New FlipSwitch Hooking Method Overcomes Linux Kernel Defenses


A novel rootkit hooking method dubbed FlipSwitch has emerged, circumventing the syscall-dispatch change introduced in Linux kernel 6.9 and reigniting concerns over kernel-level compromise.

By patching the machine code of the new syscall dispatcher itself, rather than the sys_call_table that the kernel no longer consults, FlipSwitch restores the classic power of syscall hooking: stealthy interception of critical system calls such as kill (to shield a malicious process from signals) and getdents64 (to hide files from directory listings).

For years, Linux rootkits such as Diamorphine and PUMAKIT abused the sys_call_table, a plain array of function pointers indexed by syscall number, to reroute syscalls through attacker-controlled functions.

By disabling write protection and overwriting specific entries, an adversary could hide files from directory listings (by filtering the results of getdents64) or swallow termination attempts aimed at its own processes (by intercepting kill).

The release of Linux kernel 6.9, however, dealt a heavy blow to this approach on x86-64: the kernel replaced the direct array lookup

// Pre-6.9: Direct array lookup
sys_call_table[__NR_kill](regs);

with a switch-statement dispatch inside x64_sys_call, in which each case is a direct call to the corresponding handler. The table still exists, but the syscall entry path no longer reads it, so overwriting its entries no longer changes which handler actually runs.
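To make the consequence concrete, the following user-space C program is an added illustration (not kernel code and not part of the FlipSwitch research) that models both dispatchers side by side: a function-pointer table indexed the way the pre-6.9 entry code did it, and a switch of direct calls like x64_sys_call. The handler names and return values are invented stand-ins; only the syscall numbers are the real x86-64 ones. Installing the classic table hook changes the result of the table dispatcher and leaves the switch dispatcher untouched.

```c
#include <stdio.h>

/* Toy stand-in for struct pt_regs: only the first syscall argument (rdi). */
struct regs { long di; };

/* Two "syscall handlers" standing in for the real __x64_sys_* functions. */
static long sys_kill(const struct regs *r)   { return 1000 + r->di; }
static long sys_getpid(const struct regs *r) { (void)r; return 4242; }
/* Attacker-supplied replacement for kill. */
static long fake_kill(const struct regs *r)  { (void)r; return -1; }

typedef long (*sys_call_ptr_t)(const struct regs *);

enum { NR_getpid = 39, NR_kill = 62, NR_MAX = 64 };   /* real x86-64 syscall numbers */
#define ENOSYS_RET (-38)

/* The function-pointer table, indexed directly by the pre-6.9 entry code. */
static sys_call_ptr_t sys_call_table[NR_MAX] = {
    [NR_getpid] = sys_getpid,
    [NR_kill]   = sys_kill,
};

/* Pre-6.9 style: one indirect call through the table entry. */
static long dispatch_table(unsigned nr, const struct regs *r)
{
    if (nr >= NR_MAX || !sys_call_table[nr])
        return ENOSYS_RET;
    return sys_call_table[nr](r);
}

/* 6.9 style: a switch of direct calls. The table is never consulted here. */
static long dispatch_switch(unsigned nr, const struct regs *r)
{
    switch (nr) {
    case NR_getpid: return sys_getpid(r);
    case NR_kill:   return sys_kill(r);
    default:        return ENOSYS_RET;
    }
}

/* The classic Diamorphine-style hook: overwrite the table entry. */
static void hook_table_kill(void)
{
    sys_call_table[NR_kill] = fake_kill;
}

/* Wrappers so the two dispatchers can be compared with plain scalars. */
static long call_via_table(unsigned nr, long arg)
{
    struct regs r = { arg };
    return dispatch_table(nr, &r);
}

static long call_via_switch(unsigned nr, long arg)
{
    struct regs r = { arg };
    return dispatch_switch(nr, &r);
}

int main(void)
{
    printf("before hook: table=%ld switch=%ld\n",
           call_via_table(NR_kill, 1), call_via_switch(NR_kill, 1));
    hook_table_kill();
    printf("after hook:  table=%ld switch=%ld\n",
           call_via_table(NR_kill, 1), call_via_switch(NR_kill, 1));
    return 0;
}
```

After the hook, the table path returns the attacker's -1 while the switch path still returns the genuine handler's value, which is exactly why a 6.9 rootkit has to look elsewhere.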

FlipSwitch: Rediscovering the Hook

FlipSwitch’s key insight is that the original handlers are still reached through the switch statement, just via direct call instructions compiled into x64_sys_call rather than through pointers loaded from a table.

Instead of tampering with sys_call_table, FlipSwitch locates and patches the machine-level call instruction within x64_sys_call that invokes the target syscall function. This process unfolds in four stages:

  1. Discover the Original Function Address
    Although sys_call_table no longer governs dispatch, it still holds valid pointers to the handlers. Reading the entry sys_call_table[__NR_kill] yields the address of the original kill handler, sys_kill (on x86-64 the table actually stores the __x64_sys_kill wrapper, which is also what the switch calls).
  2. Locate kallsyms_lookup_name
    kallsyms_lookup_name has not been exported to modules since Linux 5.7, so FlipSwitch recovers it through the kprobes API: it registers a kprobe by symbol name, reads the resolved address back from the probe structure, and unregisters the probe. With that function pointer it can resolve any kernel symbol, exported or not, including x64_sys_call itself.
  3. Scan for the Unique Call Instruction
    The machine code of x64_sys_call is searched byte by byte for the opcode 0xE8 (near call with a 32-bit relative displacement) followed by the 4-byte displacement that, added to the address of the following instruction, equals the address of sys_kill. Because that handler is called from exactly one case of the switch, the signature should match exactly one instruction; FlipSwitch relies on that uniqueness to avoid patching the wrong call.
  4. Patch the Dispatcher
    Running at ring 0, FlipSwitch clears the WP bit in CR0 so that read-only kernel text becomes writable. Since Linux 5.3 the kernel's own write_cr0() helper pins this bit and refuses to clear it, so rootkits of this kind write CR0 directly with an inline mov instead. It then overwrites the 4-byte displacement of the located call so that it targets the module's fake_kill handler, and re-enables WP. On module unload the original displacement is written back, leaving little forensic evidence in the dispatcher itself.

Implications and Defensive Strategies

FlipSwitch underscores the persistent cat-and-mouse dynamic between kernel hardening and adversary innovation. While Linux developers continue to fortify syscall dispatch, attackers adapt by targeting the compiled dispatch logic itself. The technique still presupposes ring 0, that is, the ability to load a kernel module, so signed-module enforcement and kernel lockdown remain the first barrier; beyond that, mitigations may include:

  • Runtime Integrity Verification: Periodically hashing the machine code of x64_sys_call (or re-deriving the target of every direct call inside it and checking that it lies in core kernel text) and comparing against a baseline captured before untrusted code could run.
  • Enhanced Kprobe Restrictions: Further limiting or auditing the use of kprobes to resolve unexported symbol addresses such as kallsyms_lookup_name.
  • Control-Flow Integrity (CFI): The kernel's CFI scheme (kCFI) type-checks indirect calls. The instruction FlipSwitch rewrites is a direct call, so CFI alone does not catch this patch; it still constrains attackers who fall back to corrupting function pointers, but against FlipSwitch the integrity of kernel text is what matters.
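An added example of the first mitigation above, again in user-space C over constructed bytes rather than live kernel memory (it is not from the page, the kernel, or Elastic): it re-derives the target of every direct call in a dispatcher fragment and flags any that leaves core kernel text, and it keeps a baseline hash of the bytes for comparison. The addresses, text range and byte sequences are hypothetical; the patched snapshot differs from the clean one only in the four displacement bytes a FlipSwitch-style hook would rewrite.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical layout: the dispatcher sits at the start of core kernel text
 * [0xffffffff81000000, 0xffffffff82000000); modules are mapped far above it. */
#define DISPATCHER_ADDR 0xffffffff81000000ULL
#define TEXT_START      0xffffffff81000000ULL
#define TEXT_END        0xffffffff82000000ULL

/* Constructed 15-byte fragment of a switch-style dispatcher:
 *   mov rsi,rdi ; call +0x1FF8 (some handler) ; ret ; call +0xFF2 (sys_kill) ; ret */
static const uint8_t clean_dispatcher[15] = {
    0x48, 0x89, 0xFE,
    0xE8, 0xF8, 0x1F, 0x00, 0x00,
    0xC3,
    0xE8, 0xF2, 0x0F, 0x00, 0x00,
    0xC3,
};

/* The same bytes after a FlipSwitch-style patch: the second call's disp32 is
 * now 0x3EFFFFF2, which resolves to 0xffffffffc0000000, i.e. module space. */
static const uint8_t patched_dispatcher[15] = {
    0x48, 0x89, 0xFE,
    0xE8, 0xF8, 0x1F, 0x00, 0x00,
    0xC3,
    0xE8, 0xF2, 0xFF, 0xFF, 0x3E,
    0xC3,
};

/* Decode the target of a rel32 CALL (E8 dd dd dd dd) at virtual address insn. */
static uint64_t call_target(uint64_t insn, const uint8_t *p)
{
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);
    return insn + 5 + (int64_t)rel;
}

/* Check 1: every direct call in the dispatcher must land inside core kernel
 * text, because that is where all syscall handlers live. Returns the offset of
 * the first call that does not, or -1 if none. Matching 0xE8 byte-wise is a
 * heuristic: an 0xE8 inside another instruction's immediate would be misread,
 * so a production checker should walk real instruction boundaries. */
static long first_foreign_call(const uint8_t *code, size_t len, uint64_t base,
                               uint64_t text_start, uint64_t text_end)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE8)
            continue;
        uint64_t t = call_target(base + i, code + i);
        if (t < text_start || t >= text_end)
            return (long)i;
    }
    return -1;
}

/* Check 2: hash the dispatcher bytes (FNV-1a 64) and compare with a baseline
 * that must have been taken before untrusted code could run, e.g. early boot.
 * A baseline captured after infection would only certify the patched state. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static int dispatcher_modified(uint64_t baseline, const uint8_t *code, size_t len)
{
    return fnv1a64(code, len) != baseline;
}

int main(void)
{
    uint64_t baseline = fnv1a64(clean_dispatcher, sizeof clean_dispatcher);
    const uint8_t *snapshots[2] = { clean_dispatcher, patched_dispatcher };
    for (int k = 0; k < 2; k++) {
        long off = first_foreign_call(snapshots[k], 15, DISPATCHER_ADDR, TEXT_START, TEXT_END);
        printf("snapshot %d: hash %s, foreign call at offset %ld\n", k,
               dispatcher_modified(baseline, snapshots[k], 15) ? "CHANGED" : "matches", off);
    }
    return 0;
}
```

The range check needs no baseline and survives across reboots and kernel updates, whereas the hash has to be re-captured for every kernel build; in practice a checker would run both, and because the rootkit restores the original bytes on unload, it has to run periodically while the module is loaded rather than once.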

Maintaining visibility into kernel control flow, alongside signature-based detection of known tooling, will be essential to stay ahead in the ongoing battle for Linux kernel integrity.

Detecting FlipSwitch with YARA

Detecting kernel-level rootkits remains challenging because they operate in memory from ring 0 and can undo their changes on unload. To aid defenders, Elastic Security has published a YARA rule targeting the FlipSwitch proof-of-concept. Its byte patterns are instruction sequences from the compiled PoC module itself (function prologues and stack accesses), not the four displacement bytes that change inside x64_sys_call:

rule Linux_Rootkit_Flipswitch_821f3c9e
{
    meta:
        author = "Elastic Security"
        description = "Detect FlipSwitch rootkit PoC"
        os = "Linux"
        arch = "x86"
    strings:
        $all_a = { FF FF 48 89 45 E8 F0 80 ?? ?? ?? }
        $main_b = { 41 54 53 E8 ?? ?? ?? ?? 48 C7 C7 ?? ?? ?? ?? }
    condition:
        #all_a >= 2 and 1 of ($main_b)
}

Deployed in a file scanner or a memory-scanning tool, the rule flags the FlipSwitch PoC module on disk or loaded in kernel memory. Because it keys on the PoC's compiled code rather than on the patched dispatcher, a recompiled or modified variant can evade it, so it complements rather than replaces the integrity checks above.

As kernel defenses evolve, research like FlipSwitch highlights the critical need for layered protections and proactive monitoring.
