Tags: linux, linux-kernel, malware, malware-detection

How to extract features from linux kernel?


I'm working on a project which detects malware based on Machine Learning techniques. My primary targets are Linux devices. My questions are:

  1. How can I extract data about processes from a Linux kernel using a kernel driver? I'd like to extract data about running processes by myself for the first time, just for a proof of concept. Later on I'd like to write a kernel driver to do that automatically and in real time.
  2. Are there any other ways to extract data for running processes, such as ProcessName, PID, UID, IS_ROOT, etc.?

Solution

  • To do this from User space:

    # PID and command for one user's processes, written as CSV (column 2 = PID, column 5 = CMD)
    ps -U <username/UID> | tr -s ' ' | tr ' ' ',' | cut -d ',' -f2,5 > out.csv
    

    From Kernel space, as a module:

    #include <linux/init.h>
    #include <linux/kernel.h>
    #include <linux/module.h>
    #include <linux/sched.h>
    #include <linux/sched/signal.h>   /* for_each_process() lives here on kernels >= 4.11 */
    #include <linux/cred.h>           /* task_uid(), from_kuid() */
    #include <linux/uidgid.h>
    
    static int uid = 0;   /* module parameter: declared as a UID filter, not applied yet */
    
    static int __init procx_init(void)
    {
        struct task_struct *task;
    
        /* The task list is RCU-protected: walking it without rcu_read_lock()
         * races with process exit. task_uid() reads the credentials safely,
         * and from_kuid() converts the kernel's namespaced kuid_t to a plain
         * uid_t, since modern kernels no longer store uid as a bare int. */
        rcu_read_lock();
        for_each_process(task)
            printk(KERN_INFO "uid=%u, pid=%d, command=%s\n",
                   from_kuid(&init_user_ns, task_uid(task)),
                   task->pid, task->comm);
        rcu_read_unlock();
        return 0;
    }
    
    static void __exit procx_exit(void)
    {
        printk(KERN_INFO "procx destructor\n");
    }
    
    module_init(procx_init);
    module_exit(procx_exit);
    module_param(uid, int, 0);
    
    MODULE_AUTHOR("[email protected]");
    MODULE_DESCRIPTION("Print process Info");
    MODULE_LICENSE("GPL");
    

    I didn't check for the UID, but you can pass it as a module parameter or a runtime parameter to trigger a kthread.
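An added example, not code from the answer above: the user-space route to the features named in the question (process name, PID, UID, IS_ROOT) is to parse /proc/<pid>/status, which the kernel already exports per process, so no module is needed for the proof of concept. The struct and function names are this example's own, only the real UID (first value on the Uid: line) is kept, and the sample status text is constructed.

```c
#include <stdio.h>
#include <string.h>

/* One feature row per process (field names chosen for this example). */
struct proc_features { char name[64]; int pid; int uid; int is_root; };

/* Parse the text of /proc/<pid>/status into f. Returns 0 on success, -1 when
 * Name, Pid or Uid is missing. Only the real UID (first Uid: value) is kept. */
int parse_proc_status(const char *text, struct proc_features *f)
{
    int have_name = 0, have_pid = 0, have_uid = 0;
    const char *line = text;
    memset(f, 0, sizeof(*f));
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 6 && strncmp(line, "Name:\t", 6) == 0) {
            size_t n = len - 6 < sizeof(f->name) - 1 ? len - 6 : sizeof(f->name) - 1;
            memcpy(f->name, line + 6, n);
            f->name[n] = '\0';
            have_name = 1;
        } else if (sscanf(line, "Pid:\t%d", &f->pid) == 1) {   /* "PPid:" does not match */
            have_pid = 1;
        } else if (sscanf(line, "Uid:\t%d", &f->uid) == 1) {   /* real uid only */
            have_uid = 1;
        }
        line = nl ? nl + 1 : NULL;
    }
    if (!(have_name && have_pid && have_uid)) return -1;
    f->is_root = (f->uid == 0);   /* the IS_ROOT feature from the question */
    return 0;
}

/* Read the live /proc/<pid>/status and parse it; -1 if it cannot be opened
 * (e.g. the process exited between listing and reading, a common race). */
int read_proc_status(int pid, struct proc_features *f)
{
    char path[64], buf[4096]; FILE *fp; size_t n;
    snprintf(path, sizeof(path), "/proc/%d/status", pid);
    if (!(fp = fopen(path, "r"))) return -1;
    n = fread(buf, 1, sizeof(buf) - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return parse_proc_status(buf, f);
}

/* Constructed sample in /proc/<pid>/status layout (not a real capture). */
static const char sample_status[] =
    "Name:\tsshd\nState:\tS (sleeping)\nTgid:\t812\nPid:\t812\nPPid:\t1\n"
    "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n";
```

Calling `read_proc_status()` for every numeric directory under /proc and writing one `name,pid,uid,is_root` row per process gives the same CSV the `ps` one-liner produces, with the UID and root flag added.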