ROOTKIT MEASUREMENT METHOD, APPARATUS, AND SERVER

Abstract

The embodiments of the present invention disclose a rootkit measurement method, apparatus, and server. The method can be applied to a Linux system that comprises a secure backup area holding a backup of the system call table; the Linux system is divided into a ring3 state and a ring0 state. The method comprises: if it is detected that the Linux system is running, loading a kernel module pre-deployed in the Linux system and triggering an acquisition program in the kernel module to obtain the current system call table in the ring0 state; obtaining the previously backed-up system call table from the secure backup area, and calling a comparison program in the ring3 state to determine whether the backed-up system call table is consistent with the current system call table; if it is not, determining that the ring0 state of the Linux system has been attacked by the rootkit. The embodiments of the present invention help improve the accuracy of rootkit detection.
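The ring3 comparison step from the abstract, as an added example that is not taken from the patent. It assumes each table snapshot is an array of handler addresses indexed by system call number; the names `sct_snapshot` and `sct_diff` and all addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed snapshot layout (not from the patent): one handler address per
 * system call number, as exported by the kernel module or read from backup. */
struct sct_snapshot {
    size_t count;
    const uint64_t *handlers;
};

/* Compare the backed-up table with the current one. Stores up to max_out
 * inconsistent system call numbers in out and returns how many were found.
 * A slot present in only one of the two tables counts as inconsistent. */
size_t sct_diff(const struct sct_snapshot *backup,
                const struct sct_snapshot *current,
                size_t *out, size_t max_out)
{
    size_t longest = backup->count > current->count ? backup->count
                                                    : current->count;
    size_t found = 0;
    for (size_t nr = 0; nr < longest; nr++) {
        if (nr < backup->count && nr < current->count &&
            backup->handlers[nr] == current->handlers[nr])
            continue;
        if (found < max_out)
            out[found] = nr;
        found++;
    }
    return found;
}

/* Constructed sample data: slot 2 is redirected and slot 5 was appended. */
static const uint64_t BACKUP[] = { 0xffffffff81201000ULL, 0xffffffff81201400ULL,
    0xffffffff81201800ULL, 0xffffffff81201c00ULL, 0xffffffff81202000ULL };
static const uint64_t CURRENT[] = { 0xffffffff81201000ULL, 0xffffffff81201400ULL,
    0xffffffffc0a31000ULL, 0xffffffff81201c00ULL, 0xffffffff81202000ULL,
    0xffffffffc0a31200ULL };
static const struct sct_snapshot SNAP_BACKUP = { 5, BACKUP };
static const struct sct_snapshot SNAP_CURRENT = { 6, CURRENT };
static size_t CHANGED[8];

int main(void)
{
    size_t n = sct_diff(&SNAP_BACKUP, &SNAP_CURRENT, CHANGED, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("syscall %zu: entry differs from backup\n", CHANGED[i]);
    puts(n ? "inconsistent: ring0 state attacked" : "tables consistent");
    return n ? 1 : 0;
}
```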

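Bibliographic details

  • Publication number: WO2020000741A1

  • Publication date: 2020-01-02

  • Original format: PDF

  • Applicant/patentee: PING AN TECHNOLOGY (SHENZHEN) CO. LTD.

  • Application number: WO2018CN108469

  • Inventor: ZHENG BIAO

  • Filing date: 2018-09-28

  • Classification: G06F21/56

  • Country: WO

  • Database entry time: 2022-08-21 11:14:06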
