Linux IDT (Interrupt Descriptor Table) hook detector.
Rootkits can overwrite IDT gates to intercept hardware interrupts, CPU
exceptions and the legacy `int 0x80` system call path (MITRE ATT&CK T1014,
Rootkit). This module reads the raw IDT entries from memory, reconstructs
each handler address and checks whether it falls inside the kernel text
segment (`_stext`..`_etext`). A present gate whose handler lies outside that
range (for example in module space or in unmapped memory) indicates a
potential hook. Because of KASLR the `_stext`/`_etext` bounds must be taken
from the running kernel (e.g. `/proc/kallsyms`), not from a static build.
On x86_64, the IDT has 256 entries (4096 bytes), each a 16-byte gate_descriptor:
- offset_low: u16 at +0
- segment: u16 at +2 (code segment selector, normally the kernel CS)
- ist: u8 at +4 (only bits 0..2 are the IST index; the rest are reserved)
- type_attr: u8 at +5 (bits 0..3 gate type: 0xE interrupt gate, 0xF trap gate; bits 5..6 DPL; bit 7 present)
- offset_mid: u16 at +6
- offset_high: u32 at +8
- reserved: u32 at +12
The handler address is reconstructed as:
(offset_high << 32) | (offset_mid << 16) | offset_low
Gates with the present bit clear carry no meaningful handler address and are
not classified against the text range.
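The parsing and classification described above, as an added stand-alone example (not this crate's own code). It constructs a three-entry IDT image in memory, with assumed `_stext`/`_etext` values and an assumed kernel CS selector of `0x10`, so it runs without reading kernel memory; the `encode` helper exists only to build that sample input.

```rust
/// One 16-byte x86_64 gate descriptor, parsed from raw IDT memory (little-endian).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct GateDescriptor {
    pub offset_low: u16,
    pub segment: u16,
    pub ist: u8,
    pub type_attr: u8,
    pub offset_mid: u16,
    pub offset_high: u32,
    pub reserved: u32,
}

impl GateDescriptor {
    /// Parse one entry from its 16 raw bytes, using the field offsets given above.
    pub fn parse(raw: &[u8; 16]) -> Self {
        GateDescriptor {
            offset_low: u16::from_le_bytes([raw[0], raw[1]]),
            segment: u16::from_le_bytes([raw[2], raw[3]]),
            ist: raw[4] & 0x07, // only the low 3 bits are the IST index
            type_attr: raw[5],
            offset_mid: u16::from_le_bytes([raw[6], raw[7]]),
            offset_high: u32::from_le_bytes([raw[8], raw[9], raw[10], raw[11]]),
            reserved: u32::from_le_bytes([raw[12], raw[13], raw[14], raw[15]]),
        }
    }

    /// Reassemble the 64-bit handler address from the three offset fields.
    pub fn handler(&self) -> u64 {
        ((self.offset_high as u64) << 32) | ((self.offset_mid as u64) << 16) | (self.offset_low as u64)
    }

    /// Gate type nibble: 0xE = 64-bit interrupt gate, 0xF = 64-bit trap gate.
    pub fn gate_type(&self) -> u8 {
        self.type_attr & 0x0F
    }

    /// Present bit (bit 7 of type_attr).
    pub fn present(&self) -> bool {
        self.type_attr & 0x80 != 0
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    NotPresent,
    InKernelText,
    OutsideKernelText,
}

/// Classify a gate against the kernel text range [stext, etext).
pub fn classify(gate: &GateDescriptor, stext: u64, etext: u64) -> Verdict {
    if !gate.present() {
        return Verdict::NotPresent;
    }
    let h = gate.handler();
    if h >= stext && h < etext { Verdict::InKernelText } else { Verdict::OutsideKernelText }
}

/// Walk a raw IDT image and return (vector, handler, verdict) per entry.
pub fn walk(idt: &[u8], stext: u64, etext: u64) -> Vec<(usize, u64, Verdict)> {
    idt.chunks_exact(16)
        .enumerate()
        .map(|(i, chunk)| {
            let mut raw = [0u8; 16];
            raw.copy_from_slice(chunk);
            let g = GateDescriptor::parse(&raw);
            (i, g.handler(), classify(&g, stext, etext))
        })
        .collect()
}

/// Build a raw descriptor for a handler address. Used only to construct sample input here.
pub fn encode(handler: u64, segment: u16, type_attr: u8) -> [u8; 16] {
    let mut raw = [0u8; 16];
    raw[0..2].copy_from_slice(&((handler & 0xFFFF) as u16).to_le_bytes());
    raw[2..4].copy_from_slice(&segment.to_le_bytes());
    raw[5] = type_attr;
    raw[6..8].copy_from_slice(&(((handler >> 16) & 0xFFFF) as u16).to_le_bytes());
    raw[8..12].copy_from_slice(&((handler >> 32) as u32).to_le_bytes());
    raw
}

// Assumed text bounds (constructed; a real detector reads these from /proc/kallsyms).
pub const STEXT: u64 = 0xffff_ffff_8100_0000;
pub const ETEXT: u64 = 0xffff_ffff_8200_0000;

/// Constructed three-entry IDT image: a clean gate, a gate pointing into module space, and a non-present gate.
pub fn sample_idt() -> Vec<u8> {
    let mut idt = Vec::with_capacity(48);
    idt.extend_from_slice(&encode(0xffff_ffff_81a0_0c80, 0x10, 0x8E)); // present, DPL0, interrupt gate, in text
    idt.extend_from_slice(&encode(0xffff_ffff_c012_3450, 0x10, 0x8E)); // present, handler outside text
    idt.extend_from_slice(&encode(0, 0, 0x00)); // not present
    idt
}

fn main() {
    for (vec, handler, verdict) in walk(&sample_idt(), STEXT, ETEXT) {
        println!("vector {:3}: handler {:#018x} -> {:?}", vec, handler, verdict);
    }
}
```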
Re-exports§
pub use crate::heuristics::classify_idt_entry;
Structs§
- IdtEntryInfo - Information about a single IDT entry with hook classification.
Functions§
- gate_type_name - Map a gate type nibble to a human-readable name.
- walk_check_idt - Walk the IDT and classify each entry against the kernel text range.