504ensicsLabs / LiME

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
GNU General Public License v2.0

2 requests: make the module name a random string and default arguments #66

Open fpusersuggest opened 4 years ago

fpusersuggest commented 4 years ago

1) I think that the name of the module should be created on a random basis.
2) There should be some default argument so that I can "insmod" the module without any arguments. For example: `# insmod ./r4nd0m.ko` with default argument `path=./random_string format=lime`, and the output should be a random string name for the dump file.

kd8bny commented 4 years ago

What do you believe to be the benefit of randomly generating module name?

fpusersuggest commented 4 years ago

Some kernel rootkit could detect the module insertion based on its name and take anti-forensic actions, for example cleaning memory and unloading the rootkit.