Report: Kernel Interrupt Table

The kernel interrupt table is the Linux kernel data structure that associates interrupts with the functions that handle them.

Table lookups are triggered by three types of events: hardware interrupts (e.g., keyboard keystrokes or I/O at a network port), software interrupts (e.g., a call to the kernel to perform an I/O request), or processor exceptions (e.g., an access violation or divide by zero).


Report Detail: Kernel Interrupt Table

The following shows the kernel interrupts at the instant a memory snapshot was taken of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).

[Figure: Kernel Interrupt Table Report]

The following table describes each column of the reported data.

| Column | Description | Notes |
| --- | --- | --- |
| Id | Processor-defined ID of the interrupt | Values between 0x0 and 0x1F, inclusive, are reserved for exceptions; values larger than 0x1F are used for interrupt routines |
| Addr | Handler address for the interrupt ID | |
| Name | Name of the interrupt | |

Forensic Hints

Patterns to look for: handler addresses (the Addr column) that fall outside the standard range.

Note that the Project Freta analysis engine infers the existence of rootkits and other hooks of these objects, and lists them in the Potential Rootkits report section.

This data cannot be obtained from a running Linux system, so an internal-external comparison is not possible.
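
The "Patterns to look for" hint can be applied mechanically once the report rows are in text form. The following is an added example, not Project Freta code: it parses rows, classifies each Id as exception or interrupt per the column notes, and lists handlers outside a kernel text range. The whitespace-separated row layout, the sample rows, and the range bounds (stand-ins for `_stext`/`_etext` from the matching kernel's System.map) are all assumptions constructed for illustration.

```python
from typing import NamedTuple

EXCEPTION_MAX_ID = 0x1F  # per the column notes: 0x0-0x1F are reserved for exceptions

# Assumed bounds of the core kernel text (e.g. _stext/_etext taken from the
# System.map of the exact kernel build). Constructed values, not from the page.
TEXT_START = 0xFFFFFFFF81000000
TEXT_END = 0xFFFFFFFF81600000

# Constructed rows in an assumed "Id Addr Name" whitespace-separated layout.
SAMPLE = """\
0x0  0xffffffff8153e2d0 divide_error
0xe  0xffffffff8153e5f0 page_fault
0x20 0xffffffff8100ba20 irq_stub_0x20
0x80 0xffffffffa0412000
0xef 0xffffffff8100c2c0 apic_timer_interrupt
"""

class Entry(NamedTuple):
    vec: int
    addr: int
    name: str

def parse_rows(text):
    """Parse report rows; rows without a resolved name get an empty name."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # blank or malformed row
        name = parts[2].strip() if len(parts) == 3 else ""
        entries.append(Entry(int(parts[0], 16), int(parts[1], 16), name))
    return entries

def kind(entry):
    """Classify by Id: exceptions occupy 0x0-0x1F, interrupt routines the rest."""
    return "exception" if entry.vec <= EXCEPTION_MAX_ID else "interrupt"

def out_of_range(entries, start=TEXT_START, end=TEXT_END):
    """Return entries whose handler address lies outside [start, end)."""
    return [e for e in entries if not (start <= e.addr < end)]

if __name__ == "__main__":
    for e in out_of_range(parse_rows(SAMPLE)):
        print(f"review: {kind(e)} {e.vec:#x} -> {e.addr:#018x} {e.name or '<no name>'}")
```

An entry listed by this check is a lead to correlate with the Potential Rootkits report section, not a verdict on its own.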