In order to implement Linux VMI, DECAF needs to compile procinfo.ko and run it in the target kernel. But in my case, I have a restricted virtual machine and cannot get the kernel's source code and it is not easy to insert modules on it.
So I'm curious, Is there a theoretically feasible way to get these procinfo(address and structure offset, etc.) directly from the QEMU level without extra work?
NOTE: This is not a request for DECAF enhancement, just a free technical discussion.
In order to implement Linux VMI, DECAF needs to compile procinfo.ko and run it in the target kernel. But in my case, I have a restricted virtual machine and cannot get the kernel's source code and it is not easy to insert modules on it.
So I'm curious, Is there a theoretically feasible way to get these procinfo(address and structure offset, etc.) directly from the QEMU level without extra work?
NOTE: This is not a request for DECAF enhancement, just a free technical discussion.