I am trying to measure the integrity of the Linux kernel (4.14.155) at runtime in RAM, using a hash algorithm, and I found that the read-only segment from _stext to _etext changed while running, which is maybe "self-modifying code". My question is: how can I jump over the holes, jumping over all the changed data, to find all the constant parts between _stext and _etext, in order to get the same hash from RAM as the hash from the vmlinux image?
Here is how I get the target data:
    start = (void*)kallsyms_lookup_name("_stext");
    end = (void*)kallsyms_lookup_name("_etext");
and I get the hash like: hash(start, end).
Or, is there any way to measure the integrity of the runtime kernel in RAM? Thanks.
https://stackoverflow.com/questions/65824281/linux-kernel-rumtime-integrity-measure January 21, 2021 at 05:15PM
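An added example (not part of the original question and not kernel code): a user-space C illustration of hashing a text region while leaving out a list of byte ranges that are expected to change at run time, so that the image copy and the in-memory copy produce the same value. The hole list, the buffer contents and all function names are constructed for illustration, and FNV-1a stands in for whatever digest is actually used; obtaining the real list of patched ranges for a given kernel is not shown.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Half-open byte range [off, off+len) expected to differ at run time. */
struct skip_range { size_t off, len; };

static int cmp_range(const void *a, const void *b)
{
    const struct skip_range *x = a, *y = b;
    return (x->off > y->off) - (x->off < y->off);
}

/* FNV-1a 64-bit: a stand-in for the real digest (assumption of this example). */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{
    while (n--) { h ^= *p++; h *= 0x100000001b3ULL; }
    return h;
}

/* Hash text[0..size) without the bytes covered by any skip range. Ranges may
 * be unsorted, overlap, or run past the end; the array is sorted in place. */
uint64_t hash_stable_text(const uint8_t *text, size_t size,
                          struct skip_range *skip, size_t nskip)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t pos = 0;
    qsort(skip, nskip, sizeof(*skip), cmp_range);
    for (size_t i = 0; i < nskip && pos < size; i++) {
        size_t s = skip[i].off < size ? skip[i].off : size;
        size_t e = skip[i].len > size - s ? size : s + skip[i].len;
        if (s > pos)
            h = fnv1a(h, text + pos, s - pos);  /* stable bytes before the hole */
        if (e > pos)
            pos = e;                            /* jump over the hole */
    }
    if (pos < size)
        h = fnv1a(h, text + pos, size - pos);   /* tail after the last hole */
    return h;
}

/* Constructed demo: overwrite 5 bytes at patch_off (<= 251) in a copy of a
 * 256-byte "image" and report whether the hole-skipping hashes still match. */
int matches_after_patch(size_t patch_off)
{
    uint8_t image[256], ram[256];
    struct skip_range holes[] = { {200, 5}, {64, 5}, {66, 8} };  /* constructed */
    for (size_t i = 0; i < sizeof(image); i++) image[i] = (uint8_t)(i * 7 + 3);
    memcpy(ram, image, sizeof(ram));
    memset(ram + patch_off, 0x90, 5);
    return hash_stable_text(image, 256, holes, 3) == hash_stable_text(ram, 256, holes, 3);
}
```

A change that falls entirely inside a listed hole leaves the hash unchanged, while a change that touches even one byte outside the holes alters it.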