Kernel Rootkits for Dummies
An introduction to kernel rootkits and kernel hacking.
With a comic.
U seen right.
U never seen that before, right?
The computer is divided into two parts: userspace and kernelspace.
Every program (Firefox, vi, bash, GIMP...) runs in userspace. But it cannot access
any data on its own; the only way to send/save or receive/open data is through the kernel (more exactly,
the syscall interface). That's indicated by the guy standing in the room, with walls
all around him.
The kernel is mightier than root, but it barely does anything on its own; it's like
a servant to userspace. He has all the access, e.g. he can read and write any
hardware (graphics card, network card, hard disk, DVD, etc.).
A hacked, or tainted, kernel (indicated by the red trousers) can hide anything
he wants from userspace. There is no easy way to tell whether he is lying or omitting the truth.
Antivirus programs (Avira, McAfee, etc.) use the kernel to list and read the files they scan
for viruses. A kernel rootkit can easily hide secret data from everybody, or simply not
list the files at all.
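As an added example (not part of the comic or written by its author), here is a defender-side "cross-view" check in C that makes the point concrete: a userspace program only ever sees files through syscalls such as getdents64, so one way to notice a kernel that omits directory entries is to compare that listing against a second answer from the kernel, the directory's link count reported by stat(). The temporary directory path, the constructed sample tree and the function names are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Record layout the kernel fills in for getdents64 (man 2 getdents). */
struct linux_dirent64 { unsigned long long d_ino; long long d_off;
                        unsigned short d_reclen; unsigned char d_type; char d_name[]; };
/* View 1: count subdirectories through the raw getdents64 syscall, the same
 * kernel interface that ls, find and antivirus scanners depend on. */
long subdirs_via_getdents(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY); if (fd < 0) return -1;
    char buf[8192]; long count = 0, n;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            if (d->d_type == DT_DIR && strcmp(d->d_name, ".") && strcmp(d->d_name, ".."))
                count++;
            off += d->d_reclen;
        }
    close(fd);
    return count;
}
/* View 2: on ext4, xfs and tmpfs a directory's link count is 2 + its subdirectories
 * ("." plus each child's ".."), so a subdirectory a tainted kernel drops from the listing
 * still shows in st_nlink. Returns 1 = views disagree, 0 = agree, -1 = unknown (error, or a
 * filesystem such as btrfs that keeps nlink at 1). A rootkit that also lies in stat() defeats it. */
int listing_hides_subdirs(const char *path) {
    struct stat st; if (stat(path, &st) || !S_ISDIR(st.st_mode) || st.st_nlink < 2) return -1;
    long seen = subdirs_via_getdents(path);
    return seen < 0 ? -1 : ((long)st.st_nlink - 2 != seen);
}
/* Constructed sample tree (3 subdirectories, 1 file) so the check runs offline;
 * records the getdents count in demo_seen and returns the cross-view verdict. */
long demo_seen = -1;
int demo_verdict(void) {
    char dir[] = "/tmp/rootkit-demo-XXXXXX", p[4][64];   /* assumed writable location */
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 4; i++) snprintf(p[i], sizeof p[i], "%s/%c", dir, "abcf"[i]);
    for (int i = 0; i < 3; i++) mkdir(p[i], 0700);     /* a, b, c: subdirectories */
    close(open(p[3], O_CREAT | O_WRONLY, 0600));       /* f: an ordinary file     */
    demo_seen = subdirs_via_getdents(dir);
    int v = listing_hides_subdirs(dir);
    for (int i = 0; i < 3; i++) rmdir(p[i]);
    unlink(p[3]); rmdir(dir); return v;
}
```

On an untainted kernel both views agree (verdict 0, or -1 on filesystems that do not keep the 2+n convention); a listing that comes back shorter than st_nlink predicts is the kind of discrepancy tools such as chkrootkit and unhide look for.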