sysfatal(blog)
by e__soriano
I have written a mini tool named Gopper (gopher copper :)) in Go. It implements the procedure explained above and also detects the following suspicious actions:
Changes to the permissions of the process's memory pages. It also warns about dangerous permissions (i.e. write+exec). To do that, it polls /proc/pid/maps.
Calls to the mprotect syscall, which is used to change page permissions. This is done by receiving events from the Linux kernel tracepoints through the synthetic files located in /sys/kernel/debug/tracing. See events.txt for more info.
Calls to other syscalls defined by the user.
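As an added illustration of the /proc/pid/maps polling described above (example code written for this post, not Gopper's own), the following Go snippet diffs two snapshots of the maps file and warns about permission changes and about new write+exec regions. The two snapshots, the path /usr/bin/sample and the addresses are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Mapping keeps the two fields of a /proc/<pid>/maps line that matter here.
type Mapping struct{ Perms, Path string } // Perms like "rwxp"; Path empty for anonymous maps

// ParseMaps turns the text of /proc/<pid>/maps into a snapshot keyed by address range.
func ParseMaps(text string) map[string]Mapping {
	snap := make(map[string]Mapping)
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line) // range perms offset dev inode [path]
		if len(f) < 5 {
			continue // blank or malformed line
		}
		snap[f[0]] = Mapping{Perms: f[1], Path: strings.Join(f[5:], " ")}
	}
	return snap
}

// IsWX reports whether a region is writable and executable at the same time.
func IsWX(m Mapping) bool { return strings.Contains(m.Perms, "w") && strings.Contains(m.Perms, "x") }

// Diff returns one warning per region whose permissions changed and one per new W+X region.
// mprotect on part of a region splits it, so the changed part appears as a new range.
func Diff(before, after map[string]Mapping) []string {
	var warns []string
	for r, cur := range after {
		old, seen := before[r]
		switch {
		case seen && old.Perms != cur.Perms:
			warns = append(warns, fmt.Sprintf("%s perms %s -> %s (%s)", r, old.Perms, cur.Perms, cur.Path))
		case !seen && IsWX(cur):
			warns = append(warns, fmt.Sprintf("%s new W+X mapping (%s)", r, cur.Path))
		}
	}
	sort.Strings(warns) // map iteration order is random; make the output stable
	return warns
}

// Constructed snapshots standing in for two successive reads of /proc/<pid>/maps.
const beforeMaps = `00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/sample
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0 [heap]`
const afterMaps = `00651000-00652000 rwxp 00051000 08:01 1234 /usr/bin/sample
7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0 [heap]
7f3a1c001000-7f3a1c021000 rw-p 00000000 00:00 0 [heap]`

func main() { fmt.Println(strings.Join(Diff(ParseMaps(beforeMaps), ParseMaps(afterMaps)), "\n")) }
```

In a real poller the two constants are replaced by successive reads of /proc/<pid>/maps, and the unchanged rw-p tail of the split heap region is correctly left unreported.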
Gopper can be used together with Frida-trace or any other analysis tool. It does not interfere with the watched process.
Gopper git:
https://gitlab.etsit.urjc.es/esoriano/gopper
You can comment on this post on Twitter.
(cc) Enrique Soriano-Salvador. Some rights reserved. This work is released under the Creative Commons Attribution - NonCommercial - NoDerivatives (by-nc-nd) license. Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
tags: reversing - evasion - malware