My some questions about how it works and more

[dmknght]

Hello! I want to thank you for very cool and useful module to detect hidden kernel modules. I'm making a project to scan malware and rootkit on Linux (the scope is to replace rkhunter and chkrootkit which mostly use absolute file and dir paths check). I would like to reuse your code in my project for the LKM modules (which can't be trusted by user's land applications). I have some questions:

1. I didn't do kernel module programming. And readme didn't have explaination so I would like to ask to understand the method this module uses. Is this some kind of check kernel's symbols and compare to find hidden modules?
2. Let say that attacker added the module to the system. Is there any possible way to find the location of the file?
3. I am thinking about a possible way to unload the rootkit's module and possibly allow a scanner (I'm using Yara) to scan with rules / signatures. Do you think it can be done, considering rootkit's module blocks applications from reading the module file to hide itself.