This article focuses on finding or creating a profile for a specific image, a step that must be done before investigating a memory image file with Volatility.
If you don't have a suitable profile and you want to investigate the image file of an old distribution, you have to do the tricky steps described below.
This article does not explain what Volatility is or go into in-depth image analysis; those could be the subject of another blog post.
Volatility 2 was rewritten in Python 3 and renamed Volatility 3. When choosing between the two versions, I pick whichever makes creating the profile for the image I am working on easier. To review the differences between them, see the document: Changes between Volatility 2 and Volatility 3
Volatility consists of several special plugins that you can run to extract a lot of information from a memory dump file.
Volatility 2.6
Installation
# Dependencies
sudo apt-get install dwarfdump pcregrep libpcre++-dev python-dev -y
pip2 install pycrypto distorm3
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility/
python2 vol.py --help
## Make volatility command executable
chmod +x /usr/local/bin/volatility/trunk/vol.py
ln -s /usr/local/bin/volatility/trunk/vol.py /usr/local/bin/vol26
which vol26
Identify the Correct Profile
- Windows
volatility2 -f dump.mem imageinfo
volatility3 -f dump.raw banners
- Linux
volatility3 -f dump.raw banners
strings dump.raw | grep -i 'Linux version' | uniq
- MacOSX
volatility2 -f dump.mem mac_get_profile
Build Your Own Linux Profile
- Before creating your own profile (Volatility 2) or symbol table (Volatility 3), try to find one among the shared ones first.
- By default, Volatility ships only with Windows profiles; it includes none for Linux or Mac.
- A Linux Volatility profile or symbol table is unique to each version of the Linux kernel.
- There are many Linux distributions, built for various architectures.
- A Linux profile is what Volatility uses to find critical information in the image. It is a zip file containing information about the kernel's data structures and debug symbols, which tells Volatility how to parse the image.
- This is why profiles are important: Volatility must know the system and architecture the memory dump was taken from before it can extract information.
- While in Volatility 3 it is sufficient to download the kernel containing debug symbols, Volatility 2 requires creating the module.dwarf file. To do this, a distribution with the same kernel version must be installed.
- When creating a profile for Volatility 2, you can install either from an ISO file or via Docker. Using Docker is much more practical.
Red Hat
- Creating a profile is very difficult for older versions of Red Hat. Therefore you can try to do it as described under Volatility3 > Build Your Own Symbol Tables below.
- If you come across a situation that requires Volatility 2, I have explained a difficult example below.
- In this example we will create a Volatility profile for the Red Hat image with the banner information below.
Linux version 2.6.32-754.el6.x86_64 (mockbuild@x86-033.build.eng.bos.redhat.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Thu May 24 18:18:25 EDT 2018
- We will do it with CentOS because the old versions of Red Hat are no longer reachable.
- Problems that arise because the distribution version is old:
  - Broken old package links of the yum package manager
  - libdwarf package installation (solution: install an old version from source)
  - Broken symbolic link of the /lib/modules directory
- I preferred to write a bash script called centos.sh to overcome these problems.
#!/bin/bash
# Fix broken old package links
cd /etc/yum.repos.d/
sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-Debuginfo.repo
#yum update -y
# Install dependencies
OS=CentOS
KVER=2.6.32-754.el6.x86_64
yum install kernel-debuginfo-${KVER} kernel-headers kernel-devel gcc gcc-c++ make elfutils-devel elfutils-libelf-devel git wget zip python2-devel -y
# Install libdwarf package from source code
cd / && wget http://www.prevanders.net/libdwarf-20140413.tar.gz --no-check-certificate
tar xf libdwarf-20140413.tar.gz
cd dwarf-20140413/
./configure
make dd
cp dwarfdump/dwarfdump /usr/local/bin && cp dwarfdump/dwarfdump.conf /usr/local/lib && cp libdwarf/libdwarf.a /usr/local/lib
# Fix broken symbolic link
# Remove the incorrect build location from /lib/modules if it exists
rm -f /lib/modules/${KVER}/build
# Link the kernel source location to the modules build location (-p: the directory may already exist)
mkdir -p /lib/modules/${KVER}/
ln -s /usr/src/kernels/*el6.x86_64/ /lib/modules/${KVER}/build
# Create volatility profile
cd / && git clone https://github.com/volatilityfoundation/volatility.git
cd volatility/tools/linux/
# The kernel version must be set statically when building in Docker: uname -r reports the host kernel, not ${KVER}
sed -i 's/$(shell uname -r)/'"${KVER}"'/g' Makefile
make
cd /volatility
zip volatility/plugins/overlays/linux/${OS}_${KVER}_profile.zip tools/linux/module.dwarf /usr/src/kernels/*el6.x86_64/System.map
cp /volatility/volatility/plugins/overlays/linux/${OS}_${KVER}_profile.zip /
- Let’s create a container:
docker run -it --name centos6.10 centos:6.10 /bin/bash
- Let's run the script we prepared on the container.
docker exec -i centos6.10 /bin/bash < centos.sh
- After the script finishes successfully, a copy of the created zip archive is placed in the root directory. You can fetch this archive to your host machine with the docker cp command.
OS=CentOS
KVER=2.6.32-754.el6.x86_64
docker cp centos6.10:/${OS}_${KVER}_profile.zip .
# Move new profile to plugins directory
mv ${OS}_${KVER}_profile.zip volatility/plugins/overlays/linux/
- If you encounter a problem while installing with Docker, you can find a suitable ISO file at this address and try that instead: https://archive.kernel.org/centos-vault/
Ubuntu 16.04
- For Ubuntu 16.04, you can create a container in the same way and follow the steps under the Manually Creating Profile heading step by step in its bash command line.
- Do not forget that while working with Docker, the `uname -r` command in the Makefile does not give the correct result, so you need to apply the static version step from the script above:
sed -i 's/$(shell uname -r)/'"${KVER}"'/g' Makefile
Manually Creating Profile
- Install Volatility as described under Volatility 2.6 > Installation.
- Go to tools/linux in the Volatility directory and run the make command:
sudo apt install linux-image-$(uname -r) linux-headers-$(uname -r)
cd tools/linux/
make
- If you get the `ERROR: modpost: missing MODULE_LICENSE()` error from the make command, the solution is simply to add `MODULE_LICENSE("GPL");` as the last line of volatility/tools/linux/module.c.
- If you get the `bin/sh: 1: dwarfdump: not found` error from the make command, install the dwarfdump package: `sudo apt install dwarfdump`
- You should see a new `module.dwarf` file. You also need the `System.map` file in the `/boot` directory, as it contains all symbols of the currently running kernel.
- To create a custom profile, go back to the Volatility directory and run the following command:
cd volatility/
sudo zip volatility/plugins/overlays/linux/$(lsb_release -si)_$(uname -r)_profile.zip tools/linux/module.dwarf /boot/System.map-$(uname -r)
ll volatility/plugins/overlays/linux/
- The first argument is the custom .zip with a filename of your choice.
- The next argument is the `module.dwarf` file created above, and the last argument is the `System.map` file in the `/boot` directory.
- To check whether Volatility detects the custom profile, run the `--info` command again. This time you should see the new profile listed:
python2 vol.py --info | grep $(uname -r)
Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntu_5_15_0-41-generic_profilex64 - A Profile for Linux Ubuntu_5.15.0-41-generic_profile x64
Start Using Volatility
General form of the command:
python2 vol.py -f <memory-dump-file-taken-by-Lime> <plugin-name> --profile=<name-of-our-custom-profile>
Run the linux_banner plugin to see the distribution information:
python2 vol.py -f ~/LiME/ubuntu_20.04_64bit.mem --profile=LinuxUbuntu_5_15_0-41-generic_profilex64 linux_banner
Useful Addresses
Wiki: https://github.com/volatilityfoundation/volatility/wiki
Volatility Usage: https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
Command Reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
Volatility Cheat Sheet: https://github.com/volatilityfoundation/volatility/raw/gh-pages/docs/VolatilityCheatSheet.pdf
Volatility3
- Volatility 3 does not ship a library of Linux symbol tables, so you cannot work with a Linux memory image without creating one.
- You need the `dwarf2json` tool to generate them from the debug kernel.
Installation
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
# FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/pip3.8'
# Error fix:
sudo cp /usr/bin/pip3 /usr/bin/pip3.8
python3 vol.py -h
Build Your Own Symbol Tables
- A kernel with debug symbols is the only source from which all the information required by most Volatility plugins can be recovered.
- Most Linux distributions strip the debug information from the standard kernel; the kernel with debug information is shipped in a separate package that must be obtained separately.
- Use the banners plugin to identify the banner string of a specific memory image.
- Once the banner is known, try to find the exact kernel debug package for that operating system.
- Unfortunately each distribution provides its own debug packages under different package names, and there are so many kernel versions that a distribution may not keep the debug symbols for all old versions, so it may not be possible to find the correct symbols for analyzing a Linux memory image.
- Banners must match exactly (including compilation date) for Volatility to use the JSON file.
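The banner handling from the sections above, as an added shell example that is not from the original notes: it pulls the "Linux version" banner out of a raw dump (the strings/grep step from Identify the Correct Profile), derives the kernel release and the name Volatility 2 lists for a profile zip (the --info output under Manually Creating Profile), and classifies a banner mismatch the way the exact-match rule here requires. The banner is the one quoted in the Red Hat section; the dump file and the mismatching banners are constructed.

```bash
#!/bin/bash
# Added example (not from the original notes). The banner is copied from the article's
# Red Hat section; the dump file is constructed here, padded with binary junk.

# Build a fake raw dump: junk bytes around one "Linux version" banner.
make_sample_dump() {
  printf '\000\001\377junk\000Linux version 2.6.32-754.el6.x86_64 (mockbuild@x86-033.build.eng.bos.redhat.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Thu May 24 18:18:25 EDT 2018\000\002tail\000' > "$1"
}

# Same idea as `strings dump | grep 'Linux version'`, but grep -a reads binary input
# directly and -o keeps only the banner, cut at the first control character.
banner_from_dump() {
  LC_ALL=C grep -a -o 'Linux version [^[:cntrl:]]*' "$1" | head -n1
}

# The kernel release is the third field of the banner (this is KVER in centos.sh).
kver_from_banner() {
  printf '%s\n' "$1" | awk '{print $3}'
}

# Volatility 2 lists a 64-bit Linux profile as "Linux" + zip basename with dots replaced
# by underscores + "x64" (Ubuntu_5.15.0-41-generic_profile.zip -> LinuxUbuntu_5_15_0-41-generic_profilex64).
profile_name_from_zip() {
  base=${1##*/}
  base=${base%.zip}
  printf 'Linux%sx64\n' "$(printf '%s' "$base" | tr . _)"
}

# Compare the dump banner with the banner of a candidate debug kernel. Volatility 3 needs
# an exact match, compile date included; "same-release-different-build" is the usual trap
# when a distribution rebuilt a kernel package under the same version string.
banner_match_status() {
  if [ "$1" = "$2" ]; then
    echo exact
  elif [ "$(kver_from_banner "$1")" = "$(kver_from_banner "$2")" ]; then
    echo same-release-different-build
  else
    echo different-release
  fi
}

dump=$(mktemp)
make_sample_dump "$dump"
banner=$(banner_from_dump "$dump")
kver=$(kver_from_banner "$banner")
echo "banner : $banner"
echo "rpm    : kernel-debuginfo-${kver}.rpm"
echo "profile: $(profile_name_from_zip "CentOS_${kver}_profile.zip")"
rm -f "$dump"
```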
Get Ubuntu Debug Symbol Kernel
codename=$(lsb_release -sc)
printf "deb http://ddebs.ubuntu.com %s main restricted universe multiverse\n" "$codename" "$codename-updates" "$codename-proposed" | \
sudo tee -a /etc/apt/sources.list.d/ddebs.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C8CAB6595FDFF622
sudo apt update
sudo apt install linux-image-$(uname -r)-dbgsym
ll /usr/lib/debug/boot/
Get Red Hat Debug Symbol Kernel
- Using the compile date shown by the banners plugin, the RHEL version can be found on the Red Hat Wikipedia page under the heading Version history and timeline.
- With the kernel version and date obtained, find and install the rpm package from the CentOS site: http://debuginfo.centos.org/6/x86_64/ (kernel-debuginfo-<kernel-version>.rpm)
- While installing dependencies, yum package manager repo addresses will not work on older systems. To fix this, the repo file must be changed:
# https://www.getpagespeed.com/server-setup/how-to-fix-yum-after-centos-6-went-eol
curl https://www.getpagespeed.com/files/centos6-eol.repo --output /etc/yum.repos.d/CentOS-Base.repo
yum update
Other Linux Distribution Symbol Kernels
- Debian
- Fedora
- CentOS
  - http://debuginfo.centos.org/6/x86_64/ (kernel-debuginfo-<kernel-version>.rpm)
  - https://github.com/volatilityfoundation/volatility3/blob/develop/development/centos-kernels.txt
Identify the Correct vmlinux File
- The vmlinux file must match the currently running kernel version, which can be verified with the `uname -r` command.
- vmlinux should not be confused with "vmlinuz"; the "z" indicates the compressed version of the vmlinux file.
- vmlinux file location:
  - Ubuntu: /usr/lib/debug/boot/vmlinux-`uname -r`
  - Red Hat Enterprise Linux: after installing the debug packages, the vmlinux file is in one of the following paths depending on the version:
/usr/lib/debug/lib/modules/`uname -r`/vmlinux
/usr/lib/debug/lib/usr/lib/modules/`uname -r`/vmlinux
dwarf2json
- Linux and Mac symbol tables can be created from a DWARF file using a tool called dwarf2json.
- To install dwarf2json, Go (golang) must be installed.
- If Go is not installed, you can install it with the quick installation script below:
# https://github.com/canha/golang-tools-install-script
wget -q -O - https://git.io/vQhTU | bash
source ~/.bashrc
go version
# dwarf2json
git clone https://github.com/volatilityfoundation/dwarf2json.git
cd dwarf2json
go build
sudo mv dwarf2json /usr/bin/
- Create the symbol file and move it to the project directory:
dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-$(uname -r) > $(uname -n)_$(lsb_release -sr)_$(uname -i)__$(uname -r)_symbol.json
mv *_symbol.json <volatility3>/symbols/
- Test that the symbol table works with a plugin:
python3 vol.py -f <dump.mem> linux.pstree.PsTree
Useful Addresses
Official Documentation: https://volatility3.readthedocs.io/en/latest/index.html
I used list items a lot because this article was created from my markdown notes in the Joplin tool. This is my way of taking notes. I will try to move to my blog whatever I find useful among my many notes. Long days and pleasant nights, Sai.
The Gunslinger