8. Kcheesewire

8.1. cf. Kstat

Scan /dev/kmem directly:

8.2. /proc-Processing

Scan/parse /proc:

  1. cf. cheesewire::IDM_proc

    Cheesewire module...

8.3. Access task_struct Within Kernel

  1. cf. Carbonite

    See foundstone.com (Resources, Free Tools, Intrusion Detection Tools, Carbonite).

    From Carbonite's README:
    Carbonite is a tool used to process the /proc filesystem information in a reliable fashion. It is built upon the work that Dominique Brezinski started with his cryogenic program. Cryogenic is a 'user space' forensic tool to recover live data and process the /proc filesystem on Linux machines. However, current 'rootkit' loadable kernel modules (such as knark and heroin) permit system calls to be intercepted, preventing cryogenic and ps from processing such hidden executables.

    Therefore we created Carbonite, a cryogenic, lsof and ps at the kernel level. It queries every process in Linux's task_struct, which is the kernel structure that maintains information on every running process in Linux. There is little doubt in our minds that attackers will read this code, and find another way to *hide* their processes. This module will at least raise the bar and provide system administrators with a more reliable method to identify all running processes on the system.
    Carbonite works only for 2.2 kernels...
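    The /proc scan of 8.2 and the problem Carbonite was written for (a rootkit module that filters what /proc shows, so ps and cryogenic miss processes) as an added example in Python; this is not code from the page, from cheesewire or from Carbonite. It parses /proc/<pid>/status, lists the PID directories the way a /proc scanner does, probes the whole PID space with kill(pid, 0), and reports IDs that exist but were never listed. The status-file sample is constructed. The double listing and the thread-ID check are assumptions about how a practitioner avoids false positives: processes start and exit during the probe, and the kernel answers kill() for thread IDs that never appear as /proc directories. The probe only sees what the running kernel reports, so it is weaker than Carbonite's walk of task_struct, but it needs no kernel module and runs as any user.

```python
import os

# Constructed sample of a /proc/<pid>/status file (not captured from a real host).
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)

INT_FIELDS = ("Tgid", "Pid", "PPid")
LIST_FIELDS = ("Uid", "Gid")


def parse_proc_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key in INT_FIELDS:
            info[key] = int(value)
        elif key in LIST_FIELDS:
            info[key] = [int(v) for v in value.split()]
        else:
            info[key] = value
    return info


def pids_from_readdir(proc_root="/proc"):
    """PIDs visible in a directory listing of /proc (the view ps, lsof and a
    /proc scanner get; a module filtering the listing hides entries here)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_max(proc_root="/proc"):
    """Upper bound of the PID space; fall back to the old Linux default."""
    try:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def pids_from_probe(limit):
    """IDs that answer kill(id, 0): the target exists (EPERM still means exists)."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def read_status_from_proc(pid, proc_root="/proc"):
    """Return the text of /proc/<pid>/status, or None if it cannot be opened."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            return fh.read()
    except OSError:
        return None


def classify(pid, listed_before, listed_after, read_status=read_status_from_proc):
    """Explain a probed ID.

    'visible': in one of the two listings (or a process that came or went).
    'thread':  kill() also answers for thread IDs; their status file has a Tgid
               that differs from Pid, so this is a thread, not a hidden process.
    'hidden':  the ID exists but /proc never listed it and it is not a thread.
    """
    if pid in listed_before or pid in listed_after:
        return "visible"
    text = read_status(pid)
    if text is None:
        return "hidden"
    info = parse_proc_status(text)
    if info.get("Tgid") not in (None, info.get("Pid")):
        return "thread"
    return "hidden"


def hidden_pids(listed_before, probed, listed_after, read_status=read_status_from_proc):
    """IDs that exist, are absent from both listings and are not plain threads."""
    return {pid for pid in probed
            if classify(pid, listed_before, listed_after, read_status) == "hidden"}


if __name__ == "__main__":
    before = pids_from_readdir()          # list, probe, list again: anything that
    probed = pids_from_probe(pid_max())   # starts or exits during the probe shows
    after = pids_from_readdir()           # in one listing and is not reported
    for pid in sorted(hidden_pids(before, probed, after)):
        print("hidden process candidate:", pid, parse_proc_status(
            read_status_from_proc(pid) or "").get("Name", "?"))
```

Run it as an ordinary user on the host under review; a reported ID is a process the kernel admits exists but will not list, which is exactly the symptom the Carbonite README describes. An empty result does not prove the absence of a module that also filters the by-path open of /proc/<pid>, which is why the kernel-level walk of task_struct is still the more reliable check.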

8.4. System Call Wrapper

An LKM that intercepts selected system calls: each wrapper logs the call and its arguments, then invokes the original handler so the system keeps behaving normally...




About this document:

Produced from the SGML: /home/isd/public_html/_unix_security/_reml_grp/unix_security_k.reml
On: 12/8/2004 at 17:25:27
Options: reml2 -i noindex -l long -o html -p multiple