Linux network protocol handler (seq_afinfo) hook detector.
Linux rootkits commonly replace the seq_show function pointer in
tcp_seq_afinfo, udp_seq_afinfo, and similar protocol handler
structures to hide network connections from /proc/net/tcp and
/proc/net/udp. This module reads those structs from memory and
compares each seq_ops function pointer (start, stop, next, show)
against the kernel text range (_stext.._etext) to detect hooks.
A pointer outside that range is not by itself proof of a hook: the
text of a legitimately loaded module also lies outside _stext.._etext,
so such pointers need further classification before being reported.
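The check outlined above, as an added example that is not the crate's own code: a seq_ops pointer is classified as kernel text, module text, or unknown, and only non-kernel pointers are reported. The addresses, the module list, and the helper names (KernelText, ModuleText, SeqOps, classify_ptr, check_seq_ops, sample_findings) are constructed for illustration; a real detector would resolve _stext/_etext from the symbol table and read the afinfo structs out of the memory image.

```rust
/// Kernel text range, as resolved from the symbol table (_stext, _etext).
#[derive(Debug, Clone, Copy)]
pub struct KernelText {
    pub stext: u64,
    pub etext: u64,
}

/// Text range of a loaded kernel module (base and size as in the module list).
#[derive(Debug, Clone)]
pub struct ModuleText {
    pub name: String,
    pub base: u64,
    pub size: u64,
}

/// The function pointers of a `struct seq_operations`, as read out of the
/// afinfo struct in memory.
#[derive(Debug, Clone, Copy)]
pub struct SeqOps {
    pub start: u64,
    pub stop: u64,
    pub next: u64,
    pub show: u64,
}

/// Where a function pointer resolves to.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    /// Inside _stext.._etext: the expected case.
    KernelText,
    /// Inside the text of a known loaded module (named).
    Module(String),
    /// In no known text range: a likely hook.
    Unknown,
}

/// One finding: which afinfo field, the pointer value and its verdict.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub field: String,
    pub ptr: u64,
    pub verdict: Verdict,
}

/// Classify a single pointer against the kernel text range and known modules.
pub fn classify_ptr(ptr: u64, kt: &KernelText, modules: &[ModuleText]) -> Verdict {
    if ptr >= kt.stext && ptr < kt.etext {
        return Verdict::KernelText;
    }
    for m in modules {
        // saturating_add guards against a corrupted module size wrapping around.
        if ptr >= m.base && ptr < m.base.saturating_add(m.size) {
            return Verdict::Module(m.name.clone());
        }
    }
    Verdict::Unknown
}

/// Check all four seq_ops pointers of one afinfo struct and return every
/// pointer that does not resolve into the kernel text range.
pub fn check_seq_ops(afinfo: &str, ops: &SeqOps, kt: &KernelText, modules: &[ModuleText]) -> Vec<Finding> {
    let fields = [
        ("start", ops.start),
        ("stop", ops.stop),
        ("next", ops.next),
        ("show", ops.show),
    ];
    fields
        .iter()
        .filter_map(|&(name, ptr)| {
            let verdict = classify_ptr(ptr, kt, modules);
            if verdict == Verdict::KernelText {
                None
            } else {
                Some(Finding { field: format!("{}.seq_ops.{}", afinfo, name), ptr, verdict })
            }
        })
        .collect()
}

/// Constructed sample memory image (hypothetical addresses, not from a real kernel).
pub fn sample_findings() -> Vec<Finding> {
    let kt = KernelText { stext: 0xffff_ffff_8100_0000, etext: 0xffff_ffff_8200_0000 };
    let modules = vec![ModuleText { name: "nf_conntrack".into(), base: 0xffff_ffff_c0a0_0000, size: 0x4_0000 }];
    // Clean tcp_seq_afinfo: every pointer inside kernel text.
    let tcp = SeqOps { start: 0xffff_ffff_8188_1000, stop: 0xffff_ffff_8188_1080, next: 0xffff_ffff_8188_10f0, show: 0xffff_ffff_8188_1200 };
    // udp_seq_afinfo with .show redirected to an address in no known text range.
    let udp = SeqOps { show: 0xffff_ffff_c123_4560, ..tcp };
    let mut out = check_seq_ops("tcp_seq_afinfo", &tcp, &kt, &modules);
    out.extend(check_seq_ops("udp_seq_afinfo", &udp, &kt, &modules));
    out
}

fn main() {
    for f in sample_findings() {
        println!("{} -> {:#x}: {:?}", f.field, f.ptr, f.verdict);
    }
}
```

Pointers into a known module's text are returned with the module name rather than silently accepted, so a reviewer can still see that, for example, a netfilter module has replaced a seq_ops entry; only the Unknown verdict corresponds to the "not in any text range" case the description treats as a hook.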
Re-exports
pub use crate::heuristics::classify_afinfo_hook;
Structs
- AfInfoHook - Information about a network protocol handler with potential hooks.
Functions
- walk_check_afinfo - Walk network protocol handler structs and check for hooks.