Hi everyone,
I am working on a program that checks the integrity of the kernel code to detect the presence of kernel rootkits. As a first step I am trying to compare the text section of vmlinux with the text area dumped from memory. I understand that vmlinux has no relocation entries and no unresolved symbols, so the memory image and vmlinux should compare equal.

I used hexdump on vmlinux and /dev/mem to compare the two. I find that for the most part they compare equal, but they differ in some bytes scattered all over the text. Is my understanding flawed? It would be great if somebody could explain why the memory image is different from vmlinux.

The kernel version I am working on is 2.6.23.

Thanks in advance.

Regards,
Vijay
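
The comparison described in the message above, as an added example that is not part of the original post: it reads `.text` from a little-endian ELF `vmlinux` and reports where a memory dump differs, grouped into address ranges instead of raw hexdump output. The function names are hypothetical, and the dump is assumed to start at the load address of `.text`; the script only locates the differing bytes and does not explain them.

```python
import struct

def elf_section(image, name):
    """Return (load address, bytes) of the named section of a little-endian ELF image."""
    if image[:4] != b"\x7fELF" or image[5] != 1:
        raise ValueError("not a little-endian ELF image")
    if image[4] == 2:   # ELFCLASS64: e_shoff at 0x28, 64-byte section headers
        hdr_fmt, hdr_off, sh_fmt = "<QIHHHHHH", 0x28, "<IIQQQQ"
    else:               # ELFCLASS32: e_shoff at 0x20, 40-byte section headers
        hdr_fmt, hdr_off, sh_fmt = "<IIHHHHHH", 0x20, "<IIIIII"
    shoff, _, _, _, _, shentsize, shnum, shstrndx = struct.unpack_from(hdr_fmt, image, hdr_off)
    def header(i):      # -> sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        return struct.unpack_from(sh_fmt, image, shoff + i * shentsize)
    str_off = header(shstrndx)[4]           # file offset of the section name table
    for i in range(shnum):
        sh_name, _, _, addr, off, size = header(i)
        start = str_off + sh_name
        if image[start:image.index(b"\0", start)] == name:
            return addr, image[off:off + size]
    raise KeyError(name)

def diff_runs(expected, observed, base=0, gap=8):
    """Group differing bytes into (address, length) runs; differences separated
    by fewer than `gap` matching bytes are merged into one run."""
    if len(expected) != len(observed):
        raise ValueError("buffers must cover the same range")
    runs = []
    for i, (a, b) in enumerate(zip(expected, observed)):
        if a == b:
            continue
        if runs and i - (runs[-1][0] + runs[-1][1]) < gap:
            runs[-1][1] = i - runs[-1][0] + 1   # extend the current run to byte i
        else:
            runs.append([i, 1])
    return [(base + start, length) for start, length in runs]

def compare_text(vmlinux, text_dump):
    # Assumption: text_dump[0] is the byte at the load address of .text.
    addr, text = elf_section(vmlinux, b".text")
    return diff_runs(text, text_dump[:len(text)], base=addr)

if __name__ == "__main__":
    import sys      # usage: script.py vmlinux text_dump.bin
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        for addr, length in compare_text(f.read(), g.read()):
            print(f"{addr:#x}: {length} byte(s) differ")
```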
