linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

occ.sh (775B)


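      #!/bin/bash
      # Extract all occurrences of calls to the functions listed below (and the
      # variables their results are assigned to) from a kernel source tree.
      # The matches are collected with cscope in ".funcs", which is then moved
      # back into the directory the script was started from.
      #
      # Usage: occ.sh <kernel src dir>

      # These are (more or less) wrappers for the functions we use in livedm.py.
      funcs=("kmalloc" "kzalloc" "vmalloc" "vzalloc" "alloc_task_struct_node")
      out=".funcs"

      # Validate the invocation before anything is deleted or the working
      # directory changes. The usage path keeps the original exit status 0.
      if [ $# -eq 0 ]; then
          echo "Usage: $0 <kernel src dir>"
          exit 0
      fi

      if ! [ -x "$(command -v cscope)" ]; then
          echo 'Dependency cscope is missing.' >&2
          exit 1
      fi

      if ! [ -d "$1" ]; then
          printf 'Not a directory: %s\n' "$1" >&2
          exit 1
      fi

      # Remove leftovers of an earlier run from the starting directory.
      # "--" and the quotes keep every name a single literal operand.
      rm -f -- cscope.out cscope.files "$out"

      for f in "${funcs[@]}"; do
          rm -f -- "$f"
      done

      echo "Generating file cscope.files.."

      old_pwd=$PWD

      # Stop if the source directory cannot be entered; continuing would let
      # find and cscope index whatever directory the script was started in.
      cd -- "$1" || exit 1
      find . \
          -name "*.[chxsS]" -print > ./cscope.files
      echo "Done!"

      echo "Generating occurence database.."
      # Start from an empty result file: the loop appends, so a stale file left
      # in the source tree by an interrupted run would duplicate entries.
      : > "$out"
      for f in "${funcs[@]}"; do
          # -L -0: one line-oriented "find this C symbol" query per function.
          cscope -L -0 "$f" >> "$out"
      done
      echo "Done!"

      mv -- "$out" "$old_pwd"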