99lb Code
Status: Alpha
Brought to you by: gabe100
| File | Date | Author | Commit |
|---|---|---|---|
| .tmp_versions | 2007-10-17 | gabe100 | [r1] initial checkin |
| analyzer | 2007-10-23 | gabe100 | [r2] changes to support better display of addresses |
| collector | 2007-10-17 | gabe100 | [r1] initial checkin |
| libdisasm | 2007-10-17 | gabe100 | [r1] initial checkin |
| mod | 2007-10-17 | gabe100 | [r1] initial checkin |
| .idt_proc.o.cmd | 2007-10-17 | gabe100 | [r1] initial checkin |
| LICENSE | 2007-10-17 | gabe100 | [r1] initial checkin |
| README | 2007-10-17 | gabe100 | [r1] initial checkin |
This is an alpha release done for toorcon 9 (toorcon.org).
This software lets you collect live RAM data from potentially compromised machines for later analysis.
It has three parts.
A loadable kernel module (LKM), in mod:
to build:
make
to install:
insmod 99lb.ko
A shell script, collect.sh, to collect the data (run as root):
./collect.sh <path-to-where-you-want-it>
An analysis tool, 99lb.py:
to run:
./99lb.py <path-to-where-you-collected-it>
Lots more to be done.
This couldn't have been done without the work of these people:
halflife
Silvio Cesare
Samhain folks
Mariusz Burdach
Jorge Mario Urrea
Gabriel Lawrence
2007