linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 9bfd769e2b93db710f386f47811f5c98fc86b668
parent 54966ee319deae1c4a11f57c2e56e0db7b93ade8
Author: deurzen <m.deurzen@tum.de>
Date:   Sun, 24 Jan 2021 09:42:46 +0100

adds symbol value resolution

Diffstat:
Mmem_forensics/memcheck-gdb.py | 5++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mem_forensics/memcheck-gdb.py b/mem_forensics/memcheck-gdb.py
@@ -643,7 +643,7 @@ class RkCheckFunctions(gdb.Command):
         self.compare_functions()
         print(" done!")
-        print(f"{self.diff_count} functions differ, {self.same_count} are equal, {self.skip_count} skipped")
+        print(f"{self.diff_count} functions differ, {self.same_count} are equal, {self.skip_count} (symbols) skipped")
     def fill_code_dict(self):
         for i, symbol in enumerate(self.s.iter_symbols()):
@@ -803,15 +803,18 @@ class RkCheckFunctions(gdb.Command):
         sec = self.f.get_section_by_name(".rela.text")
         data = sec.data()
+        symtab = self.f.get_section(sec['sh_link'])
         for reloc in sec.iter_relocations():
             addr = reloc['r_offset'] + v_off_g
             info = reloc['r_info']
             addend = reloc['r_addend']
+            sym_value = symtab.get_symbol(reloc['r_info_sym'])['st_value'] + v_off_g
             print('offset = %s' % hex(addr))
             print('info = %s' % hex(info))
             print('addend = %s' % hex(addend))
+            print('value = %s' % hex(sym_value))
     def compare_functions(self):
         for name, (size, elf_bytes) in self.code_dict.items():
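Review bot: The added `sym_value` line in the second hunk adds `v_off_g` to every symbol's `st_value`, but for an undefined symbol (an external reference, `st_shndx == 'SHN_UNDEF'`, `st_value` 0) the printed "value" is then just the load offset rather than a resolved address, and for symbols that live in a section other than the one `v_off_g` describes the offset is presumably wrong too — worth confirming against how `v_off_g` is computed, which is outside this hunk. A minimal guard would be `sym = symtab.get_symbol(reloc['r_info_sym'])` followed by `sym_value = sym['st_value'] + (v_off_g if sym['st_shndx'] != 'SHN_UNDEF' else 0)`, and a comment such as `# sh_link of a .rela section names the symbol table its r_info_sym indexes refer to` on the `symtab = ...` line would save the next reader a trip to the ELF spec. Since this tool inspects an object that may have been tampered with, a one-line sanity check that `sec['sh_link']` actually resolves to a symbol-table section before calling `get_symbol` on it would also be defensible; otherwise a malformed header surfaces as an unrelated exception mid-loop. The enclosing function starts outside the hunk, so the `v_off_g` name and the unused-looking `data = sec.data()` could not be checked here.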