modreveal
modreveal is a small utility that prints the names of hidden LKMs (Linux kernel modules), if any exist. It is useful for detecting rootkits that hide themselves from standard tools such as `lsmod` (which only shows what `/proc/modules` reports).
Requirements:
- Linux kernel 5.2 or newer (the module uses the current generic netlink API)
- Kernel headers matching the running kernel (`uname -r`)
- GCC
- libnl-3 and libnl-genl-3 development libraries

Install the dependencies with your distribution's package manager.

On Arch Linux (pick the headers package that matches your kernel flavour, e.g. `linux-lts-headers` for `linux-lts`):
sudo pacman -S linux-headers gcc libnl

On Debian/Ubuntu:
sudo apt-get install linux-headers-$(uname -r) gcc libnl-3-dev libnl-genl-3-dev

On Fedora:
sudo dnf install kernel-devel gcc libnl3-devel
Build and run (root is required because the tool loads a kernel module):
make
sudo ./modreveal
How it works:
- Loads a helper kernel module that registers a kprobe to recover the address of `kallsyms_lookup_name`, which is no longer exported to modules on recent kernels
- Walks the kernel's internal `module_kset` (the kset behind `/sys/module`) to enumerate every loaded module, including ones that have been unlinked from the `modules` list
- Sends the complete module list to userspace over generic netlink
- Compares the kernel's internal list with the output of `lsmod`
- Reports any module that exists in the kernel but is missing from `lsmod`
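The comparison step, as an added userspace illustration that is not part of modreveal's own code: the kernel-side list that the helper module would deliver over generic netlink is replaced by a constructed list (module names and the `lsmod` sample are made up, `diamorphine` being the one hidden entry), and `sysfs_loaded_modules` is an assumed approximation of the `module_kset` walk that reads `/sys/module` instead of kernel memory. It relies on the assumption that the hidden module was unlinked from the `modules` list but its kobject was left in sysfs; a rootkit that also deletes its kobject would evade this check.

```python
"""Compare the kernel's own view of loaded modules against lsmod.

Added example, not modreveal's code. The kernel-side list would normally
arrive from the helper module over generic netlink; here it is constructed
so the comparison runs without loading anything into the kernel.
"""
import os

# Constructed sample of `lsmod` output (sizes and use counts are made up).
SAMPLE_LSMOD = """\
Module                  Size  Used by
nf_tables             303104  0
xt_conntrack           16384  1
ext4                 1044480  2
"""

# Constructed stand-in for what the helper module reports after walking
# module_kset: the same modules plus one that was unlinked from the
# `modules` list and therefore no longer appears in lsmod.
SAMPLE_KERNEL_VIEW = ["nf_tables", "xt_conntrack", "ext4", "diamorphine"]


def parse_lsmod(text):
    """Return the set of module names from lsmod or /proc/modules text.

    lsmod prints a header line; /proc/modules does not. In both formats the
    name is the first whitespace-separated field, so the header is skipped
    by its literal first token.
    """
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Module":
            continue
        names.add(fields[0])
    return names


def hidden_modules(kernel_view, lsmod_view):
    """Modules the kernel knows about that lsmod does not list, sorted."""
    return sorted(set(kernel_view) - set(lsmod_view))


def sysfs_loaded_modules(root="/sys/module"):
    """Assumed userspace approximation of the module_kset walk.

    /sys/module is the sysfs projection of module_kset. Dynamically loaded
    modules get an `initstate` attribute there, while built-in modules that
    merely expose parameters do not, so only names with that attribute are
    returned. Returns an empty set if the directory cannot be read.
    """
    found = set()
    try:
        entries = os.listdir(root)
    except OSError:
        return found
    for name in entries:
        if os.path.exists(os.path.join(root, name, "initstate")):
            found.add(name)
    return found


def main():
    # Constructed sample: expect ["diamorphine"].
    print("sample -> hidden:", hidden_modules(SAMPLE_KERNEL_VIEW,
                                                 parse_lsmod(SAMPLE_LSMOD)))
    # Live check on the current host, using sysfs as the kernel-side view.
    try:
        with open("/proc/modules") as fh:
            visible = parse_lsmod(fh.read())
    except OSError:
        return
    print("live   -> hidden:", hidden_modules(sysfs_loaded_modules(), visible))


if __name__ == "__main__":
    main()
```

Running the script prints the constructed result and, on a Linux host, the live `/sys/module` versus `/proc/modules` difference. An empty live list is not proof of a clean system: it only shows that nothing is hidden by the list-unlinking technique this check targets.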
To test the utility, load a rootkit that hides itself in a disposable virtual machine, for example:
- Diamorphine rootkit (https://github.com/m0nad/Diamorphine)
Notes:
- Updated for Linux kernel 5.2+ (uses the modern generic netlink API)
- Tested on the 6.x kernel series
- Should work on any modern Linux distribution once the dependencies above are installed
- Limitation: detection relies on the hidden module still being registered in `module_kset` (its `/sys/module` entry); a rootkit that also removes its kobject from sysfs would not be reported by this check