Hi guys,
I'm trying to recover a PHP script from a suspected system. The file was
stored in a tmpfs filesystem and I cannot recover it. In the PHP process
(running from the CLI) I can see references to the script but can't find the
code.
The suspected system is running Debian 8.9: Linux version 3.16.0-4-amd64
(gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.43-2+deb8u5
(2017-09-19).
I've tried to use linux_tmpfs to recover /dev/shm from memory but got some
errors from Volatility, with no success:
# ~/bin/vol26 --plugins=profiles --profile=LinuxDebian89x64 -d -f
memory.dump linux_tmpfs -S 4 -D dump/
[...]
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
The PHP process has pid 1234. Using Volatility's linux_dump_map on that
process, I see the following strings in the dumped file
task.1234.0x7f003ddf3000.vma:
/dev/shm/script.php(1) : eval()'d code0x7f003ddf303f
/dev/shm/script.php(1) : eval()'d code0x7f003ddf8e2e
/dev/shm/script.php(1) : eval()'d code0x7f003ddf952a
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa588
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa7f3
I'm stuck now trying to recover the php eval'd code, any ideas?
Thanks
Valter
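One way to go further with the .vma files that linux_dump_map already produced is to carve them for text that looks like PHP rather than for the file itself: the `eval()'d code` strings above are only PHP's record of where the evaluated snippet came from, but the snippet itself was passed to eval() as a string and may still sit in the process heap as a contiguous printable run. The script below is an added example, not code from the thread or from the Volatility project. It assumes the input is a raw VMA dump as produced by linux_dump_map, that the evaluated source is still resident and unfragmented (freed or opcode-compiled code will not be found this way), and it uses a constructed sample buffer (SAMPLE_DUMP) in place of a real dump; the 4096-byte fragment cap is an assumed limit.

```python
"""Carve PHP source fragments and eval() origin markers out of a raw
process memory dump, e.g. a Volatility linux_dump_map .vma file.

Added example for the mailing-list thread; not part of the original post.
SAMPLE_DUMP is constructed for demonstration and contains no real data.
"""
import re
import sys
from dataclasses import dataclass

# PHP records the origin of evaluated code as "<file>(<line>) : eval()'d code".
EVAL_MARKER = re.compile(rb"([\w./-]+\.php)\((\d+)\) : eval\(\)'d code")
# Open tag of a PHP source file held in memory as text.
PHP_OPEN = re.compile(rb"<\?php\b")
# A call to eval(): the string argument is the code we want back.
# The negative lookahead skips the "eval()'d code" origin marker itself.
EVAL_CALL = re.compile(rb"\beval\s*\((?!\)'d code)")

MAX_FRAGMENT = 4096  # assumed cap on how far a fragment is expanded


@dataclass
class Hit:
    kind: str    # "eval_marker", "php_source" or "eval_call"
    offset: int  # byte offset of the fragment in the dump
    text: str


def _is_text(b: int) -> bool:
    """Printable ASCII plus tab, LF and CR."""
    return 32 <= b < 127 or b in (9, 10, 13)


def printable_span(buf: bytes, pos: int, limit: int = MAX_FRAGMENT) -> tuple[int, bytes]:
    """Expand from pos in both directions over printable bytes.

    Returns (start offset, run). The run stops at the first non-text byte
    or at `limit` bytes in either direction.
    """
    start = pos
    while start > 0 and pos - start < limit and _is_text(buf[start - 1]):
        start -= 1
    end = pos
    while end < len(buf) and end - pos < limit and _is_text(buf[end]):
        end += 1
    return start, buf[start:end]


def carve(buf: bytes) -> list[Hit]:
    """Return every origin marker, <?php fragment and eval() call found in buf."""
    hits: list[Hit] = []
    covered: list[tuple[int, int]] = []  # spans already emitted as php_source

    for m in EVAL_MARKER.finditer(buf):
        hits.append(Hit("eval_marker", m.start(), m.group(0).decode("ascii")))

    for m in PHP_OPEN.finditer(buf):
        start, run = printable_span(buf, m.start())
        end = start + len(run)
        # Keep the text from the open tag onward; bytes before it are not PHP.
        hits.append(Hit("php_source", m.start(), buf[m.start():end].decode("ascii", "replace")))
        covered.append((start, end))

    for m in EVAL_CALL.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue  # already inside a carved <?php fragment
        start, run = printable_span(buf, m.start())
        hits.append(Hit("eval_call", start, run.decode("ascii", "replace")))

    hits.sort(key=lambda h: h.offset)
    return hits


# Constructed stand-in for a .vma file: an origin marker, a small PHP file
# and a bare eval() call, separated by non-text bytes.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"/dev/shm/script.php(1) : eval()'d code\x00"
    + b"\x7f\x00\x10\x00"
    + b"<?php echo 'hello from tmpfs'; ?>\x00\x00\x00"
    + b"\x01\x02"
    + b"$code = 'return 1+1;'; $r = eval($code);\x00"
    + b"\xff" * 4
)


def carve_file(path: str) -> list[Hit]:
    """Carve a dump file from disk (e.g. task.1234.0x7f003ddf3000.vma)."""
    with open(path, "rb") as fh:
        return carve(fh.read())


if __name__ == "__main__":
    hits = carve_file(sys.argv[1]) if len(sys.argv) > 1 else carve(SAMPLE_DUMP)
    for h in hits:
        print(f"{h.offset:#010x} {h.kind:12s} {h.text!r}")
```

Run it as `python carve_php.py task.1234.0x7f003ddf3000.vma` (or with no argument to see it work on the constructed sample). Running it over every .vma that linux_dump_map wrote for the PID, not only the one that holds the markers, is worthwhile, since the string zval that eval() received is usually on the heap while the origin marker is in a different region. A fragment that begins with `<?php` is a candidate copy of the script as it was read from /dev/shm; a bare `eval(` run is the wrapper, and the code it evaluated is whatever was assigned to its argument nearby, which this carver reports as part of the same printable run when it is still adjacent.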
We are excited to announce that two of our public trainings for 2018
have now been scheduled!
The first will be in April in Herndon, VA:
https://www.memoryanalysis.net/single-post/2017/09/30/New-Event-in-Herndon-…
The second will be in Herndon in October:
https://www.memoryanalysis.net/single-post/2017/09/30/New-Event-in-Herndon-…
We are also in the process of scheduling public trainings in Australia
for Q1 2018 and Europe for Q3. We will send out an update when these are
confirmed, but please contact us if you would like to be placed on the
notification list for either course.
To see some of the recent updates to the course, be sure to check out
our blog post:
https://volatility-labs.blogspot.com/2017/06/our-newly-updated-memory-foren…
Also, we are continuing to have many repeat students - for which we are
very grateful! If you are a previous student and wish to attend again,
then please inquire with us about the repeat-student discount.
Finally, if you will be around during OSDFCON in a few weeks then let
us know if you would like to meet up as most of the team will be in town.
-- The Volatility Team