Kernel hacking goodies
The Linux kernel is a vast topic with regard to forensic analysis and reverse engineering. There are many exciting ways to instrument the kernel for the purposes of hacking, reversing, and debugging, and Linux offers its users many entry points into these areas. I have discussed some useful files and APIs throughout this chapter, but I will also give a small, condensed list of things that may help in your research.
General reverse engineering and debugging
/proc/kcore
/proc/kallsyms
/boot/System.map
/dev/mem (deprecated)
/dev/kmem (deprecated)
GNU debugger (used with kcore)
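As an added example (not from the original chapter), the following script parses the text format shared by /proc/kallsyms and /boot/System.map and cross-checks the two: with KASLR every core-kernel symbol must move by the same slide, so a symbol that does not follow it means the tables do not describe the same kernel image, or one of them has been altered. The symbol tables and addresses below are constructed sample data; on a live system you would read the two files instead.

```python
import re

# Constructed sample in the "<address> <type> <name>[\t[module]]" format used
# by both /boot/System.map and /proc/kallsyms; addresses are made up.
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff810001e0 T secondary_startup_64
ffffffff811a0c40 T sys_read
ffffffff811a0d60 T sys_write
ffffffff811b3000 T sys_getdents64
ffffffff81c00000 D init_task
"""

# Same kernel booted with a KASLR slide of 0x1e000000, except that the
# sys_getdents64 entry has been altered and no longer follows the slide.
KALLSYMS = """\
ffffffff9f000000 T _text
ffffffff9f0001e0 T secondary_startup_64
ffffffff9f1a0c40 T sys_read
ffffffff9f1a0d60 T sys_write
ffffffffc0a01000 T sys_getdents64
ffffffff9fc00000 D init_task
ffffffffc0a00000 t example_init\t[example_mod]
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse_symbols(text):
    """Parse kallsyms/System.map text into {name: (address, type)}.
    Module symbols (trailing [module]) are skipped: System.map covers only
    the core image, so they have nothing to be compared against."""
    syms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) is None:
            addr, typ, name, _ = m.groups()
            syms[name] = (int(addr, 16), typ)
    return syms

def find_inconsistent_symbols(kallsyms_text, system_map_text, anchor="_text"):
    """Derive the KASLR slide from the anchor symbol and report every shared
    symbol whose live address is not reference + slide.
    Returns (slide, {name: (expected_address, observed_address)})."""
    live, ref = parse_symbols(kallsyms_text), parse_symbols(system_map_text)
    slide = live[anchor][0] - ref[anchor][0]
    mismatches = {}
    for name, (ref_addr, _) in ref.items():
        if name in live and live[name][0] != ref_addr + slide:
            mismatches[name] = (ref_addr + slide, live[name][0])
    return slide, mismatches
```

Note that /proc/kallsyms shows all-zero addresses to unprivileged readers when kptr_restrict is set, so the check must run with sufficient privilege for the live table to be meaningful.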
Advanced kernel hacking/debugging interfaces
Kprobes
Ftrace
Papers mentioned in this chapter
Kprobe instrumentation: http://phrack.org/issues/67/6.html
Runtime kernel kmem patching: http://althing.cs.dartmouth.edu/local/vsc07.html
LKM infection: http://phrack.org/issues/68/11.html
Special sections in Linux binaries: https://lwn.net/Articles/531148/
Kernel Voodoo: http://www.bitlackeys...