memory_detect_rootkit
Detect rootkits in Linux memory dumps by analyzing syscall table tampering and hidden kernel modules to identify system compromise indicators.
Instructions
Check for rootkits via syscall table tampering and hidden kernel modules. Runs the Volatility 2 linux_check_syscall and linux_hidden_modules plugins against the dump, each with a 300-second timeout. Returns syscall_check and hidden_modules (the raw plugin output, truncated to 3000 characters each), rootkit_indicators (a list of human-readable findings), and likely_compromised (true when at least one indicator fired). Read-only analysis: the dump is never modified. Requires a Volatility 2 binary on the host and a profile matching the dump's kernel build; if Volatility 2 cannot be found the tool returns an error object instead of results.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| dump_path | Yes | Path to the Linux memory dump file | |
| profile | Yes | Volatility 2 profile name | |
Implementation Reference
- src/tools/memory.ts:150-194 (handler): Implementation of the memory_detect_rootkit tool, including the handler logic that executes the Volatility 2 plugins (linux_check_syscall and linux_hidden_modules) and processes their output to derive rootkit indicators.
```ts
import { z } from "zod";

// findVolatility2, validateDump and runCmd are helpers defined elsewhere in
// src/tools/memory.ts; `server` is the MCP server instance the tool registers on.
server.tool(
  "memory_detect_rootkit",
  "Check for rootkits via syscall table tampering and hidden kernel modules. Runs linux_check_syscall and linux_hidden_modules plugins. Returns syscall_check, hidden_modules, rootkit_indicators, and likely_compromised. Read-only analysis.",
  {
    dump_path: z.string().describe("Path to the Linux memory dump file"),
    profile: z.string().describe("Volatility 2 profile name"),
  },
  async ({ dump_path, profile }) => {
    const volBin = findVolatility2();
    if (!volBin) {
      const result = { error: "Volatility 2 not found." };
      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
    }
    const dump = validateDump(dump_path);

    // Both plugins are read-only over the dump; each gets a 300 s timeout.
    const syscall = await runCmd(
      volBin,
      [`--profile=${profile}`, "-f", dump, "linux_check_syscall"],
      { timeout: 300 }
    );
    const hidden = await runCmd(
      volBin,
      [`--profile=${profile}`, "-f", dump, "linux_hidden_modules"],
      { timeout: 300 }
    );

    const indicators: string[] = [];
    // linux_check_syscall marks tampered table entries with "HOOKED".
    if (syscall.stdout.toUpperCase().includes("HOOKED")) {
      indicators.push("Hooked syscall entries detected — possible rootkit");
    }
    // Heuristic: any non-empty output that lacks the substring "No" counts as a hit.
    // Caveat: this fires on a header-only table as well, and misses a module
    // whose name happens to contain "No"; treat it as a coarse signal.
    if (hidden.stdout.trim() && !hidden.stdout.includes("No")) {
      indicators.push("Hidden kernel modules found — likely rootkit");
    }

    const result = {
      syscall_check: syscall.stdout.slice(0, 3000), // raw plugin output, truncated
      hidden_modules: hidden.stdout.slice(0, 3000),
      rootkit_indicators: indicators,
      likely_compromised: indicators.length > 0,
    };
    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
  }
);
```
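The handler above decides likely_compromised from substring matches on raw stdout, which is fragile: a header-only table is non-empty, and a module name containing "No" would be dismissed. The following is an added example, not the project's own code, showing how the same two plugin outputs can be parsed row by row into structured findings before a verdict is drawn. The sample outputs are constructed here and only approximate the Volatility 2 text renderer; the parser relies solely on the column order (table, index, address, symbol / offset, name) and the "HOOKED" token, which are assumptions, so whitespace differences in real output do not matter.

```typescript
// Added example: structured parsing of linux_check_syscall and
// linux_hidden_modules output. Column layouts are ASSUMED to approximate
// the Volatility 2 text renderer; only column order and "HOOKED" are used.

interface SyscallEntry {
  table: string;   // e.g. "64bit"
  index: number;   // syscall number, parsed from the hex Index column
  address: string; // handler address as printed by the plugin
  symbol: string;  // resolved symbol, or the plugin's "HOOKED: ..." annotation
  hooked: boolean;
}
interface HiddenModule { offset: string; name: string; }
interface RootkitVerdict {
  hookedSyscalls: SyscallEntry[];
  hiddenModules: HiddenModule[];
  indicators: string[];
  likelyCompromised: boolean;
}

// Column headers and dashed separators carry no findings; skipping them
// explicitly means a header-only table is never treated as a positive.
function isHeaderOrSeparator(line: string): boolean {
  return /^-+(\s+-+)*$/.test(line) || /^(Table Name|Offset)\b/.test(line);
}

function parseCheckSyscall(stdout: string): SyscallEntry[] {
  const entries: SyscallEntry[] = [];
  for (const raw of stdout.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || isHeaderOrSeparator(line)) continue;
    // <table> <index hex> <address hex> <symbol | HOOKED: ...>
    const m = /^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+)$/i.exec(line);
    if (!m) continue; // banner lines, warnings, anything non-tabular
    const symbol = m[4].trim();
    entries.push({
      table: m[1],
      index: parseInt(m[2], 16),
      address: m[3].toLowerCase(),
      symbol,
      hooked: /\bHOOKED\b/.test(symbol),
    });
  }
  return entries;
}

function parseHiddenModules(stdout: string): HiddenModule[] {
  const mods: HiddenModule[] = [];
  for (const raw of stdout.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || isHeaderOrSeparator(line)) continue;
    const m = /^(0x[0-9a-f]+)\s+(\S+)/i.exec(line); // <offset> <name>
    if (m) mods.push({ offset: m[1].toLowerCase(), name: m[2] });
  }
  return mods;
}

function assessRootkit(syscallOut: string, hiddenOut: string): RootkitVerdict {
  const hookedSyscalls = parseCheckSyscall(syscallOut).filter((e) => e.hooked);
  const hiddenModules = parseHiddenModules(hiddenOut);
  const indicators: string[] = [];
  if (hookedSyscalls.length > 0) {
    const where = hookedSyscalls.map((e) => `${e.table}[${e.index}] -> ${e.address}`).join(", ");
    indicators.push(`Hooked syscall entries: ${where}`);
  }
  if (hiddenModules.length > 0) {
    indicators.push(`Hidden kernel modules: ${hiddenModules.map((m) => m.name).join(", ")}`);
  }
  return { hookedSyscalls, hiddenModules, indicators, likelyCompromised: indicators.length > 0 };
}

// Constructed sample outputs (not captured from a real dump).
const SAMPLE_SYSCALL_HOOKED = `Volatility Foundation Volatility Framework 2.6.1
Table Name      Index Address            Symbol
--------------- ----- ------------------ ----
64bit             0x0 0xffffffff81187b96 sys_read
64bit             0x1 0xffffffff81187c08 sys_write
64bit             0x2 0xffffffffa01a2c10 HOOKED: 0xffffffffa01a2c10
64bit            0x4e 0xffffffffa01a2e40 HOOKED: 0xffffffffa01a2e40
`;
const SAMPLE_SYSCALL_CLEAN = `Table Name      Index Address            Symbol
--------------- ----- ------------------ ----
64bit             0x0 0xffffffff81187b96 sys_read
64bit             0x1 0xffffffff81187c08 sys_write
`;
const SAMPLE_HIDDEN_EMPTY = `Offset (V)         Name
------------------ ----
`;
// Name deliberately contains "No": a naive !stdout.includes("No") check
// would dismiss this hit, the row parser does not.
const SAMPLE_HIDDEN_HIT = `Offset (V)         Name
------------------ ----
0xffffffffa01a0000 Notify_mod
`;

console.log(JSON.stringify(assessRootkit(SAMPLE_SYSCALL_HOOKED, SAMPLE_HIDDEN_HIT), null, 2));
```

Running it on the hooked sample reports two hooked entries (syscall numbers 2 and 78 on the 64-bit table) and one hidden module; the clean sample with a header-only hidden-modules table yields no indicators, which is exactly the case the substring heuristic gets wrong.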