Hi, Michael
Thanks for your reply and kindness.
The biggest problems you mentioned about Linux:
- No use of pool tags so scanning needs to be much more thorough.
I developed about three methods of searching for kernel objects. And I am writing some toy applications to test them. As far as I can see, the results are satisfying.
- The structs are very variable
Yes, this problem annoyed me a lot until I took a few days to write a Java program to deal with this. I put all data structures I need into a file (C style, and you may call it a profile) and my Java program parses these data structures. The results tell me the offset of each member in kernel objects and their super object.
Your advice to just come up with a simple task (like scan for task_structs) and then write a plugin to deal with it is very good. And my suggestion is to apply different strategies in searching for kernel objects. The more, the better.
Besides, what do you think is the most important in Linux memory forensics? The files, processes, network connections and so on. What else then?
You mentioned your new scanning framework. Is it finished yet? You said I would learn how the new framework works. In a few days or something else? And is there anything I can help with?
Then for Windows, it's very interesting to learn that Microsoft Corporation has a Windows Research Kernel. Debugging and disassembling are two ways to understand their kernel objects. Even if we locate the kernel objects, we probably don't understand how we can make use of them. Any ideas?
I am going to Beijing after Spring Festival and I will be engaged in preparing for GRE for a long time. Probably, I won't have time to spend on memory forensics. Therefore, I am determined to do as much to help as I can now.
Yuhang Gao
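Yuhang describes a program that parses C-style struct definitions from a profile file and reports the offset of each member. The block below is an added illustration in Python of that technique; it is not Yuhang's Java program and not Volatility code. It assumes the i386 and x86_64 System V ABI sizes and alignments given in its tables (the offsets depend entirely on those tables), and its sample profile is a constructed cut-down task_struct, not any real kernel's. Bitfields, unions and packed attributes are not handled.

```python
import re

# Sizes and alignments of primitive types (assumption: these tables describe
# the i386 and x86_64 System V ABIs; every computed offset depends on them).
_PRIM32 = {"char": (1, 1), "unsigned char": (1, 1), "short": (2, 2),
           "unsigned short": (2, 2), "int": (4, 4), "unsigned int": (4, 4),
           "long": (4, 4), "unsigned long": (4, 4), "long long": (8, 4),
           "unsigned long long": (8, 4), "pid_t": (4, 4), "uid_t": (4, 4)}
_PRIM64 = {**_PRIM32, "long": (8, 8), "unsigned long": (8, 8),
           "long long": (8, 8), "unsigned long long": (8, 8)}
ARCH = {"x86": (_PRIM32, (4, 4)), "x86_64": (_PRIM64, (8, 8))}  # (primitives, pointer)

STRUCT_RE = re.compile(r"struct\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
MEMBER_RE = re.compile(
    r"^(?P<type>struct\s+\w+|(?:unsigned\s+)?(?:long\s+long|long|short|int|char)|\w+)"
    r"\s*(?P<ptr>\*+)?\s*(?P<name>\w+)\s*(?:\[(?P<count>\d+)\])?$")


def parse_structs(text):
    """Parse C-style struct definitions into
    {struct_name: [(type, is_pointer, member, element_count), ...]}."""
    structs = {}
    for name, body in STRUCT_RE.findall(text):
        body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)   # drop comments
        members = []
        for decl in body.split(";"):
            decl = " ".join(decl.split())                     # normalise whitespace
            if not decl:
                continue
            m = MEMBER_RE.match(decl)
            if m is None:
                raise ValueError("unsupported declaration: %r" % decl)
            members.append((m["type"], m["ptr"] is not None,
                            m["name"], int(m["count"] or 1)))
        structs[name] = members
    return structs


def layout(name, structs, arch="x86", _cache=None):
    """Compute member offsets, total size and alignment of struct `name`,
    applying natural alignment and trailing padding the way a C compiler
    does for the given ABI table (no bitfields, unions or packed structs)."""
    prims, ptr = ARCH[arch]
    cache = {} if _cache is None else _cache
    if name in cache:
        return cache[name]
    offset, align, offsets = 0, 1, {}
    for typ, is_ptr, member, count in structs[name]:
        if is_ptr:
            size, a = ptr
        elif typ.startswith("struct "):
            inner = layout(typ[len("struct "):], structs, arch, cache)  # nested struct
            size, a = inner["size"], inner["align"]
        else:
            size, a = prims[typ]
        offset = (offset + a - 1) // a * a        # pad up to the member's alignment
        offsets[member] = offset
        offset += size * count
        align = max(align, a)
    size = (offset + align - 1) // align * align  # trailing padding
    cache[name] = {"offsets": offsets, "size": size, "align": align}
    return cache[name]


# Constructed sample profile: a cut-down task_struct, not a real kernel's.
SAMPLE_PROFILE = """
struct list_head {
    struct list_head *next;
    struct list_head *prev;
};

struct task_struct {
    long state;                 /* -1 unrunnable, 0 runnable, >0 stopped */
    unsigned long flags;
    struct list_head tasks;
    pid_t pid;
    pid_t tgid;
    struct task_struct *real_parent;
    char comm[16];
    unsigned long long start_time;
};
"""

if __name__ == "__main__":
    structs = parse_structs(SAMPLE_PROFILE)
    for arch in ARCH:
        lay = layout("task_struct", structs, arch)
        print("%s: sizeof(task_struct) = %d" % (arch, lay["size"]))
        for member, off in lay["offsets"].items():
            print("  %-12s @ %d" % (member, off))
```

Running it for both ABIs shows why a single offset table is not enough: the same definition places comm at offset 28 on i386 and 48 on x86_64, and a configuration-dependent member inserted before pid would shift everything after it in the same way.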
2010/1/4 Michael Cohen <scudette(a)gmail.com>:
Hi Yuhang,
Welcome to the volatility community!!
We have recently developed a new framework for memory analysis in the volatility dev branch. I think this would be ideal to write cross platform code (e.g. linux and windows can use the same framework).
The biggest problems I see with linux support are:
- No use of pool tags so scanning needs to be much more thorough.
- The structs are very variable - for example task_struct can have extra members depending on configuration options even for the same kernel version. This really throws out any analysis because your struct definitions need to be tweaked depending on configuration you don't know.
The new framework attempts to address these concerns using profiles. A profile is a specific python class which tells the framework how to access specific structs. For example you can have a kernel 2.6.26 profile, a kernel 2.6.30 profile etc. Then the modules can simply ask for a task_struct and the profile does the specific versioning stuff.
The idea is that a profile can run a number of tests on the image to figure out what is likely to be the correct struct layout. For example for task_struct, you can test for sanity of members after the optional members in the struct to figure out if these members are turned on. This means that the profile has some capability of adapting to the specific image - not just the kernel version.
Of course this kind of stuff also lends itself to windows profiles such as the difference between sp2 and sp3 and even xp and vista - as versions change structs have different versions and the profile is adapted to these.
The new scanning framework is also designed to address concern 1 above with very fast performance even with very thorough testing of structs. This should enable us to write scanners which don't depend on pool tags so much - a definite advantage for windows analysis as well since pool tags are easy to maliciously change.
The best advice I have is to just come up with a simple task (like scan for task_structs) and then write a plugin to deal with it - you will learn how the new framework works.
If you need some specific help, send an email, or just jump on irc - although I have not been on irc much lately :-(
Michael.
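Michael's two points, a profile that tests candidate struct layouts against the image to discover whether optional members are present, and a scanner that finds task_structs without relying on pool tags, can be shown together on a toy image. The Python block below is an added example, not code from Volatility's dev branch or Michael's framework. Everything in it is constructed: the two layouts are a cut-down task_struct with and without an 8-byte optional member (modelling a configuration-dependent field), the 32-bit kernel address boundary and pid bound are assumptions, and the image is built in the block itself. The sanity tests check the members after the optional one, as Michael suggests, and the state member before it so that a hit of the wrong layout at a shifted offset is also rejected.

```python
import struct

# Constructed 32-bit x86 conventions for the toy image (assumptions):
KERNEL_BASE = 0xC0000000   # kernel virtual addresses start here with the default 3G/1G split
PID_MAX = 4194304          # upper bound of pid_max on Linux

# Two candidate layouts of a cut-down task_struct (constructed, not a real
# kernel layout): member -> (offset, struct format). "with_audit" models a
# configuration option that inserts an 8-byte member before pid.
LAYOUTS = {
    "plain": {"size": 36, "fields": {
        "state": (0, "<i"), "flags": (4, "<I"), "pid": (8, "<i"), "tgid": (12, "<i"),
        "real_parent": (16, "<I"), "comm": (20, "16s")}},
    "with_audit": {"size": 44, "fields": {
        "state": (0, "<i"), "flags": (4, "<I"), "audit_ctx": (8, "<Q"), "pid": (16, "<i"),
        "tgid": (20, "<i"), "real_parent": (24, "<I"), "comm": (28, "16s")}},
}


def read(buf, off, layout, name):
    foff, fmt = layout["fields"][name]
    return struct.unpack_from(fmt, buf, off + foff)[0]


def looks_like_task(buf, off, layout):
    """Sanity tests on the members around the optional one. With the wrong
    layout, pid/tgid/real_parent/comm are read from shifted offsets and fail;
    checking state as well rejects a shifted hit of the other layout."""
    if off + layout["size"] > len(buf):
        return False
    state = read(buf, off, layout, "state")
    if not (state == -1 or 0 <= state < 1024):          # small task-state bitmask
        return False
    pid, tgid = read(buf, off, layout, "pid"), read(buf, off, layout, "tgid")
    if not (0 < pid < PID_MAX and 0 < tgid <= pid):      # heuristic: leader pid is not larger
        return False
    if read(buf, off, layout, "real_parent") < KERNEL_BASE:  # must point into kernel space
        return False
    name = read(buf, off, layout, "comm").split(b"\0", 1)[0]
    return 0 < len(name) < 16 and all(32 <= c < 127 for c in name)  # NUL-terminated, printable


def detect_layout(image, layouts=LAYOUTS, stride=4):
    """Profile self-test: count sanity hits per candidate layout and keep the
    layout the image agrees with most."""
    hits = {n: sum(looks_like_task(image, o, l) for o in range(0, len(image), stride))
            for n, l in layouts.items()}
    return max(hits, key=hits.get), hits


def scan_tasks(image, layout, stride=4):
    """Carve task structures without any pool-tag-style marker: walk the image
    at struct alignment and keep every offset that passes the sanity tests."""
    found = []
    for off in range(0, len(image), stride):
        if looks_like_task(image, off, layout):
            comm = read(image, off, layout, "comm").split(b"\0", 1)[0].decode("ascii")
            found.append((off, read(image, off, layout, "pid"), comm))
    return found


def build_task(layout, pid, tgid, parent, comm):
    """Serialise one constructed task with the given layout."""
    values = {"state": 0, "flags": 0x00400100, "audit_ctx": 0xC3A0B000, "pid": pid,
              "tgid": tgid, "real_parent": parent, "comm": comm.encode().ljust(16, b"\0")}
    buf = bytearray(layout["size"])
    for name, (foff, fmt) in layout["fields"].items():
        struct.pack_into(fmt, buf, foff, values[name])
    return bytes(buf)


def build_image(layout):
    """Constructed 2 KiB toy image: a repeating byte pattern as filler with three
    tasks embedded at 4-byte aligned offsets (the pattern never yields a valid pid,
    so the filler produces no false hits)."""
    image = bytearray(bytes(range(256)) * 8)
    tasks = [(100, 1, 1, 0xC1800000, "init"), (600, 42, 42, 0xC1A00000, "sshd"),
             (1200, 43, 42, 0xC1A00000, "sshd")]
    for off, pid, tgid, parent, comm in tasks:
        image[off:off + layout["size"]] = build_task(layout, pid, tgid, parent, comm)
    return bytes(image)


if __name__ == "__main__":
    for name in LAYOUTS:
        img = build_image(LAYOUTS[name])
        best, hits = detect_layout(img)
        print("image built with %-10s -> detected %-10s hits=%s" % (name, best, hits))
        print("  tasks:", scan_tasks(img, LAYOUTS[best]))
```

On a real image the candidate list would come from the profile (one entry per kernel version and configuration variant), the address bound from the image's memory map, and the scan would be driven by the framework's scanner rather than a Python loop; the adaptive step stays the same: let the image vote on which layout its structs actually follow.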
On Sun, Jan 3, 2010 at 8:09 PM, yuhang gao <rainman1919(a)gmail.com> wrote:
Thanks for your kindness.
Volatility is a very good open-source toolkit for memory forensics. And many developers and researchers write plugins for it.
I have collected some plugins for volatility, but I am afraid some plugins are not included in the source code provided by the official website of volatility.
Besides, most of them are used for windows. And I recently work on the Linux memory forensics.
I am going to write some plugins for Linux. If the WIKI contains all plugins, it seems there is not much research on Linux memory forensics.
Thanks a lot
YhGao
2010/1/3 Sebastien R <uyojimbo(a)gmail.com>:
Indeed,
There is obviously something I don't understand here: googling "volatility+plugins" returns, as a first entry:
http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
Which lists both the plugins and links to their creator's blog entry about the plugin, when applicable.
What else would you need please?
BR
2010/1/2 Matthieu Suiche <msuiche(a)gmail.com>:
Please excuse my candidness. But can you explain to this mailing-list what you do not understand?
As far as I remember, Volatility is an open-source project.
--
Matthieu Suiche
On Fri, Jan 1, 2010 at 1:08 PM, yuhang gao <rainman1919(a)gmail.com> wrote:
> Dear developers,
> I would like to work on the memory forensics of Linux and I know many researchers have written plug-ins for the volatility framework. I'd appreciate anyone who provides me with information about them, especially plug-ins for Linux. I am going to write some, so your kindness would help me save a lot of time.
> Thanks a lot.
> Yuhang Gao
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users