/usr/lib/python2.7/dist-packages/volatility/plugins/linux/hidden_modules.py is in volatility 2.6-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 | # Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""
import re
import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address
class linux_hidden_modules(linux_common.AbstractLinuxCommand):
"""Carves memory to find hidden kernel modules"""
def walk_modules_address_space(self, addr_space):
list_mods = [x[0].obj_offset for x in linux_lsmod.linux_lsmod(self._config).calculate()]
# this for is for pre-2008 kernels:
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/kernel/module.c?id=3a642e99babe0617febb6f402e1e063479f489db)
if addr_space.profile.get_symbol("module_addr_min") == None:
return
min_addr_sym = obj.Object("unsigned long", offset = addr_space.profile.get_symbol("module_addr_min"), vm = addr_space)
max_addr_sym = obj.Object("unsigned long", offset = addr_space.profile.get_symbol("module_addr_max"), vm = addr_space)
min_addr = min_addr_sym & ~0xfff
max_addr = (max_addr_sym & ~0xfff) + 0x1000
scan_buf = ""
llen = max_addr - min_addr
allfs = "\xff" * 4096
memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
if memory_model == '32bit':
minus_size = 4
else:
minus_size = 8
check_bufs = []
replace_bufs = []
check_nums = [3000, 2800, 2700, 2500, 2300, 2100, 2000, 1500, 1300, 1200, 1024, 512, 256, 128, 96, 64, 48, 32, 24]
for num in check_nums:
check_bufs.append("\x00" * num)
replace_bufs.append(("\xff" * (num-minus_size)) + "\x00" * minus_size)
for page in range(min_addr, max_addr, 4096):
to_append = allfs
tmp = addr_space.read(page, 4096)
if tmp:
non_zero = False
for t in tmp:
if t != "\x00":
non_zero = True
break
if non_zero:
for i in range(len(check_nums)):
tmp = tmp.replace(check_bufs[i], replace_bufs[i])
to_append = tmp
scan_buf = scan_buf + to_append
for cur_addr in re.finditer("(?=(\x00\x00\x00\x00|\x01\x00\x00\x00|\x02\x00\x00\x00))", scan_buf):
mod_addr = min_addr + cur_addr.start()
if mod_addr in list_mods:
continue
m = obj.Object("module", offset = mod_addr, vm = addr_space)
if m.is_valid():
yield m
def calculate(self):
linux_common.set_plugin_members(self)
for mod in self.walk_modules_address_space(self.addr_space):
yield mod
def unified_output(self, data):
return TreeGrid([("Offset(V)", Address),
("Name", str)],
self.generator(data))
def generator(self, data):
for module in data:
yield (0, [Address(module.obj_offset), str(module.name)])
def render_text(self, outfd, data):
self.table_header(outfd, [("Offset (V)", "[addrpad]"), ("Name", "")])
for module in data:
self.table_row(outfd, module.obj_offset, str(module.name))
|