On Jan 2, 2008 5:51 AM, Vijay Kumar <vijaykumar@xxxxxxxxxxxx> wrote:
> Hi everyone,
> I am working on a program that checks the integrity of the kernel code
> to detect the presence of kernel rootkits. As a first step I am trying
> to compare the text section of vmlinux with the text area dumped from
> memory. I understand that vmlinux has no relocation entries and no
> unresolved symbols, so the memory image and vmlinux should compare equal.
>
> I used hexdump on vmlinux and /dev/mem to compare the two, I find that
> for most part of it they compare equal, but they differ in some bytes
> scattered all over the text. Is my understanding flawed? It would be
> great if somebody could explain why the memory image is different from
> vmlinux.
>
> The kernel version I am working on is 2.6.23.
>
> Thanks in advance.
>
> Regards,
> Vijay

At a minimum, the SMP locks are self-modifying, at least for Intel/AMD.
On SMP boxes nothing happens (iirc). On UP boxes they are overwritten
by no-ops (iirc).

Greg
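An added example, not part of the original thread: one way an integrity checker could separate the lock-prefix patching Greg describes from unexplained differences when comparing the on-disk text with the memory dump. The function names, the caller-supplied list of lock-prefix offsets, and the sample bytes are assumptions constructed for illustration; the expected patch is taken to be the x86 LOCK prefix (0xF0) replaced by a one-byte NOP (0x90).

```python
# Added example: classify byte differences between the kernel text on disk
# and the same range dumped from memory. All names here are hypothetical.
LOCK_PREFIX = 0xF0  # x86 LOCK prefix byte
NOP = 0x90          # x86 one-byte NOP


def classify_diffs(disk_text, mem_text, lock_offsets):
    """Return (expected, suspicious) lists of (offset, disk_byte, mem_byte).

    lock_offsets: offsets into the text where a LOCK prefix is known to sit
    (assumed to be supplied by the caller).
    """
    if len(disk_text) != len(mem_text):
        raise ValueError("text images must cover the same range")
    lock_offsets = set(lock_offsets)
    expected, suspicious = [], []
    for off, (d, m) in enumerate(zip(disk_text, mem_text)):
        if d == m:
            continue
        record = (off, d, m)
        # Only the exact LOCK -> NOP rewrite at a known site is benign;
        # any other change, even at a known site, stays suspicious.
        if off in lock_offsets and d == LOCK_PREFIX and m == NOP:
            expected.append(record)
        else:
            suspicious.append(record)
    return expected, suspicious


def build_sample():
    """Constructed sample: two locked instructions followed by a call."""
    # lock incl (%eax); ret; lock decl (%eax); ret; call rel32
    disk = bytes.fromhex("f0ff00c3" "f0ff08c3" "e810000000")
    mem = bytearray(disk)
    mem[0] = NOP   # lock prefix patched out on a UP kernel
    mem[4] = NOP   # second lock prefix patched out
    mem[9] = 0x20  # call displacement changed: not explained by patching
    return disk, bytes(mem), [0, 4]


if __name__ == "__main__":
    disk, mem, locks = build_sample()
    ok, bad = classify_diffs(disk, mem, locks)
    print("expected lock-prefix patches:", ok)
    print("unexplained differences:", bad)
```

Differences that land in the second list are the ones an integrity checker would still need to account for before treating the image as clean.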