On Jan 2, 2008 4:21 PM, Vijay Kumar <[EMAIL PROTECTED]> wrote:

> Hi everyone,
> I am working on a program that checks the integrity of the kernel code
> to detect the presence of kernel rootkits. As a first step I am trying
> to compare the text section of vmlinux with the text area dumped from
> memory. I understand that vmlinux has no relocation entries and no
> unresolved symbols, so the memory image and vmlinux should compare equal.
>
> I used hexdump on vmlinux and /dev/mem to compare the two. I find that
> for the most part they compare equal, but they differ in some bytes
> scattered all over the text.


Are the two images exactly equal in length?
Also, the changed parts might be due to self-modifying code present in the
kernel for architecture-specific optimization. For i386 -
http://lxr.linux.no/linux/arch/i386/kernel/alternative.c#L171

Please CMIIW.

Best regards,
Pranav

------------------------------------------------------------------------------------
Religion - it's a powerful healing force in a world torn apart - by
Religion.
-- Jon Stewart
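
An added example, not part of the original thread: a sketch of the comparison discussed above, which groups differing bytes into runs and separates those lying inside expected self-modifying patch sites from unexplained ones. The byte buffers and the `PATCH_SITES` list are constructed sample data; the sketch assumes the list of sites the kernel rewrites at boot has already been extracted by other means.

```python
"""Triage differences between an on-disk .text image and a memory dump."""

def diff_runs(disk: bytes, mem: bytes):
    """Return [(offset, length)] runs of differing bytes over the common length."""
    runs, start = [], None
    n = min(len(disk), len(mem))
    for i in range(n):
        if disk[i] != mem[i]:
            if start is None:
                start = i              # a new differing run begins here
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:              # run extends to the end of the image
        runs.append((start, n - start))
    return runs

def compare(disk: bytes, mem: bytes, patch_sites):
    """Classify each differing run.

    patch_sites: [(offset, length)] ranges expected to be rewritten at boot
    (assumed input). A run only partly inside a site counts as unexplained,
    so the check errs on the side of reporting.
    """
    expected, unexplained = [], []
    for off, length in diff_runs(disk, mem):
        inside = any(s <= off and off + length <= s + l for s, l in patch_sites)
        (expected if inside else unexplained).append((off, length))
    return {
        "length_mismatch": len(disk) != len(mem),
        "expected": expected,
        "unexplained": unexplained,
    }

# Constructed sample: a 64-byte "text" image with one known patch site.
DISK = bytes(range(64))
_mem = bytearray(DISK)
_mem[0x10:0x14] = b"\x90\x90\x90\x90"  # rewritten inside the known site
_mem[0x30:0x32] = b"\xe9\x00"          # changed outside any known site
MEM = bytes(_mem)
PATCH_SITES = [(0x10, 4)]

if __name__ == "__main__":
    result = compare(DISK, MEM, PATCH_SITES)
    print("length mismatch:", result["length_mismatch"])
    for off, length in result["expected"]:
        print(f"expected    0x{off:04x} +{length}")
    for off, length in result["unexplained"]:
        print(f"UNEXPLAINED 0x{off:04x} +{length}")
```

Only the unexplained runs need manual review; a length mismatch is reported separately because it makes every later offset suspect.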
