[Vol-users] Can't detect stealth LKM rootkit

Smith Michael s8xc2dri at gmail.com
Thu Mar 3 12:02:14 CST 2016


I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which
hides its module and hooks fop.
I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest Volatility
git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both the memory dump
and the analysis.
Many plugins work fine, but it can't be detected by the plugins below (same on
Volatility 2.4).

* linux_hidden_modules - nothing is detected

$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
Volatility Foundation Volatility Framework 2.5
Offset (V)         Name
------------------ ----

* linux_check_fops - outputs an error (no verbose output with the --debug option)

$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
Volatility Foundation Volatility Framework 2.5
ERROR   : volatility.debug    : You must specify something to do (try -h)

I would really appreciate any advice.
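Editor's note, not part of the post above: in Volatility 2.x the file-operations check plugin is named linux_check_fop (singular), and "You must specify something to do (try -h)" is the message vol.py prints when the command name is not a known plugin; `vol.py --info | grep linux_check` lists the names the installed tree actually provides. Separately, the detection idea behind linux_hidden_modules is a cross-view comparison: walk the kernel's `modules` list to get the modules the kernel admits to, carve memory for structures that look like a `struct module` regardless of whether they are linked, and report the difference. The script below is an added illustration of that technique and is neither the poster's code nor Volatility's; it runs on a constructed in-memory image with an invented, simplified module layout (list.next, list.prev, name) rather than the real `struct module`, and the base address, sizes and module names are assumptions chosen for the example.

```python
"""
Cross-view detection of an unlinked kernel module, run on a constructed
memory image. Added example: not Volatility's code, and the 'struct module'
layout used here is invented (list.next, list.prev, name), not the kernel's.
"""
import struct

KERNEL_BASE = 0xFFFFFFFFA0000000   # assumed base of the module area in the image
IMAGE_SIZE = 0x1000                # constructed image is one page
MODULE_SIZE = 0x48                 # size of the constructed module layout
LIST_NEXT, LIST_PREV, NAME = 0x00, 0x08, 0x10   # field offsets (constructed)
NAME_LEN = 56


class Image:
    """Tiny stand-in for a memory dump: a byte buffer with a base address."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def read(self, addr, n):
        off = addr - self.base
        return bytes(self.buf[off:off + n])

    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def contains(self, addr):
        return self.base <= addr < self.base + len(self.buf)


def build_image():
    """Construct an image with two linked modules and one that unlinked itself."""
    img = Image(KERNEL_BASE, IMAGE_SIZE)
    head = KERNEL_BASE + 0x000          # stand-in for the kernel's `modules` list_head
    addrs = {"ext4": KERNEL_BASE + 0x100,
             "lime": KERNEL_BASE + 0x200,
             "rootkit": KERNEL_BASE + 0x300}
    # Circular list: head <-> ext4 <-> lime <-> head
    order = [head, addrs["ext4"], addrs["lime"]]
    for i, a in enumerate(order):
        img.write(a + LIST_NEXT, struct.pack("<Q", order[(i + 1) % len(order)]))
        img.write(a + LIST_PREV, struct.pack("<Q", order[(i - 1) % len(order)]))
    # The rootkit did list_del_init() on its own entry: pointers point to itself,
    # so a list walk never reaches it, but the structure itself is still in memory.
    r = addrs["rootkit"]
    img.write(r + LIST_NEXT, struct.pack("<Q", r))
    img.write(r + LIST_PREV, struct.pack("<Q", r))
    for name, a in addrs.items():
        img.write(a + NAME, name.encode().ljust(NAME_LEN, b"\0"))
    return img, head


def module_name(img, addr):
    raw = img.read(addr + NAME, NAME_LEN)
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def walk_modules(img, head):
    """The kernel's own view: follow modules.next until the walk returns to head."""
    seen, cur = [], img.read_u64(head + LIST_NEXT)
    while cur != head and len(seen) < 1000:   # bound guards against a corrupt list
        seen.append(cur)
        cur = img.read_u64(cur + LIST_NEXT)
    return seen


def looks_like_module(img, addr):
    """Carving heuristic: both list pointers land inside the image and the name
    field is a non-empty printable string followed only by NUL padding."""
    nxt, prv = img.read_u64(addr + LIST_NEXT), img.read_u64(addr + LIST_PREV)
    if not (img.contains(nxt) and img.contains(prv)):
        return False
    raw = img.read(addr + NAME, NAME_LEN)
    name = raw.split(b"\0", 1)[0]
    if not name or not all(0x21 <= c < 0x7F for c in name):
        return False
    return all(c == 0 for c in raw[len(name):])


def carve_modules(img):
    """Memory view: scan the image at pointer alignment for module-shaped structs."""
    return [addr for addr in range(img.base, img.base + len(img.buf) - MODULE_SIZE, 8)
            if looks_like_module(img, addr)]


def find_hidden_modules(img, head):
    """Cross-view result: carved structures that the list walk never reached."""
    listed = set(walk_modules(img, head))
    return sorted(a for a in carve_modules(img) if a not in listed)


if __name__ == "__main__":
    img, head = build_image()
    print("listed:", [module_name(img, a) for a in walk_modules(img, head)])
    print("hidden:", [(hex(a), module_name(img, a)) for a in find_hidden_modules(img, head)])
```

The carving heuristic is deliberately loose (valid-looking pointers plus a printable name); on a real dump a carver additionally checks fields such as the module's core address and size, which is why a rootkit that also overwrites its own `struct module` name or pointers can defeat the scan and has to be found through other cross-views (sysfs ksets, hooked operation tables, text ranges not covered by any known module).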
