Kernel Rootkits for Dummies

by Anthraxx
Feb. 2009
Version 0.1

An introduction to kernel rootkits and kernel hacking.
With a comic.
U seen right.
U never seen that before, right?


The computer is devided into two parts: Userspace and Kernelspace.
Every program (Firefox, VI, bash, gimp...) runs in userspace. But it can not access any data, the only way to send/save or receive/open data is the kernel (more exactly, the syscall interface). It's indicated by the guy standing in the room, with walls all around him.

The Kernel is mightier than root, but barely does something on its own, it's like a slave to the userspace. He has all the access, eg, can read and write to any hardware (graphic card, network card, harddisc, dvd etc...).


A hacked, or tainted, Kernel (indicated by the red trousers) can hide everything he wants from userspace. There is no easy way to tell he is lying or omits truth.

Antivirus (Avira, MCAffee, etc..) use the Kernel to list and read files to scan for virus. A Kernel Rootkit can easily hide secret data from everybody, or do not list the files at all.