How to get kernel function addresses

Hi everyone,

1- I need to discover which function is hooked by rootkits etc., and I think I can do it by matching the original kernel function address against the pointer. So I need to get the original kernel function address and the "redirected address".

2- It's about /dev/ksyms. Is it only found in a custom compiled kernel?

Thank you.
 
1 - If someone is looking for a solution to determine which function is hooked by rootkits (just like me): you can do this by calculating the correct function address. For example:

Code:
original_addr = kernsys_num + sysent_value * sizeof(struct sysent);

If the previous address is different from the current address, it's hooked!

2- I don't know :)
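To make the baseline-comparison idea from the answer concrete, here is an added example in C that is not from the original thread. It uses a constructed, simplified `struct sysent` (only an argument count and a handler pointer; real kernel tables carry more fields) and constructed placeholder handlers standing in for kernel functions. `sysent_entry_addr` is the `base + index * sizeof(struct sysent)` arithmetic quoted in the post, and `count_hooked` compares a trusted snapshot of the table against the live copy and reports which entries no longer point where they did.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a syscall table entry. Real kernels (e.g. FreeBSD's
 * struct sysent) carry more fields; only the handler pointer matters here. */
struct sysent {
    int sy_narg;          /* number of arguments the syscall takes */
    void *sy_call;        /* address of the handler function */
};

/* Address of entry `sysnum` given the table's base address: the arithmetic
 * quoted in the post, base + index * sizeof(struct sysent). */
uintptr_t sysent_entry_addr(uintptr_t table_base, int sysnum) {
    return table_base + (uintptr_t)sysnum * sizeof(struct sysent);
}

/* Compare a trusted baseline snapshot against the live table. Returns the
 * number of entries whose handler pointer changed and stores the first
 * mismatched index in *first_hooked (-1 if nothing changed). */
int count_hooked(const struct sysent *baseline, const struct sysent *current,
                 size_t n, int *first_hooked) {
    int hooked = 0;
    *first_hooked = -1;
    for (size_t i = 0; i < n; i++) {
        if (baseline[i].sy_call != current[i].sy_call) {
            if (*first_hooked < 0)
                *first_hooked = (int)i;
            hooked++;
        }
    }
    return hooked;
}

/* Constructed placeholder handlers; they stand in for kernel functions. */
static void handler_read(void) {}
static void handler_write(void) {}
static void handler_open(void) {}
static void rogue_write(void) {}   /* stands in for a redirected handler */

#define NSYS 3

/* Constructed scenario: a baseline of three handlers and a live copy whose
 * entry 1 has been redirected. Returns the hooked count (1 for this data). */
int demo_hooked_count(int *first_hooked) {
    struct sysent baseline[NSYS] = {
        {3, (void *)handler_read},
        {3, (void *)handler_write},
        {2, (void *)handler_open},
    };
    struct sysent live[NSYS];
    memcpy(live, baseline, sizeof(live));
    live[1].sy_call = (void *)rogue_write;   /* the tampered entry */
    return count_hooked(baseline, live, NSYS, first_hooked);
}

int main(void) {
    int first;
    int n = demo_hooked_count(&first);
    printf("%d hooked entr%s", n, n == 1 ? "y" : "ies");
    if (n > 0)
        printf(", first at index %d", first);
    printf("\n");
    printf("entry 1 sits %lu bytes past the table base\n",
           (unsigned long)sysent_entry_addr(0, 1));
    return 0;
}
```

The check only works if the baseline snapshot was taken while the table was still trustworthy (for example, recorded at boot or derived from the kernel image on disk); a snapshot taken after a rootkit is already resident would simply enshrine the redirected pointers.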
 