Computer Engineering and Applications ›› 2016, Vol. 52 ›› Issue (7): 127-131.


Rootkit detection based on Kprobe

YANG Zhangxiang1, DAI Zuhua1, WANG Bo2   

1. College of Computer Science and Engineering, Northwest Normal University, Lanzhou 730070, China
2. College of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an 710049, China
Online: 2016-04-01   Published: 2016-04-19

Rootkit detection mechanism based on Kprobe

YANG Zhangxiang1, DAI Zuhua1, WANG Bo2

1. College of Computer Science and Engineering, Northwest Normal University, Lanzhou 730070
2. College of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an 710049

Abstract: This paper analyzes the principles of existing Rootkit detection techniques on Linux systems and proposes a detection technique based on Kprobe. The method inserts probe points on critical paths in the low-level kernel to collect information about the objects a Rootkit hides, then compares this low-level information with the results reported by audit tools, following the cross-view validation principle, to identify the hidden objects. Experiments with several popular Rootkits were conducted to verify the method. The results show that the technique is reliable.

Key words: Rootkit detection, Kprobe, kernel, audit tool, cross-view validation

Abstract: This paper analyzes the principles of existing Rootkit detection techniques on Linux systems and proposes a Kprobe-based Rootkit detection technique. Probe points are inserted on critical paths so that information about the objects a Rootkit seeks to hide is collected at the bottom layer of the kernel; the information collected at that layer is then compared, in a cross-view manner, with the results obtained from the system's audit tools to obtain the hidden objects. In the experimental phase, several currently popular Rootkits were installed and the Kprobe-based detection method was applied; the experimental results show that the mechanism has good reliability.

Key words: Rootkit detection, Kprobe, kernel, audit tool, cross-view comparison
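The cross-view validation step both abstracts describe, as an added example that is not code from the paper: the "kernel view" is parsed from constructed ftrace-style output of a kprobe event (assumed to be registered on a context-switch path, so every scheduled task appears; the event name `p_sched` and the sample lines are assumptions), the "audit view" is parsed from constructed `ps -e` output, and any task seen at the probe but missing from the audit tool is reported as hidden.

```python
import re
from typing import Dict, Set

# Constructed sample of ftrace output for a kprobe event. The event name
# "p_sched", the probed symbol and all task names/PIDs are assumptions
# made for this example; "rk_shell" stands in for a process a rootkit hides.
KPROBE_TRACE = """\
# tracer: nop
#
#           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION
            bash-1203  [000] d...  4102.771012: p_sched: (finish_task_switch+0x0/0x1c0)
         kworker-88    [001] d...  4102.771300: p_sched: (finish_task_switch+0x0/0x1c0)
        rk_shell-4711  [000] d...  4102.772004: p_sched: (finish_task_switch+0x0/0x1c0)
            sshd-902   [001] d...  4102.772555: p_sched: (finish_task_switch+0x0/0x1c0)
"""

# Constructed sample of the audit tool's (user-space) view, `ps -e` style.
PS_OUTPUT = """\
  PID TTY          TIME CMD
  902 ?        00:00:01 sshd
 1203 pts/0    00:00:00 bash
   88 ?        00:00:00 kworker
"""

# ftrace lines start with "<comm>-<pid> [<cpu>]"; the greedy \S+ lets comm
# itself contain hyphens, since the last "-<digits>" before "[" is the PID.
TRACE_LINE = re.compile(r"^\s*(?P<comm>\S+)-(?P<pid>\d+)\s+\[\d+\]")
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>\S+)")

def kernel_view(trace: str) -> Dict[int, str]:
    """Map pid -> comm for every task that hit the probe point."""
    tasks: Dict[int, str] = {}
    for line in trace.splitlines():
        if line.startswith("#"):          # ftrace header/comment lines
            continue
        m = TRACE_LINE.match(line)
        if m:
            tasks[int(m["pid"])] = m["comm"]
    return tasks

def audit_view(ps_out: str) -> Set[int]:
    """PIDs the audit tool reports; the header line does not match."""
    return {int(m["pid"]) for line in ps_out.splitlines() if (m := PS_LINE.match(line))}

def hidden_processes(trace: str, ps_out: str) -> Dict[int, str]:
    """Cross-view validation: seen at the kernel probe, absent from the audit tool."""
    visible = audit_view(ps_out)
    return {pid: comm for pid, comm in kernel_view(trace).items() if pid not in visible}

if __name__ == "__main__":
    for pid, comm in hidden_processes(KPROBE_TRACE, PS_OUTPUT).items():
        print(f"hidden process: pid={pid} comm={comm}")
```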