Class KernelRootkit (1.39.0)

KernelRootkit(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Kernel mode rootkit signatures.

Attributes
Name	Description
`name`	`str` Rootkit name, when available.
`unexpected_code_modification`	`bool` True if unexpected modifications of kernel code memory are present.
`unexpected_read_only_data_modification`	`bool` True if unexpected modifications of kernel read-only data memory are present.
`unexpected_ftrace_handler`	`bool` True if `ftrace` points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
`unexpected_kprobe_handler`	`bool` True if `kprobe` points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
`unexpected_kernel_code_pages`	`bool` True if kernel code pages that are not in the expected kernel or module code regions are present.
`unexpected_system_call_handler`	`bool` True if system call handlers that are are not in the expected kernel or module code regions are present.
`unexpected_interrupt_handler`	`bool` True if interrupt handlers that are are not in the expected kernel or module code regions are present.
`unexpected_processes_in_runqueue`	`bool` True if unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list.

Class KernelRootkit (1.39.0) Stay organized with collections Save and categorize content based on your preferences.