Ilya V. Matveychikov

Results 35 comments of Ilya V. Matveychikov

@alexandernst IIRC VirtualBox had problems with `sidt` instruction emulation...

@alexandernst See how the `stub_\func` macro is implemented: http://lxr.free-electrons.com/source/arch/x86/kernel/entry_64.S?v=3.10#L832 I'll suggest that we can: 1) copy each affected stub function from the kernel's memory OR write the stub's implementation by hand...

@alexandernst He used `jprobes` as that nice commit says `cloned someone else's code, made small modifications, added jprobe` :) We don't want it I think.

@alexandernst good luck ;)

@alexandernst @igorastds Well, need to remember that things... )

Note that we need to handle `stubs` separately. For example, hooking `execve` through the `sys_call_table` isn't correct as `__NR_execve` points to the `stub_execve`, not the `sys_execve`. IIRC there are about...

@alexandernst Alexander, what do you think about the option of restoring the original system call table using the vmlinux (or packed vmlinuz) images? Procmon may be used as a simple "anti-rootkit"...

@alexandernst How do you intend to scan the kernel's memory from the viewer?

@alexandernst OK, I've got it. Do you think that sysctl is a good information exporting interface?