# klint

A Linux kernel integrity scanner that detects rootkits and kernel-level compromises. It works by cross-referencing multiple sources of system information (procfs, sysfs, netlink, MSRs, IDT, kernel symbols) and flagging inconsistencies that indicate tampering.
## Features

- Hidden kernel module detection — compares `/proc/modules`, `/proc/kallsyms`, and `/sys/module` to find modules concealed from one or more views.
- Hidden process detection — probes PID space with `kill(0)` and cross-checks against `/proc` readdir and cgroup trees to identify processes hidden from directory listings.
- Hidden network socket detection — cross-references `/proc/net`, `ss` (netlink), and `/proc/*/fd` to find sockets missing from any single view.
- Syscall table integrity — reads the syscall table from `/proc/kcore` and verifies that every entry points into kernel text, catching inline hooks and table overwrites.
- Kernel entrypoint integrity (x86_64) — reads MSRs (`IA32_LSTAR`, `IA32_CSTAR`, `IA32_SYSENTER_EIP`) and IDT vectors, then validates that entrypoints have not been redirected to module code or trampolines.
- Ftrace redirection detection — scans ftrace filter lists for hooks on security-critical kernel functions (35 built-in patterns covering syscall dispatch, VFS, credential, and networking paths).
- Unknown kprobe detection — inspects registered kprobe and kretprobe events for probes targeting sensitive kernel symbols.
- BPF rootkit detection — inventories loaded BPF programs, maps, and links via `bpftool`, flagging ownerless or high-risk programs attached to sensitive hooks.
Each scanner runs in an isolated child process with a configurable timeout (default 30 seconds), communicating results back via JSON over a pipe. A dual-snapshot reconciliation strategy distinguishes transient anomalies from persistent ones.
## How it works
klint relies on the principle that rootkits must hide from at least one view of the system to be effective, but rarely hide from all views simultaneously. By comparing information from independent kernel interfaces — procfs, sysfs, netlink sockets, MSRs, the IDT, /proc/kcore, and direct syscalls — klint identifies discrepancies that reveal tampering.
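As an added illustration of that principle (example code written for this page, not klint's own source), the following reconciles constructed copies of the three module views and reports any module absent from some but not all of them. The parsers, the `SYS_MODULE` layout and the sample contents are assumptions made for the example.

```python
import re
from typing import Dict, List, Set
# Constructed sample views, not captured from a real host. "evil_mod" has
# unlinked itself from /proc/modules, but its symbols and sysfs directory remain.
PROC_MODULES = """\
ext4 1081344 2 - Live 0xffffffffc0a00000
mbcache 16384 1 ext4, Live 0xffffffffc09f0000
e1000e 299008 0 - Live 0xffffffffc0900000
"""
PROC_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffffc0a01000 t ext4_file_open\t[ext4]
ffffffffc09f0100 T mb_cache_entry_get\t[mbcache]
ffffffffc0900200 t e1000_probe\t[e1000e]
ffffffffc0b00000 t hooked_getdents64\t[evil_mod]
"""
# /sys/module/<name>/ contents. Built-in code such as printk gets a sysfs entry
# for its parameters but no initstate file, so it is not a loaded module.
SYS_MODULE = {
    "ext4": {"initstate", "refcnt", "sections"},
    "mbcache": {"initstate", "refcnt"},
    "e1000e": {"initstate", "refcnt", "parameters"},
    "evil_mod": {"initstate", "refcnt"},
    "printk": {"parameters"},
}
_KALLSYMS_MOD = re.compile(r"\t\[(\w+)\]\s*$")

def modules_from_proc_modules(text: str) -> Set[str]:
    """The module name is the first field of each /proc/modules line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def modules_from_kallsyms(text: str) -> Set[str]:
    """Module names from the trailing [name] tag; core kernel symbols have none."""
    return {m.group(1) for m in map(_KALLSYMS_MOD.search, text.splitlines()) if m}

def modules_from_sysfs(dirs: Dict[str, Set[str]]) -> Set[str]:
    """Only sysfs entries with an initstate file correspond to loaded modules."""
    return {name for name, files in dirs.items() if "initstate" in files}

def reconcile(views: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each module missing from at least one view to the views lacking it.
    A module present in every view is consistent and is not reported."""
    return {mod: gaps for mod in set().union(*views.values())
            if (gaps := sorted(v for v, seen in views.items() if mod not in seen))}

def scan_modules() -> Dict[str, List[str]]:
    """Parse the three sample views and reconcile them."""
    return reconcile({"/proc/modules": modules_from_proc_modules(PROC_MODULES),
                      "/proc/kallsyms": modules_from_kallsyms(PROC_KALLSYMS),
                      "/sys/module": modules_from_sysfs(SYS_MODULE)})
```

On a live host the same three parsers would be fed the real files, and `scan_modules()` reports only the modules whose views disagree.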
Each scanner runs in a separate child process group. If a scanner hangs (as can happen when interacting with a compromised kernel), it is killed after the timeout expires. Results are serialized as JSON over a pipe back to the parent, which assembles the final report.
Symbol resolution uses /proc/kallsyms with automatic KASLR slide detection via anchor symbols, falling back to System.map when needed.