For reference, this guy is playing a Dutch hacking challenge :)

On Mar 16, 2013 6:53 PM, "Boudewijn Ector" <boudewijn@boudewijnector.nl> wrote:
On 03/16/2013 01:26 PM, Boudewijn Ector wrote:
> Hi Guys,
>
>
>
> I've been messing around for about a week trying to get volatility to
> analyse a memory dump of some system.
> Since this is part of a puzzle I know I should be able to analyse it
> (although I'm not sure volatility can , but it seems to be my best option).
> The actual question is this:
>
> I assume that I have a dump of a box running kernel version
> 2.6.32-45.104-generic-pae . How should I correctly create a profile in
> volatility to analyse this dump? I can create a profile but I don't
> think it's correct...
> Because I do make some assumptions, I'd like to share my workflow below.
> Please feel free to comment!
>
>
> My current setup is:
>
> - Recent ubuntu box
> - On which KVM resides
> - A "memory.raw" image of the memory of this machine. No other
> information was provided.
>
>
> First I wanted to determine what OS the image is from, and I had a look
> by grepping the image like this:
>
> strings memory.raw  | grep -i <keyword>
>
> I scanned for keywords like:
>
> - Windows
> - Ubuntu
> - Debian
> - Fedora
> - RHEL
>
> Looks like it's actually ubuntu:
> boudewijn@ubuntu:~$ strings memory.raw | grep -i ubuntu | wc -l
> 1668
>
> Okay for determining the kernel version, I started having a look at the
> output of grepping ubuntu, and I found:
>
> Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3
> (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013
> (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
> Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26
> <5>[    0.000000] Linux version 2.6.32-45-generic-pae (buildd@lamiak)
> (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb
> 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
>
>
>
> So I installed this  kernel version 2.6.32-45.104-generic-pae, and
> rebooted (which is less work than changing the makefile etc.... I'm a
> lazy sod).
> Okay, make the profile:
>
> boudewijn@ubuntu:~/volatility/tools/linux$ make
> make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y
> M=/home/boudewijn/volatility/tools/linux modules
> make[1]: Entering directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
>   CC [M]  /home/boudewijn/volatility/tools/linux/module.o
> /home/boudewijn/volatility/tools/linux/module.c:70:33: error:
> linux/net_namespace.h: No such file or directory
> make[2]: *** [/home/boudewijn/volatility/tools/linux/module.o] Error 1
> make[1]: *** [_module_/home/boudewijn/volatility/tools/linux] Error 2
> make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
> make: *** [dwarf] Error 2
>
> Fix the include statement , to include
> /usr/src/linux-headers-2.6.32-45/include/net/net_namespace.h . make
> clean ;make followed...
> Created the overlay:
>
> boudewijn@ubuntu:~$ sudo zip
> volatility/volatility/plugins/overlays/linux/Ubuntu1004.zip
> volatility/tools/linux/module.dwarf /boot/System.map-2.6.32-45-generic-pae
>   adding: volatility/tools/linux/module.dwarf (deflated 89%)
>   adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%)
> boudewijn@ubuntu:~$
>
>
> Then I ran volatility with the newly created profile, and it crashed:
>
>
> boudewijn@ubuntu:~$ python volatility/vol.py -f memory.raw --profile
> LinuxUbuntu1004x86 imageinfo
> Volatile Systems Volatility Framework 2.2
> Determining profile based on KDBG search...
>
>           Suggested Profile(s) : No suggestion (Instantiated with
> LinuxUbuntu1004x86)
>                      AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
>                      AS Layer2 : FileAddressSpace
> (/home/boudewijn/memory.raw)
>                       PAE type : PAE
>                            DTB : 0x79b000L
> Traceback (most recent call last):
>   File "volatility/vol.py", line 186, in <module>
>     main()
>   File "volatility/vol.py", line 177, in main
>     command.execute()
>   File "/home/boudewijn/volatility-2.2/volatility/commands.py", line
> 111, in execute
>     func(outfd, data)
>   File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
> line 34, in render_text
>     for k, v in data:
>   File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
> line 91, in calculate
>     kdbgoffset = volmagic.KDBG.v()
>   File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 746, in
> __getattr__
>     return self.m(attr)
>   File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 728, in m
>     raise AttributeError("Struct {0} has no member
> {1}".format(self.obj_name, attr))
> AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
>
>
>
>
> I thought it might a an amd64 box, but grepping the output of strings
> memory.raw just renders +- 10 results. Way to few to be an amd64 box.
>
>
> Can anyone tell me what I'm actually doing wrong? Or is volatility just
> not the right tool for the job.
>
>
> Cheers,
>
>
> Boudewijn Ector
Oh well, I just found out the imageinfo command is only supposed to work
for Windows...
How stupid of mine...

Found the linux_ commands already but assumed imageinfo should just show
some generic info about an image.

Boudewijn
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users