root@precise32:/vagrant/git/detector# ./syscall_integrity_scanner.sh 
make -C /lib/modules/3.2.0-23-generic-pae/build M=/vagrant/git/detector/dump_virtual_sys_open modules
make[1]: Entering directory `/usr/src/linux-headers-3.2.0-23-generic-pae'
  Building modules, stage 2.
    MODPOST 1 modules
    make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-23-generic-pae'
    [260925.040333] + virtual memory for sys_open {c1143c20}
    [260925.040333] [0xCAFEBABE] START DUMP
    [260925.040335] 68 d0 41 8a d8 04 00 04 00 04 00 04 00 04 00 04  h.A.............
    [260925.040336] 00 04 00 c3 b8 9c ff ff ff 8b 7d 08 8b 75 0c 8b  ..........}..u..
    [260925.040337] 5d 10 89 fa 89 f1 89 1c 24 e8 e2 fd ff ff 8b 5d  ].......$......]
    [260925.040338] f4 8b 75 f8 8b 7d fc 89 ec 5d c3 90 8d 74 26 00  ..u..}...]...t&.
    [260925.040339] 55 89 e5 83 ec 10 89 5d f4 89 75 f8 89 7d fc 3e  U......]..u..}.>
    [260925.040340] 8d 74 26 00 8b 7d 0c 8b 75 10 8b 5d 14 8b 45 08  .t&..}..u..]..E.
    [260925.040341] 89 fa 89 f1 89 1c 24 e8 a4 fd ff ff 8b 5d f4 8b  ......$......]..
    [260925.040342] 75 f8 8b 7d fc 89 ec 5d c3 8d b4 26 00 00 00 00  u..}...]...&....
    [260925.040343] 55 89 e5 83 ec 0c 3e 8d 74 26 00 8b 45 0c c7 44  U.....>.t&..E..D
    [260925.040344] 24 04 41 02 00 00 89 44 24 08 8b 45 08 89 04 24  $.A....D$..E...$
    [260925.040344] e8 5b ff ff ff c9 c3 89 f6 8d bc 27 00 00 00 00  .[.........'....
    [260925.040345] 55 89 e5 3e 8d 74 26 00 b8 1a 00 00 00 e8 2e 1b  U..>.t&.........
    [260925.040346] f2 ff ba ff ff ff ff 84 c0 74 07 e8 50 bb 20 00  .........t..P. .
    [260925.040347] 31 d2 89 d0 5d c3 90 90 90 90 90 90 90 90 90 90  1...]...........
    [260925.040348] 55 89 e5 3e 8d 74 26 00 8b 50 2c 5d 8b 40 28 c3  U..>.t&..P,].@(.
    [260925.040349] 55 89 e5 3e 8d 74 26 00 b8 e3 ff ff ff ba ff ff  U..>.t&.........
    [260925.040350] ff ff 5d c3 8d b6 00 00 00 00 8d bf 00 00 00 00  ..].............
    [260925.040351] 55 89 e5 83 ec 0c 89 5d f8 89 75 fc 3e 8d 74 26  U......]..u.>.t&
    [260925.040351] 00 be 10 3d 14 c1 f6 40 24 04 74 14 8b 58 10 85  ...=...@$.t..X..
    [260925.040352] db 74 0d 8b 73 04 bb 10 3d 14 c1 85 f6 0f 44 f3  .t..s...=.....D.
    [260925.040353] 8b 5d 08 89 1c 24 ff d6 8b 5d f8 8b 75 fc 89 ec  .]...$...]..u...
    [260925.040354] 5d c3 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00  ]...&......'....
    [260925.040355] 55 89 e5 57 56 53 3e 8d 74 26 00 89 c3 31 c0 85  U..WVS>.t&...1..
    [260925.040356] d2 74 22 8b 73 04 b0 01 39 f1 77 15 eb 1c 66 90  .t".s...9.w...f.
    [260925.040357] 83 c3 08 83 c0 01 8b 7b 04 01 f7 39 cf 73 19 89  .......{...9.s..
    [260925.040358] fe 39 d0 75 eb 5b 5e 5f 5d c3 b8 01 00 00 00 31  .9.u.[^_]......1
    [260925.040358] f6 8d b4 26 00 00 00 00 29 f1 89 4b 04 5b 5e 5f  ...&....)..K.[^_
    [260925.040359] 5d c3 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00  ]...&......'....
    [260925.040360] 55 89 e5 83 ec 04 3e 8d 74 26 00 64 8b 0d 4c ae  U.....>.t&.d..L.
    [260925.040361] 92 c1 c7 45 fc 02 00 00 00 8b 55 fc 87 11 89 55  ...E......U....U
    [260925.040362] fc 8b 55 fc 8b 50 08 83 e2 02 74 14 3e 80 60 08  ..U..P....t.>.`.
    [260925.040363] fd 64 a1 4c                                      .d.L
    [260925.040363] [0xCAFEBABE] END DUMP
    ; Reference copy of sys_open as disassembled from the vmlinux image
    ; (32-bit x86, Intel syntax). Its bytes are the "opcodes VMlinux" side of
    ; the comparison; the other side is the dmesg dump of live memory taken at
    ; the same address, c1143c20.
    ;
    ; Listing format: every line repeats the address and runs it straight into
    ; the instruction bytes ("c1143c20:c1143c20" followed by "55"), so the
    ; opcode bytes are whatever follows the second copy of the address.
    ;
    ; What the live dump shows instead of the first 20 bytes below:
    ;   68 d0 41 8a d8        push 0xd88a41d0
    ;   04 00  (x7)           add  al,0x0   (filler)
    ;   c3                    ret
    ; push-imm32 followed by ret transfers control to the pushed address, so
    ; none of the prologue below would execute in the running kernel. From
    ; offset 20 onward (b8 9c ff ff ff ...) the live bytes equal this listing.
    ;
    ; --- prologue: frame setup, 0x10 bytes of locals ---
    c1143c20:c1143c2055                   	push   ebp
    c1143c21:c1143c2189 e5                	mov    ebp,esp
    c1143c23:c1143c2383 ec 10             	sub    esp,0x10
    ; Save ebx/esi/edi in the frame; they are reloaded just before ret.
    c1143c26:c1143c2689 5d f4             	mov    DWORD PTR [ebp-0xc],ebx
    c1143c29:c1143c2989 75 f8             	mov    DWORD PTR [ebp-0x8],esi
    c1143c2c:c1143c2c89 7d fc             	mov    DWORD PTR [ebp-0x4],edi
    ; NOTE(review): presumably the mcount/ftrace call site -- confirm the
    ; target 0xc15af7a8 against System.map. The neighbouring functions in the
    ; live dump carry the 5-byte NOP 3e 8d 74 26 00 at this same offset, so a
    ; running kernel can differ from vmlinux in these five bytes without any
    ; tampering. A byte-for-byte check should mask such patched sites rather
    ; than count them as mismatches.
    c1143c2f:c1143c2fe8 74 bb 46 00       	call   0xc15af7a8
    ; eax = 0xffffff9c, i.e. -100 as a signed 32-bit value
    ; (presumably AT_FDCWD -- confirm).
    c1143c34:c1143c34b8 9c ff ff ff       	mov    eax,0xffffff9c
    ; Load the three stack arguments at [ebp+0x8], [ebp+0xc], [ebp+0x10].
    c1143c39:c1143c398b 7d 08             	mov    edi,DWORD PTR [ebp+0x8]
    c1143c3c:c1143c3c8b 75 0c             	mov    esi,DWORD PTR [ebp+0xc]
    c1143c3f:c1143c3f8b 5d 10             	mov    ebx,DWORD PTR [ebp+0x10]
    ; Forward them as edx, ecx and the top stack slot; together with eax this
    ; looks like a register-argument (regparm) call -- TODO confirm.
    c1143c42:c1143c4289 fa                	mov    edx,edi
    c1143c44:c1143c4489 f1                	mov    ecx,esi
    c1143c46:c1143c4689 1c 24             	mov    DWORD PTR [esp],ebx
    ; NOTE(review): likely the do_sys_open helper -- confirm 0xc1143a30
    ; against System.map. Its return value in eax is passed through unchanged.
    c1143c49:c1143c49e8 e2 fd ff ff       	call   0xc1143a30
    ; --- epilogue: restore saved registers, tear down the frame ---
    c1143c4e:c1143c4e8b 5d f4             	mov    ebx,DWORD PTR [ebp-0xc]
    c1143c51:c1143c518b 75 f8             	mov    esi,DWORD PTR [ebp-0x8]
    c1143c54:c1143c548b 7d fc             	mov    edi,DWORD PTR [ebp-0x4]
    c1143c57:c1143c5789 ec                	mov    esp,ebp
    c1143c59:c1143c595d                   	pop    ebp
    c1143c5a:c1143c5ac3                   	ret    
    usage {check_syscall_integrity.py} SYS_OPEN_VMLINUX_FILE SYS_OPEN_VIRTUAL.FILE

    opcodes VMlinux: ([['55'], ['89', 'e5'], ['83', 'ec', '10'], ['89', '5d', 'f4'], ['89', '75', 'f8'], ['89', '7d', 'fc'], ['e8', '74', 'bb', '46', '00'], ['b8', '9c', 'ff', 'ff', 'ff'], ['8b', '7d', '08'], ['8b', '75', '0c'], ['8b', '5d', '10'], ['89', 'fa'], ['89', 'f1'], ['89', '1c', '24'], ['e8', 'e2', 'fd', 'ff', 'ff'], ['8b', '5d', 'f4'], ['8b', '75', 'f8'], ['8b', '7d', 'fc'], ['89', 'ec'], ['5d'], ['c3']])

    opcodes Virtual: (['68', 'd0', '41', '8a', 'd8', '04', '00', '04', '00', '04', '00', '04', '00', '04', '00', '04', '00', '04', '00', 'c3', 'b8', '9c', 'ff', 'ff', 'ff', '8b', '7d', '08', '8b', '75', '0c', '8b', '5d', '10', '89', 'fa', '89', 'f1', '89', '1c', '24', 'e8', 'e2', 'fd', 'ff', 'ff', '8b', '5d', 'f4', '8b', '75', 'f8', '8b', '7d', 'fc', '89', 'ec', '5d', 'c3', '90', '8d', '74', '26', '00', '55', '89', 'e5', '83', 'ec', '10', '89', '5d', 'f4', '89', '75', 'f8', '89', '7d', 'fc', '3e', '8d', '74', '26', '00', '8b', '7d', '0c', '8b', '75', '10', '8b', '5d', '14', '8b', '45', '08', '89', 'fa', '89', 'f1', '89', '1c', '24', 'e8', 'a4', 'fd', 'ff', 'ff', '8b', '5d', 'f4', '8b', '75', 'f8', '8b', '7d', 'fc', '89', 'ec', '5d', 'c3', '8d', 'b4', '26', '00', '00', '00', '00', '55', '89', 'e5', '83', 'ec', '0c', '3e', '8d', '74', '26', '00', '8b', '45', '0c', 'c7', '44', '24', '04', '41', '02', '00', '00', '89', '44', '24', '08', '8b', '45', '08', '89', '04', '24', 'e8', '5b', 'ff', 'ff', 'ff', 'c9', 'c3', '89', 'f6', '8d', 'bc', '27', '00', '00', '00', '00', '55', '89', 'e5', '3e', '8d', '74', '26', '00', 'b8', '1a', '00', '00', '00', 'e8', '2e', '1b', 'f2', 'ff', 'ba', 'ff', 'ff', 'ff', 'ff', '84', 'c0', '74', '07', 'e8', '50', 'bb', '20', '00', '31', 'd2', '89', 'd0', '5d', 'c3', '90', '90', '90', '90', '90', '90', '90', '90', '90', '90', '55', '89', 'e5', '3e', '8d', '74', '26', '00', '8b', '50', '2c', '5d', '8b', '40', '28', 'c3', '55', '89', 'e5', '3e', '8d', '74', '26', '00', 'b8', 'e3', 'ff', 'ff', 'ff', 'ba', 'ff', 'ff', 'ff', 'ff', '5d', 'c3', '8d', 'b6', '00', '00', '00', '00', '8d', 'bf', '00', '00', '00', '00', '55', '89', 'e5', '83', 'ec', '0c', '89', '5d', 'f8', '89', '75', 'fc', '3e', '8d', '74', '26', '00', 'be', '10', '3d', '14', 'c1', 'f6', '40', '24', '04', '74', '14', '8b', '58', '10', '85', 'db', '74', '0d', '8b', '73', '04', 'bb', '10', '3d', '14', 'c1', '85', 'f6', '0f', '44', 'f3', '8b', '5d', '08', '89', '1c', '24', 'ff', 'd6', '8b', 
'5d', 'f8', '8b', '75', 'fc', '89', 'ec', '5d', 'c3', '8d', 'b4', '26', '00', '00', '00', '00', '8d', 'bc', '27', '00', '00', '00', '00', '55', '89', 'e5', '57', '56', '53', '3e', '8d', '74', '26', '00', '89', 'c3', '31', 'c0', '85', 'd2', '74', '22', '8b', '73', '04', 'b0', '01', '39', 'f1', '77', '15', 'eb', '1c', '66', '90', '83', 'c3', '08', '83', 'c0', '01', '8b', '7b', '04', '01', 'f7', '39', 'cf', '73', '19', '89', 'fe', '39', 'd0', '75', 'eb', '5b', '5e', '5f', '5d', 'c3', 'b8', '01', '00', '00', '00', '31', 'f6', '8d', 'b4', '26', '00', '00', '00', '00', '29', 'f1', '89', '4b', '04', '5b', '5e', '5f', '5d', 'c3', '8d', 'b4', '26', '00', '00', '00', '00', '8d', 'bc', '27', '00', '00', '00', '00', '55', '89', 'e5', '83', 'ec', '04', '3e', '8d', '74', '26', '00', '64', '8b', '0d', '4c', 'ae', '92', 'c1', 'c7', '45', 'fc', '02', '00', '00', '00', '8b', '55', 'fc', '87', '11', '89', '55', 'fc', '8b', '55', 'fc', '8b', '50', '08', '83', 'e2', '02', '74', '14', '3e', '80', '60', '08', 'fd', '64', 'a1', '4c'])

    op {55} and {68} dismatch
    op {89} and {d0} dismatch
    op {e5} and {41} dismatch
    op {83} and {8a} dismatch
    op {ec} and {d8} dismatch
    op {10} and {04} dismatch
    op {89} and {00} dismatch
    op {5d} and {04} dismatch
    op {f4} and {00} dismatch
    op {89} and {04} dismatch
    op {75} and {00} dismatch
    op {f8} and {04} dismatch
    op {89} and {00} dismatch
    op {7d} and {04} dismatch
    op {fc} and {00} dismatch
    op {e8} and {04} dismatch
    op {74} and {00} dismatch
    op {bb} and {04} dismatch
    op {46} and {00} dismatch
    op {00} and {c3} dismatch
    dismatched ['55', '89', 'e5', '83', 'ec', '10', '89', '5d', 'f4', '89', '75', 'f8', '89', '7d', 'fc', 'e8', '74', 'bb', '46', '00']
    hijacking detected

