https://github.com/fkie-cad/bpf-rootkit-workshop
Workshop: Forensic Analysis of eBPF based Linux Rootkits
- Host: GitHub
- URL: https://github.com/fkie-cad/bpf-rootkit-workshop
- Owner: fkie-cad
- License: mit
- Created: 2023-12-17T21:19:13.000Z (about 1 year ago)
- Default Branch: master
- Last Pushed: 2024-03-13T12:47:56.000Z (10 months ago)
- Last Synced: 2024-04-22T10:14:18.150Z (8 months ago)
- Topics: bpf, bpf-malware, ebpf, ebpf-malware, forensics, linux, live-forensics, malware, memory-forensics, rootkit
- Language: C
- Homepage:
- Size: 4.02 MB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# DFRWS EU 2023 Workshop: Forensic Analysis of eBPF based Linux Rootkits
Materials for the Workshop [_Forensic Analysis of eBPF based Linux Rootkits_](https://dfrws.org/forensic-analysis-of-ebpf-based-linux-rootkits/) that our colleagues [Martin Clauß](https://github.com/martinclauss/) and [Valentin Obst](https://github.com/vobst) gave at the DFRWS EU 2023 conference. We have published a blog post that covers some of the materials [here](https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/), and the presented Volatility 3 plugins are available [here](https://github.com/vobst/BPFVol3).
## Structure
This is a three-part workshop: introduction, live forensics, and memory forensics. We do not expect you to have any prior knowledge about the BPF subsystem and thus introduce the necessary prerequisites in part one. Part two covers tools and techniques to discover BPF malware from a shell running on the system under investigation. In the third part, we discuss methods to analyze memory images for malicious activities in the BPF subsystem. The slides are located at the root of each subdirectory.
Every part contains several practical exercises. All the materials needed to solve the problems can be found in the `materials` folder and the solutions can be found in the `solutions` folder.
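The live-forensics part works from a shell on the system under investigation, where `bpftool prog show -j` is the natural starting point for enumerating loaded BPF programs. The following script is an added example and is not part of the workshop materials or of the BPFVol3 plugins: it triages that JSON output for program types that hook kernel events (kprobes, tracepoints, fentry/fexit, LSM, XDP, tc) and for maps shared between such programs. The field names follow bpftool's JSON output as I know it (the `pids` array is only present when bpftool was built with libbpf skeleton support), and the sample records are constructed for this example.

```python
"""Triage the output of `bpftool prog show -j` for hooks commonly used by eBPF rootkits.

Added example, not part of the workshop repository. On the system under
investigation run as root:  bpftool prog show -j | python3 bpf_triage.py
Without input on stdin the constructed sample below is used instead.
"""
import json
import sys

# Program types that give code visibility into or control over kernel events.
# Legitimate observability tools use the same hooks, so a hit is a lead, not a verdict.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm",
              "xdp", "sched_cls", "sched_act"}

# Constructed sample in the shape of `bpftool prog show -j`. Field names are
# assumed from bpftool's JSON output; ids, tags, names and pids are invented.
SAMPLE_JSON = """[
  {"id": 12, "type": "cgroup_skb", "tag": "6deef7357e7b4530", "gpl_compatible": true,
   "loaded_at": 1700000000, "uid": 0, "bytes_xlated": 64, "jited": true,
   "bytes_jited": 66, "bytes_memlock": 4096, "map_ids": [],
   "pids": [{"pid": 1, "comm": "systemd"}]},
  {"id": 87, "type": "kprobe", "name": "handle_getdents", "tag": "1b2c3d4e5f607182",
   "gpl_compatible": true, "loaded_at": 1700003600, "uid": 0, "bytes_xlated": 2048,
   "jited": true, "bytes_jited": 1200, "bytes_memlock": 8192, "map_ids": [5, 6],
   "pids": [{"pid": 4242, "comm": "kworker-u8"}]},
  {"id": 91, "type": "tracepoint", "name": "sys_enter_openat", "tag": "a1b2c3d4e5f60718",
   "gpl_compatible": true, "loaded_at": 1700003601, "uid": 0, "bytes_xlated": 512,
   "jited": true, "bytes_jited": 400, "bytes_memlock": 4096, "map_ids": [5]}
]"""


def triage(bpftool_json: str) -> list[dict]:
    """Return one finding per program whose type is in HOOK_TYPES.

    Each finding records the owning processes taken from "pids". When that list
    is empty or absent the program is alive without a visible owner (for example
    through a pinned bpffs path or a BPF link), which deserves a closer look.
    """
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOK_TYPES:
            continue
        owners = [f'{p["comm"]}({p["pid"]})' for p in prog.get("pids", [])]
        findings.append({
            "id": prog["id"],
            "type": prog["type"],
            "name": prog.get("name", ""),
            "maps": list(prog.get("map_ids", [])),
            "owners": owners,
            "no_visible_owner": not owners,
        })
    return findings


def shared_maps(findings: list[dict]) -> dict[int, list[int]]:
    """Map id -> ids of flagged programs sharing it.

    Components of one BPF rootkit typically exchange state (pids or file names
    to hide, command channels) through a common map, so shared maps group
    programs that belong together.
    """
    by_map: dict[int, list[int]] = {}
    for f in findings:
        for m in f["maps"]:
            by_map.setdefault(m, []).append(f["id"])
    return {m: ids for m, ids in by_map.items() if len(ids) > 1}


def main() -> None:
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_JSON
    findings = triage(data)
    for f in findings:
        owner = ", ".join(f["owners"]) or "NO VISIBLE OWNER"
        print(f'prog {f["id"]:>5} {f["type"]:<14} {f["name"]:<20} maps={f["maps"]} owner={owner}')
    for m, ids in shared_maps(findings).items():
        print(f"map {m} shared by programs {ids}")


if __name__ == "__main__":
    main()
```

Keep in mind that this enumeration goes through the same kernel interfaces a rootkit can hook, so a tampered system may present a clean list; that is the reason the third part of the workshop examines the BPF subsystem in a memory image rather than trusting the live view.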
## Downloads
Certain workshop materials are unsuitable for storage in a git repository. Below are links to download them from external sources.
### Virtual Machines
In the slides we mention two virtual machines.
- The Kali Linux VM contains these materials as well as all required third-party tools. Use it to complete the workshop if your host operating system cannot run BPF, e.g., because you use a hardened Linux kernel or another operating system (BSD, macOS, Windows, ...). [Download](https://uni-bonn.sciebo.de/s/8r2QKoJccLQLeyo)
- The Ubuntu VM is used during the live forensics exercise. [Download](https://uni-bonn.sciebo.de/s/8r2QKoJccLQLeyo)
### Memory Images and Symbols
In the memory forensics part, there are multiple exercises where you have to analyze memory images. [Download](https://owncloud.fraunhofer.de/index.php/s/IeriGoh60FXVpd9)
To analyze them with Volatility you also need the corresponding symbol files. [Download](https://owncloud.fraunhofer.de/index.php/s/the1K7tlAhvNkBb)
### Packet Captures
Some exercises involve the analysis of pcap files. [Download](https://owncloud.fraunhofer.de/index.php/s/u5oG91ZP7HnUxJw)