Add linux hidden_modules plugin #1283
…ntrol of exceptions and errors and consolidate everything on them.
Hello, awesome submission! This feature allows uncovering deeply hidden rootkits, which is extremely valuable. Having worked on this problem for the 2023 contest, I ran your plugin against an infected sample, but unfortunately got no results. Would you be interested in acquiring this sample (the "kovid" rootkit) to check whether this might come from a scanning or restrictive-constraint issue? Thanks again!

@Abyss-W4tcher interesting.. sure, could you share that with me?

A first restricting point might be the
Thanks @Abyss-W4tcher .. easy fix with no impact on performance.

```
$ time python3 ./vol.py \
    -f ../Ubuntu-jammy_5.15.0-87-generic_kovid.lime \
    linux.hidden_modules
Volatility 3 Framework 2.10.0

Address Name
0xffffc09ed4c0 kovid

real 1m12.489s
user 1m11.930s
sys 0m0.555s
```

```
$ time python3 ./vol.py \
    -f ../Ubuntu-jammy_5.15.0-87-generic_kovid.lime \
    linux.hidden_modules \
    --fast
Volatility 3 Framework 2.10.0

Address Name
0xffffc09ed4c0 kovid

real 0m15.385s
user 0m14.835s
sys 0m0.543s
```
Additionally, classmethod helpers were added, and docstrings were enhanced for improved usability and clarity.
…ve detection of more advanced threats
…fast scan method for even better performance, using the mkobj.mod self-referential validation used in module.is_valid() as a pre-filter. Removed the --heuristic-mode and the module.states validation, since the self-referential check is enough by itself.
@Abyss-W4tcher added your suggestion. It's running even faster now. Thanks
Since the
Another option would be to move it to a new plugin to ensure users don't overlook it, as it might go unnoticed if it's just an argument.
In my view, adding multiple plugins "doing the same thing" might only confuse users. Maybe removing the vol2 method and implicitly relying on fast might be better (forensics-wise):
I have some older infected samples (kovid-like) on which I can test this idea; I'll keep you informed if it is reliable.
Maybe better going backwards 64, 32, 16, 8, 1 ... and keeping the already tested addresses in a set.
hm actually, if we are going to test each byte, it doesn't make sense to test the others. If you see the following metrics, it still performs really well.

Forcing 8-byte alignment:

```
$ time ./vol.py -f ../dump_ubuntu20.04_5.15.0-87-generic_kovid_99.core linux.hidden_modules --fast
Volatility 3 Framework 2.10.0

Address Name
0xffffc07f8600 kovid

real 0m31.045s
user 0m29.886s
sys 0m0.820s
```

Forcing 1-byte alignment:

```
$ time ./vol.py -f ../dump_ubuntu20.04_5.15.0-87-generic_kovid_99.core linux.hidden_modules --fast
Volatility 3 Framework 2.10.0

Address Name
0xffffc07f8600 kovid

real 2m34.798s
user 2m33.008s
sys 0m0.837s
```

The Vol2 method takes 1m9s but it doesn't find it:

```
$ time ./vol.py -f ../dump_ubuntu20.04_5.15.0-87-generic_kovid_99.core linux.hidden_modules
Volatility 3 Framework 2.10.0

Address Name

real 1m8.985s
user 1m7.025s
sys 0m0.852s
```
Looks great, so it doesn't try

@Abyss-W4tcher only 1-byte and 8-byte alignments. It was just to see how this would impact performance.

```python
module_address_alignment = 1  # 8  # cls._get_module_address_alignment(context, vmlinux_module_name)
```

Ah yes, this looks like a good compromise to me, as it's always preferable to spend more time but still detect advanced threats in the end. Should the vol2 method be left as a reference?
@gcmoreira @Abyss-W4tcher what is the status of this one? It seems high priority based on it blocking other PRs |
…and fall back to a 1-byte alignment scan if addresses aren't aligned to the L1 cache size
Okay, I made the fast scan method the default. Removed the vol2 implementation and updated the plugin to fall back to 1-byte alignment scanning if addresses aren't aligned with the L1 cache size. Now it's much easier to use, with less code and significantly more powerful! Thanks @Abyss-W4tcher and @atcuno for your help and suggestions. @ikelos this is now ready for review

Generally pretty good, but a couple of points that have to be fixed before it goes live (even if I have to write new core methods to achieve it!). First up is using `child_template` rather than directly addressing the structure of the `vol.members` structure. Secondly, shifting the hardcoded limits off to the `constants` file so they're a bit more obvious than being buried away in the middle of code somewhere. Otherwise just some documentation and other little nitpicks and it should be good to go. 5:)
…umentation of the module verification process. Move the hardcoded values to the linux constants file.
Looks good, I'd like the change on the constants import, but it's not a show stopper. Just lemme know when you're happy for it to go in and we can put it in...
Sadly one of the other recent merges conflicts, but if you can get that sorted, this looks good to go straight in now. 5:)
Looks like it's just the

Cool, it's ready to go. Thanks @ikelos
linux: hidden_modules: Fix mess with merge #1283
This PR introduces a new kernel module scanning technique that is significantly faster and more efficient than the traditional Volatility2 plugin. It uses less memory and I/O, while also catching advanced threats missed by the earlier method.
It checks whether Linux kernel module addresses are aligned to 64 bytes. If not, it falls back to 1-byte alignment and notifies the user of the adjustment.
Demos
The following is an example of a machine infected with the Reptile rootkit. The machine has 2048MB of RAM.
Here is a Kovid rootkit sample provided by @Abyss-W4tcher:
We also observed that advanced malware can modify certain values that are invalid when the module is loaded but have no impact once it's running. This technique enables sophisticated threats to evade detection from existing memory forensics methods.
The following is a slightly modified version of the Kovid rootkit, detectable only through the fast scan method.
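The following is an added, self-contained Python sketch of the scanning idea discussed in this thread and in the description above: a self-pointer pre-filter (the analogue of the `mkobj.mod` check in `module.is_valid()`), followed by a name sanity check, run first at a cache-line stride and then at a 1-byte stride. It is hypothetical example code written for this page, not the plugin's code or Volatility's API; the record layout (an 8-byte self-pointer followed by a 16-byte name), the `KERNEL_BASE` load address and the constructed memory image are all invented for the demo.

```python
"""
Added illustration of a self-referential module scan with an alignment fallback.

Hypothetical example code written for this write-up; it is NOT the Volatility 3
plugin. The record layout (an 8-byte self-pointer followed by a 16-byte name)
is invented to stand in for `struct module`'s `mkobj.mod` field and `name`,
and KERNEL_BASE is an assumed load address for the constructed image.
"""
import struct
from typing import List, Optional, Tuple

KERNEL_BASE = 0xFFFFC0000000  # assumed: address of the first byte of `mem`
CACHE_LINE = 64                # the preferred alignment discussed in the PR
NAME_OFF = 8                   # invented layout: name follows the self-pointer
NAME_LEN = 16
RECORD_SIZE = NAME_OFF + NAME_LEN


def make_record(addr: int, name: str) -> bytes:
    """Record whose first field points back at its own address, the analogue
    of `module.mkobj.mod == module address` used as the pre-filter."""
    return struct.pack("<Q", addr) + name.encode().ljust(NAME_LEN, b"\0")


def build_dump(size: int = 0x4000) -> bytearray:
    """Constructed memory image: a visible module at a 64-byte aligned offset,
    a hidden one at an unaligned offset, and a decoy whose pointer is off by
    one and must be rejected."""
    mem = bytearray(size)
    for off, name in {0x1000: "e1000", 0x2345: "kovid"}.items():
        mem[off:off + RECORD_SIZE] = make_record(KERNEL_BASE + off, name)
    mem[0x3000:0x3000 + RECORD_SIZE] = make_record(KERNEL_BASE + 0x3001, "decoy")
    return mem


def plausible_name(raw: bytes) -> Optional[str]:
    """Second-stage check: NUL-terminated, non-empty, printable, no spaces."""
    name = raw.split(b"\0", 1)[0]
    if not name or not all(0x21 <= b < 0x7F for b in name):
        return None
    return name.decode("ascii")


def scan(mem: bytes, alignment: int) -> Tuple[List[Tuple[int, str]], int]:
    """Walk `mem` at the given stride, keep candidates whose self-pointer
    matches their own address, then validate the name. Returns the hits and
    the number of candidates examined (the cost of the chosen alignment)."""
    hits: List[Tuple[int, str]] = []
    checked = 0
    for off in range(0, len(mem) - RECORD_SIZE + 1, alignment):
        checked += 1
        (ptr,) = struct.unpack_from("<Q", mem, off)
        if ptr != KERNEL_BASE + off:
            continue  # cheap pre-filter: almost every offset fails here
        name = plausible_name(mem[off + NAME_OFF:off + NAME_OFF + NAME_LEN])
        if name is not None:
            hits.append((KERNEL_BASE + off, name))
    return hits, checked


def choose_alignment(known_module_addrs: List[int], preferred: int = CACHE_LINE) -> int:
    """Fallback rule from the PR description: scan at the cache-line stride
    only if every module address already known (e.g. from the kernel's
    module list) is aligned to it; otherwise fall back to a 1-byte stride."""
    if all(a % preferred == 0 for a in known_module_addrs):
        return preferred
    return 1


if __name__ == "__main__":
    dump = build_dump()
    for stride in (CACHE_LINE, 1):
        found, n = scan(dump, stride)
        print(f"stride {stride:>2}: {n:>6} candidates, hits = {found}")
```

Running it shows the trade-off the thread measured: the 64-byte stride examines 64x fewer candidates but misses the record placed at an unaligned offset, while the 1-byte stride finds both records and rejects the decoy because its pointer does not equal its own address. In practice `choose_alignment` would be fed the addresses of modules that are still linked in the kernel's list; if the kernel does not align modules to the cache line, the full 1-byte walk is the only safe option, and the self-pointer comparison is what keeps that walk affordable.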