Netfilter all kernels

Open · gcmoreira opened this pull request 6 years ago · 2 comments

Netfilter plugin improvements:

  • Added support for every single Netfilter implementation in every single kernel version so far:
    • Supported Netfilter hooks implementations:
      • v2.6ish to v4.2.8
      • v4.3 to v4.8.17
      • v4.9 to v4.13.16
      • v4.14 to v4.15.18
      • v4.16 to latest
    • Supported Netfilter Ingress hooks implementations:
      • v4.2 to v4.8.17
      • v4.9 to v4.13.16
      • v4.14 to latest
  • It gathers Netfilter hook information for all existing protocol families: IPv4, IPv6, ARP, BRIDGE, DECNET and INGRESS hooks.
  • Two new columns were added to the output report: the network namespace id, and the module name or symbol name to which the hook address belongs, allowing us to easily identify suspicious kernel modules using network hooks.
  • If a module is part of the kernel text, it also resolves the symbol at that specific address, which is shown between square brackets, i.e. [selinux_ipv4_forward]
  • Added a function to the Linux common API to find LKM module addresses, similar to the one in the Mac implementation, but it also resolves kernel symbols.
  • Tested using Linux kernels 3.10, 4.4.0, 4.10.0, 4.15.0 and 4.18.0.

[Screenshot: old Netfilter plugin output] [Screenshot: new Netfilter plugin output]

gcmoreira · Jan 18 '19 15:01
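The attribution step the PR describes (map each hook function address to the LKM that owns it, or to the nearest kernel-text symbol, and treat anything that resolves to neither as suspicious) is worth seeing in isolation. The block below is an added example and is not code from the PR or from Volatility; it does not use the Volatility API. The kernel text window, the System.map-style symbol table, the module list and the hook table are all constructed sample data with invented addresses, and the column layout (netns id, protocol family, hook point, address, owner) only mirrors what the description says the new report contains.

```python
"""Resolve Netfilter hook addresses to an owning LKM or a kernel symbol.

Added example, not the PR's code. It reproduces the idea behind the new
report columns: a hook address is attributed to a loaded module by range
check, otherwise to the nearest preceding kernel-text symbol (shown in
square brackets), otherwise it is flagged as UNKNOWN, which is the case a
hidden or unlinked module would produce. All addresses are constructed.
"""
import bisect
from typing import Dict, List, NamedTuple, Optional, Tuple


class Module(NamedTuple):
    name: str
    core_addr: int   # start of the module's text
    core_size: int   # size of the module's text


# Constructed sample data (invented addresses, not from a real image).
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)
KERNEL_SYMBOLS: Dict[int, str] = {
    0xFFFFFFFF81720000: "selinux_ipv4_forward",
    0xFFFFFFFF81720480: "selinux_ipv4_output",
    0xFFFFFFFF8173A000: "nf_nat_ipv4_in",
}
MODULES: List[Module] = [
    Module("nf_conntrack", 0xFFFFFFFFC0100000, 0x20000),
    Module("ipt_REJECT",   0xFFFFFFFFC0200000, 0x2000),
]


def resolve_kernel_symbol(addr: int, symbols: Dict[int, str]) -> Optional[str]:
    """Nearest preceding symbol, as 'name' or 'name+0xoff'."""
    keys = sorted(symbols)
    idx = bisect.bisect_right(keys, addr) - 1
    if idx < 0:
        return None
    base = keys[idx]
    off = addr - base
    return symbols[base] if off == 0 else f"{symbols[base]}+0x{off:x}"


def module_for_address(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose text range contains addr, if any."""
    for m in modules:
        if m.core_addr <= addr < m.core_addr + m.core_size:
            return m
    return None


def resolve_hook(addr: int,
                 modules: List[Module] = MODULES,
                 symbols: Dict[int, str] = KERNEL_SYMBOLS,
                 kernel_text: Tuple[int, int] = KERNEL_TEXT) -> str:
    """Owner column: module name, '[symbol]' for kernel text, else UNKNOWN."""
    m = module_for_address(addr, modules)
    if m is not None:
        return m.name
    lo, hi = kernel_text
    if lo <= addr < hi:
        sym = resolve_kernel_symbol(addr, symbols)
        return f"[{sym}]" if sym else "[kernel]"
    return "UNKNOWN"


def triage_hooks(hooks):
    """hooks: iterable of (netns_id, proto_family, hook_point, addr).

    Returns (rows, suspicious): every row with its owner column filled in,
    and the subset whose address could not be attributed to any module or
    kernel symbol.
    """
    rows, suspicious = [], []
    for netns, pf, hook, addr in hooks:
        owner = resolve_hook(addr)
        row = (netns, pf, hook, f"0x{addr:x}", owner)
        rows.append(row)
        if owner == "UNKNOWN":
            suspicious.append(row)
    return rows, suspicious


# Constructed hook table; the last entry points outside every known range.
SAMPLE_HOOKS = [
    (4026531992, "IPV4",    "FORWARD",     0xFFFFFFFF81720000),
    (4026531992, "IPV4",    "PRE_ROUTING", 0xFFFFFFFFC0100A40),
    (4026531992, "IPV4",    "LOCAL_OUT",   0xFFFFFFFF817204A0),
    (4026531992, "INGRESS", "INGRESS",     0xFFFFFFFFC0A00000),
]

if __name__ == "__main__":
    rows, bad = triage_hooks(SAMPLE_HOOKS)
    for r in rows:
        print("{:<12} {:<8} {:<12} {:<20} {}".format(*r))
    print(f"\n{len(bad)} hook(s) with no resolvable owner")
```

The ordering matters: module ranges are checked before the symbol table, because a symbol-table lookup with no upper bound will happily report `last_symbol+0xhuge` for an address that sits far past the kernel text; bounding the kernel lookup by the text window keeps that case in the UNKNOWN bucket where an analyst will look at it.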

@gcmoreira

My apologies for not getting to this sooner. This is very nice work.

Is this something you would consider porting to Volatility 3? If so, you should consider our plugin contest that is currently running: https://volatility-labs.blogspot.com/2020/05/the-8th-annual-volatility-plugin-contest.html

I also plan to get your code integrated in Volatility 2 soon.

atcuno · Jul 13 '20 15:07

Thanks Andrew, no worries. It will be really nice to see this code integrated.

I need to take a look at Volatility 3, not sure how much effort it involves, but I will definitely give it a try.

As for the Volatility 3 plugin contest, it sounds interesting. I hope to have enough free time to dedicate to this before 1st Oct.

gcmoreira · Jul 16 '20 04:07