This repository has been archived by the owner on Nov 14, 2021. It is now read-only.
Currently we can't detect if KHOOK has been used to hook kernel functions. This is because it doesn't mess with the pointer but with the function itself, inserting assembly to get it to jump into a custom hook in the LKM.
This should be detectable (at least in a non-extensible way) by comparing the assembly to see if any suspicious jumps are performed immediately in the function.
What about making a shadow copy of the function and comparing it? Of course tyton should be loaded in a clean state, but it could detect a modification made afterwards.
@dvadell What do you mean by shadow copy? In my mind that's a full copy of the function put into memory and then, to check, doing a byte-by-byte comparison. I like the checksum idea. The alternative is to do exactly what KHOOK does in the first place (insert instructions) and check to see if they're there. IIRC, KHOOK inserts a jump into the front of the function to get inside the rootkit.
Yes, that's what I was referring to when I said shadow copy. I don't know what's easier to implement.
But the problem with inserting an instruction (as a canary, I imagine?) like KHOOK does is that you will be changing something. I think it's better to leave everything as it is, and detect any change.
I didn't mean inserting an instruction, but rather using the instruction API to detect insertions. A shadow copy would, I'd imagine, be fairly easy to implement, but performance-wise I'm not keen on copying every syscall in the kernel.
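One way to implement both ideas from the thread, the prologue check for an inserted jump and a checksum of the clean function text in place of a full shadow copy, as an added userland C example that is not tyton's or KHOOK's code. The jump byte patterns, the FNV-1a checksum and the sample "function" bytes are assumptions constructed for the demo, not real kernel text.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdicts: a control transfer at the entry point, or a body that no longer matches. */
enum hook_verdict { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_REL8,
                    HOOK_MOVABS_JMP, HOOK_CHECKSUM_MISMATCH };

/* x86-64 heuristic: does the function begin with an unconditional transfer elsewhere?
 * Legitimate thunks may start with a jmp, so a hit is a lead to confirm, not proof. */
static enum hook_verdict inspect_prologue(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return HOOK_JMP_REL32;           /* jmp rel32 */
    if (len >= 2 && code[0] == 0xEB) return HOOK_JMP_REL8;            /* jmp rel8 */
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) return HOOK_MOVABS_JMP; /* movabs rax,imm64; jmp rax */
    return HOOK_NONE;
}

/* FNV-1a over the function text: the checksum stand-in for a byte-for-byte shadow copy. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

struct fn_baseline { const char *name; size_t len; uint64_t sum; };
/* Record once while the system is believed clean (the thread's stated precondition). */
static struct fn_baseline record_baseline(const char *name, const uint8_t *text, size_t len) {
    return (struct fn_baseline){ name, len, fnv1a64(text, len) };
}

/* Later scan: cheap prologue check first, then the checksum for anything it misses. */
static enum hook_verdict check_function(struct fn_baseline b, const uint8_t *text) {
    enum hook_verdict v = inspect_prologue(text, b.len);
    if (v != HOOK_NONE) return v;
    return fnv1a64(text, b.len) == b.sum ? HOOK_NONE : HOOK_CHECKSUM_MISMATCH;
}

/* Constructed sample function text, not real kernel bytes. clean_fn is push rbp; mov rbp,rsp;
 * sub rsp,0x10; xor eax,eax; leave; ret. detoured_fn has its first five bytes replaced by a
 * jmp rel32 detour; patched_fn is altered mid-body only, so only the checksum can see it. */
static const uint8_t clean_fn[12]    = { 0x55,0x48,0x89,0xE5,0x48,0x83,0xEC,0x10,0x31,0xC0,0xC9,0xC3 };
static const uint8_t detoured_fn[12] = { 0xE9,0x00,0x10,0x00,0x00,0x83,0xEC,0x10,0x31,0xC0,0xC9,0xC3 };
static const uint8_t patched_fn[12]  = { 0x55,0x48,0x89,0xE5,0x48,0x83,0xEC,0x10,0x31,0xDB,0xC9,0xC3 };

int main(void) {
    struct fn_baseline b = record_baseline("sample_fn", clean_fn, sizeof clean_fn);
    printf("clean=%d detoured=%d patched=%d\n", check_function(b, clean_fn),
           check_function(b, detoured_fn), check_function(b, patched_fn));
    return 0;
}
```

The prologue check is the cheap pass that catches the front-of-function jump described above; the checksum is what makes the "clean baseline" idea pay off without copying every function body.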