Linux: Is Keyboard Rootkitted?

I created a keyboard SMM rootkit detector that consists of a Linux Loadable Kernel Module (LKM), a /proc/is-kbd-rkt file and a simple app that outputs the result. The app looks something like this:

In order to try it out you first need:
  • to have g++, gcc and make installed
  • and to have the linux-headers-`uname -r` package installed

Then you should do a:
git clone https://github.com/sith-ikjetil/is-kbd-rkt.git

Then you need to build the LKM (in the lkm subdirectory; you might need to run this twice):
make

To create the cryptographic key, first run:
sudo -i

then run:
mkdir /root/module-signing
cd /root/module-signing
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500
chmod 600 MOK.priv
mokutil --import /root/module-signing/MOK.der
openssl rsa -in MOK.priv -out new.MOK.priv

Now, with the lkm directory as the current directory, execute (Ubuntu/Fedora):
sudo ./sign_ko.sh ./is-kbd-rkt.ko
sudo ./cp_ko_to_extra.sh ./is-kbd-rkt.ko
sudo depmod

Then install the LKM (the .ko file) into the kernel:
sudo insmod ./is-kbd-rkt.ko

You might need to disable Secure Boot or sign the LKM first.
Then build the app iskbdrkt (app subdirectory):
./build-debug.sh

Now all you have to do is run the application (app subdirectory):
./iskbdrkt

or see the contents of the /proc/is-kbd-rkt file:
cat /proc/is-kbd-rkt
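As an added pre-flight check for the signing and Secure Boot steps above (my own helper script, not part of the is-kbd-rkt repository), the following tells you before running insmod whether the module is signed, whether Secure Boot is on, and whether the signer's MOK certificate is actually enrolled. The module path, the signer CN and the exact shape of mokutil's enrolled-key listing are assumptions.

```shell
#!/bin/sh
# Pre-flight check before `sudo insmod ./is-kbd-rkt.ko` (added helper; not
# part of is-kbd-rkt). Module path and certificate CN are assumptions.

# stdin: `modinfo <module.ko>` output. Succeeds if a PKCS#7 signature is attached.
ko_is_signed() {
    grep -q '^sig_id:'
}

# stdin: `modinfo` output. Prints the signer CN recorded in the signature.
ko_signer() {
    sed -n 's/^signer:[[:space:]]*//p'
}

# stdin: `mokutil --sb-state` output. Succeeds if Secure Boot is enabled.
sb_enabled() {
    grep -q '^SecureBoot enabled'
}

# stdin: `mokutil --list-enrolled` output (assumed to carry X.509 "Subject:"
# lines). Succeeds if a certificate with CN=$1 is among the enrolled MOKs.
mok_enrolled_for() {
    sed 's/ *= */=/g' | grep -qF "CN=$1"
}

# Arguments: signed yes|no, secure_boot yes|no, key_enrolled yes|no.
# Prints what to expect from insmod; exit status 0 only for "ok".
insmod_verdict() {
    if [ "$2" = no ]; then echo ok; return 0; fi   # no Secure Boot: unsigned modules load
    if [ "$1" = no ]; then echo unsigned-under-secure-boot; return 1; fi
    # `mokutil --import` only queues the key; enrolment finishes in MokManager at next reboot
    if [ "$3" = no ]; then echo key-not-enrolled; return 1; fi
    echo ok
}

# Live run: sh preflight.sh ./is-kbd-rkt.ko (no argument: only defines the functions)
main() {
    info=$(modinfo "$1") || return 1
    signed=no; printf '%s\n' "$info" | ko_is_signed && signed=yes
    sb=no; mokutil --sb-state 2>/dev/null | sb_enabled && sb=yes
    enrolled=no
    if [ "$signed" = yes ]; then
        mokutil --list-enrolled 2>/dev/null | mok_enrolled_for "$(printf '%s\n' "$info" | ko_signer)" && enrolled=yes
    fi
    echo "signed=$signed secure_boot=$sb key_enrolled=$enrolled -> $(insmod_verdict "$signed" "$sb" "$enrolled")"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the verdict is key-not-enrolled right after `mokutil --import`, reboot and complete the enrolment in the blue MokManager screen, then re-run the check.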

Good luck :)