, Kprobe, 内核, 审计工具, 交叉视图比对

Abstract: This paper analyzes the principles of the existing Rootkit detection technology on Linux system, and further proposes a detection technology using Kprobe. The detection method collects the information of objects hidden by Rootkit by inserting probe points into the critical path in low-level kernel, and then compares the underlying information and the results from audit tools with cross-view validation principle to get the hided objects. The experiments are conducted to verify this detection method on several popular Rootkits. The results show that this technique has a good reliability.

Key words: Rootkit detection, Kprobe, kernel, audit tool, cross-view vaildation