Pull a hidden kernel module by reading the memory core directly?

Question

Pull a hidden kernel module by reading the memory core directly?

Is it possible to find hidden kernel modules by directly reading the memory core?

By hiding, I mean LKM, which is removed from the list of kernel modules.

If so, what structure should I expect, or what document should I read?

+4

linux kernel

daisy Oct 22 '12 at 6:02

source share

1 answer

ytliu · Answer 1 · 2013-08-27T11:50:58+0000

after @Eugene, I find a way to read the kernel memory directly to find the so-called not-so-smart hidden module: just compare the module in terms of both procfs and sysfs:

static int detect_hidden_mod_init(void) { char *procfs_modules[MAX_MODULE_SIZE]; char *sysfs_modules[MAX_MODULE_SIZE]; int proc_module_index = 0, sys_module_index = 0; struct module *mod; struct list_head *p; // get modules from procfs perspective list_for_each(p, &__this_module.list){ mod = list_entry(p, struct module, list); procfs_modules[proc_module_index++] = mod->name; } // get modules from sysfs perspective struct kobject *kobj; struct kset *kset = __this_module.mkobj.kobj.kset; list_for_each(p, &kset->list) { kobj = container_of(p, struct kobject, entry); sysfs_modules[sys_module_index++] = kobj->k_name; } //compare the procfs_modules and sysfs_modules ... }

In fact, it can detect most of the current routine hidden module, but, as Eugene said, "a smart rootkit may try to hide this data." So this is not an ideal way.

Pull a hidden kernel module by reading the memory core directly?

More articles: