Hi Andrew,
Thank you for your reply! (Volatility and your book is awesome)
> The name of the second plugin is linux_check_fop (no 's' at the end).
> Can you re-run that way and let me know if it picks it up?
Oh, I was mistaken. I retried on a few memory dumps in the same environment, and linux_check_fop seems to detect /proc readdir (and sometimes others).
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fop
Volatility Foundation Volatility Framework 2.5
Symbol Name Member Address
------------------------------------------ ------------------------------ ------------------
proc_root readdir 0xffffffffa0087000
/proc readdir 0xffffffffa0087000
/ readdir 0xffffffffa0087020
Killed
On another memory dump.
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fop
Volatility Foundation Volatility Framework 2.5
Symbol Name Member Address
------------------------------------------ ------------------------------ ------------------
proc_root readdir 0xffffffffa0051000
/proc readdir 0xffffffffa0051000
/ readdir 0xffffffffa0051020
/root readdir 0xffffffffa0051020
/net readdir 0xffffffffa0051020
/misc readdir 0xffffffffa0051020
/cgroup readdir 0xffffffffa0051020
/cgroup/blkio readdir 0xffffffffa0051020
/cgroup/net_cls readdir 0xffffffffa0051020
/cgroup/freezer readdir 0xffffffffa0051020
/cgroup/devices readdir 0xffffffffa0051020
/cgroup/memory readdir 0xffffffffa0051020
/cgroup/cpuacct readdir 0xffffffffa0051020
/cgroup/cpu readdir 0xffffffffa0051020
/cgroup/cpuset readdir 0xffffffffa0051020
/tmp readdir 0xffffffffa0051020
/tmp/.X11-unix readdir 0xffffffffa0051020
/tmp/.ICE-unix readdir 0xffffffffa0051020
/home readdir 0xffffffffa0051020
/boot readdir 0xffffffffa0051020
/var readdir 0xffffffffa0051020
/var/cache readdir 0xffffffffa0051020
/var/cache/fontconfig readdir 0xffffffffa0051020
/var/cache/hald readdir 0xffffffffa0051020
/var/spool readdir 0xffffffffa0051020
/var/spool/mail readdir 0xffffffffa0051020
/var/spool/at readdir 0xffffffffa0051020
/var/spool/postfix readdir 0xffffffffa0051020
/var/spool/postfix/maildrop readdir 0xffffffffa0051020
/var/spool/postfix/public readdir 0xffffffffa0051020
/var/spool/postfix/private readdir 0xffffffffa0051020
/var/spool/postfix/pid readdir 0xffffffffa0051020
/var/gdm readdir 0xffffffffa0051020
/var/log readdir 0xffffffffa0051020
/var/log/ConsoleKit readdir 0xffffffffa0051020
/var/log/gdm readdir 0xffffffffa0051020
/var/log/libvirt readdir 0xffffffffa0051020
/var/log/httpd readdir 0xffffffffa0051020
/var/log/audit readdir 0xffffffffa0051020
/var/lib readdir 0xffffffffa0051020
/var/lib/NetworkManager readdir 0xffffffffa0051020
/var/lib/PackageKit readdir 0xffffffffa0051020
/var/lib/libvirt readdir 0xffffffffa0051020
/var/lib/libvirt/dnsmasq readdir 0xffffffffa0051020
/var/lib/postfix readdir 0xffffffffa0051020
/var/lib/mysql readdir 0xffffffffa0051020
/var/lib/mysql/mysql readdir 0xffffffffa0051020
/var/lib/dhclient readdir 0xffffffffa0051020
/var/lib/nfs readdir 0xffffffffa0051020
/var/lib/nfs/statd readdir 0xffffffffa0051020
/var/run readdir 0xffffffffa0051020
/var/run/gdm readdir 0xffffffffa0051020
/var/run/abrt readdir 0xffffffffa0051020
/var/run/cups readdir 0xffffffffa0051020
/var/run/dbus readdir 0xffffffffa0051020
/var/run/libvirt readdir 0xffffffffa0051020
/var/run/libvirt/network readdir 0xffffffffa0051020
/bin readdir 0xffffffffa0051020
/sys readdir 0xffffffffa0051020
/dev readdir 0xffffffffa0051020
/lib64 readdir 0xffffffffa0051020
/lib64/tls readdir 0xffffffffa0051020
/lib64/security readdir 0xffffffffa0051020
/lib64/rsyslog readdir 0xffffffffa0051020
/sbin readdir 0xffffffffa0051020
/usr readdir 0xffffffffa0051020
/usr/local readdir 0xffffffffa0051020
/usr/local/bin readdir 0xffffffffa0051020
/usr/libexec readdir 0xffffffffa0051020
/usr/libexec/pulse readdir 0xffffffffa0051020
/usr/libexec/polkit-1 readdir 0xffffffffa0051020
/usr/libexec/postfix readdir 0xffffffffa0051020
/usr/bin readdir 0xffffffffa0051020
/usr/share readdir 0xffffffffa0051020
/usr/share/vte readdir 0xffffffffa0051020
/usr/share/vte/termcap readdir 0xffffffffa0051020
/usr/share/anthy readdir 0xffffffffa0051020
/usr/share/mime readdir 0xffffffffa0051020
/usr/share/icons readdir 0xffffffffa0051020
/usr/share/icons/hicolor readdir 0xffffffffa0051020
/usr/share/icons/gnome readdir 0xffffffffa0051020
/usr/share/icons/Mist readdir 0xffffffffa0051020
/usr/share/icons/System readdir 0xffffffffa0051020
/usr/share/fonts readdir 0xffffffffa0051020
/usr/share/fonts/wqy-zenhei readdir 0xffffffffa0051020
/usr/share/fonts/vlgothic readdir 0xffffffffa0051020
/usr/share/fonts/dejavu readdir 0xffffffffa0051020
/usr/share/hwdata readdir 0xffffffffa0051020
/usr/share/locale readdir 0xffffffffa0051020
/usr/sbin readdir 0xffffffffa0051020
/usr/lib64 readdir 0xffffffffa0051020
/usr/lib64/qt-3.3 readdir 0xffffffffa0051020
/usr/lib64/qt-3.3/bin readdir 0xffffffffa0051020
/usr/lib readdir 0xffffffffa0051020
/usr/lib/python2.6 readdir 0xffffffffa0051020
/usr/lib/python2.6/site-packages readdir 0xffffffffa0051020
/usr/lib/python2.6/site-packages/distorm3 readdir 0xffffffffa0051020
/usr/lib/locale readdir 0xffffffffa0051020
/proc readdir 0xffffffffa0051020
/etc readdir 0xffffffffa0051020
/etc/xdg readdir 0xffffffffa0051020
/etc/xdg/menus readdir 0xffffffffa0051020
/proc readdir 0xffffffffa0051000
/home readdir 0xffffffffa0051020
/boot readdir 0xffffffffa0051020
> I will look into why hidden modules is missing it.
Thank you!
I forgot to mention it, and I don't know if it has any effect, but I'm using VMware both for the memory dump and for the analysis.
Regards,
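The plugin output above lists many directories whose readdir pointer resolves to the same couple of addresses. As an added triage helper (this is example code, not part of the thread and not Volatility's own code), the following script parses linux_check_fop output, groups the hooked symbols by target address, and flags addresses that fall in the x86_64 module mapping area. The sample rows are constructed from the thread's output, and the module-area start (0xffffffffa0000000) is an assumption about the CentOS 6 era x86_64 memory layout that should be checked against the profile in use.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of linux_check_fop output (addresses taken
# from the thread; only a handful of rows are kept).
SAMPLE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ------------------
proc_root                                  readdir                        0xffffffffa0051000
/proc                                      readdir                        0xffffffffa0051000
/                                          readdir                        0xffffffffa0051020
/var/spool/postfix/maildrop                readdir                        0xffffffffa0051020
/etc                                       readdir                        0xffffffffa0051020
Killed
"""

# Assumption: on x86_64 kernels of that generation, loadable modules are mapped
# from 0xffffffffa0000000 upward, while core kernel text sits below it.
MODULE_VADDR_START = 0xFFFFFFFFA0000000

# A data row is "<symbol> <member> <hex address>"; headers, separators and
# stray lines such as "Killed" do not match and are skipped.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s*$")


def parse_check_fop(text):
    """Return a list of (symbol, member, address:int) tuples from plugin output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return rows


def in_module_space(addr):
    """True if the address lies in the (assumed) module mapping area."""
    return addr >= MODULE_VADDR_START


def group_by_address(rows):
    """Map each target address to the ordered list of symbols pointing at it."""
    groups = defaultdict(list)
    for symbol, _member, addr in rows:
        groups[addr].append(symbol)
    return dict(groups)


def triage(text):
    """Summarise hooks per target address, most widely shared address first.

    One address shared by many directories' readdir pointers is the pattern a
    single hook function in a loaded module produces; the next step for an
    analyst is to check whether a module covering that address is listed by
    linux_lsmod or only turns up via linux_hidden_modules.
    """
    groups = group_by_address(parse_check_fop(text))
    summary = []
    for addr, symbols in groups.items():
        summary.append({
            "address": addr,
            "count": len(symbols),
            "in_module_space": in_module_space(addr),
            "symbols": symbols,
        })
    summary.sort(key=lambda s: (-s["count"], s["address"]))
    return summary


if __name__ == "__main__":
    for entry in triage(SAMPLE_OUTPUT):
        flag = "MODULE-AREA" if entry["in_module_space"] else "kernel-text"
        print("0x%016x %-11s %d symbol(s): %s"
              % (entry["address"], flag, entry["count"], ", ".join(entry["symbols"])))
```

To use it on a real run, pipe the plugin's output into the script in place of SAMPLE_OUTPUT; the grouping step is what turns the long per-directory listing in the thread into two addresses worth looking up.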