KernelRootkit(mapping=None, *, ignore_unknown_fields=False, **kwargs)
Kernel mode rootkit signatures.
Attributes

| Name | Type | Description |
|---|---|---|
| name | str | Rootkit name when available. |
| unexpected_code_modification | bool | True when unexpected modifications of kernel code memory are present. |
| unexpected_read_only_data_modification | bool | True when unexpected modifications of kernel read-only data memory are present. |
| unexpected_ftrace_handler | bool | True when ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range. |
| unexpected_kprobe_handler | bool | True when kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range. |
| unexpected_kernel_code_pages | bool | True when kernel code pages that are not in the expected kernel or module code regions are present. |
| unexpected_system_call_handler | bool | True when system call handlers that are not in the expected kernel or module code regions are present. |
| unexpected_interrupt_handler | bool | True when interrupt handlers that are not in the expected kernel or module code regions are present. |
| unexpected_processes_in_runqueue | bool | True when unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list. |
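As an added example (not code from the client library or from this reference page), the helper below consumes a KernelRootkit message as a plain mapping, such as a finding serialised to JSON, and reports which boolean indicators fired and what kind of evidence each represents. The grouping of attributes into evidence categories is this example's own assumption, and the block does not import the real library.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Field names mirror the KernelRootkit message attributes listed above.
# Grouping by what each indicator evidences is this example's own, not part of the API.
INDICATOR_GROUPS: Dict[str, List[str]] = {
    "kernel memory tampering": [
        "unexpected_code_modification",
        "unexpected_read_only_data_modification",
        "unexpected_kernel_code_pages",
    ],
    "hooked control flow": [
        "unexpected_ftrace_handler",
        "unexpected_kprobe_handler",
        "unexpected_system_call_handler",
        "unexpected_interrupt_handler",
    ],
    "process hiding": ["unexpected_processes_in_runqueue"],
}

@dataclass
class RootkitAssessment:
    name: str
    fired: List[str] = field(default_factory=list)   # indicators set to True
    groups: List[str] = field(default_factory=list)  # evidence categories touched

def assess_kernel_rootkit(kernel_rootkit: dict) -> RootkitAssessment:
    """Summarise which KernelRootkit boolean indicators are set.

    `kernel_rootkit` is the message as a plain mapping (e.g. a finding
    serialised to JSON). Keys not in the attribute list are ignored, the
    same way ignore_unknown_fields=True tolerates them on the real message.
    """
    fired = [n for names in INDICATOR_GROUPS.values() for n in names
             if kernel_rootkit.get(n) is True]
    groups = [g for g, names in INDICATOR_GROUPS.items()
              if any(kernel_rootkit.get(n) is True for n in names)]
    return RootkitAssessment(name=kernel_rootkit.get("name") or "unknown",
                             fired=fired, groups=groups)

# Constructed sample payload: three indicators set, one unknown key.
SAMPLE_FINDING = {
    "name": "",
    "unexpected_ftrace_handler": True,
    "unexpected_kprobe_handler": False,
    "unexpected_kernel_code_pages": True,
    "unexpected_processes_in_runqueue": True,
    "some_future_field": True,
}
```

Indicators in the "hooked control flow" and "process hiding" groups are the ones a responder typically cross-checks against ftrace/kprobe registrations and the task list on the affected host.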