Static analysis tool for Linux kernel modules.
KOAUDIT inspects compiled Linux kernel modules (.ko) and reports suspicious behaviors commonly associated with kernel rootkits, insecure drivers, and malicious modules. Analysis is performed statically — modules are never loaded or executed.
- Static analysis of Linux kernel modules (`.ko`)
- ELF validation and metadata inspection
- Detection of common kernel hook patterns
- Detection of write-protection bypasses
- Detection of credential manipulation APIs
- Detection of custom IOCTL interfaces
- Detection of dynamic symbol resolution
- Detection of suspicious module metadata
- JSON and HTML report output
- Lightweight with no external services

```bash
git clone https://github.com/AnonNeo77/koaudit.git
cd koaudit
pip install -r requirements.txt
```

```bash
python3 koaudit.py module.ko
```

Verbose output:

```bash
python3 koaudit.py --verbose module.ko
```

JSON report:

```bash
python3 koaudit.py --json module.ko
```

HTML report:

```bash
python3 koaudit.py --html module.ko
```

- Write-protection bypasses
- Kernel tracing hooks
- Credential manipulation APIs
- Custom IOCTL interfaces
- Dynamic symbol resolution
- Module metadata anomalies
- Static analysis only.
- Modules are not executed.
- A clean result does not guarantee a module is safe.
- Detection is based on implemented heuristics and may not identify every technique.
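
The imported-symbol and metadata categories listed above can be illustrated with a short static pass over a module's ELF section table. This is an added example, not KOAUDIT's own code: the `audit_ko` name, the watchlist contents, the missing-`license` heuristic and the restriction to little-endian ELF64 objects are assumptions made for illustration.

```python
import struct, sys

# Assumed watchlist: real kernel symbol names mapped to the README's categories.
WATCHLIST = {
    "kallsyms_lookup_name": "dynamic symbol resolution",
    "commit_creds": "credential manipulation",
    "prepare_kernel_cred": "credential manipulation",
    "register_kprobe": "kernel tracing hook",
    "register_ftrace_function": "kernel tracing hook",
}

def _cstr(buf, off):
    # Read a NUL-terminated name from a string table.
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def audit_ko(data):
    """Return sorted (category, detail) findings; the module is only parsed, never loaded."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data)
    e_type, shoff, shentsize, shnum, shstrndx = hdr[1], hdr[6], hdr[11], hdr[12], hdr[13]
    if e_type != 1:  # ET_REL: kernel modules are relocatable objects
        raise ValueError("not a relocatable object")
    secs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    body = lambda s: data[s[4]:s[4] + s[5]]  # sh_offset, sh_size
    shstr = body(secs[shstrndx])
    findings, modinfo = set(), {}
    for s in secs:
        if s[1] == 2:  # SHT_SYMTAB; sh_link (s[6]) names its string table
            strtab = body(secs[s[6]])
            for off in range(s[4], s[4] + s[5], 24):
                st_name, _, _, shndx, _, _ = struct.unpack_from("<IBBHQQ", data, off)
                name = _cstr(strtab, st_name)
                if shndx == 0 and name in WATCHLIST:  # SHN_UNDEF: resolved by the kernel at load
                    findings.add((WATCHLIST[name], name))
        elif _cstr(shstr, s[0]) == ".modinfo":  # NUL-separated key=value records
            for item in body(s).split(b"\0"):
                k, sep, v = item.decode("ascii", "replace").partition("=")
                if sep:
                    modinfo[k] = v
    # Assumed metadata heuristic: a module that declares no license.
    if "license" not in modinfo:
        findings.add(("metadata anomaly", "no license in .modinfo"))
    return sorted(findings)

if __name__ == "__main__" and len(sys.argv) > 1:
    for category, detail in audit_ko(open(sys.argv[1], "rb").read()):
        print(f"[{category}] {detail}")
```

A hit here only means the module imports a symbol on the watchlist; legitimate drivers and tracing tools import some of these too, so findings need manual review.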