[Gllug] Memory scanning

James Courtier-Dutton james.dutton at gmail.com
Sat Sep 4 10:44:46 UTC 2010


Hi,

I am looking for a tool that does the following.
1) Scan an executable binary file to create a checksum.
2) Runs the executable program as a process.
3) Halts execution of a single process
4) Scans the entire process address space to create a checksum
5) Compares the two checksums to discover if any virus or malicious
code has been inserted.
6) If all is well, allow the process to schedule again.

I think this might be a good tool to help discover root kits and such
like, because root kits cannot redirect memory accesses and so cannot
be stealthy.
You will not know which rootkit you have, you would just know that
something has changed that should not have changed.

If I cannot find an already existing tool, I was going to think about
creating one.
I understand that it will not have much luck with self modifying code,
but should be able to handle most other stuff.
For example, it will not work on Java stuff that uses JIT, but there
are ways round that particular problem.
I.e. instead of a Java bytecode program doing just-in-time compiling
and code optimization, just move the compiling to the "install" step
instead of the "runtime" step.
So, one distributes the Java bytecode program ready to run in a Java
VM. At the install stage, it runs the bytecode through a bytecode
compiler and converts it to a native binary executable, resulting in
no self-modifying code being needed.

Kind Regards

James
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
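Steps 3 to 5 of the tool described above, as an added example that is not part of James's post: a Linux sketch that stops a process, reads each file-backed executable mapping from /proc/<pid>/mem, and hashes it against the same byte range of the file it was loaded from. It assumes Linux /proc semantics and ptrace access to the target; the maps lines in the test are constructed.

```python
import hashlib, os, re, signal
from collections import namedtuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+(\d+)\s*(.*)$")
Region = namedtuple("Region", "start end offset path")

def parse_maps_line(line):
    """Return a Region for a file-backed executable mapping, else None
    (anonymous memory, [heap], [stack] and [vdso] are skipped)."""
    m = MAPS_RE.match(line.strip())
    if not m:
        return None
    start, end, perms, off, inode, path = m.groups()
    if "x" not in perms or inode == "0" or not path.startswith("/"):
        return None
    return Region(int(start, 16), int(end, 16), int(off, 16), path)

def compare_region(live, disk):
    """Hash the live mapping against its backing file span; the kernel zero-fills
    a mapping past EOF, so disk is padded.  Returns (match, first_diff_offset)."""
    expected = disk.ljust(len(live), b"\0")
    if hashlib.sha256(live).digest() == hashlib.sha256(expected).digest():
        return True, None
    first = next(i for i, (a, b) in enumerate(zip(live, expected)) if a != b)
    return False, first

def scan_process(pid, stop=True):
    """Stop the process, compare every executable mapping in /proc/<pid>/mem with
    the file it came from, then resume it.  stop=False lets you scan yourself."""
    if stop:
        os.kill(pid, signal.SIGSTOP)
    findings = []
    try:
        with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb") as mem:
            for r in filter(None, map(parse_maps_line, maps)):
                mem.seek(r.start)
                live = mem.read(r.end - r.start)
                with open(r.path, "rb") as f:
                    f.seek(r.offset)
                    disk = f.read(r.end - r.start)
                findings.append((r.path, r.start) + compare_region(live, disk))
    finally:
        if stop:
            os.kill(pid, signal.SIGCONT)
    return findings

if __name__ == "__main__":
    print(*scan_process(os.getpid(), stop=False), sep="\n")
```

Only code pages are compared, so writable data, JIT buffers and relocated GOT entries are out of scope, and a reader that depends on /proc can itself be misled by kernel-level tampering, which is why such checks are stronger when run from outside the scanned kernel.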