
new plugin callbackmon #1380

Merged
merged 4 commits into from
Jan 16, 2022

Conversation

archercreat
Contributor

Hello!
This is the new plugin that aims to find installed/removed/hooked callbacks in the kernel. We've found that some rootkits directly modify the underlying data structures with callbacks, bypassing API hooks.
I've also added more informative output compared to rootkitmon:
* Module: module name that contains the callback function
* RVA: address within the module
* ListName: callback type
* Action: removed/added/replaced

CC: @disaykin
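Added example, not code from this PR or from DRAKVUF: a small Python triage helper that parses callbackmon-style records using the four fields listed above and ranks the removed/replaced cases the description calls out. The `Key:Value` line syntax and the sample records are constructed assumptions, not the plugin's real output format.

```python
"""Triage helper for callback-change records (added example, not DRAKVUF code).

The record layout (Module, RVA, ListName, Action) mirrors the fields the PR
description lists; the exact output syntax of callbackmon is an assumption and
the sample lines below are constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in an assumed "Key:Value" layout, not real plugin output.
SAMPLE_LOG = """\
Module:ntoskrnl.exe RVA:0x3f1a20 ListName:PsSetCreateProcessNotifyRoutine Action:added
Module:evil.sys RVA:0x1a10 ListName:PsSetCreateProcessNotifyRoutine Action:added
Module:edr_driver.sys RVA:0x4c30 ListName:CmRegisterCallback Action:removed
Module:edr_driver.sys RVA:0x52a0 ListName:ObRegisterCallbacks Action:replaced
"""

RECORD_RE = re.compile(
    r"Module:(?P<module>\S+)\s+RVA:(?P<rva>0x[0-9a-fA-F]+)\s+"
    r"ListName:(?P<listname>\S+)\s+Action:(?P<action>added|removed|replaced)"
)


@dataclass(frozen=True)
class CallbackEvent:
    module: str
    rva: int
    listname: str
    action: str


def parse_records(text):
    """Parse every well-formed record line into a CallbackEvent; skip the rest."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            events.append(CallbackEvent(m["module"], int(m["rva"], 16),
                                        m["listname"], m["action"]))
    return events


# "removed" and "replaced" are the cases where a security product's callback
# silently stops seeing events, which is the rootkit behaviour the PR describes.
SEVERITY = {"added": 1, "removed": 3, "replaced": 3}


def triage(events, trusted_modules):
    """Return (score, event) pairs, highest score first; stable for equal scores."""
    findings = []
    for ev in events:
        score = SEVERITY[ev.action]
        # A callback installed by a module not on the allow-list also merits review.
        if ev.action == "added" and ev.module.lower() not in trusted_modules:
            score = 2
        findings.append((score, ev))
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings


def summarize(events):
    """Count events per action, e.g. how many callbacks were removed in a run."""
    return Counter(ev.action for ev in events)
```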

archercreat and others added 3 commits January 14, 2022 15:06
* initial

* initial

* astyle

* style

* final

* final x2

* letsgo

* final x3

* added callouts

* new plugin callbackmon

* renamed rootkitmon to callbackmon

* astyle
@drakvuf-jenkins
Collaborator

Can one of the admins verify this patch?

@tklengyel
Owner

@drakvuf-jenkins This is OK to test

@manorit2001
Contributor

Hi, could you also add a bit of documentation for this plugin? I think it'll really help the project a long way since the documentation part of the project isn't much focused on at this stage.

@tklengyel
Owner

Agree with @manorit2001, if you could add a small README.md into the plugin folder describing briefly its intended use and the output it produces that would be great. Otherwise LGTM.

@tklengyel tklengyel merged commit 392afaa into tklengyel:master Jan 16, 2022