Hey,

The name of the second plugin is linux_check_fop (no 's' at the end). Can you re-run that way and let me know if it picks it up? I will look into why hidden modules is missing it.

Thanks,
Andrew (@attrc)

On 03/03/2016 12:02 PM, Smith Michael wrote:
> Hi,
>
> I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which
> hides its module and hooks fops.
> I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest
> Volatility git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both
> the memory dump and the analysis.
> Many plugins work fine, but it can't be detected by the plugins below (same
> on Volatility 2.4).
>
> * linux_hidden_modules - nothing is detected
>
> $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
> Volatility Foundation Volatility Framework 2.5
> Offset (V) Name
> ------------------ ----
>
> * linux_check_fops - outputs an error (no verbose output with the --debug option)
>
> $ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
> Volatility Foundation Volatility Framework 2.5
> ERROR : volatility.debug : You must specify something to do (try -h)
>
> I would really appreciate any advice.
>
> Regards,
>
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
