[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kernel Text Comparison

On Jan 2, 2008 4:21 PM, Vijay Kumar <vijaykumar@xxxxxxxxxxxx> wrote:
Hi everyone,
I am working on a program that checks the integrity of the kernel code
to detect the presence of kernel rootkits. As a first step I am trying
to compare the text section of vmlinux with the text area dumped from
memory. I understand that vmlinux has no relocation entries and no
unresolved symbols, so the memory image and vmlinux should compare equal.

I used hexdump on vmlinux and /dev/mem to compare the two, I find that
for most part of it they compare equal, but they differ in some bytes
scattered all over the text.

Are the two images exactly equal in length ? 
Also, the changed parts might be due to self modifying code present in the kernel for architecture specific optimization. For i386 - http://lxr.linux.no/linux/arch/i386/kernel/alternative.c#L171

Please CMIIW.

Best regards,
Pranav

------------------------------------------------------------------------------------
Religion - it's a powerful healing force in a world torn apart - by Religion.
-- Jon Stewart