Comments (15)
Scratch that last phrase. Procmon should be able to determine if the syscall table is already patched, and if it is, it should be possible to guess whether it's patched by procmon's stubs. If so, it should be possible to get the real syscall address and re-patch.
Also scratch that last thing! It should be possible to do so, BUT, if the user really wants to re-patch the syscalls (meaning patch the stubs with other stubs), tell him clearly why it's not a good idea. Anyway, give him the option to do so... We won't fight against brave people!
@alexandernst Alexander, what do you think about the option of restoring the original system call table using the vmlinux (or packed vmlinuz) image? Procmon could be used as a simple "anti-rootkit" solution in that case :)
@milabs Oh, that's an interesting point! You mean something like scanning (with udis?) a vmlinux binary, checking where the syscalls should be, and then checking the current syscall table, right?
@alexandernst Yes!
@milabs Procmon (Monks!) could expose the address of each syscall the same way it exposes the state of each syscall (via sysctl). That way we could do the checking part in the viewer rather than the kernel module. What do you think?
@alexandernst How do you intend to scan the kernel's memory from the viewer?
@milabs No need.
1. Load the kernel module.
2. Create entries for each syscall (we already do that) in `procmon.syscalls.__NR_read.realsc_addr`.
3. Start the viewer and check those values from `sysctl` while reading a binary vmlinux image.
I think it could work.
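The check described in the three steps above, written out as an added example (this is not code from the monks/procmon project). It assumes two inputs whose formats are constructed here: a text export of the live table as `<__NR_name> <current address>` (the thread only says the values would come from sysctl or procfs) and a `System.map`/`nm -n vmlinux` style symbol listing. It also assumes the `__NR_read` -> `sys_read` symbol naming; newer x86_64 kernels use `__x64_sys_*` wrappers, so that mapping would need adjusting. Entries whose current address differs from the expected symbol address are reported, and the example additionally notes whether the current address lies inside the kernel's `_stext`..`_etext` range, since a hook living outside it (typically in module address space) is the pattern a rootkit check cares about.

```python
"""Compare a live syscall-table export against a vmlinux symbol map."""
from typing import Dict, List, Optional, Tuple

# Constructed sample of the live table as the viewer would read it from
# procfs/sysctl. Format is an assumption: "<__NR_name> <current address>".
LIVE_TABLE = """\
__NR_read   0xffffffff81234560
__NR_write  0xffffffff81234a20
__NR_open   0xffffffffc0a01000
__NR_close  0xffffffff81235100
__NR_unlink 0xffffffff81260000
"""

# Constructed sample in System.map / `nm -n vmlinux` layout: "<addr> <type> <symbol>".
SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff81234560 T sys_read
ffffffff81234a20 T sys_write
ffffffff81234e80 T sys_open
ffffffff81235100 T sys_close
ffffffff81260000 T sys_unlink
ffffffff82000000 T _etext
"""

# (syscall name, status, current address, expected address or None, inside kernel .text)
Finding = Tuple[str, str, int, Optional[int], bool]


def parse_live_table(text: str) -> Dict[str, int]:
    """Parse '<__NR_name> <addr>' lines into {name: address}; skips malformed lines."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        table[parts[0]] = int(parts[1], 16)
    return table


def parse_system_map(text: str) -> Dict[str, int]:
    """Parse symbol-map lines, keeping only text symbols ('T'/'t') as {symbol: address}."""
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        addr, kind, sym = parts
        if kind in ("T", "t"):
            symbols[sym] = int(addr, 16)
    return symbols


def expected_symbol(nr_name: str) -> str:
    """Map __NR_<x> to the handler symbol sys_<x> (assumed naming, see lead-in)."""
    return "sys_" + nr_name[len("__NR_"):]


def in_kernel_text(addr: int, symbols: Dict[str, int]) -> bool:
    """True if addr lies within [_stext, _etext); False if the bounds are unknown."""
    if "_stext" not in symbols or "_etext" not in symbols:
        return False
    return symbols["_stext"] <= addr < symbols["_etext"]


def find_patched_entries(live: Dict[str, int], symbols: Dict[str, int]) -> List[Finding]:
    """Report every table entry that does not point at the vmlinux address for its handler."""
    findings: List[Finding] = []
    for nr_name, current in sorted(live.items()):
        expected = symbols.get(expected_symbol(nr_name))
        inside = in_kernel_text(current, symbols)
        if expected is None:
            # Cannot judge this entry: the symbol map has no handler for it.
            findings.append((nr_name, "unknown-symbol", current, None, inside))
        elif expected != current:
            findings.append((nr_name, "patched", current, expected, inside))
    return findings


def report(live_text: str = LIVE_TABLE, map_text: str = SYSTEM_MAP) -> List[Finding]:
    """Run the comparison on the two text inputs and return the findings."""
    return find_patched_entries(parse_live_table(live_text), parse_system_map(map_text))


if __name__ == "__main__":
    for name, status, current, expected, inside in report():
        where = "inside kernel .text" if inside else "OUTSIDE kernel .text"
        exp = f"{expected:#x}" if expected is not None else "n/a"
        print(f"{name}: {status}, current={current:#x}, expected={exp}, {where}")
```

With the constructed inputs only `__NR_open` is reported: its entry points into an address that is not `sys_open` and that lies outside `_stext`..`_etext`. A real viewer would also want to confirm that the symbol map actually belongs to the running kernel (`uname -r` against the map's version) and account for KASLR, which shifts every address by a per-boot offset that must be derived before the comparison.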
@alexandernst OK, I've got it. Do you think that sysctl is a good information-exporting interface?
@milabs Maybe not the best one. sysctl is the first thing I thought of, but it could be replaced with anything :)
The main idea is to keep as little logic as possible in the kernel module. The kernel module itself should just expose information and swap real syscalls with fake ones.
@alexandernst I think the proc interface is a good choice for that purpose. Sysctl is not the best one, as I see it.
In the end they are both quite the same. They place some files inside /proc, just in different locations.
Ok, I'll open an issue for this.
@alexandernst procfs allows reading one file to get many things (a list of broken syscalls, for example). I don't think that sysctl does it as well as proc, despite having the same back interface :)
@milabs Ah, indeed! Good point :)
If no other alternative shows up, procfs it will be.
@alexandernst procfs is the simpler one :)