[Vol-users] Can't detect stealth LKM rootkit

Andrew Case atcuno at gmail.com
Thu Mar 17 11:06:27 CDT 2016


Hey,

The name of the second plugin is linux_check_fop (no 's' at the end).
Can you re-run that way and let me know if it picks it up? I will look
into why hidden modules is missing it.

Thanks,
Andrew (@attrc)

On 03/03/2016 12:02 PM, Smith Michael wrote:
> Hi,
> 
> I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which
> hides its module and hooks fop.
> I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest
> Volatility git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both
> the memory dump and the analysis.
> Many plugins work fine, but it can't be detected by the plugins below (same
> on Volatility 2.4).
> 
> 
> * linux_hidden_modules - nothing is detected
> 
> $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
> Volatility Foundation Volatility Framework 2.5
> Offset (V)         Name
> ------------------ ----
> 
> * linux_check_fops - outputs an error (no verbose output with the --debug option)
> 
> $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
> Volatility Foundation Volatility Framework 2.5
> ERROR   : volatility.debug    : You must specify something to do (try -h)
> 
> 
> I would really appreciate any advice.
> 
> Regards,
> 
> 
> 
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 
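The two checks this thread turns on are both cross-view comparisons: linux_hidden_modules looks for struct module instances that a second enumeration (sysfs kobjects or a memory scan) still sees after the module unlinked itself from the `modules` list that lsmod walks, and linux_check_fop looks for file_operations pointers that do not land in the kernel's text or in any known module. The block below is an added illustration of that logic written for this page; it is not Volatility's code. The `Module` class, the address ranges, the `FOPS` tables and the two module views are constructed sample data, and the function names are assumptions of the example.

```python
"""Cross-view detection modelled on linux_hidden_modules / linux_check_fop.

Added example, not Volatility code.  All addresses and tables below are
constructed for illustration; they are not taken from a real image.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    core_start: int   # stands in for module->module_core (start of the code)
    core_size: int    # stands in for module->core_size

    def contains(self, addr: int) -> bool:
        return self.core_start <= addr < self.core_start + self.core_size


# Constructed x86_64 kernel text range (start, end).
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF81600000)

# Constructed modules.  "rootkit" is the hidden LKM; the others are benign.
EXT4 = Module("ext4", 0xFFFFFFFFA0000000, 0x80000)
LIME = Module("lime", 0xFFFFFFFFA0100000, 0x8000)
ROOTKIT = Module("rootkit", 0xFFFFFFFFA0200000, 0x10000)

# View 1: the `modules` linked list.  The rootkit did list_del() on itself,
# so lsmod and a naive list walk never see it.
LIST_VIEW = [EXT4, LIME]
# View 2: a second, independent enumeration (sysfs kobject tree or a scan of
# memory for struct module).  Unlinking from the list does not remove these.
SCAN_VIEW = [EXT4, LIME, ROOTKIT]

# Constructed file_operations tables: {owner: {field: function pointer}}.
# /proc's iterate handler is hooked into the hidden module's code.
FOPS: Dict[str, Dict[str, int]] = {
    "/proc": {
        "iterate": ROOTKIT.core_start + 0x1234,
        "open": KERNEL_TEXT[0] + 0x2A0000,
    },
    "/ (ext4 root)": {
        "iterate": EXT4.core_start + 0x5000,
        "read": KERNEL_TEXT[0] + 0x1F0000,
    },
}


def find_hidden_modules(list_view: List[Module],
                        second_view: List[Module]) -> List[str]:
    """Names present in the second enumeration but absent from the list walk."""
    listed = {m.name for m in list_view}
    return [m.name for m in second_view if m.name not in listed]


def owner_of(addr: int, kernel_text: Tuple[int, int],
             modules: List[Module]) -> Optional[str]:
    """Attribute a code pointer to the kernel, a module, or nothing (None)."""
    if kernel_text[0] <= addr < kernel_text[1]:
        return "kernel"
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_fops(fops: Dict[str, Dict[str, int]], kernel_text: Tuple[int, int],
               modules: List[Module]) -> List[Tuple[str, str, int]]:
    """Return (owner, field, address) for every non-NULL handler that points
    outside the kernel text and outside every module in `modules`."""
    findings = []
    for owner, table in fops.items():
        for field, addr in table.items():
            if addr and owner_of(addr, kernel_text, modules) is None:
                findings.append((owner, field, addr))
    return findings


if __name__ == "__main__":
    hidden = find_hidden_modules(LIST_VIEW, SCAN_VIEW)
    print("hidden modules:", hidden)
    for owner, field, addr in check_fops(FOPS, KERNEL_TEXT, LIST_VIEW):
        # Re-attribute the suspicious pointer using the fuller second view.
        culprit = owner_of(addr, KERNEL_TEXT, SCAN_VIEW)
        print(f"{owner}: {field} -> {addr:#x} (hidden owner: {culprit})")
```

Run against the visible module list only, the fops check flags the hooked /proc iterate pointer because nothing visible owns that address; run against the second view, the same pointer attributes cleanly to the hidden module, which is why the two checks are worth running together rather than relying on either alone. The caveat is the obvious one: a hook that redirects into code inside the kernel text or inside a benign module (an inline patch, or a trampoline planted in another module's memory) passes this range check, so a clean result from this kind of pointer check is not proof of a clean image.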

