Hi guys,

I'm trying to recover a PHP script from a suspected system. The file was stored in a tmpfs filesystem and I cannot recover it. In the PHP process (running from CLI) I can see references to the script but can't find the code.

The suspected system is running Debian 8.9: Linux version 3.16.0-4-amd64 (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19).

I've tried to use linux_tmpfs to recover /dev/shm from memory but got some errors from Volatility, with no success:

# ~/bin/vol26 --plugins=profiles --profile=LinuxDebian89x64 -d -f memory.dump linux_tmpfs -S 4 -D dump/
[...]
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String


The php process has pid 1234, using volatility linux_dump_map on that process I see the following strings in dumped file task.1234.0x7f003ddf3000.vma:

/dev/shm/script.php(1) : eval()'d code0x7f003ddf303f
/dev/shm/script.php(1) : eval()'d code0x7f003ddf8e2e
/dev/shm/script.php(1) : eval()'d code0x7f003ddf952a
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa588
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa7f3

I'm stuck now trying to recover the PHP eval'd code. Any ideas?

Thanks
Valter
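
The marker search described in the post, as an added example that is not part of the original message: a Python script that parses the VMA base address out of a linux_dump_map file name, reports the virtual address of every eval()'d-code marker in the dump, and lists the printable strings around a hit for manual triage. The function names, the 4096-byte window and the sample buffer are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Marker format as it appears in the post's strings output.
MARKER = re.compile(rb"(/[\x21-\x7e]+\.php)\((\d+)\) : eval\(\)'d code")
# linux_dump_map file name pattern, taken from the file name quoted in the post.
VMA_NAME = re.compile(r"task\.(\d+)\.(0x[0-9a-fA-F]+)\.vma$")
# Runs of at least 8 printable ASCII bytes (tab, LF, CR included).
PRINTABLE = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]{8,}")


def vma_base(filename):
    """Return (pid, VMA start address) parsed from a dump file name."""
    m = VMA_NAME.search(filename)
    if not m:
        raise ValueError("not a linux_dump_map file name: %r" % filename)
    return int(m.group(1)), int(m.group(2), 16)


def find_eval_markers(data, base):
    """Yield (virtual address, script path, line) for each marker in data."""
    for m in MARKER.finditer(data):
        yield base + m.start(), m.group(1).decode(), int(m.group(2))


def strings_near(data, offset, window=4096):
    """Return (file offset, text) for printable runs within window bytes of offset."""
    lo, hi = max(0, offset - window), min(len(data), offset + window)
    return [(lo + m.start(), m.group().decode("ascii"))
            for m in PRINTABLE.finditer(data[lo:hi])]


def scan(path):
    """Scan one dumped VMA file and return its marker hits with hex addresses."""
    _pid, base = vma_base(Path(path).name)
    data = Path(path).read_bytes()
    return [(hex(va), script, line)
            for va, script, line in find_eval_markers(data, base)]


# Constructed sample buffer (not real dump contents): one marker at offset 0x3f.
SAMPLE = (b"\x00" * 0x3F + b"/dev/shm/script.php(1) : eval()'d code"
          + b"\x00" * 16 + b"<?php echo 'constructed sample'; ?>" + b"\x00" * 8)

if __name__ == "__main__":
    pid, base = vma_base("task.1234.0x7f003ddf3000.vma")
    for va, script, line in find_eval_markers(SAMPLE, base):
        print("pid %d: %s line %d at %#x" % (pid, script, line, va))
        for off, text in strings_near(SAMPLE, va - base):
            print("  +%#06x  %s" % (off, text))
```

Each reported address is the VMA base plus the file offset of the hit, so it can be compared directly with the addresses in the listing above.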