Add detection of malicious ftrace and tracepoints

[atcuno]

@Abyss-W4tcher we need to get ftrace and tracepoints into vol3 for the parity release.

I know you have these here:

https://github.com/Abyss-W4tcher/volatility-scripts/blob/master/Volatility_contest_2023/plugins/check_ftrace.py

https://github.com/Abyss-W4tcher/volatility-scripts/blob/master/Volatility_contest_2023/plugins/check_tracepoints.py

Are you up for converting these over? Myself and Gus can work on it if not.

[Abyss-W4tcher]

Hi @atcuno, sure I can port these two plugins :)

Would you like them to be put in a common kernel_tracing directory under plugins, so that users can easily understand the context of these plugins :

• linux.kernel_tracing.ftrace
• linux.kernel_tracing.tracepoints
• [..] any additional technique

[atcuno]

yes that would be nice as eventually there will be 5+

[Abyss-W4tcher]

Plugins are ready, but actually depend on hidden_modules, and an additional plugin I developed named modxview (which is basically psxview but for modules). So, a few parts need to move before ftrace and tracepoints get to a PR :)

[gcmoreira]

Cool, I can test these plugins if you need it. Thanks

[atcuno]

@Abyss-W4tcher @gcmoreira what is the latest on this one?

[Abyss-W4tcher]

I am still waiting on modxview plugin review, which embeds APIs for ftrace and tracepoints.