linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 34e1d57212f03969ba5d59df64049ee01d1c27d2
parent 4942eb17ff614eedf9a3e1747e11538b4876dc04
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun,  7 Feb 2021 22:08:29 +0100

Very specific dup_task_struct case

Diffstat:
M project/type_dict.py | 7 +++++++
1 file changed, 7 insertions(+), 0 deletions(-)

diff --git a/project/type_dict.py b/project/type_dict.py @@ -62,6 +62,13 @@ class CodeDict(): lnr = l[2] var = l[3] + # ugly, but necessary since gdb does not like $ whatis 'dup_task_struct'::tsk + # and task_struct is too important to give up + if "dup_task_struct" in line: + key = f"{src}:{lnr}" + val = "type = struct task_struct *" + continue + var = re.split('\-\>|\.', var) var[0] = re.sub('[.*?]', '', var[0])
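Review bot: the new branch assigns `key` and `val` and then immediately executes `continue`, so everything after it in the loop body is skipped; if the dictionary insertion for `key`/`val` sits at the end of that body (it is not visible in this hunk), the hard-coded `struct task_struct *` entry is computed but never stored, and the special case has no effect. Either store the entry explicitly before the `continue` (e.g. `self.d[key] = val` or whatever the class uses) or drop the `continue` and let the normal insertion path run. Two smaller points: `"dup_task_struct" in line` is a substring test, so any line mentioning a longer identifier that contains that name also takes this branch, and `var.startswith`/an exact match on the parsed function name would be tighter; and the unchanged context line `re.split('\-\>|\.', var)` uses `\-` and `\>` in a non-raw string literal, which Python treats as invalid escape sequences (a DeprecationWarning now, a SyntaxWarning from 3.12), so it should be a raw string `r'->|\.'` (no escape is needed for `-` or `>` outside a character class).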