$ git submodule update --init
$ make
Each module has a README file with more details.
Disassembler that uses the BeaEngine engine, patched to load from kernel modules:
https://github.com/carloslack/beaengine/tree/use_in_kernel_patch
It dumps the first bytes that make up a kernel object, such as a syscall,
API function or structure.
Use cases include kernel function trampolines, rootkits, anti-rootkits and IDSs.
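As an added userland illustration of the anti-rootkit/IDS use case (this is example code written for this README, not part of the repository or of BeaEngine): record the first bytes of a function's prologue, render them as hex, and later compare the live bytes against that baseline to spot an inline patch. In the kernel module the address would come from a resolved symbol; here it is a function in the example's own process. The names `monitored_function`, `snapshot_prologue`, `prologue_hex` and `prologue_tampered`, and the 16-byte length, are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 16   /* assumption: enough bytes to cover a typical inline hook */

/* Stand-in for a kernel symbol (syscall/API) to watch; constructed for this example. */
int monitored_function(int x) { return x * 2 + 1; }

/* Copy the first PROLOGUE_LEN code bytes found at `addr` into `out`.
 * In the kernel this would be the bytes of a resolved symbol; here it is our own .text. */
void snapshot_prologue(uintptr_t addr, uint8_t out[PROLOGUE_LEN]) {
    memcpy(out, (const void *)addr, PROLOGUE_LEN);
}

/* Render `n` bytes as "55 48 89 e5 ..."; returns the number of characters written. */
size_t prologue_hex(const uint8_t *bytes, size_t n, char *buf, size_t buflen) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + pos, buflen - pos, "%02x%s", bytes[i], i + 1 < n ? " " : "");
        if (w < 0 || (size_t)w >= buflen - pos)
            break;   /* out of room: stop rather than overrun */
        pos += (size_t)w;
    }
    return pos;
}

/* Return 1 when the live prologue at `addr` no longer matches the recorded baseline. */
int prologue_tampered(uintptr_t addr, const uint8_t baseline[PROLOGUE_LEN]) {
    uint8_t now[PROLOGUE_LEN];
    snapshot_prologue(addr, now);
    return memcmp(now, baseline, PROLOGUE_LEN) != 0;
}

int main(void) {
    uint8_t baseline[PROLOGUE_LEN];
    char hex[3 * PROLOGUE_LEN];
    uintptr_t addr = (uintptr_t)monitored_function;

    snapshot_prologue(addr, baseline);               /* baseline taken at "boot" */
    prologue_hex(baseline, PROLOGUE_LEN, hex, sizeof hex);
    printf("monitored_function @ %p: %s\n", (void *)addr, hex);
    printf("tampered: %d\n", prologue_tampered(addr, baseline));   /* 0 while untouched */
    return 0;
}
```

The baseline has to be taken from a trusted state; a check that only compares against bytes read after a hook is already installed proves nothing.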
Read running ELF objects from kernel memory, in a similar fashion to what a userland ELF
parser would do.
The ELF file is always the one that originated the PID. E.g.: ./a.out &
Use cases include ELF runtime infection and IDSs.
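The userland ELF parsing that the module mirrors in kernel memory, as an added example written for this README (not the module's code): parse an ELF64 header by field offset, bounds-check the program header table against the buffer length, and walk the PT_LOAD segments. The input is a constructed in-memory image, not a real binary, and the names `parse_elf64`, `build_sample_image` and `struct elf_info` are chosen here. The example goes slightly beyond the text in that it also reports the lowest load address and the error cases a parser over raw memory must handle.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ELFCLASS64   2
#define ELFDATA2LSB  1
#define PT_LOAD      1
#define EHDR64_SIZE  64
#define PHDR64_SIZE  56

struct elf_info {
    uint16_t e_type, e_machine, e_phnum;
    uint64_t e_entry, e_phoff;
    int      pt_load_count;
    uint64_t lowest_load_vaddr;   /* where the image expects to be mapped */
};

/* Little-endian field readers/writers so the parser is independent of host layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse an ELF64 little-endian image held in memory.
 * Returns 0 on success, -1 for a bad magic/class/encoding, -2 when the program
 * header table does not fit inside `len` (truncated or hostile image). */
int parse_elf64(const uint8_t *img, size_t len, struct elf_info *out) {
    if (len < EHDR64_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[4] != ELFCLASS64 || img[5] != ELFDATA2LSB) return -1;
    memset(out, 0, sizeof *out);
    out->e_type    = rd16(img + 16);
    out->e_machine = rd16(img + 18);
    out->e_entry   = rd64(img + 24);
    out->e_phoff   = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54);
    out->e_phnum   = rd16(img + 56);
    if (phentsize != PHDR64_SIZE) return -2;
    /* Bounds check before touching the table: phoff and phnum come from untrusted bytes. */
    if (out->e_phoff > len || (uint64_t)out->e_phnum * PHDR64_SIZE > len - out->e_phoff) return -2;
    out->lowest_load_vaddr = UINT64_MAX;
    for (uint16_t i = 0; i < out->e_phnum; i++) {
        const uint8_t *ph = img + out->e_phoff + (size_t)i * PHDR64_SIZE;
        if (rd32(ph) != PT_LOAD) continue;
        out->pt_load_count++;
        uint64_t vaddr = rd64(ph + 16);
        if (vaddr < out->lowest_load_vaddr) out->lowest_load_vaddr = vaddr;
    }
    return 0;
}

/* Constructed sample: an x86-64 ET_EXEC header with two PT_LOAD segments (not a real
 * executable, just enough bytes to exercise the parser). Returns bytes written, 0 if cap is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    size_t need = EHDR64_SIZE + 2 * PHDR64_SIZE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = ELFCLASS64; buf[5] = ELFDATA2LSB; buf[6] = 1;   /* EV_CURRENT */
    wr16(buf + 16, 2);            /* ET_EXEC */
    wr16(buf + 18, 62);           /* EM_X86_64 */
    wr32(buf + 20, 1);            /* e_version */
    wr64(buf + 24, 0x401000);     /* e_entry */
    wr64(buf + 32, EHDR64_SIZE);  /* e_phoff: table follows the header */
    wr16(buf + 52, EHDR64_SIZE); wr16(buf + 54, PHDR64_SIZE); wr16(buf + 56, 2);
    uint8_t *ph = buf + EHDR64_SIZE;
    wr32(ph, PT_LOAD); wr32(ph + 4, 5 /* PF_R|PF_X */); wr64(ph + 16, 0x400000);
    wr64(ph + 32, 0x1000); wr64(ph + 40, 0x1000);
    ph += PHDR64_SIZE;
    wr32(ph, PT_LOAD); wr32(ph + 4, 6 /* PF_R|PF_W */); wr64(ph + 16, 0x600000);
    wr64(ph + 32, 0x100); wr64(ph + 40, 0x2000);
    return need;
}

int main(void) {
    uint8_t img[256];
    struct elf_info info;
    size_t n = build_sample_image(img, sizeof img);
    int rc = parse_elf64(img, n, &info);
    printf("rc=%d type=%u machine=%u entry=0x%llx PT_LOAD=%d lowest=0x%llx\n", rc, info.e_type,
           info.e_machine, (unsigned long long)info.e_entry, info.pt_load_count,
           (unsigned long long)info.lowest_load_vaddr);
    return rc;
}
```

Reading by offset rather than casting the buffer to a header struct is deliberate: memory captured from a running process may be truncated or deliberately malformed, and every offset is checked against the length before it is dereferenced.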
Read inode stats from a given running process.
Again, the file is always the one that originated the PID.
Kernel netfilter usage example.
All these modules have been tested only on kernel 5.4.0-48-generic.