Hi, I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which hides its module and hooks fops. I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest Volatility git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both the memory dump and the analysis. Many plugins work fine, but it can't be detected by the plugins below (same on Volatility 2.4).
* linux_hidden_modules - nothing is detected

  $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
  Volatility Foundation Volatility Framework 2.5
  Offset (V)         Name
  ------------------ ----

* linux_check_fops - outputs an error (no verbose output with the --debug option)

  $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
  Volatility Foundation Volatility Framework 2.5
  ERROR : volatility.debug : You must specify something to do (try -h)

I would really appreciate any advice.

Regards,
_______________________________________________
Vol-users mailing list
http://lists.volatilesystems.com/mailman/listinfo/vol-users
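A cross-view check for hidden kernel modules, added here as an example; it is not code from the post above or from the Volatility project. A module-hiding LKM typically unlinks itself from the kernel's module list (which is what lsmod and /proc/modules walk) while its kobject directory under /sys/module is often left behind, so diffing the two views exposes the gap. The /proc/modules text and /sys/module listing below are constructed sample data, and the module name "rootkit" is a placeholder.

```python
"""Cross-view check for hidden kernel modules.

Added example, not code from the mailing-list post or the Volatility project.
Built-in code also owns /sys/module entries (e.g. "kernel", "printk"), so only
directories that carry an "initstate" file are treated as loaded modules.
The sample inputs are constructed; live_check() reads the real files on Linux.
"""
import os

# Constructed /proc/modules content (fields: name size refcount users state address)
SAMPLE_PROC_MODULES = """\
ext4 374902 1 - Live 0xffffffffa0056000
jbd2 93427 1 ext4, Live 0xffffffffa003c000
lime 12714 0 - Live 0xffffffffa0099000 (OE)
"""

# Constructed /sys/module view: directory name -> whether it has an "initstate" file.
SAMPLE_SYS_MODULE = {
    "ext4": True, "jbd2": True, "lime": True,
    "rootkit": True,                   # placeholder: loaded, but unlinked from /proc/modules
    "kernel": False, "printk": False,  # built-in parameter holders, not loadable modules
}


def parse_proc_modules(text):
    """Return the set of module names listed in /proc/modules-style text."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_text, sys_view):
    """Loaded modules visible in sysfs but missing from the module list."""
    listed = parse_proc_modules(proc_text)
    loaded_in_sysfs = {name for name, has_initstate in sys_view.items() if has_initstate}
    return sorted(loaded_in_sysfs - listed)


def live_check():
    """Run the same comparison against the running host (Linux only)."""
    with open("/proc/modules") as fh:
        proc_text = fh.read()
    sys_view = {name: os.path.exists(os.path.join("/sys/module", name, "initstate"))
                for name in os.listdir("/sys/module")}
    return hidden_modules(proc_text, sys_view)


if __name__ == "__main__":
    print("sample hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE))
    if os.path.isdir("/sys/module"):
        print("live hidden modules:", live_check())
```

If the rootkit also removes its sysfs kobject, both views agree and this check stays silent; a memory-dump plugin such as linux_hidden_modules, which scans the dump for module structures instead of walking the list, is then the fallback.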
