This dataset contains 55 rootkit-infected memory dumps of Linux virtual machines. 35 of the rootkits are open-source, collected from GitHub; the other 20 are in-the-wild samples captured by VirusTotal Livehunt and Retrohunt jobs.
The dataset contains only kernel rootkits (i.e. rootkits implemented as Linux kernel modules, LKMs) that attempt to hide the module they are implemented in. The capability table below details the techniques each of them uses to do so.
To build the dataset, virtual machines were created with Vagrant and VirtualBox, each running one of the following distributions: Ubuntu, Debian, CentOS or Oracle Linux. For the open-source rootkits, a kernel version on which the rootkit could be compiled was chosen. For the in-the-wild rootkits, the kernel the malware was built for was determined from the .modinfo section of the sample (its vermagic string): the kernel refuses to load a module whose vermagic does not match its own, unless the module is force-loaded, so the sample's vermagic names the kernel the VM has to run. Each machine was infected with one rootkit at a time, and a memory snapshot was taken with VirtualBox's VBoxManage debugvm <vm> dumpvmcore command, which writes the entire "physical" memory of the virtual machine as an ELF core file; the files were then compressed with gzip.

The cards below link to each memory image and its corresponding symbol table. For each sample, we also provide either a link to the GitHub repository of the rootkit or a link to its VirusTotal report. Alternatively, the whole dataset can be downloaded as a single zip file.
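The following script is an added example (not code from the dataset or the paper) of the vermagic lookup described above: it parses the ELF section headers of a kernel module, extracts the .modinfo key=value entries and returns the kernel release the module was built against, which is the kernel the analysis VM must run. The module bytes it parses by default are constructed inside the script, and the vermagic value in them is made up. On a Linux host with kmod or binutils installed, modinfo -F vermagic sample.ko or readelf -p .modinfo sample.ko gives the same answer; the parser here needs neither and works on any platform.

```python
"""Recover the target kernel version of a Linux kernel module (.ko) from its
.modinfo section by parsing the ELF section headers directly.

Added example for this dataset page, not part of the dataset or the paper.
The sample module bytes are constructed here for demonstration; the
'vermagic' value they carry is made up and refers to no real sample.
"""
import struct
import sys


def parse_modinfo(data: bytes) -> dict[str, list[str]]:
    """Return the key=value entries of the .modinfo section.

    Keys may repeat (e.g. several 'alias' lines), so every key maps to a list
    holding the values in file order.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    if data[4] == 2:                                 # EI_CLASS: 2 = ELF64
        (e_shoff,) = struct.unpack_from(endian + "Q", data, 0x28)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(endian + "HHH", data, 0x3A)
        shdr_fmt = endian + "IIQQQQIIQQ"             # Elf64_Shdr
    elif data[4] == 1:                               # EI_CLASS: 1 = ELF32
        (e_shoff,) = struct.unpack_from(endian + "I", data, 0x20)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(endian + "HHH", data, 0x2E)
        shdr_fmt = endian + "IIIIIIIIII"             # Elf32_Shdr
    else:
        raise ValueError("unknown ELF class")

    # (sh_name, sh_offset, sh_size) of every section header
    headers = []
    for i in range(e_shnum):
        f = struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
        headers.append((f[0], f[4], f[5]))

    # Section names are NUL-terminated strings in the section-header string table
    str_off, str_size = headers[e_shstrndx][1], headers[e_shstrndx][2]
    shstrtab = data[str_off:str_off + str_size]

    def name_of(sh_name: int) -> str:
        return shstrtab[sh_name:shstrtab.index(b"\0", sh_name)].decode()

    for sh_name, off, size in headers:
        if name_of(sh_name) == ".modinfo":
            entries: dict[str, list[str]] = {}
            for item in data[off:off + size].split(b"\0"):   # one NUL-terminated "key=value" per entry
                if b"=" in item:
                    key, value = item.split(b"=", 1)
                    entries.setdefault(key.decode(), []).append(value.decode(errors="replace"))
            return entries
    raise ValueError("no .modinfo section; probably not a kernel module")


def kernel_release(entries: dict[str, list[str]]) -> str:
    """First token of vermagic is the `uname -r` of the build kernel,
    e.g. '5.4.0-42-generic SMP mod_unload' -> '5.4.0-42-generic'."""
    return entries["vermagic"][0].split()[0]


def build_sample_module() -> bytes:
    """Constructed test input: a minimal ELF64 little-endian relocatable that
    carries only a .modinfo section and the section-name string table."""
    modinfo = b"\0".join([
        b"license=GPL",
        b"depends=",
        b"name=example_lkm",
        b"vermagic=5.4.0-42-generic SMP mod_unload modversions ",   # made-up value
    ]) + b"\0"
    shstrtab = b"\0.modinfo\0.shstrtab\0"    # ".modinfo" at offset 1, ".shstrtab" at 10
    modinfo_off = 64                           # directly after the 64-byte ELF header
    shstrtab_off = modinfo_off + len(modinfo)
    shoff = (shstrtab_off + len(shstrtab) + 7) & ~7    # section header table, 8-byte aligned

    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1, System V ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        1, 0x3E, 1,          # e_type=ET_REL, e_machine=EM_X86_64, e_version
                        0, 0, shoff,         # e_entry, e_phoff, e_shoff
                        0, 64, 0, 0,         # e_flags, e_ehsize, e_phentsize, e_phnum
                        64, 3, 2)            # e_shentsize, e_shnum, e_shstrndx

    def shdr(name, sh_type, offset, size):
        return struct.pack("<IIQQQQIIQQ", name, sh_type, 0, 0, offset, size, 0, 0, 1, 0)

    body = ehdr + modinfo + shstrtab
    body += b"\0" * (shoff - len(body))
    return (body
            + shdr(0, 0, 0, 0)                                 # SHT_NULL
            + shdr(1, 1, modinfo_off, len(modinfo))            # .modinfo, SHT_PROGBITS
            + shdr(10, 3, shstrtab_off, len(shstrtab)))        # .shstrtab, SHT_STRTAB


if __name__ == "__main__":
    # usage: python modinfo_vermagic.py sample.ko   (no argument: parse the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_module()
    info = parse_modinfo(data)
    for key, values in info.items():
        for value in values:
            print(f"{key}: {value}")
    print("build the VM with kernel", kernel_release(info))
```

The release string alone does not guarantee the module will load: the remaining vermagic tokens (SMP, preempt, mod_unload, modversions) must also match the target kernel's configuration, so the VM should run the exact distribution kernel package the sample was built against rather than a self-compiled kernel with the same version number.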
This dataset was created to evaluate the Volatility plugin proposed in the paper Detecting Hidden Kernel Modules in Memory Snapshots, presented at DFRWS USA 2025. It is freely available for research purposes; if you use part or all of the dataset, we kindly ask you to cite our paper:
@article{nagy2025hiddenlkm,
title={Detecting Hidden Kernel Modules in Memory Snapshots},
author={Nagy, Roland},
journal={Forensic Science International: Digital Investigation},
year={2025},
publisher={Elsevier},
note={DFRWS USA 2025 - Selected Papers from the 25th Annual Digital Forensics Research Conference USA},
}