How to disassemble the running Linux kernel?
Question
Looking for a way to disassemble the running kernel. Can I do it through /dev/kmem? I am running Linux 2.6.32. Or can I use a kernel module to run through the kernel? I am a beginner at this. Please help.
All I want to do is check the kernel image for some malicious module, by looking at whether some specific instruction occurred or not.
Answer
Try the Linux Kernel Debugger.
Update
As I said, try the Linux Kernel Debugger. Look in the linked article, about halfway down the page, where it says:
To disassemble instructions starting from the routine schedule. The number of lines displayed depends on the environment variable IDCOUNT:
[0]kdb> id schedule
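As an added example, not part of the original question or answer, here is the kind of check the question is after, written in Python: take a function's address from a /proc/kallsyms-style listing, compare its first entry bytes as seen in the running kernel against the same bytes in a pristine reference image, and, if the entry has been overwritten with an x86 jmp rel32, decode where that jump goes and which symbol owns the target. The kallsyms listing, both byte images, the symbol names (schedule_timeout, handler_stub, example_mod) and the addresses in it are constructed for the demonstration; on a real 2.6.32 box the live bytes would be read from /proc/kcore (with gdb and the matching vmlinux, or from a small kernel module) and the reference bytes from the on-disk vmlinux.

```python
"""
Added example (not from the question or the answer above): detect a
patched function entry in a kernel text image by comparing it against a
reference copy and decoding an x86 `E9 rel32` jump if one is present.
All data below is constructed; no real kernel is read.
"""
import struct

PROLOGUE_LEN = 16  # number of entry bytes compared per function


def parse_kallsyms(text):
    """Parse /proc/kallsyms-style lines ('addr type name [module]') into {name: addr}."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, _sym_type, name = parts[0], parts[1], parts[2]
        symbols[name] = int(addr, 16)
    return symbols


def nearest_symbol(addr, symbols):
    """Return the symbol with the highest address not above `addr` (None if none)."""
    best = None
    for name, sym_addr in symbols.items():
        if sym_addr <= addr and (best is None or sym_addr > symbols[best]):
            best = name
    return best


def decode_jmp_rel32(code, at):
    """If `code` starts with an x86 `E9 rel32` jump located at address `at`,
    return the absolute jump target; otherwise return None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]  # signed 32-bit displacement
    return (at + 5 + rel) & 0xFFFFFFFFFFFFFFFF  # target is relative to the next instruction


def check_function(name, symbols, live, ref, base):
    """Compare the entry bytes of `name` in `live` against `ref`.

    Both images are byte strings mapped at virtual address `base`.
    Returns a dict with the address, whether the bytes differ, and the
    decoded jump target when the live entry starts with E9 rel32.
    """
    addr = symbols[name]
    off = addr - base
    live_bytes = live[off:off + PROLOGUE_LEN]
    ref_bytes = ref[off:off + PROLOGUE_LEN]
    result = {"symbol": name, "address": addr,
              "modified": live_bytes != ref_bytes, "jmp_target": None}
    if result["modified"]:
        result["jmp_target"] = decode_jmp_rel32(live_bytes, addr)
    return result


# ---- constructed sample data (hypothetical addresses and names) ----
KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81000100 T schedule
ffffffff81000200 T schedule_timeout
ffffffffa0000000 t handler_stub [example_mod]
"""
BASE = 0xFFFFFFFF81000000
SYMBOLS = parse_kallsyms(KALLSYMS)

# Reference image: a typical 16-byte function prologue at schedule and schedule_timeout.
_prologue = b"\x55\x48\x89\xe5\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x83\xec"
_ref = bytearray(0x300)
_ref[0x100:0x110] = _prologue
_ref[0x200:0x210] = _prologue
REF = bytes(_ref)

# Live image: identical, except that schedule's entry has been replaced by a
# jmp rel32 into the sample module (the situation a defender wants to spot).
_live = bytearray(_ref)
_rel = SYMBOLS["handler_stub"] - (SYMBOLS["schedule"] + 5)
_live[0x100:0x105] = b"\xe9" + struct.pack("<i", _rel)
LIVE = bytes(_live)


def report(names=("schedule", "schedule_timeout")):
    """Check each named function and return the list of result dicts."""
    results = []
    for name in names:
        r = check_function(name, SYMBOLS, LIVE, REF, BASE)
        r["target_symbol"] = (nearest_symbol(r["jmp_target"], SYMBOLS)
                              if r["jmp_target"] is not None else None)
        results.append(r)
    return results


if __name__ == "__main__":
    for r in report():
        status = "MODIFIED" if r["modified"] else "ok"
        extra = f" -> jmp to {r['jmp_target']:#x} ({r['target_symbol']})" if r["jmp_target"] else ""
        print(f"{r['symbol']:20s} {r['address']:#x} {status}{extra}")
```

The comparison is deliberately limited to the first bytes of each function because that is where a detour is usually placed; a difference that does not decode as E9 rel32 is still reported as modified, so other kinds of patching are not silently ignored.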