This module appears to use a simple brute force method for uncovering the address of the system call table, as opposed to hardcoding from System.map. There's another more elegant solution that could be of interest to readers: http://www.elliotbradbury.com/linux-syscall-hooking-interrup...
On the other hand, if you're looking for a guide on understanding LKMs from the ground up and how they can apply to rootkits, I strongly recommend Joseph Kong's excellent book Designing BSD Rootkits. It's FreeBSD-specific and dates to 2007, but it's still not outdated AFAIR: http://www.nostarch.com/rootkits.htm
This doesn't attack gcc or python, it's just a trivial kernel module that interposes SYS_read. There's no germline persistence a la trusting trust. E.g. if I compile gcc, compile the Linux kernel, and compile python all on a system with this "rootkit" installed, and put the newly built kernel and toolchains on a new system, that system is clean.
This isn't really anything other than a Hello World kernel module.
Hmmm, well, no, it's not a full on "Trusting Trust" attack; though it has a similar outcome insofar as producing dirty binaries from clean source goes.
The module is simple, with the only tricky part being replacing a system call. My goal here was to play around with the idea of modifying source code en route to a compiler/interpreter in a sneaky way. Nothing more sophisticated than that. :]
> if I compile gcc, compile the Linux kernel, and compile python all on a system with this "rootkit" installed, and put the newly built kernel and toolchains on a new system, that system is clean.
Umm, not necessarily. Instances of "World!" in your compiled kernel, toolchain and python have been replaced with "Mrrgan".
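An added example, not code from the thread or from the module's author: a user-space differential check for the kind of SYS_read interposition described above. It reads a probe string back through read(2), which such a hook can rewrite, and through a file mapping, which does not go through SYS_read, and reports whether the two views disagree. It assumes the hook rewrites read(2) results regardless of which process is reading; a hook that only targets compilers or interpreters would not be caught by a probe run from this program.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Write `probe` to `path`, then read it back two ways: via the read(2)
 * syscall (subject to a SYS_read hook) and via a private file mapping
 * (page-fault driven, bypasses SYS_read). Returns 1 if the two views
 * differ, 0 if they match, -1 on error. Assumption: only SYS_read is
 * interposed, as the thread describes; a write(2) hook would also
 * taint the mapped view. */
int read_vs_mmap_mismatch(const char *path, const char *probe)
{
    size_t len = strlen(probe);
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, probe, len) != (ssize_t)len) { close(fd); return -1; }
    close(fd);

    /* Fresh descriptor so read(2) starts at offset 0. */
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    char via_read[128] = {0};
    ssize_t n = read(fd, via_read, sizeof via_read - 1);
    if (n < 0) { close(fd); return -1; }

    void *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED) return -1;

    /* Any difference between the syscall view and the mapped view means
     * something rewrote the data on the read(2) path. */
    int mismatch = ((size_t)n != len) || memcmp(via_read, map, len) != 0;
    munmap(map, len);
    return mismatch;
}

int main(void)
{
    /* Constructed probe: the string the thread says the module rewrites. */
    int r = read_vs_mmap_mismatch("/tmp/sys_read_probe.txt", "Hello World!");
    if (r < 0) { perror("probe"); return 2; }
    puts(r ? "read(2) output differs from the mapped file: SYS_read may be hooked"
           : "read(2) and mmap views agree");
    return r;
}
```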
If you're looking for deeper case studies on Linux rootkits, the Suterusu rootkit is an interesting PoC: http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kern...