... adding kprobes folks and Kees to cc

On 2/18/26 06:47, Elly I. Esparza wrote:
> Kprobes can be used by rootkits to find the address of x64_sys_call(),
> x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits
> to find a specific syscall handler and hook it.
> 
> Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes
> blacklist.

I'm an occasional, but not super regular kprobes user. Is this going to
hurt folks who are legitimately probing the syscall dispatch functions?

I'm a bit worried that the rootkits will just move on to something else
and this will become a never-ending game of whack-a-mole where half the
kernel needs NOKPROBE_SYMBOL(). ;)
