
@hafizfarhad (Contributor):

Addresses #998
Hi @mike-hunhoff

I am working on linux rootkit detection rules.

I started with Netfilter hooks detection since it doesn’t require offsets. I’m also trying to learn more about rootkits, so I thought this would be a straightforward approach.

However, I have a few questions:

  1. I initially tried using API-based feature detection instead of string/substring matching, but the rule didn’t trigger (tested against this rootkit code that uses Netfilter hooks). I switched to substring detection as a workaround. Can we proceed with this approach, or might it introduce false positives?
  2. Also, is it acceptable to temporarily add these rules to the nursery directory until we develop 7–8 robust rules? If not, should they go under anti-analysis/linux/rootkits/, or do you recommend another location?
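
An added illustration of the two matching approaches the question contrasts (not a rule from this PR or from the capa-rules project): a capa rule in the v7 `scopes` format that prefers `api` features for the real kernel symbols `nf_register_net_hook` / `nf_register_hook` and keeps the `substring` form only as a fallback. The rule name, namespace and author are placeholders.

```yaml
# Added example, not from the PR or the capa-rules project. Assumes the capa v7
# rule format ("scopes") and the Linux kernel symbols nf_register_net_hook and
# the older nf_register_hook. Name, namespace and author are placeholders.
rule:
  meta:
    name: register netfilter hook
    namespace: anti-analysis/linux/rootkit
    authors:
      - placeholder@example.com
    scopes:
      static: function
      dynamic: unsupported
    # "examples" is left out deliberately: a rule without an example file
    # belongs in the nursery until a sample is contributed to capa-testfiles.
  features:
    - or:
      # Preferred: api features only match when capa resolves the call target,
      # so a hit means the module actually calls the registration routine.
      - api: nf_register_net_hook
      - api: nf_register_hook
      # Fallback: substring matches any string feature containing the symbol
      # name, so it also fires on benign modules (firewalls, NAT helpers) that
      # register hooks and on files that merely mention the name. Keep it only
      # while the missing api features are being investigated.
      - substring: nf_register_net_hook
```

Running `capa -vv` on the sample shows which of the two branches matched, which is the quickest way to tell whether the `api` extraction or only the `substring` fallback is working.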

hafizfarhad changed the title from "Add rule: linux-rootkit-netfilter-hooks" to "Add linux kernel rootkit rules" on Apr 13, 2025
@mike-hunhoff (Collaborator):


Hi @hafizfarhad,

  1. Do you know why the API detection is not working? e.g. do the api features show when running https://github.com/mandiant/capa/blob/master/scripts/show-features.py against the target sample? This could be a bug in capa if we expect the corresponding api features to be present...so it's worth investigating further.
  2. We only add rules to the nursery directory when we don't have an example file for the rule. In this case, do you have an example file? If yes, you should open a PR to https://github.com/mandiant/capa-testfiles with your example file and add your rules to the capa directory that matches the namespace for each rule. If no, you can add the rules to the nursery directory until we find a good example file.
