communicate with kernel module via Netlink socket on Linux

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: communicate with kernel module via Netlink socket on Linux
    namespace: host-interaction/kernel
    authors:
      - michael.hunhoff@mandiant.com
    description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html)
    scopes:
      static: basic block
      dynamic: call
  features:
    - and:
      - os: linux
      - api: socket
      - number: 0x10 = AF_NETLINK

last edited: 2023-11-24 10:35:00