linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 42712dd01a537395d4ef40c7613d7e0452b81a1f
parent f57cfae1ffed229df939bb56f369471539af9441
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 24 Jan 2021 23:27:03 +0100

working inferior reading

Diffstat:
Mmem_forensics/memcheck-gdb.py | 18++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/mem_forensics/memcheck-gdb.py b/mem_forensics/memcheck-gdb.py
@@ -668,6 +668,7 @@ class RkCheckFunctions(gdb.Command):
 return None
 # TODO just grab inferior id from add-inferior..
+ # -no-connection is _very_ important, otherwise we read in the live bytes from the vm again
 gdb.execute(f"add-inferior -exec {tmp} -no-connection")
 gdb.execute("inferior 2")
@@ -675,26 +676,23 @@ class RkCheckFunctions(gdb.Command):
 if symbol.entry["st_info"]["type"] == "STT_FUNC":
 name = symbol.name
 size = symbol.entry["st_size"]
+
 try:
- a = gdb.execute(f"x {name}", to_string=True).split(" ")[0]
+ a = gdb.execute(f"x {name} + {v_off_g}", to_string=True).split(" ")[0]
 except:
+ print(f"1: {name}")
 continue
- addr = int(a, 16)
 try:
+ addr = int(a, 16)
 elf = gdb.selected_inferior().read_memory(addr, size)
- gdb.execute("inferior 1")
- live = gdb.selected_inferior().read_memory(addr, size)
- gdb.execute("inferior 2")
 except:
+ print(f"2: {name}")
 continue
- if bytes(elf) != bytes(live):
- print(f"== {name} ==")
- print(f"Got bytes: {bytes(elf).hex()}")
- print(f"Live bytes: {bytes(live).hex()}")
-
+ gdb.execute("inferior 1")
+
 def fill_code_dict(self):
 for i, symbol in enumerate(self.s.iter_symbols()):
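Review bot: In the second hunk the `elf` bytes read from inferior 2 are never used after this change — the ELF-vs-live comparison that followed was removed, so the loop now only prints diagnostics and discards what it reads; if this is an intermediate step, keep the bytes per symbol (e.g. a dict keyed by `name`) so the integrity check can be restored on top of it. Both `except:` clauses are bare and swallow everything including KeyboardInterrupt, while the failures expected here are `gdb.error` from the `x` command and `ValueError`/`gdb.error` from `int()`/`read_memory`, and the `1:`/`2:` prefixes do not say which step failed. The trailing `gdb.execute("inferior 1")` runs only when the loop finishes normally, so any uncaught error leaves the detached inferior 2 selected for the rest of the session; a `finally` restores it on every path. `v_off_g` and the enclosing `for symbol` loop header are outside the hunk.
```python
        try:
            for symbol in self.s.iter_symbols():
                # … unchanged: STT_FUNC filter, name/size lookup …
                try:
                    a = gdb.execute(f"x {name} + {v_off_g}", to_string=True).split(" ")[0]
                except gdb.error:
                    print(f"x failed for {name}")
                    continue

                try:
                    addr = int(a, 16)
                    elf = gdb.selected_inferior().read_memory(addr, size)
                except (ValueError, gdb.error):
                    print(f"read failed for {name} at {a}")
                    continue
                # TODO: elf is read but unused; retain it per symbol for the comparison
        finally:
            gdb.execute("inferior 1")
```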