title: Gopper, keep a close eye on this proc!
summary: Gopper
categories: blog
date: Thu 27 Jan 2022 07:35:51 PM CET
thumbnail: gopper
image: https://github.com/sysfatal/figs/gopher-copper.jpg
layout: post
author: e__soriano
tags: reversing, evasion, malware

{{gopher copper image}}

Gopper

I have written a small tool named Gopper (gopher copper :)) in Go. It implements the procedure explained above and, in addition, detects the following suspicious actions:

  • Changes to the permissions of the process's memory pages. It also warns about dangerous permissions, i.e. a mapping that is writable and executable at the same time (write+exec). To do that, it polls /proc/pid/maps and compares consecutive snapshots.

  • Calls to the mprotect syscall, which is used to change page permissions. These are detected by consuming events from the Linux kernel tracepoints through the synthetic files under /sys/kernel/debug/tracing (tracefs, normally readable only as root). See the kernel's Documentation/trace/events.txt for more info.

  • Calls to any other syscalls chosen by the user.
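The two detection mechanisms above, as an added example written for this post (it is not Gopper's own code): a parser for /proc/pid/maps that diffs two snapshots and flags permission changes and write+exec regions, plus a parser for the `sys_enter_mprotect` tracepoint line that the tracing `trace_pipe` file emits. The maps snapshots, the process name `sample`, the PID 4242 and the trace line are constructed inputs; a live tool would re-read /proc/pid/maps periodically and read `trace_pipe` after enabling `events/syscalls/sys_enter_mprotect/enable`, which needs root.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Mapping is one line of /proc/<pid>/maps: "start-end perms offset dev inode [path]".
type Mapping struct {
	Start, End uint64
	Perms      string // e.g. "rwxp"
	Path       string // empty for anonymous mappings
}

// Key identifies a region across snapshots by its address range.
func (m Mapping) Key() string { return fmt.Sprintf("%x-%x", m.Start, m.End) }

// IsWX reports whether the region is writable and executable at once.
func (m Mapping) IsWX() bool {
	return strings.Contains(m.Perms, "w") && strings.Contains(m.Perms, "x")
}

// ParseMaps parses the text of /proc/<pid>/maps into a map keyed by address range.
func ParseMaps(text string) (map[string]Mapping, error) {
	out := make(map[string]Mapping)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue // blank line
		}
		rng := strings.SplitN(f[0], "-", 2)
		if len(rng) != 2 {
			return nil, fmt.Errorf("bad address range %q", f[0])
		}
		start, err := strconv.ParseUint(rng[0], 16, 64)
		if err != nil {
			return nil, err
		}
		end, err := strconv.ParseUint(rng[1], 16, 64)
		if err != nil {
			return nil, err
		}
		m := Mapping{Start: start, End: end, Perms: f[1]}
		if len(f) > 5 {
			m.Path = strings.Join(f[5:], " ")
		}
		out[m.Key()] = m
	}
	return out, sc.Err()
}

// DiffMaps compares two snapshots and returns sorted alerts for regions that
// appeared, disappeared or changed permissions, plus a W+X warning for every
// write+exec region present in the current snapshot.
func DiffMaps(prev, cur map[string]Mapping) []string {
	var alerts []string
	for k, m := range cur {
		old, seen := prev[k]
		switch {
		case !seen:
			alerts = append(alerts, fmt.Sprintf("NEW  %s %s %s", k, m.Perms, m.Path))
		case old.Perms != m.Perms:
			alerts = append(alerts, fmt.Sprintf("PERM %s %s -> %s %s", k, old.Perms, m.Perms, m.Path))
		}
		if m.IsWX() {
			alerts = append(alerts, fmt.Sprintf("W+X  %s %s %s", k, m.Perms, m.Path))
		}
	}
	for k, m := range prev {
		if _, still := cur[k]; !still {
			alerts = append(alerts, fmt.Sprintf("GONE %s %s %s", k, m.Perms, m.Path))
		}
	}
	sort.Strings(alerts)
	return alerts
}

const (
	protWrite = 0x2 // PROT_WRITE
	protExec  = 0x4 // PROT_EXEC
)

// mprotectRE matches the "prot: <hex>" argument of a sys_mprotect event line
// as printed by the syscalls/sys_enter_mprotect tracepoint in trace_pipe.
var mprotectRE = regexp.MustCompile(`sys_mprotect\(.*prot: (?:0x)?([0-9a-fA-F]+)`)

// ParseMprotectProt extracts the prot argument from one trace_pipe line;
// ok is false when the line is not a sys_enter_mprotect event.
func ParseMprotectProt(line string) (prot uint64, ok bool) {
	m := mprotectRE.FindStringSubmatch(line)
	if m == nil {
		return 0, false
	}
	v, err := strconv.ParseUint(m[1], 16, 64)
	if err != nil {
		return 0, false
	}
	return v, true
}

// DangerousProt reports whether an mprotect call asks for write and exec together.
func DangerousProt(prot uint64) bool {
	return prot&(protWrite|protExec) == protWrite|protExec
}

// Constructed snapshots: between them the heap turned executable and a new
// anonymous rwx region appeared, as an unpacker or shellcode loader would cause.
const mapsBefore = `
00400000-00401000 r-xp 00000000 08:01 1234 /tmp/sample
00601000-00602000 rw-p 00001000 08:01 1234 /tmp/sample
01e00000-01e21000 rw-p 00000000 00:00 0 [heap]
`
const mapsAfter = `
00400000-00401000 r-xp 00000000 08:01 1234 /tmp/sample
00601000-00602000 rw-p 00001000 08:01 1234 /tmp/sample
01e00000-01e21000 rwxp 00000000 00:00 0 [heap]
7f3c10000000-7f3c10001000 rwxp 00000000 00:00 0
`

// Constructed trace_pipe line (prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC).
const traceLine = `  sample-4242  [001] .... 1234.567890: sys_mprotect(start: 1e00000, len: 21000, prot: 7)`

func main() {
	prev, err := ParseMaps(mapsBefore)
	if err != nil {
		panic(err)
	}
	cur, err := ParseMaps(mapsAfter)
	if err != nil {
		panic(err)
	}
	for _, a := range DiffMaps(prev, cur) {
		fmt.Println(a)
	}
	if prot, ok := ParseMprotectProt(traceLine); ok && DangerousProt(prot) {
		fmt.Printf("mprotect requested write+exec (prot=0x%x)\n", prot)
	}
}
```

Note that the W+X warning is repeated on every poll while the region stays write+exec, which is intentional: a watcher that only reports transitions would go quiet after the first one.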

Gopper can be used together with frida-trace or any other analysis tool. Since it only reads /proc and the tracing files, it does not interfere with the watched process.

Gopper git repository:

https://gitlab.etsit.urjc.es/esoriano/gopper


(cc) Enrique Soriano-Salvador. Some rights reserved. This work is released under the Creative Commons Attribution - NonCommercial - NoDerivatives (by-nc-nd) license. Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.