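// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "KernelRootkitProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Kernel mode rootkit signatures.
//
// Each boolean below reports one class of kernel-integrity anomaly. The
// fields are independent of one another, so a single message can carry
// several of them at once.
//
// Note for consumers: these are plain proto3 scalars with implicit presence.
// A field that was never set reads back as `false` (or as the empty string
// for `name`), so `false` by itself does not show that the corresponding
// check ran and found nothing.
message KernelRootkit {
  // Rootkit name, when available. Empty when no name is available.
  string name = 1;

  // True if unexpected modifications of kernel code memory are present.
  bool unexpected_code_modification = 2;

  // True if unexpected modifications of kernel read-only data memory are
  // present.
  bool unexpected_read_only_data_modification = 3;

  // True if `ftrace` points are present with callbacks pointing to regions
  // that are not in the expected kernel or module code range.
  bool unexpected_ftrace_handler = 4;

  // True if `kprobe` points are present with callbacks pointing to regions
  // that are not in the expected kernel or module code range.
  bool unexpected_kprobe_handler = 5;

  // True if kernel code pages that are not in the expected kernel or module
  // code regions are present.
  bool unexpected_kernel_code_pages = 6;

  // True if system call handlers that are not in the expected kernel or
  // module code regions are present.
  bool unexpected_system_call_handler = 7;

  // True if interrupt handlers that are not in the expected kernel or
  // module code regions are present.
  bool unexpected_interrupt_handler = 8;

  // True if unexpected processes in the scheduler run queue are present. Such
  // processes are in the run queue, but not in the process task list, a
  // mismatch that is typical of a process being hidden from normal
  // enumeration.
  bool unexpected_processes_in_runqueue = 9;
}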