timmerk / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Linux kernel keylogger detection #353

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Attached is a patch which adds two plugins to detect two different methods of
kernel-level key logging that other plugins cannot detect. The methods are
described in this paper:
http://www.ieee-security.org/TC/SPW2012/proceedings/4740a097.pdf

The first plugin, linux_check_tty, checks for tty hooks. The second,
linux_keyboard_notifier, checks for keyboard_notifier callbacks.

Original issue reported on code.google.com by Joe.Sylve@gmail.com on 13 Oct 2012 at 8:15

Attachments:
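The two checks the patch describes, as an added example that is not the attached patch nor Volatility's own plugin code: it walks a constructed, in-memory "image" the way a memory-forensics plugin would, following keyboard_notifier_list through each notifier_block and dereferencing tty->ldisc->ops->receive_buf for each tty, and then resolves every code pointer against a kernel symbol table and the text ranges of known modules. Anything that resolves nowhere is reported. All struct offsets, the x86_64 layouts, the addresses, the "speakup" module and the symbol address are assumptions made for this synthetic image; a real Volatility profile takes the offsets from the kernel's debug info and the module ranges from the kernel's module list.

```python
import struct
from collections import namedtuple

# All layouts and addresses below are ASSUMED for a synthetic x86_64 image; a real
# Volatility profile supplies the true offsets from the kernel's debug info.
NB_FMT = "<QQi4x"                  # notifier_block: notifier_call, next, priority (+pad)
NB_SIZE = struct.calcsize(NB_FMT)  # 24 bytes
OFF = {
    "atomic_notifier_head.head": 8,  # spinlock_t (4 bytes) + pad, then the head pointer
    "tty_struct.ldisc": 0x30,
    "tty_ldisc.ops": 0x0,
    "tty_ldisc_ops.receive_buf": 0x60,
}
TextRange = namedtuple("TextRange", "name start end")  # kernel text or one module's text

class FakeMemory:
    """Sparse byte store standing in for the memory image's kernel address space."""
    def __init__(self):
        self.mem = {}
    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b
    def read(self, addr, size):  # KeyError here means an unmapped address
        return bytes(self.mem[addr + i] for i in range(size))

def read_ptr(mem, addr):
    return struct.unpack("<Q", mem.read(addr, 8))[0]

def resolve(addr, symbols, ranges):
    """Exact kernel symbol, else the module whose text contains addr, else None."""
    if addr in symbols:
        return symbols[addr]
    for r in ranges:
        if r.start <= addr < r.end:
            return r.name
    return None

def walk_notifier_chain(mem, head_addr, max_nodes=64):
    """Follow notifier_block.next from an atomic_notifier_head; bounded and loop-safe."""
    cur = read_ptr(mem, head_addr + OFF["atomic_notifier_head.head"])
    seen, blocks = set(), []
    while cur and cur not in seen and len(blocks) < max_nodes:
        seen.add(cur)
        call, nxt, prio = struct.unpack(NB_FMT, mem.read(cur, NB_SIZE))
        blocks.append((cur, call, prio))
        cur = nxt
    return blocks

def check_keyboard_notifiers(mem, head_addr, symbols, ranges):
    """Every callback on keyboard_notifier_list must live in kernel or known-module text."""
    out = []
    for block, call, prio in walk_notifier_chain(mem, head_addr):
        owner = resolve(call, symbols, ranges)
        out.append({"block": block, "callback": call, "priority": prio,
                    "owner": owner or "UNKNOWN", "suspicious": owner is None})
    return out

def check_tty_receive_buf(mem, tty_addrs, symbols, ranges):
    """tty->ldisc->ops->receive_buf must resolve to known code (normally n_tty_receive_buf)."""
    out = []
    for tty in tty_addrs:
        ldisc = read_ptr(mem, tty + OFF["tty_struct.ldisc"])
        ops = read_ptr(mem, ldisc + OFF["tty_ldisc.ops"])
        recv = read_ptr(mem, ops + OFF["tty_ldisc_ops.receive_buf"])
        owner = resolve(recv, symbols, ranges)
        out.append({"tty": tty, "receive_buf": recv,
                    "owner": owner or "UNKNOWN", "hooked": owner is None})
    return out

def build_sample_image():
    """Constructed image: one legit and one rogue notifier, one clean and one hooked tty."""
    mem = FakeMemory()
    ranges = [TextRange("kernel", 0xffffffff81000000, 0xffffffff81a00000),
              TextRange("speakup", 0xffffffffc0200000, 0xffffffffc0210000)]  # hypothetical module
    symbols = {0xffffffff814a1230: "n_tty_receive_buf"}  # constructed symbol address
    head = 0xffffffff82000000  # keyboard_notifier_list (constructed address)
    rogue_blk, legit_blk = 0xffffffffc0a01000, 0xffffffffc0208000
    mem.write(head, struct.pack("<I4xQ", 0, rogue_blk))  # lock, pad, head -> rogue block
    mem.write(rogue_blk, struct.pack(NB_FMT, 0xffffffffc0a00000, legit_blk, 10))  # code owned by no module
    mem.write(legit_blk, struct.pack(NB_FMT, 0xffffffffc0201000, 0, 0))  # callback inside speakup
    tty_a, tty_b = 0xffff888001000000, 0xffff888001001000
    ldisc_a, ldisc_b = 0xffff888002000000, 0xffff888002000100
    ops_ok, ops_fake = 0xffffffff81e00000, 0xffffffffc0a02000
    for tty, ldisc, ops, recv in ((tty_a, ldisc_a, ops_ok, 0xffffffff814a1230),
                                  (tty_b, ldisc_b, ops_fake, 0xffffffffc0a00400)):
        mem.write(tty + OFF["tty_struct.ldisc"], struct.pack("<Q", ldisc))
        mem.write(ldisc + OFF["tty_ldisc.ops"], struct.pack("<Q", ops))
        mem.write(ops + OFF["tty_ldisc_ops.receive_buf"], struct.pack("<Q", recv))
    return mem, head, [tty_a, tty_b], symbols, ranges

def run():
    mem, head, ttys, symbols, ranges = build_sample_image()
    return (check_keyboard_notifiers(mem, head, symbols, ranges),
            check_tty_receive_buf(mem, ttys, symbols, ranges))

if __name__ == "__main__":
    for finding in run()[0] + run()[1]:
        print(finding)
```

The rogue block sits at the head of the chain because notifier_chain_register keeps the list sorted by descending priority, so a logger registered with a high priority sees each keystroke before any legitimate handler. Two caveats a practitioner should keep in mind: a module that unlinks itself from the kernel's module list has no text range to resolve against and therefore shows up as UNKNOWN, which is the desired outcome, but a hook implemented by patching instructions inside a legitimate module's own text, or by pointing receive_buf at some other real kernel function, passes a pure address-range check and needs a code-integrity comparison instead.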

GoogleCodeExporter commented 9 years ago
Fixed some stuff that was left in from testing

Original comment by Joe.Sylve@gmail.com on 14 Oct 2012 at 5:03

Attachments:

GoogleCodeExporter commented 9 years ago
Nice ones Joe! I'll just CC attrc so he knows they're here (in case you didn't 
already tell him). 

Original comment by michael.hale@gmail.com on 15 Oct 2012 at 3:30

GoogleCodeExporter commented 9 years ago
We are working on this; it just requires a little bit of work in module.c to make
it happy across a wide range of kernels. The plugins are fine as is.

Original comment by atc...@gmail.com on 15 Oct 2012 at 4:58

GoogleCodeExporter commented 9 years ago

Original comment by atc...@gmail.com on 15 Oct 2012 at 5:18

GoogleCodeExporter commented 9 years ago
Forgot to close this out...

Was added with:

http://code.google.com/p/volatility/source/detail?r=2710

Original comment by atc...@gmail.com on 23 Oct 2012 at 5:26