linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 243e22e2b98f7ad638ace7c1e89bd05a3a28c597
parent 873af20d1a5906070ef59d75832380cee4a32680
Author: deurzen <m.deurzen@tum.de>
Date:   Mon, 25 Jan 2021 11:13:49 +0100

adds call -> nop skipping

Diffstat:
Mmem_forensics/memcheck-gdb.py | 9+++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/mem_forensics/memcheck-gdb.py b/mem_forensics/memcheck-gdb.py @@ -661,7 +661,7 @@ class RkCheckFunctions(gdb.Command): i = 0 for symbol in self.s.iter_symbols(): i += 1 - if i < 32000: + if i < 17000: continue if i > 34000: break @@ -846,7 +846,7 @@ class RkCheckFunctions(gdb.Command): # account for the LOCK prefix # https://stackoverflow.com/a/8891781/11069175 - if elf[i:i+2] == "f0": + if elf[i:i+2] == "f0" or live[i:i+2] == "f0": i += 2 continue @@ -855,6 +855,11 @@ class RkCheckFunctions(gdb.Command): i += 10 continue + # pattern: call -> nop + if elf[i:i+2] == "e8" and live[i:i+4] == "0f1f": + i += 10 + continue + resolved = False break else:
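Review bot: In the first hunk the symbol-index window `if i < 17000: continue` / `if i > 34000: break` is still a pair of unexplained magic numbers, and lowering the lower bound from 32000 widens the scan without recording why these particular bounds hold. Any kernel function whose symbol index falls outside the window is never compared against the ELF, which is a coverage gap for a check whose purpose is to find modified kernel text. Lift the bounds into named module constants with a comment stating what they delimit, e.g. `SYMBOL_SCAN_START = 17000  # TODO: document why symbols before this index are skipped` and `SYMBOL_SCAN_END = 34000`, or better expose them as command arguments so the scan can be widened to every symbol when needed. The enclosing loop body continues outside the hunk.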
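Review bot: In the second hunk the widened condition `if elf[i:i+2] == "f0" or live[i:i+2] == "f0":` skips one byte on both sides whenever either side shows 0xf0, without checking what the other side holds, so a live byte that differs from the ELF at that position is accepted as long as one of the two happens to be 0xf0 — a weakening of exactly the comparison this check exists to perform. If the intent is to tolerate the kernel's runtime patching of the LOCK prefix, compare the other side against the byte it is expected to be patched to rather than anything, e.g. `if {elf[i:i+2], live[i:i+2]} <= {"f0", PATCHED_LOCK_BYTE}:` with `PATCHED_LOCK_BYTE` a named constant whose value is taken from the linked reference (if I recall the x86 alternatives code correctly it is the DS-prefix byte 0x3e on non-SMP patching — confirm before hard-coding). Documenting that expectation in the existing comment would also make the skip auditable. The enclosing loop starts before this hunk.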
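Review bot: In the third hunk the new call-to-nop case matches only the first two bytes of the live side, `live[i:i+4] == "0f1f"`, yet advances by five bytes (`i += 10`), so a 0f 1f followed by any three bytes — including the shorter 0f 1f nop encodings with arbitrary trailing data — is accepted as a complete five-byte nop and those trailing bytes are never compared. A call silently replaced by a nop is also precisely the kind of in-place patch that disables a hook, and this branch treats every such site as benign without reporting it. Compare the whole sequence against the expected encoding, e.g. `if elf[i:i+2] == "e8" and live[i:i+10] == "0f1f440000":` (assuming the kernel's 5-byte nop here is P6_NOP5 — verify for this build), and consider recording the address of each skipped site so the operator can confirm it is a legitimately patched call rather than a dropped hook. The enclosing loop body and the trailing `else:` branch continue outside the hunk.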