Add linux hidden_modules plugin #1283
Conversation
…ntrol of exceptions and errors and consolidate everything on them.
|
Hello, awesome submission, this feature allows to uncover deeply hidden rootkits which is extremely valuable. Having worked on this problematic for the 2023 contest, I ran your plugin against an infected sample, but unfortunately got no results. Would you be interested in acquiring this sample ("kovid" rootkit), to check if this might come from a scanning or restrictive constraint issue ? Thanks again ! |
|
@Abyss-W4tcher interesting.. sure, could you share that with me? |
|
A first restricting point might be the |
|
Thanks @Abyss-W4tcher .. easy fix with no impact on performance. $ time python3 ./vol.py \
-f ../Ubuntu-jammy_5.15.0-87-generic_kovid.lime \
linux.hidden_modules
Volatility 3 Framework 2.10.0
Address Name
0xffffc09ed4c0 kovid
real 1m12.489s
user 1m11.930s
sys 0m0.555s
$ time python3 ./vol.py \
-f ../Ubuntu-jammy_5.15.0-87-generic_kovid.lime \
linux.hidden_modules \
--fast
Volatility 3 Framework 2.10.0
Address Name
0xffffc09ed4c0 kovid
real 0m15.385s
user 0m14.835s
sys 0m0.543s |
Additionally, classmethod helpers were added, and docstrings were enhanced for improved usability and clarity.
…ve detection of more advanced threats
…fast scan method for even better performance, using the mkobj.mod self referential validation used in module.is_valid() as pre-filter Removed the --heuristic-mode and the module.states validation, since the self referential check is enough by itself
|
@Abyss-W4tcher added your suggestion. It's running even faster now. Thanks |
|
Since the Another option would be to move it to a new plugin to ensure users don't overlook it, as it might go unnoticed if it's just an argument. |
|
On my take, adding multiple plugins "doing the same thing" might only confuse users. Maybe removing the vol2 method and implicitely relying on fast might be better (forensic wise) :
I have some older infected samples (~kovid like) on which I can test this idea, I'll keep you informed if it is reliable. |
|
maybe better going backwards 64, 32, 16, 8, 1 ... and keeping the already tested address in a set |
hm actually, if we are going to test each byte, it doesn't make sense to test the others. If If you see the following metrics, it still performs really good. Forcing 8 bytes alignment$ time ./vol.py -f ../dump_ubuntu20.04_5.15.0-87-generic_kovid_99.core linux.hidden_modules --fast
Volatility 3 Framework 2.10.0
Address Name
0xffffc07f8600 kovid
real 0m31.045s
user 0m29.886s
sys 0m0.820sForcing 1 byte alignment$ time ./vol.py -f ../dump_ubuntu20.04_5.15.0-87-generic_kovid_99.core linux.hidden_modules --fast
Volatility 3 Framework 2.10.0
Address Name
0xffffc07f8600 kovid
real 2m34.798s
user 2m33.008s
sys 0m0.837sThe Vol2 method takes 1m9s but it doesn't find it$ time ./vol.py -f ../dump_ubuntu20.04_5.15.0-87-generic_kovid_99.core linux.hidden_modules
Volatility 3 Framework 2.10.0
Address Name
real 1m8.985s
user 1m7.025s
sys 0m0.852s |
|
Looks great, so it doesn't try |
|
@Abyss-W4tcher only 1 byte and 8 bytes alignments. It was just to see how this would impact performance. module_address_alignment = 1 # 8 # cls._get_module_address_alignment(context, vmlinux_module_name) |
|
Ah yes, this looks like a good compromise for me, as it's always preferable to spend more time but still detect advanced threats in the end. Should the vol2 method be left as a reference ? |
|
@gcmoreira @Abyss-W4tcher what is the status of this one? It seems high priority based on it blocking other PRs |
…and fall back to a 1-byte alignment scan if addresses aren't aligned to the L1 cache size
|
Okay, I made the fast scan method the default. Removed the vol2 implementation and updated the plugin to fall back to 1-byte alignment scanning if addresses aren't aligned with the L1 cache size. Now it's much easier to use, with less code and significantly more powerful! Thanks @Abyss-W4tcher and @atcuno for your help and suggestions. @ikelos this is now ready for review |
There was a problem hiding this comment.
Generally pretty good, but a couple of points that have to be fixed before it goes live (even if I have to write new core methods to achieve it!). First up is using child_template rather than directly addressing the structure of the vol.members structure. Secondly shifting the hardcoded limits off to the constants file so they're a bit more obvious than being buried away in the middle of code somewhere.
Otherwise just some documentation other little nitpicks and it should be good to go. 5:)
| import contextlib | ||
| from typing import List, Set, Tuple, Iterable | ||
| from volatility3.framework import renderers, interfaces, exceptions, objects | ||
| from volatility3.framework.constants.architectures import LINUX_ARCHS |
There was a problem hiding this comment.
Sorry, please can we import architectures and then access architectures.LINUX_ARCHS when we want to use it?
|
|
||
| if isinstance(modules_addr_min, objects.Void): | ||
| # Crap ISF! Here's my best-effort workaround | ||
| vollog.warning( |
There was a problem hiding this comment.
Do we have a specific version number now? Is this the kind of thing we can use a filter to detect if it's bad and warn them once at the start of the plugin?
| "Your ISF symbols are missing type information. You may need to update " | ||
| "the ISF using the latest version of dwarf2json" | ||
| ) | ||
| # See issue #1041. In the Linux kernel these are "unsigned long" |
There was a problem hiding this comment.
This was a clang issue as I recall? It almost feels like it would be easier to inject the missing base_type into the symbol_table once we've found out which one was there? That would then work anywhere else you wanted to use it, and could become a general function/pattern that could be pulled out into the framework if it was useful?
| break | ||
| else: | ||
| raise exceptions.VolatilityException( | ||
| "Bad ISF! Please update the ISF using the latest version of dwarf2json" |
There was a problem hiding this comment.
Whilst I appreciate the sentiment, this makes me feel like we're telling off our faithful dog "ISF" for having made a mess of the kitchen... 5:P Could we make this a little more formal/professional please, or at least just drop the exclamation mark?
| Returns: | ||
| The struct module alignment | ||
| """ | ||
| # FIXME: When dwarf2json/ISF supports type alignments. Read it directly from the type metadata |
There was a problem hiding this comment.
Thanks for the comment and the forward thinking parameters. 5:)
| mkobj_offset = vmlinux.get_type("module").relative_child_offset("mkobj") | ||
| mod_offset = vmlinux.get_type("module_kobject").relative_child_offset("mod") | ||
| offset_to_mkobj_mod = mkobj_offset + mod_offset | ||
| mod_member_template = vmlinux.get_type("module_kobject").vol.members["mod"][1] |
There was a problem hiding this comment.
This is a little bit nasty, I feel there should be something to get to member["mod"] in some way, and the [1] ? I'm pretty sure that from an ObjectTemplate you can get a child template using .child_template('mod')? I really want to find a cleaner way of expressing this before it lands.
| @@ -36,6 +35,30 @@ def __init__(self, *args, **kwargs): | |||
| super().__init__(*args, **kwargs) | |||
| self._mod_mem_type = None # Initialize _mod_mem_type to None for memoization | |||
|
|
|||
| def is_valid(self): | |||
There was a problem hiding this comment.
Could we get a docstring here detailling exactly what is_valid means, since we've got is_valid in some places and is_readable in others and people are really gonna need to know exactly what this does from the documentation.
|
|
||
| core_size = self.get_core_size() | ||
| if not ( | ||
| 1 <= core_size <= 20000000 |
There was a problem hiding this comment.
These hardcoded limits come about from...? For arbitrary values like 20000000, I'd prefer that they were stashed in constants.linux with a brief comment to describe them, so that they're consistent and can be changed all at once if needed.
This PR introduces a new kernel module scanning technique that is significantly faster and more efficient than the traditional Volatility2 plugin. It uses less memory and I/O, while also catching advanced threats missed by the earlier method.
It checks whether Linux kernel module addresses are aligned to 64 bytes. If not, it falls back to 1-byte alignment and notifies the user of the adjustment.
Demos
The following is an example of a machine infected with the Reptile rootkit. The machine has 2048MB of RAM.
Here is a Kovid rootkit sample provided by @Abyss-W4tcher :
We also observed that advanced malware can modify certain values that are invalid when the module is loaded but have no impact once it's running. This technique enables sophisticated threats to evade detection from existing memory forensics methods.
The following is a slightly modified version of the Kovid rootkit, detectable only through the
fast scanmethod.