Hi guys,
I'm trying to recover a PHP script from a suspected system. The file was
stored in a tmpfs filesystem and I cannot recover it. In the PHP process
(running from the CLI) I can see references to the script but can't find the
code.
The suspected system is running Debian 8.9: Linux version 3.16.0-4-amd64
(gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.43-2+deb8u5
(2017-09-19).
I've tried to use linux_tmpfs to recover /dev/shm from memory but got some
errors with Volatility, with no success:
# ~/bin/vol26 --plugins=profiles --profile=LinuxDebian89x64 -d -f memory.dump linux_tmpfs -S 4 -D dump/
[...]
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
The PHP process has PID 1234. Using Volatility's linux_dump_map on that
process, I see the following strings in the dumped file
task.1234.0x7f003ddf3000.vma:
/dev/shm/script.php(1) : eval()'d code0x7f003ddf303f
/dev/shm/script.php(1) : eval()'d code0x7f003ddf8e2e
/dev/shm/script.php(1) : eval()'d code0x7f003ddf952a
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa588
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa7f3
I'm stuck now trying to recover the PHP eval'd code; any ideas?
Thanks
Valter
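One way to go further with the dumped VMAs, as an added example that is not part of the post above: a small heuristic carver that scans a region file (such as the task.1234.0x7f003ddf3000.vma dump) for PHP markers and reports the surrounding run of printable bytes with its offset, so source fragments that survived in process memory can be located without reading the whole dump in a hex editor. The sample bytes, the `carve_php_fragments` helper and its marker list are constructed for this example and are not from the original post.

```python
from __future__ import annotations
import re
import sys

# Markers that hint at PHP source text or eval() residue in process memory
MARKERS = (rb"<\?php", rb"\beval\s*\(", rb"eval\(\)'d code", rb"base64_decode")
MARKER_RE = re.compile(b"|".join(MARKERS))

# Bytes that can plausibly belong to PHP source text (ASCII plus tab/CR/LF)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_run(data: bytes, pos: int) -> tuple[int, int]:
    """Expand from pos to the longest run of printable bytes around it."""
    start = pos
    while start > 0 and data[start - 1] in PRINTABLE:
        start -= 1
    end = pos
    while end < len(data) and data[end] in PRINTABLE:
        end += 1
    return start, end


def carve_php_fragments(data: bytes, min_len: int = 8) -> list[tuple[int, str]]:
    """Return (offset, text) for every printable run containing a PHP marker.

    A run that holds several markers is reported once; runs shorter than
    min_len (e.g. a lone "eval()") are dropped as noise."""
    found = []
    last_end = -1
    for m in MARKER_RE.finditer(data):
        start, end = printable_run(data, m.start())
        if start <= last_end:          # marker lies in the run already reported
            continue
        last_end = end
        if end - start >= min_len:
            found.append((start, data[start:end].decode("ascii")))
    return found


# Constructed sample standing in for a dumped VMA (not bytes from the post)
SAMPLE_VMA = (
    b"\x00" * 8
    + b"/dev/shm/script.php(1) : eval()'d code"      # the residue seen in the post
    + b"\x00\x7f\x00"
    + b"<?php $code = 'echo 1;'; eval($code); ?>"    # a source fragment still in memory
    + b"\x00" * 4 + b"eval()" + b"\x00" + b"\x89PNG" # too short / no marker
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_VMA
    for off, text in carve_php_fragments(blob):
        print(f"0x{off:x}: {text[:120]!r}")
```

Run it against each task.<pid>.*.vma file that linux_dump_map produced; a fragment only shows up if the source text was still resident in the mapping when the memory image was taken.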