Linux file_operations table hook detector.
Rootkits often replace function pointers in file_operations structs
(read, write, open, etc.) for /proc entries or device files. By comparing
these pointers against the kernel text range (_stext.._etext), we can
detect hooks pointing to non-kernel code (loaded module code or injected
memory).
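The range check described above, as an added example that is not the crate's own code: a minimal reimplementation that reuses the page's function names but with assumed signatures, applied to a constructed file_operations table whose `read` pointer has been redirected outside `_stext.._etext`.

```rust
// Added example (not the crate's code): classify file_operations
// pointers against the kernel text range. All addresses are constructed.

#[derive(Debug, Clone, PartialEq)]
pub struct HookedFop {
    pub name: &'static str,
    pub addr: u64,
}

/// Kernel text window, i.e. the [_stext, _etext) symbol range (assumed layout).
#[derive(Debug, Clone, Copy)]
pub struct KernelText {
    pub stext: u64,
    pub etext: u64,
}

/// True when `addr` lies inside the kernel's own text section.
pub fn is_kernel_text_address(kt: &KernelText, addr: u64) -> bool {
    addr >= kt.stext && addr < kt.etext
}

/// Classify each (slot name, pointer) pair. NULL slots are simply unset
/// operations, not hooks; any non-NULL pointer outside kernel text is flagged.
pub fn check_fops_entry(kt: &KernelText, fops: &[(&'static str, u64)]) -> Vec<HookedFop> {
    fops.iter()
        .filter(|(_, addr)| *addr != 0 && !is_kernel_text_address(kt, *addr))
        .map(|(name, addr)| HookedFop { name: *name, addr: *addr })
        .collect()
}

/// Constructed scan: a typical x86_64 kernel text window and a /proc entry
/// whose `read` pointer points into the module mapping area.
pub fn sample_scan() -> Vec<HookedFop> {
    let kt = KernelText { stext: 0xffff_ffff_8100_0000, etext: 0xffff_ffff_8200_0000 };
    let proc_entry_fops = [
        ("open", 0xffff_ffff_8123_4560),
        ("read", 0xffff_ffff_c0a1_2340), // constructed: outside _stext.._etext
        ("write", 0),                    // unset slot, ignored
        ("release", 0xffff_ffff_8112_3450),
    ];
    check_fops_entry(&kt, &proc_entry_fops)
}

fn main() {
    for h in sample_scan() {
        println!("hooked fop {} -> {:#x}", h.name, h.addr);
    }
}
```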
Structs§
- FopsHookInfo - Information about a file_operations struct with potential hooks.
- HookedFop - A single function pointer from a file_operations struct.
Functions§
- check_fops_entry - Read function pointers from a file_operations struct and classify each.
- is_kernel_text_address - Check whether an address falls within the kernel text section.
- scan_proc_fops - Scan key /proc entries for file_operations hooks.