{"id":13511131,"url":"https://github.com/AsafEitani/rootkit_plugins","last_synced_at":"2025-03-30T20:32:37.440Z","repository":{"id":65040564,"uuid":"580764044","full_name":"AsafEitani/rootkit_plugins","owner":"AsafEitani","description":null,"archived":false,"fork":false,"pushed_at":"2022-12-24T12:51:01.000Z","size":40,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-05-21T09:15:07.775Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AsafEitani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-12-21T11:43:57.000Z","updated_at":"2023-12-25T08:11:09.000Z","dependencies_parsed_at":"2022-12-25T19:17:04.574Z","dependency_job_id":null,"html_url":"https://github.com/AsafEitani/rootkit_plugins","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AsafEitani%2Frootkit_plugins","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AsafEitani%2Frootkit_plugins/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AsafEitani%2Frootkit_plugins/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AsafEitani%2Frootkit_plugins/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AsafEitani","download_url":"https://codeload.github.com/AsafEitani/rootkit_plugins/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246379366,"owners_count":20767694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T03:00:35.217Z","updated_at":"2025-03-30T20:32:37.139Z","avatar_url":"https://github.com/AsafEitani.png","language":"Python","funding_links":[],"categories":["Volatility 3"],"sub_categories":["Plugins"],"readme":"## Volatility3 rootkit plugins\n\u003cbr /\u003e\n\n### Project Description\n\nThis repo contains a set of Volatility3 plugins that detect advanced rootkit hooking methods.\n\n[A full (but readable) explanation of plugin details can be found in the contest submission document](docs/contest_submission.md)\n\n\n\n### Plugins\n\n- **`check_seqops`** - The `check_seqops` plugin is used to detect hooking on network seq_operations structs. Sequence operations hooking is performed by kernel rootkits to avoid detection of network related activity.\n- **`check_fops`** - The `check_fops` plugin is used to detect hooking on file_operations structs. File operations hooking is performed by kernel rootkits to avoid detection of file system related activity. Mostly used to hide files, directories and processes from the procfs.\n- **`fileless`** - The `fileless` plugin is used to detect processes that were created from a temporary file (like /dev/shm/ or memfd:) or whose executable file was deleted after the process creation. This technique is often used to avoid detection by disk-scanning security solutions and to avoid further investigation of the executable malware.\n\n\n### ✔️ Prerequisites:\n\n- Python 3\n- Volatility 3\n\nInstall on Linux using these commands:\n\n```bash\napt install python3\n# clone from repo\ngit clone https://github.com/volatilityfoundation/volatility3.git\n# or install as a module\npip3 install volatility3\n```\n\n### ⚙ Installation\n\nAll plugins are located in the `plugins` folder. Copy them to your Volatility 3 directory under `volatility3/volatility3/framework/plugins/linux`.\n\nSome other framework extensions are required. They are located under `volatility3_changes`, and are organized in the same directory structure as their location within Volatility 3. Simply copy them to the same location (overwrite existing files if needed).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAsafEitani%2Frootkit_plugins","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAsafEitani%2Frootkit_plugins","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAsafEitani%2Frootkit_plugins/lists"}