Abstract: Rootkit is a common technology used by hackers to keep backdoors on the compromised system. There is no method to automatically detect and recover from kernel level rootkits at present. This paper analyzes the principle of kernel level rootkits, and proposes a method to automatically detect and recover from kernel level rootkits. This method is useful to the existing rootkits and the rootkits that may appear in future.

Key words: Operating system kernel; System call; Loadable kernel module; Linux; Rootkit

摘要： Rootkit 是黑客入侵系统后保留后门常用的一项技术。目前不存在一种能自动检测内核级rookit 并恢复系统的方法。该文在详细剖析内核级rootkit 原理的基础上，提出了一种自动检测内核级rootkit 并恢复系统的方法。该方法不仅对目前出现的所有内核级rootkit 有效，而且考虑了将来可能出现的更高级的rootkit。

关键词: 操作系统内核；系统调用；可加载内核模块；Linux；Rootkit