tin-z/Linux-kernel-forensics-scripts


Linux-kernel-forensics-scripts

Gdb, r2 and Python scripts I made to perform binary analysis and forensic tasks. Keywords: Linux kernel, processes, x86

Contents

  • syscall_table_integrity.py
    • description: inspect the syscall table and check its integrity
    • usage: sudo gdb -q ./vmlinux /proc/kcore -ex "source syscall_table_integrity.py" -ex "quit"

Screenshot: example_pictures/es1.jpg


  • syscall_checksum.py
    • description: compare the syscall checksums of the running kernel with those computed from its vmlinux image; in particular, it verifies the integrity of each syscall's code segment using sha256 (only the first basic block)
    • Before launching the script, download the r2pipe module and place the 'r2pipe' folder in the current folder: https://pypi.org/project/r2pipe/#files
    • I've also written an introduction to r2 and r2pipe here: https://tin-z.github.io/2020/10/11/solving-rev-1.html
    • usage: sudo gdb -q ./vmlinux /proc/kcore -ex "source syscall_checksum.py" -ex "quit"

Screenshot: example_pictures/es3.jpg
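The following is an added example, not one of the scripts in this repository: it shows the comparison logic behind the two checks above (syscall_table_integrity.py and syscall_checksum.py) with the gdb-specific parts isolated, so the core can be exercised with plain Python values. The kernel text range, symbol names and addresses are constructed; the two helpers at the bottom assume they are run inside gdb with vmlinux and /proc/kcore loaded, as in the README's invocation, and that the symbol `sys_call_table` resolves.

```python
"""Added example (not part of tin-z/Linux-kernel-forensics-scripts):
syscall-table integrity comparison plus a code-prefix checksum."""
import hashlib

# Constructed sample data: a kernel text range and the vmlinux view of the
# first three x86_64 syscall entries. All addresses are made up.
TEXT_START = 0xFFFFFFFF81000000
TEXT_END = 0xFFFFFFFF82000000
REFERENCE_TABLE = {
    0: ("__x64_sys_read", 0xFFFFFFFF81200000),
    1: ("__x64_sys_write", 0xFFFFFFFF81200100),
    2: ("__x64_sys_open", 0xFFFFFFFF81200200),
}


def check_table(live, reference, text_start, text_end):
    """Compare live sys_call_table entries ({index: address}) with the
    vmlinux reference ({index: (symbol, address)}).

    Returns a list of (index, reason). An entry is reported when it is
    missing, when it points outside the kernel text segment (a hook living
    in a module or in injected memory), or when it does not match the
    address vmlinux gives for that symbol."""
    findings = []
    for idx, (name, expected) in sorted(reference.items()):
        addr = live.get(idx)
        if addr is None:
            findings.append((idx, f"no live entry for {name}"))
        elif not (text_start <= addr < text_end):
            findings.append((idx, f"{name} -> {addr:#x} is outside kernel text"))
        elif addr != expected:
            findings.append((idx, f"{name} expected {expected:#x}, live {addr:#x}"))
    return findings


def prefix_digest(code, length=32):
    """sha256 over the first `length` bytes of a function. The README's
    script hashes the first basic block, which needs a disassembler; a fixed
    prefix is the disassembler-free approximation used in this example."""
    return hashlib.sha256(code[:length]).hexdigest()


def checksum_mismatches(live_code, ref_code, length=32):
    """Return syscall indices whose live code prefix hashes differently from
    the vmlinux bytes. Both arguments map syscall index -> bytes."""
    return [idx for idx, ref in sorted(ref_code.items())
            if prefix_digest(live_code.get(idx, b""), length)
            != prefix_digest(ref, length)]


def read_live_table(count):
    """gdb-only helper: read `count` entries of sys_call_table from the live
    kernel image (/proc/kcore). Assumes vmlinux symbols are loaded."""
    import gdb  # available only when sourced from gdb
    table = gdb.parse_and_eval("(unsigned long *)sys_call_table")
    return {i: int(table[i]) for i in range(count)}


def read_live_code(addr, length=32):
    """gdb-only helper: fetch `length` bytes of a function from live memory."""
    import gdb
    return bytes(gdb.selected_inferior().read_memory(addr, length))


if __name__ == "__main__":
    # Stand-alone demo with a constructed live table whose third entry has
    # been redirected outside kernel text.
    live = {0: 0xFFFFFFFF81200000, 1: 0xFFFFFFFF81200100, 2: 0xFFFFFFFFC0001000}
    for idx, reason in check_table(live, REFERENCE_TABLE, TEXT_START, TEXT_END):
        print(f"[!] syscall {idx}: {reason}")
```

Inside gdb the flow is `live = read_live_table(len(REFERENCE_TABLE))` followed by `check_table(...)`; the reference side would be filled from the vmlinux symbol table rather than the constructed dictionary. The "outside kernel text" check is deliberately evaluated before the address comparison so that a redirected entry is described by the more telling reason.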


  • trace_network.py
    • description: trace network syscalls and raise alerts on suspicious packet flows (write your own alert rules)
    • usage: gdb -q ./main -ex "source trace_network.py" -ex "run" -ex "quit"

Screenshot: example_pictures/es2.jpg
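As an added example of the "write your own alert rules" idea (this is not the project's trace_network.py and assumes nothing about its internals), here is a minimal rule engine over a constructed trace of network syscalls. Each event is a tuple in the shape a gdb breakpoint handler on connect/sendto could produce; the allowlisted ports, thresholds and peers are all constructed for the example.

```python
"""Added example (not part of tin-z/Linux-kernel-forensics-scripts): alert
rules evaluated over a trace of network syscalls."""
from collections import defaultdict, deque

# Constructed trace: (timestamp_s, pid, syscall, fd, peer "ip:port", nbytes)
EVENTS = [
    (0.0, 4242, "connect", 3, "10.0.0.5:4444", 0),
    (0.1, 4242, "sendto", 3, "10.0.0.5:4444", 64),
    (0.2, 4242, "sendto", 3, "10.0.0.5:4444", 64),
    (0.3, 4242, "sendto", 3, "10.0.0.5:4444", 64),
    (1.0, 4243, "connect", 4, "93.184.216.34:443", 0),
    (1.2, 4243, "sendto", 4, "93.184.216.34:443", 512),
]

ALLOWED_PORTS = {53, 80, 443}  # constructed allowlist for the example


def rule_unexpected_port(event):
    """Per-event rule: a connect() to a port outside the allowlist."""
    ts, pid, name, fd, peer, nbytes = event
    if name != "connect":
        return None
    port = int(peer.rsplit(":", 1)[1])
    if port not in ALLOWED_PORTS:
        return f"pid {pid}: connect to non-allowlisted port {port} ({peer})"
    return None


def rule_beaconing(events, window=1.0, threshold=3):
    """Stream rule: `threshold` or more sendto calls from one pid to the same
    peer within `window` seconds. Each (pid, peer) pair is reported once."""
    alerts = []
    recent = defaultdict(deque)  # (pid, peer) -> sliding window of timestamps
    flagged = set()
    for ts, pid, name, fd, peer, nbytes in events:
        if name != "sendto":
            continue
        key = (pid, peer)
        window_q = recent[key]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(
                f"pid {pid}: {len(window_q)} sendto calls to {peer} within {window}s")
    return alerts


def evaluate(events, per_event_rules=(rule_unexpected_port,),
             stream_rules=(rule_beaconing,)):
    """Run per-event rules on each event and stream rules on the whole trace;
    returns the list of alert strings in the order they fire."""
    alerts = []
    for event in events:
        for rule in per_event_rules:
            alert = rule(event)
            if alert:
                alerts.append(alert)
    for rule in stream_rules:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for line in evaluate(EVENTS):
        print("[ALERT]", line)
```

Per-event rules look at one syscall in isolation and are cheap to run from a breakpoint handler; stream rules need the history, so in a live gdb session they would be evaluated over an accumulated event list (for example on every Nth stop or at exit). Adding a rule means writing one function of either shape and passing it in the corresponding tuple.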

Refs
