remove LKM rootkits on the fly

 I 've write a program that can force LKM rootkits to uninstall.I had tested it on 2.4.20 with adore 0.42&stealthadore and it works just fine.It can be ported very easily on other kernel versions.

It is avaible at http://ss.pub.ro/~mirc/vmallocu.c

compile it with something like this:
gcc -c -I/usr/src/linux-2.4.20/include vmallocu.c insmod vmallocu.o

and the use dmesg(or watch in /var/log/messages) to view the results.

If you have kernel 2.4.x (x!=20) then you'll have to folllow the next steps to port the program on 2.4.x :

gdb -q vmlinux-2.4.x
print &__vmalloc
note with y this address
print &vmlist
note with t1 this address
print &vmlist_lock
note with t2 this address

offset1=t1-y;
offset2=t2-y;

Then insert something like these lines in vmallocu.c :

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

offset[2][0]=offsetul1;
offset[2][1]=offsetul2;

if (strcmp("2.4.x",UTS_RELEASE)==0) kernel_version=2;

Now should works on 2.4.x.

This program should manage to remove on the fly most of the LKM rootkits avaible at the moment. Received on Fri May 2 14:23:24 2003