Drootkit: Kernel-Level Rootkit Detection and Recovery Based on eBPF

Abstract

The concealment of rootkits makes them a significant security threat. Kernel-level rootkits can be extremely dangerous as they have high system privileges. A typical type of kernel-level rootkits is to hook system calls which are essential for overall system functionality. This paper presents drootkit, a tool to detect kernel-level rootkits that hook system calls. Additionally, drootkit can recover damaged systems. This tool utilizes eBPF technology, ensuring both flexibility and security. When installing new kernel modules, the virtual address range of the initial kernel code will not be affected. In light of this, drootkit conducts bounds checking on all system calls within the system. In the case of system calls being hooked, drootkit can detect and recover them while issuing warning messages. For testing purposes, this paper also implements a malicious kernel module that can hook system calls and run on the arm64 platform. We have conducted an experiment that confirms drootkit’s capability to detect rootkits while also effectively restoring the system. Moreover, drootkit has very low system overhead and does not significantly affect system performance, making it a reliable choice for a backend program that can run for an extended period of time.