Patchguard protects critical system calls from being tampered with, e.g. sys_open, socket_seq_show.
Specifically, it's capable of restoring:
- SSDT Hooks
- Inline Hooks
Patchguard must be loaded before any rootkit. It currently has no way to recover original bytes that have already been tampered with.
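
A user-space model of the snapshot-and-restore idea and the load-order requirement above, added here as an illustration; it is not Patchguard's code. The `state` layout, `guard_restore`, `scenario` and all byte values are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#define NR 3        /* constructed: entries in the simulated call table */
#define PROLOGUE 8  /* constructed: leading bytes tracked per handler */
typedef long (*handler_t)(void);
static long real_open(void) { return 0; }
static long evil_open(void) { return -1; }  /* stands in for a rootkit hook */

/* Simulated kernel state; the same layout also holds the guard's baseline. */
struct state { handler_t table[NR]; unsigned char code[NR][PROLOGUE]; };
struct result { int fixed; long open_ret; };

/* Compare live state with the baseline, restore differences, count them. */
static int guard_restore(const struct state *base, struct state *live)
{
    int fixed = 0;
    for (int i = 0; i < NR; i++) {
        if (live->table[i] != base->table[i]) {        /* call-table hook */
            live->table[i] = base->table[i];
            fixed++;
        }
        if (memcmp(live->code[i], base->code[i], PROLOGUE) != 0) { /* inline hook */
            memcpy(live->code[i], base->code[i], PROLOGUE);
            fixed++;
        }
    }
    return fixed;
}

/* Hook entry 0 both ways; the baseline is taken before or after the tampering. */
static struct result scenario(int guard_loaded_first)
{
    struct state live = { { real_open, real_open, real_open }, { { 0x55, 0x48 } } };
    struct state base = live;       /* snapshot taken when the guard loads */
    live.table[0] = evil_open;      /* pointer overwritten in the table */
    live.code[0][0] = 0xe9;         /* constructed: first prologue byte patched */
    if (!guard_loaded_first)
        base = live;                /* guard loaded late: baseline is poisoned */
    struct result r = { guard_restore(&base, &live), 0 };
    r.open_ret = live.table[0]();   /* which handler runs after the check */
    return r;
}

int main(void)
{
    printf("loaded first: %d restored\n", scenario(1).fixed);
    printf("loaded late:  %d restored\n", scenario(0).fixed);
    return 0;
}
```

When the baseline is captured after tampering, the comparison finds nothing to restore and the hooked handler stays in place.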
- Linux 3.2+
- FreeBSD 9+ (ongoing)