linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 5d5484a49d6ba82de4e13518c40dc40227d89fb8
parent 692f706b7356f11288389e9c8cd2eb10e49ce033
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Mon, 25 Jan 2021 00:00:45 +0100

Fix small issues, limit count

Diffstat:
Mmem_forensics/memcheck-gdb.py | 16++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/mem_forensics/memcheck-gdb.py b/mem_forensics/memcheck-gdb.py
@@ -671,6 +671,7 @@ class RkCheckFunctions(gdb.Command):
 gdb.execute(f"add-inferior -exec {tmp} -no-connection")
 gdb.execute("inferior 2")
+ i = 0
 for symbol in self.s.iter_symbols():
 if symbol.entry["st_info"]["type"] == "STT_FUNC":
 name = symbol.name
@@ -679,7 +680,6 @@ class RkCheckFunctions(gdb.Command):
 try:
 a = gdb.execute(f"x {name} + {v_off_g}", to_string=True).split(" ")[0]
 except:
- print("TEST_try1")
 self.skip_count += 1
 continue
@@ -687,13 +687,16 @@ class RkCheckFunctions(gdb.Command):
 addr = int(a, 16)
 elf = gdb.selected_inferior().read_memory(addr, size)
 except:
- print("TEST_try2")
 self.skip_count += 1
 continue
 self.code_dict[name] = (addr, size, bytes(elf).hex())
+ i += 1
+ if i == 1000:
+ break
+ gdb.execute("inferior 1")
@@ -788,10 +791,11 @@ class RkCheckFunctions(gdb.Command):
 def compare_functions(self):
 for name, (addr, size, elf) in self.code_dict.items():
 try:
- addr = int(addr, 16)
 live = gdb.selected_inferior().read_memory(addr, size)
+ live = bytes(live).hex()
 except:
 self.skip_count += 1
+ print("Skipped at cmp")
 continue
 to_exclude = []
@@ -821,16 +825,16 @@ class RkCheckFunctions(gdb.Command):
 to_exclude += to_exclude_paravirt + to_exclude_altinstr
 if to_exclude:
- elf_bytes = "".join([elf_byte for i, elf_byte in enumerate(elf_bytes)
+ elf = "".join([elf_byte for i, elf_byte in enumerate(elf)
 if i not in to_exclude])
- live_bytes = "".join([elf_byte for i, elf_byte in enumerate(live_bytes)
+ live = "".join([live_byte for i, live_byte in enumerate(live)
 if i not in to_exclude])
 if live != elf:
 self.diff_count += 1
 print(f"function `{name}` compromised, live bytes not equal to ELF bytes")
- print(f"excluded: {to_exclude}, expected: {elf_bytes}, live: {live_bytes}")
+ print(f"excluded: {to_exclude}, expected: {elf}, live: {live}")
 else:
 self.same_count += 1
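Review bot: The cap `if i == 1000: break` added right after `self.code_dict[name] = ...` silently restricts the integrity check to the first 1000 STT_FUNC symbols in iteration order, so every function past that point is never snapshotted or compared and a modification there goes unreported, while nothing in the output says the scan was truncated; the counter `i = 0` introduced in the first hunk has the same problem, so this applies to both. If the limit is a debugging aid, give it a name and make the truncation visible, e.g. `MAX_FUNCTIONS = 1000  # functions snapshotted per run; the rest are NOT checked` as a class constant and `if i >= MAX_FUNCTIONS: print(f"stopping after {i} functions, remaining symbols unchecked"); break`, or expose it as a command argument so a full run is possible. Whether the following `gdb.execute("inferior 1")` is a new line or context cannot be told from this rendering. The enclosing method starts and ends outside the hunk.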
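Review bot: `print("Skipped at cmp")` in the `except:` of compare_functions does not say which function was skipped, so a skipped entry cannot be reconciled with `self.skip_count` afterwards, and it reads as the same kind of debug print the commit removes elsewhere (`TEST_try1`, `TEST_try2`). Since `name`, `addr` and `size` are all in scope there, `print(f"skipped `{name}`: could not read {size} bytes at {addr:#x}")` keeps the skip auditable. The bare `except:` it sits in is pre-existing, but it also catches KeyboardInterrupt; `except gdb.MemoryError:` would be the targeted form for a failed read_memory. compare_functions begins in this hunk and continues past it.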
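Review bot: After this rename `elf` and `live` are hex strings (`bytes(elf).hex()` in the third hunk, `bytes(live).hex()` in the fourth), so `enumerate(elf)` yields one hex character per index and `if i not in to_exclude` drops single nibbles; unless `to_exclude_paravirt`/`to_exclude_altinstr` (built outside this hunk) are already expressed as indices into the hex string, a byte offset b has to exclude positions 2*b and 2*b+1, otherwise the filtered strings are misaligned and the `live != elf` comparison will report false mismatches or hide real ones. `to_exclude` is also a list, so the membership test is linear per character; `excluded = set(to_exclude)` built once before the two comprehensions and used in both makes the filter O(1) per index. The rest of compare_functions continues outside the hunk.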