Created
May 10, 2025 16:16
Dumping CrowdStrike's LKM
Falcon-sensor strace:

1185 init_module(0x556ce33f8b00, 204357, "") = 0
1185 init_module(0x556ce3430940, 122757, "") = 0
1185 init_module(0x556ce342a950, 24541, "") = 0
1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0

(gdb) catch syscall init_module
(gdb) run
…
Thread 3.1 "falcon-sensor" hit Catchpoint 1 (call to syscall init_module), syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
(gdb) info reg
(gdb) dump memory <name>.so <rdi> <rdi+rsi>
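The gist relies on the x86-64 syscall ABI: at the init_module catchpoint, rdi holds the userspace address of the module's ELF image, rsi its length in bytes and rdx the parameter string, so gdb's `dump memory <file> <start> <end>` with end = rdi + rsi writes the whole image out. The strace lines already carry those same three arguments, so the end addresses can be worked out before attaching gdb. The script below is an added example, not part of the gist: it parses init_module lines in the strace format shown above (the sample text is constructed from the gist's four lines), emits the matching `dump memory` commands, and sanity-checks a dumped file as a 64-bit relocatable ELF, which is what a loadable kernel module is. The regex only covers init_module as it appears here; the `falcon_N.ko` file names and the `ModuleLoad` helper type are assumptions of this example.

```python
import re
import struct
from dataclasses import dataclass
from typing import List

# Constructed sample: the four init_module() calls as they appear in the gist's strace output.
SAMPLE_STRACE = """\
1185 init_module(0x556ce33f8b00, 204357, "") = 0
1185 init_module(0x556ce3430940, 122757, "") = 0
1185 init_module(0x556ce342a950, 24541, "") = 0
1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0
"""

# Matches: <pid> init_module(<addr>, <len>, "<params>") = <ret>
INIT_MODULE_RE = re.compile(
    r'^(?P<pid>\d+)\s+init_module\('
    r'(?P<addr>0x[0-9a-fA-F]+),\s*(?P<length>\d+),\s*"(?P<params>[^"]*)"\)'
    r'\s*=\s*(?P<ret>-?\d+)'
)


@dataclass
class ModuleLoad:
    pid: int
    addr: int      # userspace address of the ELF image (rdi at the syscall)
    length: int    # image size in bytes (rsi)
    params: str    # module parameter string (rdx)
    ret: int       # syscall return value

    @property
    def end(self) -> int:
        # Exclusive end address, the second operand of gdb's `dump memory`.
        return self.addr + self.length


def parse_init_module_calls(text: str) -> List[ModuleLoad]:
    """Extract every init_module() call from strace output in the format above."""
    loads = []
    for line in text.splitlines():
        m = INIT_MODULE_RE.match(line.strip())
        if m:
            loads.append(ModuleLoad(int(m["pid"]), int(m["addr"], 16),
                                    int(m["length"]), m["params"], int(m["ret"])))
    return loads


def gdb_dump_commands(loads: List[ModuleLoad], prefix: str = "module") -> List[str]:
    """One `dump memory <file> <start> <end>` line per successful load (ret == 0).

    Addresses come from one process run; ASLR means they change between runs,
    so the commands are a template to be re-derived from the live `info reg`.
    """
    cmds = []
    for i, ld in enumerate(loads, 1):
        if ld.ret != 0:
            continue
        cmds.append(f"dump memory {prefix}_{i}.ko {ld.addr:#x} {ld.end:#x}")
    return cmds


ET_REL = 1  # e_type of a relocatable object; loadable kernel modules are ET_REL


def looks_like_kernel_module(data: bytes) -> bool:
    """Sanity-check a dumped image: ELF magic, 64-bit class, ET_REL type."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return False
    if data[4] != 2:                      # EI_CLASS: 2 == ELFCLASS64
        return False
    endian = "<" if data[5] == 1 else ">" # EI_DATA: 1 == little-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type == ET_REL


if __name__ == "__main__":
    for cmd in gdb_dump_commands(parse_init_module_calls(SAMPLE_STRACE), "falcon"):
        print(cmd)
```

Run against the gist's output this prints four `dump memory` lines; after dumping, `looks_like_kernel_module(open("falcon_4.ko", "rb").read())` confirms the file starts with a valid module header rather than a truncated or mis-ranged dump.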