Class KernelRootkit (1.21.0)

KernelRootkit(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Kernel mode rootkit signatures.

Attributes

| Name | Type | Description |
| --- | --- | --- |
| name | str | Rootkit name when available. |
| unexpected_code_modification | bool | True when unexpected modifications of kernel code memory are present. |
| unexpected_read_only_data_modification | bool | True when unexpected modifications of kernel read-only data memory are present. |
| unexpected_ftrace_handler | bool | True when ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range. |
| unexpected_kprobe_handler | bool | True when kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range. |
| unexpected_kernel_code_pages | bool | True when kernel code pages that are not in the expected kernel or module code regions are present. |
| unexpected_system_call_handler | bool | True when system call handlers that are not in the expected kernel or module code regions are present. |
| unexpected_interrupt_handler | bool | True when interrupt handlers that are not in the expected kernel or module code regions are present. |
| unexpected_processes_in_runqueue | bool | True when unexpected processes are present in the scheduler run queue. Such processes are in the run queue but absent from the process task list, which is how a rootkit hides a running process from tools that walk the task list. |