linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 18b828344d967323f6fb5d49c287c91a7a90db65
parent bd3f1401d3e3abfdf424330e923c1d7590c9a33d
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Wed,  3 Feb 2021 22:03:34 +0100

Fix ret/retq quirk on different machines

Diffstat:
M project/extract_sizeret.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/project/extract_sizeret.py b/project/extract_sizeret.py @@ -114,7 +114,7 @@ class Stage3(): disass = gdb.execute(f"disass {b}", to_string=True).strip().split("\n") disass = [instr.split("\t") for instr in disass] instrs = [(instr[0].strip(), instr[1].split(" ")[0].strip()) for instr in disass if len(instr) > 1] - retqs = [int(loc.split("<")[1].split(">")[0]) for (loc, instr) in instrs if instr == "retq"] + retqs = [int(loc.split("<")[1].split(">")[0]) for (loc, instr) in instrs if instr == "ret" or instr == "retq"] # set breakpoints at function exits (retq), to extract return value for retq in retqs:
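Review bot: the trailing comment in this hunk, "set breakpoints at function exits (retq)", and the list name `retqs` now describe only one of the two mnemonics the filter accepts, so the next reader will assume `ret` lines are dropped; update the comment to "(ret/retq)" and consider renaming the list to `rets`. The new condition would also read more idiomatically as a membership test, `if instr in ("ret", "retq")`, which keeps the accepted mnemonics in one place if a third spelling ever has to be added.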