{"id":13511122,"url":"https://github.com/mdenzel/ACPI-rootkit-scan","last_synced_at":"2025-03-30T20:32:34.740Z","repository":{"id":137445363,"uuid":"212548329","full_name":"mdenzel/ACPI-rootkit-scan","owner":"mdenzel","description":"volatility plugin to detect ACPI rootkits","archived":false,"fork":false,"pushed_at":"2021-01-05T15:22:06.000Z","size":695,"stargazers_count":9,"open_issues_count":1,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-01T13:33:53.909Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mdenzel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"license.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-10-03T10:03:08.000Z","updated_at":"2024-07-25T12:25:07.000Z","dependencies_parsed_at":"2024-01-12T03:36:23.422Z","dependency_job_id":"6b29ea5a-f6f5-468f-94d6-255987f99677","html_url":"https://github.com/mdenzel/ACPI-rootkit-scan","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mdenzel%2FACPI-rootkit-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mdenzel%2FACPI-rootkit-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mdenzel%2FACPI-rootkit-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mdenzel%2FACPI-rootkit-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mdenzel","download_url":"https://codeload.github.com/mdenzel/A
CPI-rootkit-scan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246379366,"owners_count":20767694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T03:00:34.920Z","updated_at":"2025-03-30T20:32:34.384Z","avatar_url":"https://github.com/mdenzel.png","language":"Python","funding_links":[],"categories":["Volatility 2"],"sub_categories":["Plugins"],"readme":"```\n@author:\tMichael Denzel\n@license:\tGNU General Public License 2.0 or later\n```\n\nThis repository includes a [volatility2](https://github.com/volatilityfoundation/volatility) plugin to search for ACPI rootkits.\n\n------------------------------------------------\n\n```\n1. Installation\n 1.1 Quick Installation\n 1.2 Full Installation\n2. Quickstart\n3. Usage\n 3.1 dumpACPITables.py\n 3.2 scanACPITables.py\n4. Remarks\n 4.1 iasl\n 4.2 ACPIstructs.py\n```\n\n------------------------------------------------\n\n# 1. Installation\n\nRequirements:\n\n- (a memory dump tool (e.g. 
`LiME` for Linux) to create a memory dump)\n- python2\n- volatility with distorm3 and pycrypto (distorm3 and pycrypto can be installed via `pip2 install xxx`)\n- the tool `iasl`, needed to decompile ACPI tables; it is part of the `acpica-tools` package on Linux\n- ACPI-rootkit-scan (this repository)\n\n## 1.1 Quick installation\n\nClone this repository and include `--plugins=.../path/to/ACPI-rootkit-scan` in the volatility command.\n\n## 1.2 Full installation\n\nCopy the three files\n\n- ACPIstructs.py (\"header\" file)\n- dumpACPITables.py\n- scanACPITables.py\n\nto the plugin-folder of volatility (.../volatility/plugins).\n\n------------------------------------------------\n\n# 2. Quickstart\n\n[LiME](https://github.com/504ensicsLabs/LiME) (or similar) is suitable for creating memory dumps of Linux systems. Remark: use `format=padded` or `format=lime` with `timeout=0` to create memory dumps that work with volatility.\n\nOnce you have acquired a memory dump, execute the following:\n\n```volatility --plugins=/path/to/ACPI-rootkit-scan --profile=xxx -f /path/to/dump.dd scanacpitables --dump```\n\nThe option 'dump' calls both modules with default options, i.e. it dumps the ACPI tables into the default\nfolder, decompiles them with iasl, and scans the result for ACPI rootkits.\n\nIf you only want to see detections, run:\n\n```volatility --plugins=/path/to/ACPI-rootkit-scan --profile=xxx -f /path/to/dump.dd scanacpitables --dump --only_crit```\n\n------------------------------------------------\n\n# 3. Usage\n## 3.1 dumpACPITables.py\n\nThe plugin is able to extract the ACPI tables from a memory dump in raw and\nAML format (for a description of the parameters, see the \"-h\" option in volatility).\nThe files are extracted to a special folder e.g. 
./dumpedTables/ and sub-folders\nare created for every base pointer (RSDP) found in the specified memory region.\n\nFor example: ./dumpedTables/0x0009d510/ for an RSDP at 0x0009d510\n\nA dump could look like the following:\n```\n$ tree ./dumpedTables\n  0x0009d510\n  |-- APIC.raw\n  |-- BOOT.raw\n  |-- DSDT.aml\n  |-- FACP.raw\n  |-- FACS.raw\n  |-- HPET.raw\n  |-- MCFG.raw\n  |-- SRAT.raw\n  `-- WAET.raw\n  0x000f6b80\n  |-- APIC.raw\n  |-- BOOT.raw\n  |-- DSDT.aml\n  |-- FACP.raw\n  |-- FACS.raw\n  |-- HPET.raw\n  |-- MCFG.raw\n  |-- SRAT.raw\n  `-- WAET.raw\n```\n\n## 3.2 scanACPITables.py\n\nThis plugin scans all .dsl (ACPI Source Language, ASL) files in a given path\nfor possible malicious function calls. To alter the path to search for\nfiles see the \"-p\" option. Default is \"./dumpedTables\" and a folder named\nafter the RSDP pointer like in the dumpACPITables.py plugin.\n\nIf you wish to review the files by yourself, you could use the dumpACPITables.py plugin\nin combination with iasl and a text-editor.\n\nThe dumped .aml (ACPI Machine Language, AML) files have to be decompiled first.\nThis can be done with the official tool iasl. (see also 3.1)\n\n\nscanACPITables.py scans for a few functions that could be critical:\n\n- Load/LoadTable/Unload =\u003e can be used to load further malicious code from a memory location\n  it could be useful to further investigate this memory location\n- IRQ1 =\u003e this is the keyboard interrupt. ACPI should not listen to this interrupt, if so\n  there could be a keylogger installed.\n- two PNP03* devices =\u003e that means two keyboard drivers exist in ACPI. 
This could also be\n  a hint of manipulation and a possible keylogger.\n- OperationRegion =\u003e any access to memory or devices has to be declared in an OperationRegion-Call.\n  So every rootkit or malware has to use this function to access memory and change the system.\n  The main idea of this plugin is to scan for these calls and compare the included address\n  to kernel space (which includes the Interrupt Descriptor Table IDT and the System Service Dispatch Table\n  in Windows, for example; tables that are often hooked by rootkits).\n\nThe result of a scan is evaluated in four levels:\n\n- \"seems ok\"\t= the plugin could not find any hint of critical behaviour (this does not mean that there is none!)\n- \"unknown\"\t= a special function call could not be evaluated. This could be due to arguments and parameters passed\n\t\t  to the call. Since we are evaluating a memory image, this information is not available.\n- \"suspicious\"\t= something seems strange with this issue. Further investigation would be good.\n- \"CRITICAL\"\t= this function call is accessing kernel space memory, which should never happen in ACPI.\n\t\t  ACPI is doing power management and should not alter the kernel!\n\t\t  (disclaimer: this scan method is not exact and false-positive results might happen.\n\t\t  Also, changes in further ACPI versions could redefine the tasks of ACPI.\n\t\t  Nevertheless, it is a good idea to start your investigations at these function-calls)\n\nExample output and explanation (comments after \"#\"):\n\n```\n$ python vol.py --profile=LinuxUbuntu1204_3_8_0_30x86 -f ./EVIL/Ubuntu_1204_3_8_0_30-generic_EVIL.vmem scanacpitables\nVolatile Systems Volatility Framework 2.3_beta\n\ntable column \"Rootkit?\" may have values (seems ok/unknown/suspicious/CRITICAL)\nFile                  Function                                                               Rootkit?   
\n--------------------- ---------------------------------------------------------------------- -----------\n0x0009d510/DSDT.dsl   OperationRegion (IOA, SystemMemory, 0xFEC00000, 0x40)                  seems ok   #this OperationRegion seems ok, even though it is SystemMemory\n0x0009d510/DSDT.dsl   OperationRegion (LA, SystemMemory, 0xFEE00000, 0x0FFF)                 seems ok   \n0x0009d510/DSDT.dsl   OperationRegion (KERN, SystemMemory, 0x00100000, 0x3F8DB23F)           CRITICAL   #critical, this is the kernel space\n0x0009d510/DSDT.dsl   OperationRegion (SEAC, SystemMemory, 0x00C04048, One)                  CRITICAL   \n0x0009d510/DSDT.dsl   OperationRegion (NISC, SystemMemory, 0x0012BAE0, 0x40)                 CRITICAL   \n0x0009d510/DSDT.dsl   OperationRegion (SAC, SystemMemory, 0x00175C96, 0x0C)                  CRITICAL   \n0x0009d510/DSDT.dsl   OperationRegion (OEMD, SystemMemory, 0x3FEFFE5D, 0x60)                 seems ok   \n0x0009d510/DSDT.dsl   OperationRegion (REGS, PCI_Config, 0x50, 0x30)                         seems ok   #PCI seems ok, no manipulation of kernel\n0x0009d510/DSDT.dsl   OperationRegion (RE00, PCI_Config, 0xD8, 0x04)                         seems ok   \n0x0009d510/DSDT.dsl   OperationRegion (PIRX, PCI_Config, 0x60, 0x04)                         seems ok   \n0x0009d510/DSDT.dsl   OperationRegion (PCI, PCI_Config, 0x40, 0x60)                          seems ok   \nWARNING : volatility.plugins.scanACPITables: \t\t      function-address 'MBAS (Arg0)' can not be evaluated\n0x0009d510/DSDT.dsl   OperationRegion (MREG, SystemMemory, MBAS (Arg0), 0x10)                suspicious #MBAS is a self-defined function and can not be evaluated, this is strange\n0x0009d510/DSDT.dsl   OperationRegion (EICH, SystemMemory, Add (ECFG, 0x4000), 0x4000)       seems ok   #function Add is known and therefore evaluated, ECFG is extracted too, call is checked against kernel space and seems ok\n0x0009d510/DSDT.dsl   OperationRegion (SPRT, SystemMemory, Add (ECFG, 
Arg1), 0x04)           unknown    #Arg1 is a parameter and can not be evaluated in an offline memory image analysis\n0x0009d510/DSDT.dsl   OperationRegion (SIOR, SystemIO, 0x2E, 0x02)                           seems ok   #SystemIO seems ok, like PCI\n0x0009d510/DSDT.dsl   OperationRegion (LPCS, SystemMemory, ECFG, 0x0500)                     seems ok   \n\t\t      \t\t      \t     \t\t   \t \t\t\t     \t   \t#NEWLINE!\n0x000f6b80/DSDT.dsl   OperationRegion (OEMD, SystemMemory, 0x3FEFFE5D, 0x00000060)           seems ok   #new file! (also indicated by newline in the line before)\n0x000f6b80/DSDT.dsl   OperationRegion (REGS, PCI_Config, 0x50, 0x30)                         seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (RE00, PCI_Config, 0xD8, 0x04)                         seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (PIRX, PCI_Config, 0x60, 0x04)                         seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (PCI, PCI_Config, 0x40, 0x60)                          seems ok   \nWARNING : volatility.plugins.scanACPITables: \t\t      function-address 'MBAS (Arg0)' can not be evaluated\n0x000f6b80/DSDT.dsl   OperationRegion (MREG, SystemMemory, MBAS (Arg0), 0x10)                suspicious #MBAS like above\n0x000f6b80/DSDT.dsl   OperationRegion (EICH, SystemMemory, Add (ECFG, 0x4000), 0x4000)       seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (SPRT, SystemMemory, Add (ECFG, Arg1), 0x04)           unknown    #Arg1 like above\n0x000f6b80/DSDT.dsl   OperationRegion (SIOR, SystemIO, 0x2E, 0x02)                           seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (EREG, SystemMemory, ECFG, 0x4000)                     seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (CREG, SystemMemory, Local1, 0x10)                     unknown    #Local1 is like Arg1, can not be evaluated here\n0x000f6b80/DSDT.dsl   OperationRegion (CREG, SystemMemory, Local1, 0x01)                     unknown    \n0x000f6b80/DSDT.dsl   OperationRegion (RE01, PCI_Config, 
0x40, 0x04)                         seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (RE02, PCI_Config, 0xC4, 0x04)                         seems ok   \n0x000f6b80/DSDT.dsl   OperationRegion (REGS, PCI_Config, 0x00, 0x04)                         seems ok   \n0x000f6b80/DSDT.dsl   Name (_HID, EisaId (\"PNP0303\"))                                        suspicious #two keyboard devices seem strange!\n0x000f6b80/DSDT.dsl   Name (_HID, EisaId (\"PNP0303\"))                                        suspicious #seems identical but is another line\n0x000f6b80/DSDT.dsl   OperationRegion (LPCS, SystemMemory, ECFG, 0x0500)                     seems ok\n```\n\n\n------------------------------------------------\n\n# 4. Remarks\n## 4.1 iasl\n\nThe aml-files can be decompiled into .dsl files with iasl, an official tool from ACPICA\n(could be found in the Fedora/Ubuntu repositories as 'acpica-tools' - date 2020-05-02):\n\n```$ iasl -d \u003cfile.aml\u003e```\ne.g.\n```$ iasl -d ./dumpedTables/0x*/*.aml```\n\nThe resulting \u003cfile.dsl\u003e can be opened with a normal text-editor or scanned with\nthe second plugin scanACPITables.py\n\n## 4.2 ACPIstructs.py\n\nThis file includes ACPI header structs to parse the ACPI tables.\nIt can not be run separately but could be included in further modules which\ndeal with the ACPI tables.\n\nIt is needed for dumpACPITables.py and scanACPITables.py\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmdenzel%2FACPI-rootkit-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmdenzel%2FACPI-rootkit-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmdenzel%2FACPI-rootkit-scan/lists"}