Module types

Source

Expand description

Output types for Linux forensic walkers.

Structs§

ArpEntryInfo: An ARP cache entry from the kernel neighbour table.
AuditTamperInfo: Audit rule suppression / netlink audit tamper info.
BashHistoryInfo: A recovered bash command history entry.
BootTimeEstimate: A single boot time estimate from a specific source.
BootTimeInfo: Aggregated boot time information from multiple sources.
CmdlineInfo: Process command line extracted from mm_struct.arg_start..arg_end.
ConnectionInfo: Information about a network connection extracted from kernel memory.
ContainerEscapeCorrelateInfo: Container escape / breakout detection info.
CpuPinningInfo: CPU affinity / cryptominer detection info.
CrontabEntry: A crontab entry recovered from process memory.
ElfInfo: Information about an ELF binary found in process memory.
EnvVarInfo: A single environment variable from a process.
FdAbuseInfo: Timer/signal FD abuse info.
FileDescriptorInfo: Information about an open file descriptor.
FuseAbuseInfo: FUSE filesystem abuse info.
HiddenModuleInfo: Information about a potentially hidden kernel module.
HiddenProcessInfo: PID namespace vs task list discrepancy — hidden process detection.
KernelHookInfo: Information about a potential inline kernel function hook.
MalfindInfo: A suspicious memory region detected by malfind analysis.
ModuleInfo: Information about a loaded kernel module.
MountInfo: Information about a mounted filesystem.
NetfilterRuleInfo: An iptables/nftables rule recovered from kernel memory.
ProcessInfo: Information about a Linux process extracted from task_struct.
PsTreeEntry: A process tree entry with depth annotation for display.
PsxViewInfo: Cross-view process visibility information for DKOM detection.
SharedMemAnomalyInfo: Shared memory anomaly info.
SshKeyInfo: An SSH key artifact found in sshd process memory.
SyscallInfo: Information about a syscall table entry.
ThreadInfo: Information about a Linux thread extracted from task_struct.
TtyCheckInfo: Information about a TTY operations function pointer check.
UserNsEscalationInfo: User namespace escalation detection info.
VdsoTamperInfo: vDSO tampering detection info.
VmaFlags: Permission flags for a virtual memory area.
VmaInfo: Information about a process virtual memory area.

Enums§

BootTimeSource: Source of a boot time estimate.
ConnectionState: TCP connection state.
ElfType: ELF object type from the ELF header e_type field.
FdAbuseType: Timer/signal FD abuse type.
ModuleState: State of a kernel module.
NeighState: NUD (Neighbour Unreachability Detection) state.
ProcessState: State of a Linux process.
Protocol: Network protocol.
SshKeyType: Type of SSH key found in memory.

Module types

Module types Copy item path

Structs§

Enums§

Module types