Hi...

> Hi everyone,
> I am working on a program that checks the integrity of the kernel code
> to detect the presence of kernel rootkits. As a first step I am trying
> to compare the text section of vmlinux with the text area dumped from
> memory. I understand that vmlinux has no relocation entries and no
> unresolved symbols, so the memory image and vmlinux should compare equal.
>
> I used hexdump on vmlinux and /dev/mem to compare the two. I find that
just fyi, IIRC most distros now just use /dev/kmem

> for the most part they compare equal, but they differ in some bytes
> scattered all over the text. Is my understanding flawed? It would be
> great if somebody could explain why the memory image is different from
> vmlinux.

maybe you hit pieces of code that were:
- referred to/wrapped by alternatives() (I may not recall correctly), so
the code is patched on the fly
- code that is marked with __init and similar, so it is dumped out
of memory when not needed anymore. Example: boot-only code

Maybe the rest of the kernelnewbies folks can provide a better explanation.

regards,

Mulyadi
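An added example (not from Mulyadi's reply or the original poster): a small Python checker that, given a window of vmlinux .text and the same bytes dumped from memory, sorts the differing runs into those inside a known alternatives patch site, those inside the freed __init range, and the rest that deserve a closer look. The addresses, bytes and region table are constructed; a real tool would build the region table from vmlinux's .altinstructions section and the __init_begin/__init_end symbols in System.map.

```python
# Constructed example (not from the thread): classify byte runs where the
# memory image differs from vmlinux .text as expected (alternatives patch
# site, freed __init range) or unexplained. The region table below is
# made up; a real checker would derive it from vmlinux's .altinstructions
# section and the __init_begin / __init_end symbols in System.map.

def diff_runs(text_base, ref, mem):
    """Yield (addr, length) runs where mem differs from ref."""
    assert len(ref) == len(mem), "compare equal-sized windows"
    run_start = None
    for i, (a, b) in enumerate(zip(ref, mem)):
        if a != b and run_start is None:
            run_start = i
        elif a == b and run_start is not None:
            yield (text_base + run_start, i - run_start)
            run_start = None
    if run_start is not None:
        yield (text_base + run_start, len(ref) - run_start)

def classify(text_base, ref, mem, regions):
    """regions: list of (start, end, kind) with end exclusive.
    A run is explained only if it lies entirely inside one known region;
    anything else is reported as 'unexplained' for manual inspection."""
    out = {"alternatives": [], "init": [], "unexplained": []}
    for addr, length in diff_runs(text_base, ref, mem):
        last = addr + length - 1
        kind = next((k for s, e, k in regions if s <= addr and last < e),
                    "unexplained")
        out[kind].append((addr, length))
    return out

# --- constructed sample data: 64 bytes of "text" at a made-up address ---
TEXT_BASE = 0xC0100000
REF = bytes(range(64))                 # stand-in for vmlinux .text bytes
MEM = bytearray(REF)                   # stand-in for the /dev/kmem dump
MEM[8:11] = b"\x90\x90\x90"            # alternative patched to NOPs at boot
MEM[40:48] = b"\x00" * 8               # __init area freed and reused
MEM[20] = 0xCC                         # one byte nobody can account for
REGIONS = [(TEXT_BASE + 8, TEXT_BASE + 11, "alternatives"),
           (TEXT_BASE + 40, TEXT_BASE + 64, "init")]

def sample_report():
    """Run the classifier over the constructed sample."""
    return classify(TEXT_BASE, REF, bytes(MEM), REGIONS)
```

Only the runs in the "unexplained" bucket need a human (or a rootkit detector) to look further; the other two buckets are what this reply predicts.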
