[Gllug] Memory scanning

James Courtier-Dutton james.dutton at gmail.com
Sun Sep 5 00:56:56 UTC 2010

On 5 September 2010 00:08, Steve Parker <steve at steve-parker.org> wrote:
> On 04/09/10 11:44, James Courtier-Dutton wrote:
>> Hi,
>> I am looking for a tool that does the following.
>> 1) Scan an executable binary file to create a checksum.
>> 2) Runs the executable program as a process.
>> 3) Halts execution of a single process
>> 4) Scans the entire process address space to create a checksum
>> 5) Compares the two checksums to discover if any virus or malicious
>> code has been inserted.
>> 6) If all is well, allow the process to schedule again.
> Sounds rather like Text Relocation - SELinux will do that for you -
> http://web.archive.org/web/20080514003359/http://people.redhat.com/drepper/textrelocs.html
> (the original seems to have disappeared, and Drepper's redhat page
> directs you to his personal page, suggesting that he left, I must be out
> of touch!)

I agree that my scan idea will have to allow for relocations, but I
believe all the data I need for that is in the elf file format.
So, so long as I can determine which executable was supposed to be
loaded, I can use the info in the elf file to handle the relocations
in a special way.
Hopefully, I could detect if the relocations are the same as I would
expect them to be, or in some way modified.
For example, in the elf, I might have a location in the code that
calls a library function. So, when scanning memory, I could identify
the location in memory where it makes the function call to the lib,
and verify that it is still pointing to the correct lib function.
This would catch root kits that use hooks to hide themselves.
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list