Examining kernel objects
To begin with, rootkits are loaded kernel modules. Accordingly, we need methods to detect loaded modules. For this case, Volatility has a couple of nice plugins: linux_lsmod, which enumerates kernel modules, and linux_hidden_modules, which carves memory to find hidden kernel modules.
The first plugin enumerates kernel modules by walking the global linked list stored in the modules variable. The output looks as follows:
Here, we can see the names of the loaded modules and their sizes. Note that if you used a tool that requires its own kernel module to be loaded at the time of dumping, that module will also appear on this list. For example, in our case, you can see the lime module in the first line.
The linux_hidden_modules plugin scans memory for instances of the module structure and then compares the results with the list of modules reported by linux_lsmod. It looks like this: