Howto find Meterpreter and similar rootkits?

chrisPA · 2011-05-21T15:22:50Z

Is it possible to find Meterpreter or similar rootkits which don't modify the hard disk but are only stored in RAM?Most common anti-rootkit software like rkhunter and chkrootkit don't find it.Are they visible in a Memory Dump? Howto make a memory dump on linux? Is it possible with a PCI / Firewire card or does the board has to have Firewire itself?- chris

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by echo6 14 years ago

11 Posts

6 Users

0 Reactions

707 Views

RSS

echo6

(@echo6)

Trusted Member

Joined: 21 years ago

Posts: 87

26/05/2011 11:52 pm

Take a look at Michael Hale Ligh's technique using Volatility.

http//mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html

Also! you might want to consider looking at his book.

p.s. I would recommend using Volatility under Linux rather than Windows, some plugings require dependencies which you can't easily obtain under Windows. Of course you could go with Cygwin, but you may as well use native Linux or a vmware machine such as the one provided by SANS.

ReplyQuote

Page 2 / 2 Prev

Podcast: Well-Being In Digital Forensics And Policing: Insights From Hannah Bailey

Hannah Bailey shares her journey from frontline policin...

By Zoe , 2 hours ago
RE: Android Forensics

Hi, Try decompressing the file using zlib in python. ...

By Dexter4n6 , 19 hours ago
Interview: Neal Ysart, Co-Founder, The Coalition of Cyber Investigators

Neal Ysart shares how The Coalition of Cyber Investigat...

By Zoe , 1 day ago

8 Forums
15.7 K Topics
92.3 K Posts
223 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed