memf-linux 0.2.1

Linux kernel memory forensic walkers (processes, connections, modules)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317

//! Linux hidden kernel module detector.
//!
//! Cross-references kernel modules found via the `modules` linked list
//! against the kernel's `kset` hierarchy (sysfs). Modules present in
//! one view but not the other may have been hidden by a rootkit.

use memf_core::object_reader::ObjectReader;
use memf_format::PhysicalMemoryProvider;

use crate::{Error, HiddenModuleInfo, Result};

/// Check whether a module is linked into the sysfs kobj tree.
///
/// Walks `module.mkobj.kobj.entry.next` — a non-null pointer indicates the
/// module is present in the kobj/sysfs hierarchy. Returns `true` (assume
/// present) if any required field offset is unavailable in the symbol table
/// or if the memory is unreadable.
fn check_module_in_sysfs<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
    mod_addr: u64,
) -> bool {
    let mkobj_offset = match reader.symbols().field_offset("module", "mkobj") {
        Some(off) => off,
        None => return true, // Can't verify — assume present
    };
    let kobj_offset = match reader.symbols().field_offset("module_kobject", "kobj") {
        Some(off) => off,
        None => return true,
    };
    let entry_offset = match reader.symbols().field_offset("kobject", "entry") {
        Some(off) => off,
        None => return true,
    };

    let entry_addr = mod_addr + mkobj_offset + kobj_offset + entry_offset;
    let next_ptr: u64 = match reader.read_field(entry_addr, "list_head", "next") {
        Ok(v) => v,
        Err(_) => return true, // Can't read — assume present
    };

    // Non-null next pointer means linked into kobj tree
    next_ptr != 0
}

/// Cross-reference kernel modules for hidden module detection.
///
/// Walks the `modules` linked list and the `module_kset` kobj tree,
/// then merges results. Modules visible in one but not both are
/// flagged as potentially hidden.
pub fn check_hidden_modules<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
) -> Result<Vec<HiddenModuleInfo>> {
    let modules_addr =
        reader
            .symbols()
            .symbol_address("modules")
            .ok_or_else(|| Error::MissingKernelSymbol {
                name: "modules".into(),
            })?;

    let _list_offset = reader
        .symbols()
        .field_offset("module", "list")
        .ok_or_else(|| Error::MissingField {
            struct_name: "module".into(),
            field_name: "list".into(),
        })?;

    // Walk the modules linked list
    let module_addrs = reader.walk_list(modules_addr, "module", "list")?;

    let mut results = Vec::new();

    for &mod_addr in &module_addrs {
        let name = reader
            .read_field_string(mod_addr, "module", "name", 56)
            .unwrap_or_else(|_| "<unknown>".to_string());

        let base_addr: u64 = reader
            .read_field(mod_addr, "module", "module_core")
            .unwrap_or(0);

        let size: u32 = reader
            .read_field(mod_addr, "module", "core_size")
            .unwrap_or(0);

        // Present in modules list by definition (we found it there).
        // Check sysfs linkage via kobj entry: module.mkobj.kobj.entry.next
        // must be non-null to indicate the module is linked into the sysfs
        // kobj tree. Returns true (assume present) if fields are missing.
        let in_sysfs = check_module_in_sysfs(reader, mod_addr);

        results.push(HiddenModuleInfo {
            name,
            base_addr,
            size: u64::from(size),
            in_modules_list: true,
            in_sysfs,
        });
    }

    Ok(results)
}

#[cfg(test)]
mod tests {
    use super::*;
    use memf_core::test_builders::{flags as ptflags, PageTableBuilder, SyntheticPhysMem};
    use memf_core::vas::{TranslationMode, VirtualAddressSpace};
    use memf_symbols::isf::IsfResolver;
    use memf_symbols::test_builders::IsfBuilder;

    fn make_test_reader(data: &[u8], vaddr: u64, paddr: u64) -> ObjectReader<SyntheticPhysMem> {
        let isf = IsfBuilder::new()
            .add_struct("module", 256)
            .add_field("module", "name", 0, "char")
            .add_field("module", "list", 56, "list_head")
            .add_field("module", "module_core", 128, "pointer")
            .add_field("module", "core_size", 136, "unsigned int")
            .add_field("module", "mkobj", 160, "module_kobject")
            .add_struct("module_kobject", 64)
            .add_field("module_kobject", "kobj", 0, "kobject")
            .add_struct("kobject", 64)
            .add_field("kobject", "name", 0, "pointer")
            .add_field("kobject", "entry", 16, "list_head")
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .add_symbol("modules", vaddr + 0x800)
            .add_symbol("module_kset", vaddr + 0x900)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, ptflags::WRITABLE)
            .write_phys(paddr, data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        ObjectReader::new(vas, Box::new(resolver))
    }

    #[test]
    fn empty_module_list() {
        let vaddr: u64 = 0xFFFF_8000_0010_0000;
        let paddr: u64 = 0x0080_0000;
        let mut data = vec![0u8; 4096];

        // modules list_head at +0x800 (self-referencing = empty)
        let modules_head = vaddr + 0x800;
        data[0x800..0x808].copy_from_slice(&modules_head.to_le_bytes());
        data[0x808..0x810].copy_from_slice(&modules_head.to_le_bytes());

        let reader = make_test_reader(&data, vaddr, paddr);
        let results = check_hidden_modules(&reader).unwrap();

        assert!(results.is_empty());
    }

    #[test]
    fn missing_modules_symbol() {
        let isf = IsfBuilder::new()
            .add_struct("module", 64)
            .add_field("module", "name", 0, "char")
            .add_field("module", "list", 8, "list_head")
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new().build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = check_hidden_modules(&reader);
        assert!(
            matches!(result, Err(crate::Error::MissingKernelSymbol { ref name }) if name == "modules"),
            "expected MissingKernelSymbol {{name: \"modules\"}}, got {result:?}"
        );
    }

    #[test]
    fn missing_module_list_field_returns_error() {
        // modules symbol present but module.list field absent → Error
        let isf = IsfBuilder::new()
            .add_struct("module", 64)
            .add_field("module", "name", 0, "char")
            // list field intentionally omitted
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .add_symbol("modules", 0xFFFF_8000_0010_0800)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new().build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = check_hidden_modules(&reader);
        assert!(
            matches!(result, Err(crate::Error::MissingField { ref struct_name, ref field_name }) if struct_name == "module" && field_name == "list"),
            "expected MissingField module.list, got {result:?}"
        );
    }

    #[test]
    fn single_module_in_list_with_sysfs() {
        // Set up a modules list with one real module entry that IS linked in sysfs.
        // module.mkobj at offset 160; module_kobject.kobj at offset 0;
        // kobject.entry at offset 16 → entry_addr = mod_addr + 160 + 0 + 16 = mod_addr + 176
        // list_head.next at entry_addr offset 0 → set to a non-zero sentinel to indicate linked.
        let vaddr: u64 = 0xFFFF_8000_0010_0000;
        let paddr: u64 = 0x0080_0000;
        let mut data = vec![0u8; 4096];

        let module_list_vaddr = vaddr; // module is at the page start
        let module_list_field_vaddr = module_list_vaddr + 56;

        let modules_head = vaddr + 0x800;
        data[0x800..0x808].copy_from_slice(&module_list_field_vaddr.to_le_bytes());
        data[0x808..0x810].copy_from_slice(&modules_head.to_le_bytes());

        // module.name at offset 0
        data[0..8].copy_from_slice(b"rootkit\0");
        // module.list at offset 56
        data[56..64].copy_from_slice(&modules_head.to_le_bytes());
        data[64..72].copy_from_slice(&modules_head.to_le_bytes());
        // module.module_core at offset 128
        let base: u64 = 0xFFFF_C000_0000_0000;
        data[128..136].copy_from_slice(&base.to_le_bytes());
        // module.core_size at offset 136
        data[136..140].copy_from_slice(&4096u32.to_le_bytes());
        // kobj.entry.next at offset 176 (mod_addr+160+0+16): set to non-zero → linked in sysfs
        let kobj_entry_next_sentinel: u64 = 0xFFFF_8000_DEAD_0001;
        data[176..184].copy_from_slice(&kobj_entry_next_sentinel.to_le_bytes());

        let reader = make_test_reader(&data, vaddr, paddr);
        let results = check_hidden_modules(&reader).unwrap();

        assert_eq!(results.len(), 1, "should find one module");
        assert!(
            results[0].name.starts_with("rootkit"),
            "name should match: {}",
            results[0].name
        );
        assert_eq!(results[0].base_addr, base);
        assert_eq!(results[0].size, 4096);
        assert!(results[0].in_modules_list);
        assert!(
            results[0].in_sysfs,
            "module with non-zero kobj entry.next should be in sysfs"
        );
    }

    #[test]
    fn single_module_not_in_sysfs() {
        use memf_core::test_builders::{flags as ptflags, PageTableBuilder};
        use memf_core::vas::{TranslationMode, VirtualAddressSpace};
        use memf_symbols::isf::IsfResolver;

        // Module in the modules list but NOT linked in sysfs (kobj entry.next == 0).
        let vaddr: u64 = 0xFFFF_8000_0011_0000;
        let paddr: u64 = 0x0081_0000;
        let mut data = vec![0u8; 4096];

        let module_list_field_vaddr = vaddr + 56;
        let modules_head = vaddr + 0x800;
        data[0x800..0x808].copy_from_slice(&module_list_field_vaddr.to_le_bytes());
        data[0x808..0x810].copy_from_slice(&modules_head.to_le_bytes());

        data[0..8].copy_from_slice(b"hidden\0\0");
        data[56..64].copy_from_slice(&modules_head.to_le_bytes());
        data[64..72].copy_from_slice(&modules_head.to_le_bytes());
        let base: u64 = 0xFFFF_C001_0000_0000;
        data[128..136].copy_from_slice(&base.to_le_bytes());
        data[136..140].copy_from_slice(&4096u32.to_le_bytes());
        // kobj.entry.next at offset 176 = 0 → not linked in sysfs
        // (data is zero-initialized, so nothing to set)

        let isf = memf_symbols::test_builders::IsfBuilder::new()
            .add_struct("module", 256)
            .add_field("module", "name", 0, "char")
            .add_field("module", "list", 56, "list_head")
            .add_field("module", "module_core", 128, "pointer")
            .add_field("module", "core_size", 136, "unsigned int")
            .add_field("module", "mkobj", 160, "module_kobject")
            .add_struct("module_kobject", 64)
            .add_field("module_kobject", "kobj", 0, "kobject")
            .add_struct("kobject", 64)
            .add_field("kobject", "name", 0, "pointer")
            .add_field("kobject", "entry", 16, "list_head")
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .add_symbol("modules", vaddr + 0x800)
            .add_symbol("module_kset", vaddr + 0x900)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(vaddr, paddr, ptflags::WRITABLE)
            .write_phys(paddr, &data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let results = check_hidden_modules(&reader).unwrap();
        assert_eq!(results.len(), 1, "should find one module");
        assert!(results[0].name.starts_with("hidden"));
        assert!(results[0].in_modules_list);
        assert!(
            !results[0].in_sysfs,
            "module with kobj entry.next==0 should not be in sysfs"
        );
    }
}