Skip to content
/ lkm-snips Public

Small Linux kernel modules showing some kernel internals

License

MIT license
6 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

carloslack/lkm-snips

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
kdis
kdis
 
 
kelf
kelf
 
 
knf
knf
 
 
kstat
kstat
 
 
.gitmodules
.gitmodules
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
lgtm.yml
lgtm.yml
 
 

Repository files navigation

LKM code snippets

Software License

Run

$ git submodule update --init
$ make

Each module has a README file with more details.

Modules summary

Kdis

Disassembler that uses Beaengine engine,
patched to load from kernel modules:
    https://github.com/carloslack/beaengine/tree/use_in_kernel_patch
to dump the first bytes that make up of a kernel object, like a syscall,
API or structure.
Use cases e.g.: kernel function trampoline, rootkits, anti-rootkits and IDS's ...

Kelf

Read running ELF objects from kernel memory in similar fashion a userland ELF
parser would.
The ELF file is always the one that originated the PID. E.g.: ./a.out &
Use cases e.g.: ELF runtime infection, IDS's ...

Kstat

Read inode stats from given running process.
Again, the file is always the one that originate the PID.

Knf

Kernel netfilter usage example.

Gotchas

All these modules have been tested only on 5.4.0-48-generic.

About

Small Linux kernel modules showing some kernel internals

Topics

c linux-kernel-module lkm linux-kernel-hacking disasm

Resources

Readme

License

MIT license
Activity

Stars

6 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages