Hi everyone,
I am working on a program that checks the integrity of the kernel code
to detect the presence of kernel rootkits. As a first step I am trying
to compare the text section of vmlinux with the text area dumped from
memory. I understand that vmlinux has no relocation entries and no
unresolved symbols, so the memory image and vmlinux should compare equal.
I used hexdump on vmlinux and /dev/mem to compare the two, I find that
for most part of it they compare equal, but they differ in some bytes
scattered all over the text.
Are the two images exactly equal in length ?
Also, the changed parts might be due to self modifying code present in the kernel for architecture specific optimization. For i386 - http://lxr.linux.no/linux/arch/i386/kernel/alternative.c#L171
Best regards,
Pranav
------------------------------------------------------------------------------------
Religion - it's a powerful healing force in a world torn apart - by Religion.
-- Jon Stewart
