volatility3
Linux netfilter hooks plugin
It supports the following protocols: INET, IPv4, IPv6, ARP, NETDEV (ingress and egress hooks), BRIDGE and DECNET.
Supported Netfilter hooks implementations:
- kernels < 4.3 (Tested on kernel 3.11.0-26)
- 4.3 <= kernels < 4.9 (Tested on kernel 4.4.0-210)
- 4.9 <= kernels < 4.14 (Tested on kernel 4.13.0-46)
- 4.14 <= kernels < 4.16 (Tested on kernel 4.15.0-169)
- kernels >= 4.16 (Tested on kernel 4.18.0-10 and 5.19.0-50)
Supported NetDev ingress hooks implementations:
- 4.2 <= kernels < 4.9 (Tested on kernel 4.4.0-210)
- 4.9 <= kernels < 4.14 (Tested on kernel 4.13.0-46)
- kernels >= 4.14 (Tested on kernel 4.18.0-10)
Supported NetDev egress hooks implementations:
- kernels >= 5.16 (Tested on kernel 5.19.0-50)
Example:
$ python3 ./vol.py -r pretty \
-f ram-5.19.0-50 \
linux.netfilter.Netfilter
Volatility 3 Framework 2.5.2
Formatting...0.00 Stacking attempts finished
| Net NS | Proto | Hook | Priority | Handler | Module | Is Hooked
* | 4026531840 | IPV4 | PRE_ROUTING | -400 | 0xffffc05b5160 | nf_defrag_ipv4 | True
* | 4026531840 | IPV4 | PRE_ROUTING | -200 | 0xffffc062a510 | nf_conntrack | True
* | 4026531840 | IPV4 | LOCAL_IN | 0 | 0xffffc05e7c60 | nf_tables | True
* | 4026531840 | IPV4 | LOCAL_IN | 0 | 0xffffc05e74a0 | nf_tables | True
* | 4026531840 | IPV4 | LOCAL_IN | 2147483647 | 0xffffc062b040 | nf_conntrack | True
* | 4026531840 | IPV4 | FORWARD | 0 | 0xffffc05e7c60 | nf_tables | True
* | 4026531840 | IPV4 | FORWARD | 0 | 0xffffc05e74a0 | nf_tables | True
* | 4026531840 | IPV4 | LOCAL_OUT | -400 | 0xffffc05b5160 | nf_defrag_ipv4 | True
* | 4026531840 | IPV4 | LOCAL_OUT | -200 | 0xffffc062ae60 | nf_conntrack | True
* | 4026531840 | IPV4 | LOCAL_OUT | 0 | 0xffffc05e7c60 | nf_tables | True
* | 4026531840 | IPV4 | LOCAL_OUT | 0 | 0xffffc05e74a0 | nf_tables | True
* | 4026531840 | IPV4 | POST_ROUTING | -225 | 0xffffa681c9c0 | [apparmor_ip_postroute] | True
* | 4026531840 | IPV4 | POST_ROUTING | 2147483647 | 0xffffc062b040 | nf_conntrack | True
* | 4026531840 | IPV6 | PRE_ROUTING | -400 | 0xffffc061b160 | nf_defrag_ipv6 | True
* | 4026531840 | IPV6 | PRE_ROUTING | -200 | 0xffffc062aa40 | nf_conntrack | True
* | 4026531840 | IPV6 | LOCAL_IN | 0 | 0xffffc05e7cf0 | nf_tables | True
* | 4026531840 | IPV6 | LOCAL_IN | 0 | 0xffffc05e74a0 | nf_tables | True
* | 4026531840 | IPV6 | LOCAL_IN | 2147483646 | 0xffffc062b130 | nf_conntrack | True
* | 4026531840 | IPV6 | FORWARD | 0 | 0xffffc05e7cf0 | nf_tables | True
* | 4026531840 | IPV6 | FORWARD | 0 | 0xffffc05e74a0 | nf_tables | True
* | 4026531840 | IPV6 | LOCAL_OUT | -400 | 0xffffc061b160 | nf_defrag_ipv6 | True
* | 4026531840 | IPV6 | LOCAL_OUT | -200 | 0xffffc062aa20 | nf_conntrack | True
* | 4026531840 | IPV6 | LOCAL_OUT | 0 | 0xffffc05e7cf0 | nf_tables | True
* | 4026531840 | IPV6 | LOCAL_OUT | 0 | 0xffffc05e74a0 | nf_tables | True
* | 4026531840 | IPV6 | POST_ROUTING | -225 | 0xffffa681c9c0 | [apparmor_ip_postroute] | True
* | 4026531840 | IPV6 | POST_ROUTING | 2147483647 | 0xffffc062b130 | nf_conntrack | True
* | 4026531840 | NETDEV | INGRESS | 0 | 0xffffc05e7a60 | nf_tables | True
* | 4026531840 | NETDEV | EGRESS | 0 | 0xffffc05e7a60 | nf_tables | True
See the full test case suite output: vol3_linux_netfilter_output.txt
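As an added example (not code from the PR or from volatility3 itself), the small Python script below parses the plugin's "pretty" output shown above and reports hook handlers whose owning module is not in a baseline of expected netfilter owners. The baseline set, the helper names and the sample rows are constructed for this example; the last sample row is invented to show what an unexpected entry looks like, and the bracketed `[apparmor_ip_postroute]` entry is assumed to denote a handler resolved to a built-in kernel symbol rather than a loaded module.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the PR's "pretty" output: three rows copied
# from the example above plus one made-up row with an owner outside the baseline.
SAMPLE_OUTPUT = """\
| Net NS | Proto | Hook | Priority | Handler | Module | Is Hooked
* | 4026531840 | IPV4 | PRE_ROUTING | -400 | 0xffffc05b5160 | nf_defrag_ipv4 | True
* | 4026531840 | IPV4 | LOCAL_IN | 0 | 0xffffc05e7c60 | nf_tables | True
* | 4026531840 | IPV4 | POST_ROUTING | -225 | 0xffffa681c9c0 | [apparmor_ip_postroute] | True
* | 4026531840 | IPV4 | LOCAL_IN | -500 | 0xffffc0999000 | unknown_mod | True
"""

# Hypothetical baseline of hook owners a stock system is expected to register.
# Bracketed names are assumed to be built-in kernel symbols (not loaded modules).
EXPECTED_OWNERS = {
    "nf_defrag_ipv4", "nf_defrag_ipv6", "nf_conntrack", "nf_tables",
    "[apparmor_ip_postroute]",
}

@dataclass(frozen=True)
class NetfilterHook:
    netns: int
    proto: str
    hook: str
    priority: int
    handler: int
    module: str
    is_hooked: bool

def parse_netfilter_output(text: str) -> list[NetfilterHook]:
    """Parse data rows ('* | ...') of the pretty renderer; skip the header row."""
    hooks = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 8 or cells[0] != "*":
            continue  # header row or non-table output such as the progress line
        _, netns, proto, hook, prio, handler, module, hooked = cells
        if not re.fullmatch(r"0x[0-9a-fA-F]+", handler):
            continue  # malformed row; do not guess at the handler address
        hooks.append(NetfilterHook(int(netns), proto, hook, int(prio),
                                   int(handler, 16), module, hooked == "True"))
    return hooks

def unexpected_hooks(hooks, expected=frozenset(EXPECTED_OWNERS)):
    """Return hooks whose owning module/symbol is not in the expected baseline."""
    return [h for h in hooks if h.module not in expected]

if __name__ == "__main__":
    for h in unexpected_hooks(parse_netfilter_output(SAMPLE_OUTPUT)):
        print(f"unexpected {h.proto} {h.hook} handler {h.handler:#x} owned by {h.module}")
```

In practice the baseline is built from a known-good image of the same kernel build, since the legitimate owners differ between distributions and firewall setups.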
Hey @ikelos/@atcuno this is still awaiting a review :pray:
@ikelos this one has been tested quite a bit and is good from my end. It is a powerful plugin for rootkit detection.