Howto find Meterpreter and similar rootkits?

(@chrispa)
Posts: 5
Active Member
Topic starter
 

Is it possible to find Meterpreter or similar rootkits which don't modify the hard disk but are only stored in RAM?

Most common anti-rootkit software like rkhunter and chkrootkit don't find it.

Are they visible in a memory dump? How to make a memory dump on Linux? Is it possible with a PCI / FireWire card, or does the board have to have FireWire itself?

- chris

 
Posted : 21/05/2011 4:22 pm
(@jonathan)
Posts: 878
Prominent Member
 

Is it possible to find Meterpreter or similar rootkits which don't modify the hard disk but are only stored in RAM?

Most common anti-rootkit software like rkhunter and chkrootkit don't find it.

Are they visible in a memory dump? How to make a memory dump on Linux? Is it possible with a PCI / FireWire card, or does the board have to have FireWire itself?

- chris

The Volatility Framework https://www.volatilesystems.com/default/volatility can be your friend here.

 
Posted : 21/05/2011 5:16 pm
(@xennith)
Posts: 177
Estimable Member
 

The more advanced rootkits can actually fake the contents of RAM; I think you could use DMA to get a more accurate picture.

There's a load of anti-rootkit tools out there (redpill, Rootkit Revealer, BlackICE, etc.) which might be able to find it. Meterpreter isn't exceptionally stealthy; most AV will pick it up.

 
Posted : 21/05/2011 5:57 pm
lucpel
(@lucpel)
Posts: 55
Trusted Member
 

To dump physical memory: dd if=/dev/mem of=/yourdirectory/filename

cheers

 
Posted : 22/05/2011 8:15 am
(@chrispa)
Posts: 5
Active Member
Topic starter
 

To dump physical memory: dd if=/dev/mem of=/yourdirectory/filename

Some websites said this wouldn't work on recent linux distributions. On the other hand, I got some output on Lucid Lynx this way. Who is right?

What cheap Direct Memory Access hardware is available?

 
Posted : 22/05/2011 1:34 pm
(@chrispa)
Posts: 5
Active Member
Topic starter
 

There's a load of anti-rootkit tools out there (redpill, Rootkit Revealer, BlackICE, etc.) which might be able to find it. Meterpreter isn't exceptionally stealthy; most AV will pick it up.

I tried rkhunter and chkrootkit. They didn't do a good job. I will have a look at the others.

 
Posted : 22/05/2011 1:35 pm
(@xennith)
Posts: 177
Estimable Member
 

You do realise that Meterpreter is a Windows-only payload, right?

 
Posted : 22/05/2011 8:31 pm
(@chrispa)
Posts: 5
Active Member
Topic starter
 

You do realise that Meterpreter is a Windows-only payload, right?

I didn't. Thank you.

 
Posted : 23/05/2011 11:27 pm
(@echo6)
Posts: 87
Trusted Member
 

If CONFIG_STRICT_DEVMEM=y, which is enabled by default for the kernel versions distributed on most distros today, then yes, dd'ing /dev/mem will fail. You can only grab the first 1 MB of memory plus some data regions, i.e. PCI space and BIOS code.

Yes, it is possible to identify Metasploit Meterpreter activity in Windows memory dumps using Volatility.

Avoiding detection is possible using Metasploit, so for example Meterpreter payloads can avoid anti-virus using ShellCodeExec.

 
Posted : 26/05/2011 1:26 am
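An added example (not from any poster in this thread) of checking, before an acquisition, whether the running kernel has CONFIG_STRICT_DEVMEM set, and of probing whether /dev/mem reads stop at the 1 MB boundary described above. The config file locations and the 1 MiB probe offset are assumptions; the probe needs root.

```shell
#!/bin/sh
# Example script (not the thread's own): decide whether a plain
# `dd if=/dev/mem` acquisition will work on this Linux box.

# Return 0 if the kernel config file $1 has CONFIG_STRICT_DEVMEM=y,
# 1 if the option is explicitly unset, 2 if it does not appear at all.
strict_devmem_status() {
    if grep -q '^CONFIG_STRICT_DEVMEM=y$' "$1"; then
        return 0
    elif grep -q '^# CONFIG_STRICT_DEVMEM is not set$' "$1"; then
        return 1
    fi
    return 2
}

# Print the path of the running kernel's config: /boot/config-<release>
# on most distributions, else an uncompressed copy of /proc/config.gz.
# (Assumed locations; fails with status 1 if neither is readable.)
find_kernel_config() {
    rel="$(uname -r)"
    if [ -r "/boot/config-$rel" ]; then
        printf '%s\n' "/boot/config-$rel"
    elif [ -r /proc/config.gz ]; then
        tmp="$(mktemp)" && zcat /proc/config.gz > "$tmp" && printf '%s\n' "$tmp"
    else
        return 1
    fi
}

# Probe one 4 KiB page just past the 1 MiB mark (page 256). With
# STRICT_DEVMEM the kernel refuses this read even as root, so a failure
# here means a /dev/mem dump will be truncated to the low region.
# Prints "full" or "restricted"; needs root and a present /dev/mem.
probe_devmem_above_1mib() {
    if dd if=/dev/mem of=/dev/null bs=4096 skip=256 count=1 2>/dev/null; then
        echo full
    else
        echo restricted
    fi
}

# Full check, run as root: combine the config answer with the live probe.
if [ "${1:-}" = "--check" ]; then
    cfg="$(find_kernel_config)" || { echo "kernel config not found"; exit 1; }
    strict_devmem_status "$cfg"
    echo "CONFIG_STRICT_DEVMEM status code: $? (0=y, 1=unset, 2=absent)"
    echo "/dev/mem above 1 MiB: $(probe_devmem_above_1mib)"
fi
```

Run it as `sudo sh devmem_check.sh --check`; a status code of 0 with a "restricted" probe means only the low 1 MB and a few device regions are reachable, so a different acquisition method is needed for a full image.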
(@corey_h)
Posts: 43
Eminent Member
 

Is it possible to find Meterpreter or similar rootkits which don't modify the hard disk but are only stored in RAM?

Peter Silberman's 2009 Blackhat paper titled "Metasploit Reconstructing the Scene of the Crime" may provide you with some useful information. His paper covers how to use Mandiant's Memoryze to reconstruct a Meterpreter session.

The paper is located here: http://www.blackhat.com/presentations/bh-usa-09/SILBERMAN/BHUSA09-Silberman-MetasploitAutopsy-PAPER.pdf

Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com

 
Posted : 26/05/2011 11:18 pm