Report: Kernel Modules
A kernel module is an object file that implements kernel functionality, and that can be loaded and unloaded as needed at runtime without the need to reboot the system. Device or filesystem drivers, for example, are kernel modules.
Report Data: Kernel Modules
Following are the kernel modules that were loaded when the memory snapshot of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication) was taken.
The following table describes each column of the reported data.
Column | Description | Notes |
---|---|---|
Name | Module name | Obtained from the module |
Version | Module version, if defined | Obtained from the module |
Base | Address of page containing the start of the kernel module | |
Size | Module size in bytes | |
Addr | Address where the kernel module is loaded | |
This data can be partially obtained from a running Linux system via the lsmod command.
Forensic Hints
Patterns to look for: Any unexpected or unexplained modules? Note that addresses are often varied by ASLR so nonuniformity can be expected.
The same set of kernel modules can be obtained from a running Linux system via the lsmod command; any difference between the set (a) read from usermode and (b) derived from memory inspection should be investigated, as discussed here.
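The comparison described above, as an added example that is not part of this report or its tooling: it parses lsmod output into a name/size map, builds the same map from rows shaped like the report table (Name, Version, Base, Size, Addr), and lists the modules that appear on only one side. Both the lsmod text and the report rows are constructed samples, and the module name `example_hidden` is a placeholder, not a known module.

```python
# Constructed sample of `lsmod` output (header line, then Module / Size / Used by).
LSMOD_OUTPUT = """\
Module                  Size  Used by
ext4                  374902  2
jbd2                   93427  1 ext4
e1000                 137624  0
"""

# Constructed rows in the report's column order: (Name, Version, Base, Size, Addr).
# The last row is a placeholder module present in memory but absent from lsmod.
MEMORY_REPORT = [
    ("ext4",           "", "0xffffffffa0080000", 374902, "0xffffffffa0080000"),
    ("jbd2",           "", "0xffffffffa0040000",  93427, "0xffffffffa0040000"),
    ("e1000",          "", "0xffffffffa0100000", 137624, "0xffffffffa0100000"),
    ("example_hidden", "", "0xffffffffa0200000",  12288, "0xffffffffa0200000"),
]


def parse_lsmod(text):
    """Return {module name: size} from lsmod text, skipping the header line."""
    modules = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 2:          # blank or truncated line
            continue
        modules[parts[0]] = int(parts[1])
    return modules


def compare_modules(lsmod_text, memory_rows):
    """Diff the usermode (lsmod) view against the memory-derived module list.

    A module that exists in memory but not in lsmod is the finding to chase first;
    the reverse direction and size mismatches are weaker signals, since the two
    views account for size differently and modules can load or unload between
    the lsmod run and the snapshot.
    """
    user = parse_lsmod(lsmod_text)
    mem = {row[0]: row[3] for row in memory_rows}
    common = set(user) & set(mem)
    return {
        "only_in_memory": sorted(set(mem) - set(user)),
        "only_in_usermode": sorted(set(user) - set(mem)),
        "size_mismatch": sorted(n for n in common if user[n] != mem[n]),
    }


if __name__ == "__main__":
    for key, names in compare_modules(LSMOD_OUTPUT, MEMORY_REPORT).items():
        print(f"{key}: {names}")
```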