[Vol-users] Can't detect stealth LKM rootkit

Michael Smith s8xc2dri at gmail.com
Mon Mar 21 02:47:30 CDT 2016


Hi Andrew,

Thank you for your reply! (Volatility and your book are awesome)


> The name of the second plugin is linux_check_fop (no 's' at the end).
> Can you re-run that way and let me know if it picks it up?

Oh, I was mistaken. I retried on a few memory dumps in the same environment and
linux_check_fop seems to detect /proc readdir (and sometimes others).

$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fop
Volatility Foundation Volatility Framework 2.5
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ------------------
proc_root                                  readdir                        0xffffffffa0087000
/proc                                      readdir                        0xffffffffa0087000
/                                          readdir                        0xffffffffa0087020
Killed

On another memory dump:

$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fop
Volatility Foundation Volatility Framework 2.5
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ------------------
proc_root                                  readdir                        0xffffffffa0051000
/proc                                      readdir                        0xffffffffa0051000
/                                          readdir                        0xffffffffa0051020
/root                                      readdir                        0xffffffffa0051020
/net                                       readdir                        0xffffffffa0051020
/misc                                      readdir                        0xffffffffa0051020
/cgroup                                    readdir                        0xffffffffa0051020
/cgroup/blkio                              readdir                        0xffffffffa0051020
/cgroup/net_cls                            readdir                        0xffffffffa0051020
/cgroup/freezer                            readdir                        0xffffffffa0051020
/cgroup/devices                            readdir                        0xffffffffa0051020
/cgroup/memory                             readdir                        0xffffffffa0051020
/cgroup/cpuacct                            readdir                        0xffffffffa0051020
/cgroup/cpu                                readdir                        0xffffffffa0051020
/cgroup/cpuset                             readdir                        0xffffffffa0051020
/tmp                                       readdir                        0xffffffffa0051020
/tmp/.X11-unix                             readdir                        0xffffffffa0051020
/tmp/.ICE-unix                             readdir                        0xffffffffa0051020
/home                                      readdir                        0xffffffffa0051020
/boot                                      readdir                        0xffffffffa0051020
/var                                       readdir                        0xffffffffa0051020
/var/cache                                 readdir                        0xffffffffa0051020
/var/cache/fontconfig                      readdir                        0xffffffffa0051020
/var/cache/hald                            readdir                        0xffffffffa0051020
/var/spool                                 readdir                        0xffffffffa0051020
/var/spool/mail                            readdir                        0xffffffffa0051020
/var/spool/at                              readdir                        0xffffffffa0051020
/var/spool/postfix                         readdir                        0xffffffffa0051020
/var/spool/postfix/maildrop                readdir                        0xffffffffa0051020
/var/spool/postfix/public                  readdir                        0xffffffffa0051020
/var/spool/postfix/private                 readdir                        0xffffffffa0051020
/var/spool/postfix/pid                     readdir                        0xffffffffa0051020
/var/gdm                                   readdir                        0xffffffffa0051020
/var/log                                   readdir                        0xffffffffa0051020
/var/log/ConsoleKit                        readdir                        0xffffffffa0051020
/var/log/gdm                               readdir                        0xffffffffa0051020
/var/log/libvirt                           readdir                        0xffffffffa0051020
/var/log/httpd                             readdir                        0xffffffffa0051020
/var/log/audit                             readdir                        0xffffffffa0051020
/var/lib                                   readdir                        0xffffffffa0051020
/var/lib/NetworkManager                    readdir                        0xffffffffa0051020
/var/lib/PackageKit                        readdir                        0xffffffffa0051020
/var/lib/libvirt                           readdir                        0xffffffffa0051020
/var/lib/libvirt/dnsmasq                   readdir                        0xffffffffa0051020
/var/lib/postfix                           readdir                        0xffffffffa0051020
/var/lib/mysql                             readdir                        0xffffffffa0051020
/var/lib/mysql/mysql                       readdir                        0xffffffffa0051020
/var/lib/dhclient                          readdir                        0xffffffffa0051020
/var/lib/nfs                               readdir                        0xffffffffa0051020
/var/lib/nfs/statd                         readdir                        0xffffffffa0051020
/var/run                                   readdir                        0xffffffffa0051020
/var/run/gdm                               readdir                        0xffffffffa0051020
/var/run/abrt                              readdir                        0xffffffffa0051020
/var/run/cups                              readdir                        0xffffffffa0051020
/var/run/dbus                              readdir                        0xffffffffa0051020
/var/run/libvirt                           readdir                        0xffffffffa0051020
/var/run/libvirt/network                   readdir                        0xffffffffa0051020
/bin                                       readdir                        0xffffffffa0051020
/sys                                       readdir                        0xffffffffa0051020
/dev                                       readdir                        0xffffffffa0051020
/lib64                                     readdir                        0xffffffffa0051020
/lib64/tls                                 readdir                        0xffffffffa0051020
/lib64/security                            readdir                        0xffffffffa0051020
/lib64/rsyslog                             readdir                        0xffffffffa0051020
/sbin                                      readdir                        0xffffffffa0051020
/usr                                       readdir                        0xffffffffa0051020
/usr/local                                 readdir                        0xffffffffa0051020
/usr/local/bin                             readdir                        0xffffffffa0051020
/usr/libexec                               readdir                        0xffffffffa0051020
/usr/libexec/pulse                         readdir                        0xffffffffa0051020
/usr/libexec/polkit-1                      readdir                        0xffffffffa0051020
/usr/libexec/postfix                       readdir                        0xffffffffa0051020
/usr/bin                                   readdir                        0xffffffffa0051020
/usr/share                                 readdir                        0xffffffffa0051020
/usr/share/vte                             readdir                        0xffffffffa0051020
/usr/share/vte/termcap                     readdir                        0xffffffffa0051020
/usr/share/anthy                           readdir                        0xffffffffa0051020
/usr/share/mime                            readdir                        0xffffffffa0051020
/usr/share/icons                           readdir                        0xffffffffa0051020
/usr/share/icons/hicolor                   readdir                        0xffffffffa0051020
/usr/share/icons/gnome                     readdir                        0xffffffffa0051020
/usr/share/icons/Mist                      readdir                        0xffffffffa0051020
/usr/share/icons/System                    readdir                        0xffffffffa0051020
/usr/share/fonts                           readdir                        0xffffffffa0051020
/usr/share/fonts/wqy-zenhei                readdir                        0xffffffffa0051020
/usr/share/fonts/vlgothic                  readdir                        0xffffffffa0051020
/usr/share/fonts/dejavu                    readdir                        0xffffffffa0051020
/usr/share/hwdata                          readdir                        0xffffffffa0051020
/usr/share/locale                          readdir                        0xffffffffa0051020
/usr/sbin                                  readdir                        0xffffffffa0051020
/usr/lib64                                 readdir                        0xffffffffa0051020
/usr/lib64/qt-3.3                          readdir                        0xffffffffa0051020
/usr/lib64/qt-3.3/bin                      readdir                        0xffffffffa0051020
/usr/lib                                   readdir                        0xffffffffa0051020
/usr/lib/python2.6                         readdir                        0xffffffffa0051020
/usr/lib/python2.6/site-packages           readdir                        0xffffffffa0051020
/usr/lib/python2.6/site-packages/distorm3  readdir                        0xffffffffa0051020
/usr/lib/locale                            readdir                        0xffffffffa0051020
/proc                                      readdir                        0xffffffffa0051020
/etc                                       readdir                        0xffffffffa0051020
/etc/xdg                                   readdir                        0xffffffffa0051020
/etc/xdg/menus                             readdir                        0xffffffffa0051020
/proc                                      readdir                        0xffffffffa0051000
/home                                      readdir                        0xffffffffa0051020
/boot                                      readdir                        0xffffffffa0051020



> I will look into why hidden modules is missing it.

Thank you!


I forgot to mention it and I don't know if it has any effect, but I'm using
VMware for both the memory dump and the analysis.


Regards,

2016-03-18 1:06 GMT+09:00 Andrew Case <atcuno at gmail.com>:

> Hey,
>
> The name of the second plugin is linux_check_fop (no 's' at the end).
> Can you re-run that way and let me know if it picks it up? I will look
> into why hidden modules is missing it.
>
> Thanks,
> Andrew (@attrc)
>
> On 03/03/2016 12:02 PM, Smith Michael wrote:
> > Hi,
> >
> > I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which
> > hides its module and hooks fops.
> > I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest
> > Volatility git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both
> > the memory dump and the analysis.
> > Many plugins work fine, but it can't be detected by the plugins below (same
> > on Volatility 2.4).
> >
> >
> > * linux_hidden_modules - nothing is detected
> >
> > $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
> > Volatility Foundation Volatility Framework 2.5
> > Offset (V)         Name
> > ------------------ ----
> >
> > * linux_check_fops - outputs error (no verbose output on --debug option)
> >
> > $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
> > Volatility Foundation Volatility Framework 2.5
> > ERROR   : volatility.debug    : You must specify something to do (try -h)
> >
> >
> > I would really appreciate any advice.
> >
> > Regards,
> >
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
>
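As an added illustration (not code from the thread, from Volatility, or from the rootkit's author): a small Python triage helper that re-joins the mail-wrapped linux_check_fop rows shown above, groups hooked file operations by the address they point to, and checks each address against the x86_64 module mapping range and a list of known modules. The sample output, the module list and the range constants are constructed assumptions, not values taken from the thread; an address in module space that no listed module claims is the signature of the hidden-LKM situation the thread describes.

```python
import re
from collections import defaultdict

# Assumed x86_64 module mapping space for 2.6.32-era kernels (MODULES_VADDR..MODULES_END).
MODULES_VADDR = 0xFFFFFFFFA0000000
MODULES_END = 0xFFFFFFFFFF000000

# Constructed excerpt in the shape of the thread's output (Address column wrapped by the mailer).
SAMPLE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
Symbol Name                                Member
         Address
------------------------------------------ ------------------------------
------------------
proc_root                                  readdir
 0xffffffffa0051000
/proc                                      readdir
 0xffffffffa0051000
/                                          readdir
 0xffffffffa0051020
/root                                      readdir
 0xffffffffa0051020
"""

# Constructed, hypothetical (name, base, size) table as one might derive from linux_lsmod.
KNOWN_MODULES = [("ext4", 0xFFFFFFFFA0120000, 0x60000), ("lime", 0xFFFFFFFFA0200000, 0x3000)]

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)$")

def parse_check_fop(text):
    """Re-join rows whose address wrapped onto the next line; return (symbol, member, addr)."""
    rows, lines, i = [], [l.rstrip() for l in text.splitlines()], 0
    while i < len(lines):
        line = lines[i]
        if i + 1 < len(lines) and re.fullmatch(r"\s*0x[0-9a-fA-F]+", lines[i + 1]):
            line = line + " " + lines[i + 1].strip()   # glue the wrapped address back on
            i += 1
        m = ROW_RE.match(line)
        if m:                                           # header/separator lines never match
            rows.append((m.group(1), m.group(2), int(m.group(3), 16)))
        i += 1
    return rows

def module_for(addr, modules):
    """Name of the listed module whose [base, base+size) contains addr, else None."""
    return next((n for n, base, size in modules if base <= addr < base + size), None)

def triage(rows, modules):
    """Map each hook target address to (verdict, sorted list of 'symbol.member' hooks)."""
    by_addr = defaultdict(list)
    for sym, member, addr in rows:
        by_addr[addr].append(f"{sym}.{member}")
    report = {}
    for addr, hooks in by_addr.items():
        if not (MODULES_VADDR <= addr < MODULES_END):
            verdict = "outside module space"
        else:
            owner = module_for(addr, modules)
            verdict = f"module {owner}" if owner else "module space, no listed module (possible hidden LKM)"
        report[addr] = (verdict, sorted(hooks))
    return report
```

Feeding real linux_check_fop output and a real linux_lsmod-derived module table into these two functions gives a per-address summary rather than one row per hooked directory.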