Linux-Rootkit-Kernel-Modules-1

Let me give you a comprehensive guide on kernel module development, just like the exploitation writeup!

---

Part 1: Understanding Kernel Modules

1.1 What Are Kernel Modules?

Think of the Linux kernel as a smartphone operating system, and kernel modules as apps you can install.

┌─────────────────────────────────────────────┐
│         Userspace Applications              │
│  (bash, firefox, your programs)             │
└─────────────────────────────────────────────┘
                  ↕ System Calls
┌─────────────────────────────────────────────┐
│           Linux Kernel Core                 │
│  • Process Management                       │
│  • Memory Management                        │
│  • File Systems                             │
└─────────────────────────────────────────────┘
                  ↕
┌─────────────────────────────────────────────┐
│        Kernel Modules (Loadable)            │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐ │
│  │ USB      │  │ Graphics │  │  Your    │ │
│  │ Driver   │  │ Driver   │  │ Module   │ │
│  └──────────┘  └──────────┘  └──────────┘ │
└─────────────────────────────────────────────┘
                  ↕
┌─────────────────────────────────────────────┐
│              Hardware                        │
│  (CPU, RAM, USB devices, GPU)               │
└─────────────────────────────────────────────┘

Kernel modules are pieces of code that can be:

• Loaded into the kernel while it's running (no reboot needed)

• Unloaded when no longer needed

• Run with full kernel privileges (Ring 0)

1.2 Why Use Modules Instead of Built-in Code?

Without modules:

• Every driver compiled into kernel

• Kernel becomes huge (100+ MB)

• Need to reboot for every change

• Wasted memory for unused drivers

With modules:

• Load only what you need

• Kernel stays small (~10-20 MB)

• Add/remove features on-the-fly

• Easy testing and development

Real-world example: When you plug in a USB device, the kernel loads the appropriate module automatically. When you remove it, the module can be unloaded.

1.3 What Can Kernel Modules Do?

• Device drivers: Control hardware (USB, graphics cards, network cards)

• Filesystems: Add support for new filesystem types (ext4, NTFS, FAT32)

• Network protocols: Implement new networking features

• Security modules: Add security features (SELinux, AppArmor)

• System monitoring: Watch system events

• And yes... rootkits! (malicious modules that hide themselves)

---

Part 2: Your First Kernel Module - "Hello World"

2.1 The Simplest Possible Module

Let's create a module that just prints "Hello, Kernel!" when loaded and "Goodbye, Kernel!" when unloaded.

Create a file called hello.c:

#include <linux/module.h>      // Core header for modules
#include <linux/kernel.h>      // For printk()
#include <linux/init.h>        // For __init and __exit macros

// This function runs when the module is loaded
static int __init hello_init(void) {
    printk(KERN_INFO "Hello, Kernel! Module loaded.\n");
    return 0;  // 0 means success, negative means error
}

// This function runs when the module is unloaded
static void __exit hello_exit(void) {
    printk(KERN_INFO "Goodbye, Kernel! Module unloaded.\n");
}

// Tell the kernel which functions are init and exit
module_init(hello_init);
module_exit(hello_exit);

// Module metadata
MODULE_LICENSE("GPL");              // License type
MODULE_AUTHOR("Your Name");         // Who wrote it
MODULE_DESCRIPTION("A simple hello world module");
MODULE_VERSION("1.0");              // Version number

2.2 Understanding Each Part

Header Files:

#include <linux/module.h>  // Defines module_init(), module_exit()
#include <linux/kernel.h>  // Defines printk() (kernel's printf)
#include <linux/init.h>    // Defines __init and __exit macros

These are kernel headers, not standard C library headers. You can't use printf(), malloc(), or other libc functions in kernel code!

The __init Macro:

static int __init hello_init(void)

• static: Function is private to this file

• __init: Tells kernel this code runs once at load time, then can be freed from memory

• Returns int: 0 for success, negative error code for failure

The __exit Macro:

static void __exit hello_exit(void)

• __exit: This code runs once at unload time

• Returns void: Exit functions don't return values

Registration Macros:

module_init(hello_init);  // "When loading, call hello_init()"
module_exit(hello_exit);  // "When unloading, call hello_exit()"

These macros tell the kernel which functions to call.

Module Metadata:

MODULE_LICENSE("GPL");           // Required! Must specify license
MODULE_AUTHOR("Your Name");      // Optional
MODULE_DESCRIPTION("...");       // Optional
MODULE_VERSION("1.0");           // Optional

MODULE_LICENSE() is mandatory. Without it, the module won't load properly!

Common licenses:

• "GPL" - GNU General Public License

• "GPL v2" - GPL version 2

• "Dual MIT/GPL" - Can be used under either license

• "Proprietary" - Closed source (taints the kernel)

2.3 printk() - The Kernel's printf()

In userspace, you use printf(). In kernel space, you use printk().

Format:

printk(KERN_LEVEL "message with %d format specifiers", value);

Log Levels:

KERN_EMERG    // System is unusable (0)
KERN_ALERT    // Action must be taken immediately (1)
KERN_CRIT     // Critical conditions (2)
KERN_ERR      // Error conditions (3)
KERN_WARNING  // Warning conditions (4)
KERN_NOTICE   // Normal but significant (5)
KERN_INFO     // Informational (6)
KERN_DEBUG    // Debug-level messages (7)

Examples:

printk(KERN_INFO "Module loaded successfully\n");
printk(KERN_ERR "Failed to allocate memory!\n");
printk(KERN_DEBUG "Variable x = %d\n", x);

Where does printk() output go?

Not to your terminal! It goes to the kernel log buffer. View it with:

dmesg           # Show entire kernel log
dmesg | tail    # Show last 10 lines
dmesg -w        # Watch in real-time (like tail -f)

---

Part 3: Compiling Kernel Modules - The Makefile

3.1 Why We Need a Special Makefile

You can't compile kernel modules with just gcc hello.c -o hello.ko. Kernel modules need:

• Special compilation flags

• Kernel headers

• Symbol resolution

• Proper linking

The kernel build system handles all this.

3.2 The Basic Makefile

Create a file called Makefile (exact name, capital M) in the same directory as hello.c:

obj-m += hello.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

3.3 Understanding the Makefile

Line 1: obj-m += hello.o

• obj-m: List of modules to build

• hello.o: Object file (will be compiled from hello.c)

• The .o becomes .ko (kernel object) automatically

If you had multiple source files:

obj-m += mymodule.o
mymodule-objs := file1.o file2.o file3.o

The 'all' target:

make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

Let's break this down:

• make -C <directory>: Change to that directory and run make

• /lib/modules/$(shell uname -r)/build: Kernel build directory

  • $(shell uname -r): Current kernel version (e.g., 5.15.0-generic)

  • This directory contains kernel headers

• M=$(PWD): Tell kernel build system where our module source is

• modules: Target to build modules

The 'clean' target:

make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Same structure, but calls the clean target to remove build files.

3.4 Important Makefile Notes

Use TABS, not spaces!

Makefiles require actual TAB characters for indentation. If you copy-paste and it doesn't work, it's probably spaces instead of tabs.

Check if kernel headers are installed:

# Ubuntu/Debian
sudo apt install linux-headers-$(uname -r)

# Fedora/RHEL
sudo dnf install kernel-devel

# Arch
sudo pacman -S linux-headers

# Verify installation
ls /lib/modules/$(uname -r)/build

---

Part 4: Building and Loading Your Module

4.1 Compilation

# Navigate to your module directory
cd ~/my_module

# Compile the module
make
```

**What happens:**
```
make[1]: Entering directory '/usr/src/linux-headers-5.15.0-generic'
  CC [M]  /home/user/my_module/hello.o
  MODPOST /home/user/my_module/Module.symvers
  CC [M]  /home/user/my_module/hello.mod.o
  LD [M]  /home/user/my_module/hello.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.15.0-generic'

Files created:

ls
# hello.c          - Your source code
# hello.o          - Compiled object file
# hello.ko         - Kernel module (this is what you load!)
# hello.mod.o      - Module metadata object
# hello.mod.c      - Generated module info
# Module.symvers   - Symbol version info
# modules.order    - Build order
# .hello*.cmd      - Build commands (hidden files)

The important file: hello.ko - This is your loadable kernel module!

4.2 Checking Module Information

Before loading, you can inspect the module:

# View module info
modinfo hello.ko
```

**Output:**
```
filename:       /home/user/my_module/hello.ko
version:        1.0
description:    A simple hello world module
author:         Your Name
license:        GPL
srcversion:     ABC123DEF456
depends:        
retpoline:      Y
name:           hello
vermagic:       5.15.0-generic SMP mod_unload

4.3 Loading the Module

Method 1: insmod (Insert Module)

# Load the module
sudo insmod hello.ko

# Check if it loaded
lsmod | grep hello
```

**Output:**
```
hello                  16384  0

This shows:

• Module name: hello

• Size: 16384 bytes

• Used by: 0 other modules

Check kernel log:

dmesg | tail
```

**Output:**
```
[12345.678901] Hello, Kernel! Module loaded.

Success! Your module is running in kernel space!

4.4 Listing Loaded Modules

# List all loaded modules
lsmod

# Search for specific module
lsmod | grep hello

# Alternative: check /proc
cat /proc/modules | grep hello

# Or check /sys
ls /sys/module/hello

4.5 Unloading the Module

# Unload the module
sudo rmmod hello

# Verify it's gone
lsmod | grep hello

# Check kernel log
dmesg | tail
```

**Output:**
```
[12346.789012] Goodbye, Kernel! Module unloaded.
```

### 4.6 The Module Lifecycle
```
┌─────────────────────────────────────────┐
│  1. Write source code (hello.c)         │
└─────────────────────────────────────────┘
                 ↓
┌─────────────────────────────────────────┐
│  2. Compile with make                   │
│     (produces hello.ko)                 │
└─────────────────────────────────────────┘
                 ↓
┌─────────────────────────────────────────┐
│  3. Load with insmod                    │
│     • hello_init() is called            │
│     • Module enters kernel memory       │
└─────────────────────────────────────────┘
                 ↓
┌─────────────────────────────────────────┐
│  4. Module is active                    │
│     • Runs in kernel space (Ring 0)     │
│     • Has full system access            │
└─────────────────────────────────────────┘
                 ↓
┌─────────────────────────────────────────┐
│  5. Unload with rmmod                   │
│     • hello_exit() is called            │
│     • Module removed from memory        │
└─────────────────────────────────────────┘

---

Part 5: Common Issues and Troubleshooting

5.1 "Module not found" Error

sudo insmod hello.ko
# Error: could not insert module hello.ko: Invalid module format

Cause: Module compiled for different kernel version

Check:

# Your kernel version
uname -r

# Module's kernel version
modinfo hello.ko | grep vermagic

Solution:

# Install correct headers
sudo apt install linux-headers-$(uname -r)

# Recompile
make clean
make

5.2 "Operation not permitted"

sudo insmod hello.ko
# Error: Operation not permitted

Possible causes:

1. Secure Boot enabled - Disable in BIOS or sign your module

2. Missing MODULE_LICENSE() - Add to your code

3. Kernel lockdown mode - Check with cat /sys/kernel/security/lockdown

5.3 Module Won't Unload

sudo rmmod hello
# Error: Module hello is in use

Cause: Something is using your module

Debug:

# Check usage count
lsmod | grep hello
# hello    16384  1    ← The "1" means it's in use

# See what's using it
lsof | grep hello

Force unload (dangerous!):

sudo rmmod -f hello

5.4 Compilation Errors

Error: "linux/module.h: No such file or directory"

# Install kernel headers
sudo apt install linux-headers-$(uname -r)

Error: "Makefile:2: *** missing separator. Stop."

• You have spaces instead of TAB in Makefile

• Re-type the indentation with TAB key

---

Part 6: Module Parameters

6.1 What Are Module Parameters?

Parameters let you customize module behavior at load time without recompiling.

Example: A network driver might take parameters for IP address, port, etc.

6.2 Adding Parameters

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/moduleparam.h>  // For module parameters

// Declare a parameter
static int number = 42;
static char *name = "World";

// Make them module parameters
module_param(number, int, 0644);
module_param(name, charp, 0644);

// Document the parameters
MODULE_PARM_DESC(number, "An integer value");
MODULE_PARM_DESC(name, "A string value");

static int __init hello_init(void) {
    printk(KERN_INFO "Hello, %s! Number is %d\n", name, number);
    return 0;
}

static void __exit hello_exit(void) {
    printk(KERN_INFO "Goodbye, %s!\n", name);
}

module_init(hello_init);
module_exit(hello_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Your Name");

6.3 Using Parameters

Loading with default values:

sudo insmod hello.ko
dmesg | tail
# Output: Hello, World! Number is 42

Loading with custom values:

sudo insmod hello.ko number=100 name="Linux"
dmesg | tail
# Output: Hello, Linux! Number is 100

Viewing parameters:

# See parameter values
cat /sys/module/hello/parameters/number
cat /sys/module/hello/parameters/name

# List all parameters
ls /sys/module/hello/parameters/

Changing parameters (if writable):

# Only works if parameter permission allows writing (e.g., 0644)
echo 200 | sudo tee /sys/module/hello/parameters/number

6.4 Parameter Types

// Integer
static int myint = 0;
module_param(myint, int, 0644);

// Boolean
static bool mybool = false;
module_param(mybool, bool, 0644);

// String (character pointer)
static char *mystring = "default";
module_param(mystring, charp, 0644);

// Array of integers
static int myarray[3] = {1, 2, 3};
static int arr_count = 0;
module_param_array(myarray, int, &arr_count, 0644);

Permission values:

• 0000: No one can read/write

• 0444: Everyone can read, no one can write

• 0644: Owner read/write, others read-only

• 0666: Everyone read/write

---

Part 7: Debugging Kernel Modules

7.1 Using printk() for Debugging

Good debugging practices:

static int __init hello_init(void) {
    printk(KERN_DEBUG "hello_init: Starting initialization\n");
    
    int result = some_function();
    printk(KERN_DEBUG "hello_init: Result = %d\n", result);
    
    if (result < 0) {
        printk(KERN_ERR "hello_init: Initialization failed!\n");
        return result;
    }
    
    printk(KERN_INFO "hello_init: Successfully initialized\n");
    return 0;
}

7.2 Controlling Log Verbosity

# Check current log level
cat /proc/sys/kernel/printk
# Output: 4  4  1  7
#         ^  Current console log level
#            (only messages < 4 show on console)

# Set to show all messages (including KERN_DEBUG)
echo 8 | sudo tee /proc/sys/kernel/printk

# Now KERN_DEBUG messages appear in dmesg

7.3 Dynamic Debug

For more control, use dynamic debugging:

// Instead of printk()
pr_debug("This is a debug message: %d\n", value);

Enable dynamic debug:

# Enable all debug messages for your module
echo 'module hello +p' | sudo tee /sys/kernel/debug/dynamic_debug/control

# Disable
echo 'module hello -p' | sudo tee /sys/kernel/debug/dynamic_debug/control
```

### 7.4 Kernel Crashes (Oops)

If your module crashes the kernel, you'll see an "Oops" message:
```
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
Oops: 0002 [#1] SMP
RIP: 0010:hello_init+0x15/0x30 [hello]

Common causes:

• NULL pointer dereference: Accessing *ptr when ptr = NULL

• Invalid memory access: Accessing freed memory or wrong address

• Stack overflow: Too much recursion or huge local variables

How to avoid:

// Always check pointers!
void *ptr = kmalloc(100, GFP_KERNEL);
if (!ptr) {
    printk(KERN_ERR "Failed to allocate memory\n");
    return -ENOMEM;
}

// Use it safely
*ptr = value;

// Don't forget to free!
kfree(ptr);

---

Part 8: Practical Example - A Counter Module

Let's build something more useful: a module that counts how many times it's been accessed.

8.1 The Code

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/proc_fs.h>
#include <linux/uaccess.h>

#define PROC_NAME "counter"

static int counter = 0;
static struct proc_dir_entry *proc_entry;

// Called when someone reads /proc/counter
static ssize_t counter_read(struct file *file, char __user *buf,
                           size_t count, loff_t *ppos) {
    char message[50];
    int len;
    
    // Prevent multiple reads
    if (*ppos > 0)
        return 0;
    
    // Increment counter
    counter++;
    
    // Format message
    len = snprintf(message, sizeof(message),
                   "Counter: %d\n", counter);
    
    // Copy to userspace
    if (copy_to_user(buf, message, len))
        return -EFAULT;
    
    *ppos = len;
    return len;
}

static const struct proc_ops counter_fops = {
    .proc_read = counter_read,
};

static int __init counter_init(void) {
    printk(KERN_INFO "Counter module loaded\n");
    
    // Create /proc/counter
    proc_entry = proc_create(PROC_NAME, 0444, NULL, &counter_fops);
    
    if (!proc_entry) {
        printk(KERN_ERR "Failed to create /proc/%s\n", PROC_NAME);
        return -ENOMEM;
    }
    
    printk(KERN_INFO "Created /proc/%s\n", PROC_NAME);
    return 0;
}

static void __exit counter_exit(void) {
    // Remove /proc entry
    proc_remove(proc_entry);
    
    printk(KERN_INFO "Counter module unloaded. Final count: %d\n", counter);
}

module_init(counter_init);
module_exit(counter_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Your Name");
MODULE_DESCRIPTION("A simple counter module");

8.2 Testing the Counter

# Compile
make

# Load
sudo insmod counter.ko

# Check it created the proc entry
ls -l /proc/counter
# -r--r--r-- 1 root root 0 Dec  2 10:00 /proc/counter

# Read it (increments counter each time)
cat /proc/counter
# Counter: 1

cat /proc/counter
# Counter: 2

cat /proc/counter
# Counter: 3

# Unload
sudo rmmod counter

# Check final count
dmesg | tail
# Counter module unloaded. Final count: 3

8.3 What This Demonstrates

• Creating /proc entries for user interaction

• Handling read operations

• Copying data to userspace safely (copy_to_user())

• Maintaining state (the counter variable)

• Proper cleanup in exit function

---

Part 9: Best Practices

9.1 Error Handling

Always check return values:

static int __init mymodule_init(void) {
    void *ptr;
    int ret;
    
    // Allocate memory
    ptr = kmalloc(1024, GFP_KERNEL);
    if (!ptr) {
        printk(KERN_ERR "Failed to allocate memory\n");
        return -ENOMEM;
    }
    
    // Do something that might fail
    ret = some_operation();
    if (ret < 0) {
        printk(KERN_ERR "Operation failed: %d\n", ret);
        kfree(ptr);  // Clean up before returning!
        return ret;
    }
    
    // Success
    return 0;
}

9.2 Resource Cleanup

Always clean up in reverse order:

static int __init mymodule_init(void) {
    // Allocate resource A
    resource_a = allocate_a();
    if (!resource_a)
        goto fail_a;
    
    // Allocate resource B
    resource_b = allocate_b();
    if (!resource_b)
        goto fail_b;
    
    // Allocate resource C
    resource_c = allocate_c();
    if (!resource_c)
        goto fail_c;
    
    return 0;

fail_c:
    free_b(resource_b);
fail_b:
    free_a(resource_a);
fail_a:
    return -ENOMEM;
}

static void __exit mymodule_exit(void) {
    // Free in reverse order
    free_c(resource_c);
    free_b(resource_b);
    free_a(resource_a);
}

9.3 Naming Conventions

Use prefixes to avoid conflicts:

// Good: Module-specific prefix
static int mymodule_counter = 0;
static void mymodule_do_something(void);

// Bad: Generic names (might conflict)
static int counter = 0;
static void do_something(void);

9.4 Static vs. Global

Make things static unless they need to be exported:

// Private to this file (good)
static int my_function(void) {
    // ...
}

// Visible to other modules (only if needed)
int my_exported_function(void) {
    // ...
}
EXPORT_SYMBOL(my_exported_function);

---

Part 10: Common Commands Reference

10.1 Module Management

# Load module
sudo insmod mymodule.ko

# Load with parameters
sudo insmod mymodule.ko param1=value1 param2=value2

# Unload module
sudo rmmod mymodule

# Force unload (dangerous!)
sudo rmmod -f mymodule

# List loaded modules
lsmod

# Search for specific module
lsmod | grep mymodule

# Module information
modinfo mymodule.ko

# Module dependencies
modprobe --show-depends mymodule

10.2 Debugging Commands

# View kernel log
dmesg

# View last 20 lines
dmesg | tail -20

# Watch in real-time
dmesg -w

# Clear kernel log
sudo dmesg -C

# Filter by module
dmesg | grep mymodule

# Check if module is loaded
lsmod | grep mymodule
cat /proc/modules | grep mymodule
ls /sys/module/mymodule

10.3 Build Commands

# Compile module
make

# Clean build files
make clean

# Verbose build (see all commands)
make V=1

# Check kernel version
uname -r

# Check if headers are installed
ls /lib/modules/$(uname -r)/build