Linux kernel inline hook detector.
Checks the first bytes of key kernel functions for JMP/CALL trampolines that indicate inline hooking. Reads the function prologue and checks for x86_64 patterns like:
- 0xE9 (relative JMP)
- 0xFF 0x25 (absolute indirect JMP)
- 0x48 0xB8 ... 0xFF 0xE0 (MOV RAX, imm64; JMP RAX)
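The following is an added example, not this crate's own code: a sketch of how the three listed encodings can be matched against prologue bytes and decoded into a jump destination. The names `HookPattern`, `classify_prologue` and `rel` are hypothetical, the address and byte strings are constructed, and skipping a leading ENDBR64 is an assumption about IBT-enabled kernels.

```rust
/// Which of the three trampoline encodings was found, with the decoded destination.
#[derive(Debug, PartialEq)]
pub enum HookPattern {
    RelJmp { target: u64 },    // E9 rel32
    IndirectJmp { slot: u64 }, // FF 25 disp32 (RIP-relative pointer slot)
    MovRaxJmp { target: u64 }, // 48 B8 imm64; FF E0
}

/// Sign-extend a little-endian 32-bit displacement and add it to `next`.
fn rel(next: u64, d: [u8; 4]) -> u64 {
    next.wrapping_add(i32::from_le_bytes(d) as i64 as u64)
}

/// Classify the first bytes of a function loaded at virtual address `addr`.
/// Returns None for anything else, including a truncated read.
pub fn classify_prologue(addr: u64, bytes: &[u8]) -> Option<HookPattern> {
    // Assumption: skip a leading ENDBR64 (F3 0F 1E FA), present on IBT-enabled builds.
    let skip = if bytes.starts_with(&[0xF3, 0x0F, 0x1E, 0xFA]) { 4 } else { 0 };
    let pc = addr.wrapping_add(skip as u64);
    match &bytes[skip..] {
        // Displacements are relative to the end of the instruction (5 or 6 bytes).
        [0xE9, a, b, c, d, ..] => Some(HookPattern::RelJmp {
            target: rel(pc.wrapping_add(5), [*a, *b, *c, *d]),
        }),
        [0xFF, 0x25, a, b, c, d, ..] => Some(HookPattern::IndirectJmp {
            slot: rel(pc.wrapping_add(6), [*a, *b, *c, *d]),
        }),
        [0x48, 0xB8, i0, i1, i2, i3, i4, i5, i6, i7, 0xFF, 0xE0, ..] => {
            let imm = [*i0, *i1, *i2, *i3, *i4, *i5, *i6, *i7];
            Some(HookPattern::MovRaxJmp { target: u64::from_le_bytes(imm) })
        }
        _ => None,
    }
}

fn main() {
    // Constructed samples at a made-up address: a clean prologue and a patched one.
    let addr = 0xffff_ffff_8100_0000u64;
    println!("{:?}", classify_prologue(addr, &[0x55, 0x48, 0x89, 0xE5]));
    println!("{:?}", classify_prologue(addr, &[0xE9, 0xFB, 0x0F, 0x00, 0x00]));
}
```

A match is a lead rather than a verdict: the decoded destination is what gets compared against the expected kernel text range in the next step of triage.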
Functions
- check_inline_hooks - Check key kernel functions for inline hooks.