volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Add detection of malicious ftrace and tracepoints #1286

Open atcuno opened 1 month ago

atcuno commented 1 month ago

@Abyss-W4tcher we need to get ftrace and tracepoints into vol3 for the parity release.

I know you have these here:

https://github.com/Abyss-W4tcher/volatility-scripts/blob/master/Volatility_contest_2023/plugins/check_ftrace.py

https://github.com/Abyss-W4tcher/volatility-scripts/blob/master/Volatility_contest_2023/plugins/check_tracepoints.py

Are you up for converting these over? Gus and I can work on it if not.

Abyss-W4tcher commented 1 month ago

Hi @atcuno, sure I can port these two plugins :)

Would you like them to be put in a common kernel_tracing directory under plugins, so that users can easily understand the context of these plugins?

atcuno commented 1 month ago

Yes, that would be nice, as eventually there will be 5+.

Abyss-W4tcher commented 1 month ago

Plugins are ready, but actually depend on hidden_modules, and an additional plugin I developed named modxview (which is basically psxview but for modules). So, a few parts need to move before ftrace and tracepoints get to a PR :)

gcmoreira commented 2 weeks ago

Cool, I can test these plugins if you need it. Thanks.