I can get a list of modules using either lsmod or cat /proc/modules. Do the two approaches use the same mechanism to retrieve the modules? I want to know this as we could use it to find some hidden malicious modules.
3 Answers
They are both reading the same kernel interface to produce the list. However, a rootkit may alter lsmod to hide modules but there are myriad ways to read /proc/modules that would be near impossible for a rootkit to modify all of them.
If you're doing something programmatic it doesn't really matter which one you use, but lsmod is much more human readable.
Update: To include examples.
cat /proc/modules
more /proc/modules
less /proc/modules
view /proc/modules
uniq /proc/modules
uniq < /proc/modules
grep . /proc/modules
grep . < /proc/modules
awk '{print}' /proc/modules
awk '{print}' < /proc/modules
sed 's/\(.\)/\1/' < /proc/modules
echo "$(</proc/modules)"
perl -p -e ";" < /proc/modules
nc -l 11111 & nc localhost 11111 < /proc/modules
Etc., etc., etc. Anything that can read text can display the contents. These are just a few that I thought of in under a minute. If I thought about it I could come up with some really esoteric ways.
"there are myriad ways to read /proc/modules" could you please elaborate more on that? (Commented Jan 9, 2011 at 9:15)
I'm not sure if you get notified that I edited my answer to include examples, but I did. (bahamat, commented Jan 9, 2011 at 9:41)
If the rootkit works at the kernel level (as a module for instance), you cannot rely on the info provided by /proc/modules. Furthermore, you cannot rely on lsmod either as it pretty-prints /proc/modules.
We could look up the source code, but if you are lazy like me:
sudo strace lsmod |& grep -E '(proc|sys)'
Shows interesting hits such as:
open("/proc/modules", O_RDONLY|O_CLOEXEC) = 3
open("/sys/module/ipt_MASQUERADE/refcnt", O_RDONLY|O_CLOEXEC) = 3
so we may guess that most of the info comes from /proc/modules and /sys/module/*.