Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/AsafEitani/ebpf_programs_plugin
eBPF programs plugin Volatility 3 submission 2023
- Host: GitHub
- URL: https://github.com/AsafEitani/ebpf_programs_plugin
- Owner: AsafEitani
- Created: 2023-07-17T11:18:00.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-07-19T12:45:22.000Z (over 1 year ago)
- Last Synced: 2024-08-02T03:07:30.369Z (3 months ago)
- Language: Python
- Size: 13.7 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-volatility - eBPF programs & rootkit detection - Detects loaded eBPF programs and indicates for each if they are suspected as an eBPF rootkit (Volatility 3 / Plugins)
README
## Volatility3 eBPF programs & rootkit detection plugin
### Project Description
This repo contains a Volatility3 plugin that detects loaded eBPF programs and indicates for each if they are suspected as an eBPF rootkit.
[A full (but readable) explanation of plugin details can be found in the contest submission document](docs/contest_submission.md)
### Plugins
- **`ebpf_programs`** - Lists the eBPF programs loaded in the memory image together with their details (load time, name, program type and the helper functions they use) and a boolean that indicates whether each program is suspected of being an eBPF rootkit. The plugin can also dump the programs' code to disk as it exists after JIT compilation.
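The rootkit verdict the plugin reports is derived from the per-program data it recovers. The block below is an added illustration, not the plugin's own code or heuristic: it assumes you already hold, for each program, the fields the plugin lists (name, type, load time, used helpers) and shows one way to turn the helper set into a suspected-rootkit flag. The choice of indicator helpers (`bpf_probe_write_user`, `bpf_override_return`, `bpf_send_signal`) and the sample records are this example's own and are not taken from the project.

```python
"""Helper-based triage of loaded eBPF programs.

Added example, not the ebpf_programs plugin's logic. The record layout and the
indicator helper list below are assumptions made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Helpers that ordinary observability tooling rarely needs but that eBPF
# rootkits rely on. Treating them as indicators is this example's choice.
ROOTKIT_HELPERS = {
    "bpf_probe_write_user": "writes into the user-space memory of the traced task",
    "bpf_override_return": "overrides the return value of a kernel function",
    "bpf_send_signal": "delivers a signal to a task from kernel context",
}


@dataclass
class BpfProgram:
    """One loaded program, with the fields the plugin lists."""
    name: str                     # kernel-side name (BPF_OBJ_NAME_LEN, may be empty)
    prog_type: str                # e.g. "BPF_PROG_TYPE_KPROBE"
    load_time: datetime
    helpers: set[str] = field(default_factory=set)


@dataclass
class Verdict:
    program: BpfProgram
    suspected_rootkit: bool
    reasons: list[str]


def triage(prog: BpfProgram) -> Verdict:
    """Flag a program whose helper set contains a rootkit indicator."""
    reasons = [f"{h}: {why}" for h, why in ROOTKIT_HELPERS.items() if h in prog.helpers]
    # An empty name alone proves nothing (some loaders leave it blank), but a
    # nameless program that also uses a dangerous helper is worth calling out.
    if reasons and not prog.name:
        reasons.append("program has no name")
    return Verdict(prog, bool(reasons), reasons)


def triage_all(progs: list[BpfProgram]) -> list[Verdict]:
    return [triage(p) for p in progs]


def render(verdicts: list[Verdict]) -> list[str]:
    """Produce one report line per program, oldest load first."""
    lines = []
    for v in sorted(verdicts, key=lambda v: v.program.load_time):
        p = v.program
        flag = "SUSPECTED ROOTKIT" if v.suspected_rootkit else "ok"
        lines.append(f"{p.load_time:%Y-%m-%d %H:%M:%S} {p.name or '<unnamed>':<16} "
                     f"{p.prog_type:<26} {flag} {'; '.join(v.reasons)}")
    return lines


# Constructed sample records standing in for plugin output (not real data).
SAMPLE_PROGRAMS = [
    BpfProgram("trace_openat", "BPF_PROG_TYPE_TRACEPOINT", datetime(2023, 7, 17, 11, 18, 0),
               {"bpf_get_current_pid_tgid", "bpf_probe_read_user_str", "bpf_ringbuf_output"}),
    BpfProgram("hide_pid", "BPF_PROG_TYPE_KPROBE", datetime(2023, 7, 17, 12, 3, 0),
               {"bpf_probe_read_user", "bpf_probe_write_user", "bpf_get_current_pid_tgid"}),
    BpfProgram("", "BPF_PROG_TYPE_KPROBE", datetime(2023, 7, 17, 12, 4, 0),
               {"bpf_override_return"}),
]

if __name__ == "__main__":
    for line in render(triage_all(SAMPLE_PROGRAMS)):
        print(line)
```

Because the flag is computed from the helper list alone, a rootkit that avoids these three helpers is not caught; treat a clean verdict as "nothing obvious", and pair it with the plugin's dump option so the post-JIT code can be disassembled and reviewed directly.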
### ✔️ Prerequisites:
- Python 3
- Volatility 3
- capstone

Install on Linux using these commands:
```bash
apt install python3
# either clone Volatility 3 from the repository and install capstone separately ...
git clone https://github.com/volatilityfoundation/volatility3.git
pip3 install capstone
# ... or install both as modules
pip3 install volatility3 capstone
```

### ⚙ Installation
Copy the `ebpf_programs.py` file to your Volatility 3 directory under `volatility3/volatility3/framework/plugins/linux`.
### Usage
`python3 ./vol.py -f <memory_image> linux.ebpf_programs --name=<name> --dump`

Both flags are optional: `--name` restricts the listing to programs with the given name, and `--dump` writes each program's binary (as it exists after JIT compilation) to disk.