Idea for a kernel integrity check module

This evening I pushed a commit for tpe-lkm that checks if the symbol is already hijacked. If it is, it doesn't bother to hijack it, and spits out an error. This check was a side effect of my thinking about implementation details for a kernel integrity check module. The basic idea: continually check certain "vital" areas of kernel memory for suspicious activity, and take predefined action upon discovery. Kind of an anti-rootkit kernel module. As I get some more time in the coming weeks, and after some Google searches on the subject, I'll give more details, and hopefully some code to go with it.
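To make the idea concrete, here is a small user-space model of the two checks described above, written for this page as an added example (it is not code from tpe-lkm or from the module sketched in the post). The "vital" region is a constructed table of function pointers standing in for something like the syscall table; a baseline hash of the region is taken while it is trusted, a periodic check recomputes the hash and compares, a pre-hook check refuses to hook an entry that no longer points where a known-good copy says it should, and one possible predefined action restores the entry from that copy. All names (live_table, golden_table, evil_write_handler, run_scenario) are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a "vital" kernel table such as the syscall table:
 * an array of function pointers a rootkit would overwrite to hook a call.
 * This is a user-space model for illustration, not kernel code. */
typedef long (*handler_fn)(long);

static long read_handler(long x)  { return x + 1; }
static long write_handler(long x) { return x + 2; }
static long open_handler(long x)  { return x + 3; }

/* What a simulated rootkit installs over write_handler. */
static long evil_write_handler(long x) { return -x; }

#define NR_HANDLERS 3
static handler_fn live_table[NR_HANDLERS] = { read_handler, write_handler, open_handler };

/* Known-good copy taken at "module load": the reference for the
 * already-hijacked check and the source for the restore action. */
static handler_fn golden_table[NR_HANDLERS];

struct watched_region {
    const char *name;
    const void *start;
    size_t len;
    uint64_t baseline;        /* FNV-1a of the bytes at snapshot time */
};

static uint64_t fnv1a64(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the baseline for a region; call once while the region is trusted. */
void region_snapshot(struct watched_region *r)
{
    r->baseline = fnv1a64(r->start, r->len);
}

/* Periodic check: 1 if the region differs from its baseline, 0 if intact. */
int region_changed(const struct watched_region *r)
{
    return fnv1a64(r->start, r->len) != r->baseline;
}

/* Pre-hook check: 1 if the entry no longer points where we expect, meaning
 * someone else already replaced it and we should refuse to hook it. */
int entry_hijacked(const handler_fn *table, size_t idx, handler_fn expected)
{
    return table[idx] != expected;
}

/* One "predefined action": put the known-good pointers back.
 * Returns how many entries had to be repaired. */
int table_restore(handler_fn *table, const handler_fn *golden, size_t n)
{
    int repaired = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i] != golden[i]) {
            table[i] = golden[i];
            repaired++;
        }
    }
    return repaired;
}

/* Snapshot, simulate a hook, detect it, refuse to double-hook, restore.
 * Returns 0 on success or a negative code naming the failed step. */
int run_scenario(void)
{
    struct watched_region r = { "live_table", live_table, sizeof live_table, 0 };
    memcpy(golden_table, live_table, sizeof live_table);
    region_snapshot(&r);
    if (region_changed(&r)) return -1;                  /* fresh baseline must match */

    live_table[1] = evil_write_handler;                 /* simulated rootkit hook */
    if (!region_changed(&r)) return -2;                 /* periodic check must fire */
    if (!entry_hijacked(live_table, 1, golden_table[1])) return -3;

    if (table_restore(live_table, golden_table, NR_HANDLERS) != 1) return -4;
    if (region_changed(&r)) return -5;                  /* back to baseline */
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("scenario %s (%d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

Two caveats a practitioner would want before turning this into a kernel module: the baseline and golden copy are themselves a target, so they need to live somewhere a rootkit with kernel write access cannot quietly update alongside the table (read-only after init, or compared against an out-of-band source), and a table check only covers rootkits that edit the table; inline patches to the handler bodies or hooks earlier in the dispatch path need the handler text hashed as well.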
