Rootkit Detection Mechanisms for Linux Systems

Yan Lu, Da-Long Zhang, Chuan-Ping Hu, Kai-Lin Zhu, Yan Zhuang, Li-Nong Shi

2023 9th International Conference on Computer and Communications (ICCC) (2023)

Abstract
To improve the detection of Rootkits on Linux systems, this study conducted an in-depth analysis of existing Rootkit principles and proposed a precise Rootkit detection mechanism based on Kprobe technology. The mechanism instruments relevant function execution points within the Linux kernel to obtain a reliable and accurate kernel-level view. It also uses audit tools to obtain a user-level view, so that hidden Rootkits can be detected through cross-view comparison. In the experimental phase, mainstream Rootkits were used to test the effectiveness of the mechanism. The experimental results demonstrated outstanding detection capabilities of the proposed mechanism.
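
The cross-view comparison described in the abstract, as an added example that is not code from the paper. It assumes the compared objects are processes and that both views are available as "PID NAME" text; the function names, the sample snapshots and the persistence filter are constructed for illustration.

```python
# Added example: cross-view comparison of process lists (constructed data).
# Assumption: both views are "PID NAME" text, one process per line; the kernel
# view would come from a Kprobe-based collector, the user view from a tool like ps.

def parse_view(text):
    """Parse 'PID NAME' lines into {pid: name}; header and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs[int(parts[0])] = parts[1].strip()
    return procs

def hidden_in_user_view(kernel_text, user_text):
    """Processes the kernel view reports but the user view does not."""
    kernel, user = parse_view(kernel_text), parse_view(user_text)
    return {pid: name for pid, name in kernel.items() if pid not in user}

def persistent_hidden(snapshots):
    """Keep only PIDs hidden, under the same name, in every (kernel, user) pair.

    The two views are never collected at the same instant, so a process that
    starts or exits between collections looks hidden once; requiring
    persistence across snapshots filters out that race.
    """
    rounds = [hidden_in_user_view(k, u) for k, u in snapshots]
    if not rounds:
        return {}
    common = set(rounds[0].items())
    for found in rounds[1:]:
        common &= set(found.items())
    return dict(common)

# Constructed snapshots: PID 1337 is absent from the user view both times;
# PID 2001 is a short-lived process seen by only one kernel snapshot.
SNAPSHOTS = [
    ("1 systemd\n412 sshd\n977 bash\n1337 kworkerd\n2001 sleep\n",
     "  PID COMMAND\n    1 systemd\n  412 sshd\n  977 bash\n"),
    ("1 systemd\n412 sshd\n977 bash\n1337 kworkerd\n",
     "  PID COMMAND\n    1 systemd\n  412 sshd\n  977 bash\n"),
]

if __name__ == "__main__":
    for pid, name in sorted(persistent_hidden(SNAPSHOTS).items()):
        print(f"hidden from user view: pid={pid} name={name}")
```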