Hi Andrew,
Thank you for your reply! (Volatility and your book are awesome)
> The name of the second plugin is linux_check_fop (no 's' at the end).
> Can you re-run that way and let me know if it picks it up?
Oh, I was mistaken. I retried on a few memory dumps in the same environment, and
linux_check_fop seems to detect /proc readdir (and sometimes others).
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fop
Volatility Foundation Volatility Framework 2.5
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ------------------
proc_root                                  readdir                        0xffffffffa0087000
/proc                                      readdir                        0xffffffffa0087000
/                                          readdir                        0xffffffffa0087020
Killed
On another memory dump.
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fop
Volatility Foundation Volatility Framework 2.5
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ------------------
proc_root                                  readdir                        0xffffffffa0051000
/proc                                      readdir                        0xffffffffa0051000
/                                          readdir                        0xffffffffa0051020
/root                                      readdir                        0xffffffffa0051020
/net                                       readdir                        0xffffffffa0051020
/misc                                      readdir                        0xffffffffa0051020
/cgroup                                    readdir                        0xffffffffa0051020
/cgroup/blkio                              readdir                        0xffffffffa0051020
/cgroup/net_cls                            readdir                        0xffffffffa0051020
/cgroup/freezer                            readdir                        0xffffffffa0051020
/cgroup/devices                            readdir                        0xffffffffa0051020
/cgroup/memory                             readdir                        0xffffffffa0051020
/cgroup/cpuacct                            readdir                        0xffffffffa0051020
/cgroup/cpu                                readdir                        0xffffffffa0051020
/cgroup/cpuset                             readdir                        0xffffffffa0051020
/tmp                                       readdir                        0xffffffffa0051020
/tmp/.X11-unix                             readdir                        0xffffffffa0051020
/tmp/.ICE-unix                             readdir                        0xffffffffa0051020
/home                                      readdir                        0xffffffffa0051020
/boot                                      readdir                        0xffffffffa0051020
/var                                       readdir                        0xffffffffa0051020
/var/cache                                 readdir                        0xffffffffa0051020
/var/cache/fontconfig                      readdir                        0xffffffffa0051020
/var/cache/hald                            readdir                        0xffffffffa0051020
/var/spool                                 readdir                        0xffffffffa0051020
/var/spool/mail                            readdir                        0xffffffffa0051020
/var/spool/at                              readdir                        0xffffffffa0051020
/var/spool/postfix                         readdir                        0xffffffffa0051020
/var/spool/postfix/maildrop                readdir                        0xffffffffa0051020
/var/spool/postfix/public                  readdir                        0xffffffffa0051020
/var/spool/postfix/private                 readdir                        0xffffffffa0051020
/var/spool/postfix/pid                     readdir                        0xffffffffa0051020
/var/gdm                                   readdir                        0xffffffffa0051020
/var/log                                   readdir                        0xffffffffa0051020
/var/log/ConsoleKit                        readdir                        0xffffffffa0051020
/var/log/gdm                               readdir                        0xffffffffa0051020
/var/log/libvirt                           readdir                        0xffffffffa0051020
/var/log/httpd                             readdir                        0xffffffffa0051020
/var/log/audit                             readdir                        0xffffffffa0051020
/var/lib                                   readdir                        0xffffffffa0051020
/var/lib/NetworkManager                    readdir                        0xffffffffa0051020
/var/lib/PackageKit                        readdir                        0xffffffffa0051020
/var/lib/libvirt                           readdir                        0xffffffffa0051020
/var/lib/libvirt/dnsmasq                   readdir                        0xffffffffa0051020
/var/lib/postfix                           readdir                        0xffffffffa0051020
/var/lib/mysql                             readdir                        0xffffffffa0051020
/var/lib/mysql/mysql                       readdir                        0xffffffffa0051020
/var/lib/dhclient                          readdir                        0xffffffffa0051020
/var/lib/nfs                               readdir                        0xffffffffa0051020
/var/lib/nfs/statd                         readdir                        0xffffffffa0051020
/var/run                                   readdir                        0xffffffffa0051020
/var/run/gdm                               readdir                        0xffffffffa0051020
/var/run/abrt                              readdir                        0xffffffffa0051020
/var/run/cups                              readdir                        0xffffffffa0051020
/var/run/dbus                              readdir                        0xffffffffa0051020
/var/run/libvirt                           readdir                        0xffffffffa0051020
/var/run/libvirt/network                   readdir                        0xffffffffa0051020
/bin                                       readdir                        0xffffffffa0051020
/sys                                       readdir                        0xffffffffa0051020
/dev                                       readdir                        0xffffffffa0051020
/lib64                                     readdir                        0xffffffffa0051020
/lib64/tls                                 readdir                        0xffffffffa0051020
/lib64/security                            readdir                        0xffffffffa0051020
/lib64/rsyslog                             readdir                        0xffffffffa0051020
/sbin                                      readdir                        0xffffffffa0051020
/usr                                       readdir                        0xffffffffa0051020
/usr/local                                 readdir                        0xffffffffa0051020
/usr/local/bin                             readdir                        0xffffffffa0051020
/usr/libexec                               readdir                        0xffffffffa0051020
/usr/libexec/pulse                         readdir                        0xffffffffa0051020
/usr/libexec/polkit-1                      readdir                        0xffffffffa0051020
/usr/libexec/postfix                       readdir                        0xffffffffa0051020
/usr/bin                                   readdir                        0xffffffffa0051020
/usr/share                                 readdir                        0xffffffffa0051020
/usr/share/vte                             readdir                        0xffffffffa0051020
/usr/share/vte/termcap                     readdir                        0xffffffffa0051020
/usr/share/anthy                           readdir                        0xffffffffa0051020
/usr/share/mime                            readdir                        0xffffffffa0051020
/usr/share/icons                           readdir                        0xffffffffa0051020
/usr/share/icons/hicolor                   readdir                        0xffffffffa0051020
/usr/share/icons/gnome                     readdir                        0xffffffffa0051020
/usr/share/icons/Mist                      readdir                        0xffffffffa0051020
/usr/share/icons/System                    readdir                        0xffffffffa0051020
/usr/share/fonts                           readdir                        0xffffffffa0051020
/usr/share/fonts/wqy-zenhei                readdir                        0xffffffffa0051020
/usr/share/fonts/vlgothic                  readdir                        0xffffffffa0051020
/usr/share/fonts/dejavu                    readdir                        0xffffffffa0051020
/usr/share/hwdata                          readdir                        0xffffffffa0051020
/usr/share/locale                          readdir                        0xffffffffa0051020
/usr/sbin                                  readdir                        0xffffffffa0051020
/usr/lib64                                 readdir                        0xffffffffa0051020
/usr/lib64/qt-3.3                          readdir                        0xffffffffa0051020
/usr/lib64/qt-3.3/bin                      readdir                        0xffffffffa0051020
/usr/lib                                   readdir                        0xffffffffa0051020
/usr/lib/python2.6                         readdir                        0xffffffffa0051020
/usr/lib/python2.6/site-packages           readdir                        0xffffffffa0051020
/usr/lib/python2.6/site-packages/distorm3  readdir                        0xffffffffa0051020
/usr/lib/locale                            readdir                        0xffffffffa0051020
/proc                                      readdir                        0xffffffffa0051020
/etc                                       readdir                        0xffffffffa0051020
/etc/xdg                                   readdir                        0xffffffffa0051020
/etc/xdg/menus                             readdir                        0xffffffffa0051020
/proc                                      readdir                        0xffffffffa0051000
/home                                      readdir                        0xffffffffa0051020
/boot                                      readdir                        0xffffffffa0051020
> I will look into why hidden modules is missing it.
Thank you!
I forgot to mention it, and I don't know if it has any effect, but I'm using
VMware for both the memory dump and the analysis.
Regards,
2016-03-18 1:06 GMT+09:00 Andrew Case <atcuno(a)gmail.com>:
> Hey,
> The name of the second plugin is linux_check_fop (no 's' at the end).
> Can you re-run that way and let me know if it picks it up? I will look
> into why hidden modules is missing it.
> Thanks,
> Andrew (@attrc)
> On 03/03/2016 12:02 PM, Smith Michael wrote:
> > Hi,
> > I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit)
> > which hides its module and hooks fop.
> > I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest
> > Volatility git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both
> > the memory dump and the analysis.
> > Many plugins work fine, but it can't be detected by the plugins below
> > (same on Volatility 2.4).
> > * linux_hidden_modules - nothing is detected
> > $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
> > Volatility Foundation Volatility Framework 2.5
> > Offset (V)         Name
> > ------------------ ----
> > * linux_check_fops - outputs an error (no verbose output with the --debug option)
> > $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
> > Volatility Foundation Volatility Framework 2.5
> > ERROR : volatility.debug : You must specify something to do (try -h)
> > I would really appreciate any advice.
> > Regards,
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
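A small triage script for linux_check_fop output of the kind shown in this thread; it is an added example, not code from the thread, from Volatility or from the rootkit under discussion. It parses the plugin's three-column table, groups every hooked file operation by the handler address it now points at, and flags handlers that sit in the x86_64 module mapping area (assumed to be MODULES_VADDR..MODULES_END for the non-KASLR 2.6.32 kernel in the thread), which is where an LKM's code lives rather than the core kernel text; a run cut short by a bare "Killed", as in the first dump above, is reported as a partial table.

```python
# Added example (not code from the thread, Volatility or the rootkit it
# discusses): triage the three-column table that linux_check_fop prints.
import re
from collections import defaultdict

# Assumption: classic x86_64 layout without KASLR, as on the thread's
# CentOS 6.5 2.6.32 kernel; loadable modules map at MODULES_VADDR..MODULES_END.
MODULES_VADDR = 0xffffffffa0000000
MODULES_END = 0xffffffffff000000

# Constructed sample in the shape the plugin prints (addresses as in the thread).
SAMPLE_OUTPUT = """\
Symbol Name      Member     Address
---------------- ---------- ------------------
proc_root        readdir    0xffffffffa0051000
/proc            readdir    0xffffffffa0051000
/                readdir    0xffffffffa0051020
/root            readdir    0xffffffffa0051020
/tmp             readdir    0xffffffffa0051020
"""
# symbol, member, hex address; header/separator lines fail the match and are
# skipped (symbol names that contain spaces are not handled here).
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s*$")

def parse_check_fop(text):
    """Return ([(symbol, member, addr), ...], truncated). A trailing 'Killed'
    (the shell's SIGKILL notice that ended the first run) flags a partial table."""
    rows, truncated = [], False
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif line.strip() == "Killed":
            truncated = True
    return rows, truncated

def in_module_area(addr):
    """True when the handler sits where loadable modules are mapped."""
    return MODULES_VADDR <= addr < MODULES_END

def triage(text):
    """Group hooked fops by handler: one module-resident address shared by many
    directories' readdir is the signature of a fop-hooking LKM."""
    rows, truncated = parse_check_fop(text)
    victims = defaultdict(list)
    for symbol, member, addr in rows:
        victims[addr].append("%s.%s" % (symbol, member))
    findings = [{"handler": "0x%016x" % addr, "module_area": in_module_area(addr),
                 "hooked": hooked} for addr, hooked in sorted(victims.items())]
    return {"truncated": truncated, "findings": findings}
```

Feed it the saved plugin output (or SAMPLE_OUTPUT) via triage(); each finding lists one handler address with every directory whose readdir now points at it.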