
Ksentinel

Linux kernel integrity monitor for detecting syscall hooking


README

ksentinel - Kernel Syscalls Integrity Monitor

<img src="https://i.imgur.com/iUDmCVJ.png" alt="Singularity Rootkit" width="600"/>

Overview

ksentinel monitors critical kernel functions and the syscall table for unauthorized modifications. It watches the syscalls that rootkits most commonly target and detects the three usual hooking techniques: ftrace hooks, kprobes, and syscall table hijacking.

Features

  • Function prologue integrity checking (FNV-1a hash-based)
  • System call table monitoring (512 entries)
  • LSTAR MSR verification (x86_64 syscall entry point)
  • Anti-unload protection with unlock key mechanism
  • Continuous monitoring with configurable intervals

NOTE: ksentinel is in its initial version; more improvements will come in future commits.

Monitored Functions

VFS Layer:

  • filldir, filldir64, do_getdents64, vfs_read, vfs_write, vfs_open

Network Stack:

  • tcp4_seq_show, tcp6_seq_show, udp4_seq_show, udp6_seq_show

Credentials:

  • commit_creds, prepare_kernel_cred

Module System:

  • load_module, free_module

Tracing Infrastructure:

  • register_kprobe, register_ftrace_function, ftrace_set_filter

Plus 500+ additional syscall wrappers via prefix matching.

Building

make

During compilation, a random 32-character unlock key is generated and printed once. Write it down immediately: the key is embedded in the compiled module and is not stored anywhere else, and a rebuild generates a different key.

Keep it secure. With anti-unload protection enabled (the default), the module cannot be removed without it.

Installation

sudo make install

The module loads hidden from lsmod, with anti-unload protection enabled by default. Because it unlinks itself from the module list, it will not show up in lsmod or /proc/modules either; other integrity tooling that looks for hidden modules may flag it, so record the load in your own inventory.

Usage

Manual Loading

sudo insmod ksentinel.ko

Using Manager Script

sudo ./ksentinel-manager.sh load      # load module
sudo ./ksentinel-manager.sh status    # check status
sudo ./ksentinel-manager.sh watch     # monitor live
sudo ./ksentinel-manager.sh violations # view alerts

Monitoring Logs

dmesg -wT | grep ksentinel

Unlocking Module

When anti-unload is enabled, the module must be unlocked before removal:

sudo sh -c 'echo "your_32char_key" > /proc/.ksctl'   # the write must be done as root

Or use the manager:

sudo ./ksentinel-manager.sh unlock

Removing Module

sudo rmmod ksentinel

Module Parameters

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| period_ms | uint | 2000 | Integrity check interval in milliseconds |
| sym_prefixes | string | "sys_,x64_sys,do_sys,ksys_" | Comma-separated symbol prefixes to monitor |
| extra_syms | string | "" | Additional specific symbols to watch |
| anti_unload | bool | true | Enable anti-unload protection |

Example with custom parameters:

sudo insmod ksentinel.ko period_ms=5000 anti_unload=false

Performance Considerations

ksentinel performs periodic integrity checks based on the period_ms parameter.

Lower intervals provide faster detection but increase CPU usage. Default interval (2000ms) has minimal impact on modern systems.

Detection Examples

Inline Hook Detected

ksentinel: [CHANGE - HOOK PATTERN] sys_getdents64 @ 0xffffffff81234567
  baseline=1234567890abcdef  current=fedcba0987654321
  bytes: e9 ab cd ef 12 90 90 90 ...
  flags: JMP/CALL_DETECTED ENDBR64_PREFIX

Syscall Table Hook

ksentinel: [SCT HOOK] syscall[78] expected=0xffffffff81111111 got=0xffffffffa0222222 (fake_getdents+0x0)

LSTAR Tampering

ksentinel: [LSTAR TAMPERED] baseline=0xffffffff81800000 now=0xffffffffa0300000 (evil_syscall_entry+0x0)
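The three alert formats above come from two kinds of comparison: a hash of each watched function's first bytes against the hash recorded at load (the "HOOK PATTERN" line, with a byte-level classification of what now sits at the entry point), and a pointer-for-pointer comparison of the syscall table against a baseline copy (the "SCT HOOK" line). The following user-space C program is an added example, not ksentinel's own code: it implements both checks over constructed prologues and a constructed four-entry table slice, so the logic can be run and read without loading a kernel module. Every byte sequence, address and sample name below is made up for the demonstration; the 64-bit FNV-1a constants are the standard ones. The LSTAR check is not modelled, since reading that MSR needs ring 0.

```c
/* Added example (not ksentinel's code): user-space model of the prologue-hash,
 * hook-pattern and syscall-table checks. All samples below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PROLOGUE_LEN 16

/* 64-bit FNV-1a over the first n bytes of a function body. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Flags reported next to a hash mismatch, in the spirit of the README's alert line. */
enum {
    FLAG_ENDBR64_PREFIX = 1u << 0, /* f3 0f 1e fa precedes the patched bytes     */
    FLAG_JMP_CALL       = 1u << 1, /* e9/e8 rel32, or ff 25 jmp [rip+disp32]     */
    FLAG_ABS_JMP        = 1u << 2, /* 48 b8 imm64 ; ff e0 (movabs rax ; jmp rax) */
};

/* Classify the instruction at the entry point, after an optional endbr64. */
unsigned classify_prologue(const uint8_t *p, size_t n)
{
    unsigned flags = 0;
    size_t off = 0;

    if (n >= 4 && p[0] == 0xf3 && p[1] == 0x0f && p[2] == 0x1e && p[3] == 0xfa) {
        flags |= FLAG_ENDBR64_PREFIX;
        off = 4;
    }
    if (off + 5 <= n && (p[off] == 0xe9 || p[off] == 0xe8))
        flags |= FLAG_JMP_CALL;
    if (off + 6 <= n && p[off] == 0xff && p[off + 1] == 0x25)
        flags |= FLAG_JMP_CALL;
    if (off + 12 <= n && p[off] == 0x48 && p[off + 1] == 0xb8 &&
        p[off + 10] == 0xff && p[off + 11] == 0xe0)
        flags |= FLAG_ABS_JMP;
    return flags;
}

enum verdict { CLEAN = 0, CHANGED = 1, CHANGED_HOOK_PATTERN = 2 };

/* Rehash the current prologue and compare it with the baseline taken at load. */
enum verdict check_function(uint64_t baseline, const uint8_t *cur, size_t n,
                            unsigned *flags_out)
{
    unsigned flags = classify_prologue(cur, n);
    if (flags_out)
        *flags_out = flags;
    if (fnv1a64(cur, n) == baseline)
        return CLEAN;
    return (flags & (FLAG_JMP_CALL | FLAG_ABS_JMP)) ? CHANGED_HOOK_PATTERN : CHANGED;
}

/* Syscall table check: index of the first entry that differs from the baseline
 * copy, or -1 when all n entries are intact. */
long check_sct(const void *const *baseline, const void *const *current, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (baseline[i] != current[i])
            return (long)i;
    return -1;
}

/* Constructed x86_64 prologue: endbr64 ; 5-byte nop (fentry site) ; push rbp ;
 * mov rbp,rsp ; push r15 ; nop. */
const uint8_t SAMPLE_CLEAN[PROLOGUE_LEN] = { 0xf3, 0x0f, 0x1e, 0xfa, 0x0f, 0x1f, 0x44,
    0x00, 0x00, 0x55, 0x48, 0x89, 0xe5, 0x41, 0x57, 0x90 };
/* ftrace-style hook: the fentry nop has been rewritten to call rel32 (e8 ...). */
const uint8_t SAMPLE_FTRACE[PROLOGUE_LEN] = { 0xf3, 0x0f, 0x1e, 0xfa, 0xe8, 0x12, 0x34,
    0x56, 0x78, 0x55, 0x48, 0x89, 0xe5, 0x41, 0x57, 0x90 };
/* Inline trampoline: jmp rel32 (e9 ...) followed by nop padding. */
const uint8_t SAMPLE_INLINE[PROLOGUE_LEN] = { 0xf3, 0x0f, 0x1e, 0xfa, 0xe9, 0xab, 0xcd,
    0xef, 0x12, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
/* One byte of "push r15" changed: hash differs, but no recognisable hook pattern. */
const uint8_t SAMPLE_PATCHED[PROLOGUE_LEN] = { 0xf3, 0x0f, 0x1e, 0xfa, 0x0f, 0x1f, 0x44,
    0x00, 0x00, 0x55, 0x48, 0x89, 0xe5, 0x41, 0x56, 0x90 };

/* Constructed syscall table slice; entry 1 has been redirected into module space. */
const void *const SCT_BASELINE[4] = { (const void *)0xffffffff81100000ULL,
    (const void *)0xffffffff81111111ULL, (const void *)0xffffffff81122222ULL,
    (const void *)0xffffffff81133333ULL };
const void *const SCT_CURRENT[4] = { (const void *)0xffffffff81100000ULL,
    (const void *)0xffffffffa0222222ULL, (const void *)0xffffffff81122222ULL,
    (const void *)0xffffffff81133333ULL };

/* The baseline hash "recorded at module load" from the clean sample. */
uint64_t record_baseline(void) { return fnv1a64(SAMPLE_CLEAN, PROLOGUE_LEN); }

int main(void)
{
    const struct { const char *name; const uint8_t *bytes; } cases[] = {
        { "clean", SAMPLE_CLEAN }, { "ftrace", SAMPLE_FTRACE },
        { "inline", SAMPLE_INLINE }, { "patched", SAMPLE_PATCHED } };
    uint64_t base = record_baseline();

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned flags;
        enum verdict v = check_function(base, cases[i].bytes, PROLOGUE_LEN, &flags);
        printf("%-8s verdict=%d flags=%#x baseline=%016llx current=%016llx\n",
               cases[i].name, (int)v, flags, (unsigned long long)base,
               (unsigned long long)fnv1a64(cases[i].bytes, PROLOGUE_LEN));
    }
    printf("sct: first mismatch at index %ld\n", check_sct(SCT_BASELINE, SCT_CURRENT, 4));
    return 0;
}
```

Build with `cc -std=c11 -Wall -o prologue_check prologue_check.c`. Two points the model makes visible: a hash mismatch is the trigger and the byte classification only explains it, so a change with no recognised pattern (the "patched" case) still needs a human look; and the "ftrace" case is exactly what legitimate function tracing, live patching or a BPF trampoline also does to the fentry site, so a CALL at that position on a kernel where tracing is active is not by itself evidence of a rootkit. That is one reason the baseline has to be taken on a known-clean system, as the Limitations section says.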

Known Rootkit Detection

ksentinel can detect modifications made by:

  • PUMAKIT - ftrace-based hooking (18 syscalls)
  • Diamorphine - syscall table patching
  • KoviD - kprobes-based hiding

Detection depends on loading ksentinel before the rootkit.

Requirements

Kernel Configuration:

  • CONFIG_KALLSYMS=y
  • CONFIG_KPROBES=y
  • CONFIG_MODULES=y

Supported Kernels:

  • Linux 5.4 through 6.12+
  • x86_64 architecture (LSTAR checking)
  • ARM64 support (without LSTAR checks)

Limitations

  1. Detection Only - Does not prevent or remove rootkits
  2. Baseline Assumption - Assumes kernel is clean at module load time
  3. Load Order - A rootkit that is already resident when ksentinel loads is hashed into the baseline and cannot be detected
  4. Evasion - Sophisticated rootkits can target monitoring code itself

Security Considerations

  • Load ksentinel as early as possible during boot
  • Store unlock key securely offline

Troubleshooting

Module Won't Load

Check kernel configuration:

grep -E "CONFIG_(KALLSYMS|KPROBES|MODULES)=" /boot/config-$(uname -r)   # all three must be =y

Module Won't Unload

The module is hidden with anti-unload protection. Unlock first:

sudo ./ksentinel-manager.sh unlock

Development

make clean          # clean build artifacts
make                # compile module
make install        # load module
make uninstall      # unload module

Contributing

Contributions welcome. Maintain code style and add tests for new features.

License

GPL-2.0-only

This program is free software licensed under GPL version 2.0. Any modifications must preserve attribution to the original author and be distributed under the same license.

See LICENSE file for full terms.

Author

MatheuZSecurity

Rootkit Researchers community: https://discord.gg/66N5ZQppU7

Disclaimer

This tool is for security research and system administration. Use responsibly. The author is not responsible for misuse or damage caused by this software.
