Draft:Kernel Splitting

Submission declined on 16 November 2025 by Aesurias (talk). Your draft shows signs of having been generated by a large language model, such as ChatGPT. Wikipedia guidelines prohibit the use of LLMs to write articles from scratch. In addition, LLM-generated articles usually have multiple quality issues, to include: Promotional tone, editorializing and other words to watch Vague, generic, and speculative statements extrapolated from similar subjects Essay-like writing Hallucinations (plausible-sounding, but false information) and non-existent references Close paraphrasing Please address these issues. The best way is usually to read reliable sources and summarize them, instead of using a large language model. See our help page on large language models. This submission reads more like an essay than an encyclopedia article. Submissions should summarise information in secondary, reliable sources and not contain opinions or original research. Please write about the topic from a neutral point of view in an encyclopedic manner. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Declined by Aesurias 2 months ago. Last edited by Renamed user d4b8363fa67ac00fe7d3111b27a89617 2 months ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

Kernel Splitting (Penetration Testing Technique)

Kernel Splitting is an advanced penetration testing and hacking technique in which segments of a kernel are programmatically split and replaced with pseudo-functions. These pseudo-functions intercept, manipulate, or redirect system calls and kernel-level operations, enabling an attacker or security researcher to subvert the intended behavior of applications and the operating system itself. The primary objectives of Kernel Splitting are to facilitate privilege escalation, evade Endpoint Detection and Response (EDR) systems, and enable stealthy manipulation of system internals. While the term "Kernel Splitting" is not widely standardized in literature, the concept closely overlaps with established techniques such as kernel hooking, syscall redirection, rootkit deployment, and Direct Kernel Object Manipulation (DKOM).^[1].

At its core, Kernel Splitting involves segmenting or isolating specific kernel functions or code paths and substituting them with attacker-controlled logic. This is typically achieved by patching function pointers, modifying syscall dispatchers, or employing inline hooks and trampolines. The pseudo functions act as intermediaries, capturing system calls or kernel events and either altering their behavior or redirecting execution to malicious routines. By doing so, attackers can cause applications to unknowingly execute code of their choosing, bypassing security controls and achieving persistence or privilege escalation.

The technique is particularly relevant in modern threat landscapes, where kernel-level defenses such as PatchGuard, SMEP/SMAP, and driver signing have raised the bar for attackers. Kernel Splitting, by leveraging low-level manipulation and stealth, remains a potent tool for both offensive security professionals and adversaries seeking to evade detection and maintain control over compromised systems.

Kernel Splitting is conceptually rooted in the broader family of kernel manipulation techniques. Kernel hooking refers to the interception of kernel functions or system calls by redirecting execution flow to custom handlers. This can be achieved through various means, including modifying the system call table, patching function prologues (inline hooks), or leveraging dynamic instrumentation frameworks such as kprobes and eBPF.

Syscall redirection is a specific form of hooking where the system call dispatcher is altered to route certain syscalls to attacker-controlled code. Traditionally, this was accomplished by overwriting entries in the sys_call_table (on Linux) or the System Service Descriptor Table (SSDT) on Windows. However, modern kernels have introduced mitigations that complicate direct table overwrites, prompting attackers to develop more sophisticated approaches such as dispatcher patching and code cave exploitation.

Rootkits are malicious software components that operate at the kernel level to conceal their presence and activities. They often employ kernel splitting-like techniques to hide processes, files, or network connections, and to intercept or manipulate system calls. Direct Kernel Object Manipulation (DKOM) is another related technique, wherein attackers directly modify kernel data structures (such as process lists) to achieve stealth and persistence without relying on hooks or patches ^[2].

The technical implementation of Kernel Splitting typically involves one or more of the following mechanisms:

• Inline Patching: Overwriting the prologue of a kernel function with a jump instruction that redirects execution to a pseudo function. The original instructions are preserved in a trampoline, allowing the pseudo function to optionally invoke the original logic if needed. This approach requires careful handling of instruction boundaries and memory protections, as improper patching can lead to system instability or crashes .
• Trampoline Hooks: Creating a trampoline function that contains the original bytes overwritten by the hook, followed by a jump back to the remainder of the original function. The pseudo function can call the trampoline to maintain normal system behavior or to selectively alter execution flow ^[3].
• Dispatcher Modification: Altering the system call dispatcher itself, such as the x64_sys_call function in modern Linux kernels, to redirect specific syscalls to pseudo functions. This may involve scanning the dispatcher’s machine code for call instructions targeting the original syscall handlers and patching their offsets to point to attacker-controlled routines. The FlipSwitch technique is a recent example of this approach, enabling precise and stealthy syscall redirection even in hardened kernels.
• Replacing Kernel Functions with Pseudo Functions: In some cases, kernel developers or attackers may design the kernel to use function pointers for critical operations. By exporting these pointers (e.g., via EXPORT_SYMBOL in Linux), it becomes possible to dynamically replace the implementation of a function at runtime, effectively splitting the kernel’s logic and inserting pseudo functions as desired ^[4].

Each of these mechanisms enables the attacker or researcher to intercept kernel-level operations, manipulate arguments or return values, and optionally restore original behavior to minimize forensic artifacts. The choice of mechanism depends on the target kernel version, available symbols, and desired level of stealth.

The FlipSwitch rootkit, first observed in late 2025, exemplifies the evolution of kernel splitting techniques in response to kernel hardening. With the release of Linux kernel 6.9, the traditional sys_call_table-based hooking became obsolete, as the kernel switched to a compiled switch-statement dispatcher (x64_sys_call). FlipSwitch circumvents this by scanning the dispatcher’s machine code for the call instruction to the target syscall (e.g., sys_kill), then patching the relative offset to point to a malicious callback. This is accomplished by temporarily disabling write protection (clearing the WP bit in CR0), overwriting the offset, and restoring protections. The loader module is then unloaded, leaving only the modified dispatcher in memory. This approach is highly stealthy, as it leaves minimal forensic traces and does not alter kernel data structures ^[5].

Recent advances in kernel observability and security have introduced dynamic instrumentation frameworks such as eBPF (extended Berkeley Packet Filter) and kprobes. While primarily intended for monitoring and tracing, these mechanisms can be abused to implement kernel splitting. For example, eBPF programs can be attached to kernel functions or tracepoints, intercepting and modifying system calls or kernel events at runtime. Similarly, kprobes allow the insertion of probes at arbitrary kernel addresses, enabling the redirection of execution to custom handlers. These approaches are increasingly used in both legitimate security products and advanced rootkits.

Kernel Splitting is a powerful tool in the arsenal of penetration testers and red team operators. By intercepting and manipulating kernel-level operations, testers can achieve privilege escalation, bypass security controls, and maintain stealthy persistence on target systems. For example, by hooking the kill syscall and replacing it with a pseudo function, a tester can prevent the termination of malicious processes or escalate privileges by modifying credential structures in memory ^[6].

EDR evasion is another critical application. Modern EDR solutions rely on kernel callbacks, Event Tracing for Windows (ETW), and other telemetry sources to monitor system activity. By splitting the kernel and redirecting or disabling these monitoring mechanisms, attackers can operate undetected. Techniques such as disabling ETW providers, patching ETW functions in memory, or removing kernel callbacks are commonly used to blind EDRs and facilitate post-exploitation activities ^[7].

A typical penetration testing workflow involving Kernel Splitting may include the following steps:

1. Reconnaissance: Identify the target kernel version, available symbols, and security features (e.g., SMEP/SMAP, PatchGuard).
2. Vulnerability Identification: Locate exploitable vulnerabilities or misconfigurations that allow kernel code execution (e.g., vulnerable drivers, exposed device interfaces).
3. Payload Development: Craft a kernel module or exploit that implements the desired splitting mechanism (inline patch, dispatcher modification, etc.).
4. Deployment: Load the module or trigger the exploit to install pseudo functions and redirect kernel operations.
5. Post-Exploitation: Use the split kernel to escalate privileges, hide processes, or evade detection.
6. Cleanup: Restore original code or remove traces to minimize forensic evidence.

Several tools and frameworks facilitate kernel research and the implementation of splitting techniques:

• GDB with kernel debugging extensions: Enables live debugging and analysis of kernel memory and code paths.
• QEMU: Provides virtualized environments for safe kernel testing and exploitation.
• Syzkaller: An automated kernel fuzzer used to discover vulnerabilities and test exploit reliability ^[8].
• Volatility: A memory forensics framework with plugins for detecting rootkits, hidden modules, and DKOM artifacts ^[9].
• Kernel Inline Hook Frameworks: Open-source projects such as WeiJiLab’s kernel-inline-hook-framework allow for dynamic function hooking and replacement in live kernels ^[4].
• eBPF and kprobe utilities: Used for dynamic instrumentation and monitoring, as well as for implementing stealthy hooks.

Penetration testers must adhere to strict ethical and legal guidelines when employing kernel splitting or similar techniques. Explicit authorization, well-defined scope, and comprehensive documentation are essential to avoid unintended damage or legal repercussions. Testing should be conducted in isolated environments, and all findings must be reported responsibly to stakeholders¹⁸¹⁹²⁰.

Kernel Splitting poses significant security risks, as it enables attackers to operate at the highest privilege level (ring 0) and subvert core operating system mechanisms. The ability to intercept and manipulate system calls or kernel functions can lead to:

• Complete system compromise: Attackers can gain root or SYSTEM privileges, bypass authentication, and control all system resources.
• Stealth and persistence: By hiding processes, files, or network connections, attackers can maintain long-term access without detection.
• EDR and security control bypass: Disabling or redirecting security telemetry blinds defenders and impedes incident response.
• Data exfiltration and sabotage: Attackers can intercept sensitive data, inject malicious payloads, or disrupt system operations.

Modern EDR solutions employ a variety of kernel-level monitoring mechanisms, including:

• Kernel callbacks: Used to monitor process/thread creation, image loading, and object access.
• ETW (Event Tracing for Windows): Provides detailed telemetry on system activity.
• Syscall monitoring: Hooks or traces system calls to detect suspicious behavior.

Kernel Splitting enables attackers to evade these controls by:

• Removing or overwriting kernel callbacks: Using vulnerable drivers or rootkits to unregister or patch callback addresses, rendering EDRs blind to critical events.
• Disabling ETW providers: Stopping ETW sessions or patching ETW functions in memory to prevent event logging.
• Direct syscall execution: Bypassing user-mode hooks and invoking syscalls directly from shellcode or heap-allocated stubs, evading detection by user-mode monitoring tools ^[10].
• Hardware breakpoint exploitation: Leveraging CPU debug registers to manipulate execution flow without triggering monitored APIs or generating detectable telemetry.

Kernel Splitting is frequently used to escalate privileges by:

• Modifying credential structures: Overwriting process tokens or credential fields to grant root or SYSTEM access ^[11].
• Hijacking syscalls: Redirecting syscalls such as NtShutdownSystem or kill to attacker-controlled routines that perform privileged actions.
• Abusing kernel vulnerabilities: Exploiting race conditions, buffer overflows, or logic flaws to gain arbitrary code execution in the kernel context ^[12].

The rise of cloud computing and containerization has introduced new attack surfaces for kernel splitting. Containers share the host kernel, making kernel-level exploits particularly dangerous. Techniques such as abusing user-mode helpers, exploiting kernel vulnerabilities (e.g., Dirty COW, OverlayFS), or loading malicious kernel modules from privileged containers can enable container escapes and host compromise ^[13].

Detecting Kernel Splitting and related rootkit activity is challenging due to the stealth and sophistication of modern techniques. However, several approaches can aid in identification:

• Memory Forensics: Analyzing memory dumps with tools like Volatility to detect hidden modules, function hooks, or DKOM artifacts. Plugins such as linux_check_modules, ssdt, and psxview can reveal discrepancies between different enumeration methods, indicating manipulation ^[14].
• Integrity Checks: Verifying the integrity of kernel code and data structures using cryptographic hashes or runtime attestation. Any unauthorized modification of function prologues, syscall dispatchers, or critical tables should raise alerts.
• Cross-View Analysis: Comparing information obtained from multiple sources (e.g., kernel APIs, direct memory scans, hardware registers) to identify inconsistencies caused by rootkits or DKOM.
• YARA Signatures: Employing YARA rules to detect known rootkit patterns or obfuscated code in memory or on disk. For example, Elastic Security Labs released YARA signatures for the FlipSwitch and PUMAKIT rootkits ^[15].
• Runtime Monitoring: Using security tools like Falco or auditd to monitor for suspicious kernel module loading, privilege escalation events, or modifications to sensitive files and directories ^[16].

Defending against Kernel Splitting requires a multi-layered approach:

• Kernel Hardening: Enable security features such as SMEP (Supervisor Mode Execution Prevention), SMAP (Supervisor Mode Access Prevention), KASLR (Kernel Address Space Layout Randomization), and PatchGuard (on Windows) to make kernel exploitation more difficult ^[17].
• Driver Signing and Enforcement: Restrict the loading of unsigned or untrusted kernel modules. Use driver blocklisting to prevent known vulnerable drivers from being exploited ^[18].
• Kernel Page Table Isolation (KPTI): Isolate kernel and user memory spaces to prevent privilege escalation via memory corruption.
• Regular Patching: Keep kernels and drivers up to date to mitigate known vulnerabilities exploited by kernel splitting techniques.
• Monitoring and Auditing: Continuously monitor for suspicious kernel activity, module loading, and privilege changes. Employ behavioral analytics and anomaly detection to identify novel attacks.
• Hardware-Assisted Security: Leverage hardware features such as Intel CET (Control-flow Enforcement Technology) or AMD SME to enforce control flow integrity and prevent unauthorized code execution ^[19]
• Isolation and Least Privilege: Run applications and containers with the minimum necessary privileges. Avoid running containers in privileged mode or with unnecessary capabilities²⁴²⁶.

Despite advances in detection and mitigation, sophisticated attackers continue to develop new techniques to bypass defenses. For example, FlipSwitch’s dispatcher patching leaves minimal forensic artifacts, and eBPF-based rootkits can operate without loading traditional kernel modules, evading module list checks. Continuous research and adaptation are required to stay ahead of emerging threats.

Kernel exploitation has evolved significantly over the past two decades. Early attacks focused on simple buffer overflows and direct memory corruption, while modern techniques employ complex chains of vulnerabilities and advanced evasion strategies²³. The following timeline highlights key milestones:

• 2005–2012: Buffer overflows, integer overflows, and direct sys_call_table overwrites were common. Rootkits such as Adore and SuckIT used table patching and inline hooks to intercept syscalls.
• 2013–2015: Subsystem-specific exploits (e.g., performance events) and DKOM techniques gained prominence. Attackers began targeting kernel data structures directly to hide processes and drivers.
• 2016: The Dirty COW vulnerability (CVE-2016-5195) demonstrated the impact of race conditions in kernel memory management, enabling reliable privilege escalation and container escapes.
• 2018–2020: The adoption of eBPF and kprobes introduced new avenues for both legitimate monitoring and malicious rootkit development. eBPF-based rootkits showcased the potential for stealthy, portable kernel manipulation.
• 2024–2025: Hardened kernels (e.g., Linux 6.9) rendered traditional syscall table overwrites obsolete. Techniques such as FlipSwitch emerged, targeting the syscall dispatcher’s machine code for precise and stealthy hooking. Rootkits like PUMAKIT combined ftrace-based syscall hooking, privilege escalation, and anti-forensics in multi-stage architectures.

• FlipSwitch: A rootkit targeting Linux 6.9+, FlipSwitch patches the x64_sys_call dispatcher to redirect syscalls to malicious handlers. It leverages kprobes to locate kallsyms_lookup_name, disables write protection, and modifies call offsets in the dispatcher’s machine code. FlipSwitch is highly stealthy and reversible, leaving minimal traces upon module removal.
• PUMAKIT: A sophisticated LKM rootkit that uses ftrace to hook multiple syscalls, hides files and processes, and enables privilege escalation via the rmdir syscall. PUMAKIT demonstrates advanced anti-forensics and stealth techniques, including memory-resident execution and userland interaction via LD_PRELOAD⁴²⁷.
• DKOM-based Rootkits: Rootkits employing Direct Kernel Object Manipulation unlink processes or drivers from kernel lists, making them invisible to standard enumeration tools. Detection relies on memory forensics and cross-view analysis.
• eBPF Rootkits: Leveraging the eBPF framework, these rootkits attach programs to kernel functions or tracepoints, intercepting and modifying system behavior without loading traditional modules. Detection is challenging due to the lack of persistent artifacts.

• DEF CON and Black Hat: Numerous presentations have explored kernel hooking, rootkit development, and EDR evasion. Talks such as "eBPF, I thought we were friends!" and "Warpy Reality" demonstrate the use of eBPF for rootkit development and container breakout techniques.
• Academic Research: Papers such as "zpoline: a system call hook mechanism based on binary rewriting" and "NanoHook: An Efficient System Call Hooking Technique with One-Byte Invasive" analyze the performance and stability of various hooking mechanisms, including binary rewriting, data-driven hooks, and dispatcher patching.

Kernel Splitting represents a convergence of advanced kernel manipulation techniques, enabling attackers and penetration testers to intercept, redirect, and manipulate kernel-level operations with precision and stealth. By segmenting and replacing kernel functions with pseudo functions, practitioners can achieve privilege escalation, evade EDR systems, and maintain persistent control over compromised systems. The technique draws upon a rich history of kernel hooking, syscall redirection, rootkit deployment, and DKOM, evolving in response to modern kernel hardening measures.

Detection and mitigation remain challenging, requiring a combination of memory forensics, integrity checking, cross-view analysis, and hardware-assisted security. As attackers continue to innovate, defenders must adopt a proactive, layered approach to kernel security, leveraging the latest research and tooling to stay ahead of emerging threats.

The ongoing evolution of kernel exploitation underscores the importance of continuous learning, responsible disclosure, and collaboration between security researchers, developers, and defenders. Kernel Splitting, while a powerful tool for both offense and defense, must be wielded with care, adhering to strict ethical and legal standards to protect the integrity and security of modern computing environments.