# grep -i sys_ni_syscall System.map-2.6.18-308.1.1.v5
c0437304 T sys_ni_syscall
# grep compat_sys_futex System.map-2.6.18-308.1.1.v5
c0437304 W compat_sys_futex
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_volshell
Volatility Foundation Volatility Framework 2.3.1
Current context: process init, pid=1 DTB=0x1a4a000
Welcome to volshell! Current memory image is:
file:///root/image_mem/AAA.lime
To get help, type 'hh()'
>> dis(0xc0437304)
0xc0437304 b8daffffff MOV EAX, 0xffffffda
0xc0437309 c3 RET
0xc043730a 90 NOP
0xc043730b 90 NOP
0xc043730c 55 PUSH EBP
0xc043730d 89cd MOV EBP, ECX
0xc043730f 57 PUSH EDI
0xc0437310 89d7 MOV EDI, EDX
0xc0437312 56 PUSH ESI
0xc0437313 89c2 MOV EDX, EAX
0xc0437315 53 PUSH EBX
0xc0437316 83ec10 SUB ESP, 0x10
0xc0437319 89442408 MOV [ESP+0x8], EAX
0xc043731d 8b4044 MOV EAX, [EAX+0x44]
0xc0437320 8b5248 MOV EDX, [EDX+0x48]
0xc0437323 890424 MOV [ESP], EAX
0xc0437326 89542404 MOV [ESP+0x4], EDX
0xc043732a 09c2 OR EDX, EAX
0xc043732c 0f8402010000 JZ 0xc0437434
0xc0437332 8b4c2408 MOV ECX, [ESP+0x8]
0xc0437336 8b410c MOV EAX, [ECX+0xc]
0xc0437339 83e003 AND EAX, 0x3
0xc043733c 83f802 CMP EAX, 0x2
0xc043733f 0f85ad000000 JNZ 0xc04373f2
0xc0437345 8b7140 MOV ESI, [ECX+0x40]
0xc0437348 8b593c MOV EBX, [ECX+0x3c]
0xc043734b 39f5 CMP EBP, ESI
0xc043734d 0f82e1000000 JB 0xc0437434
0xc0437353 7708 JA 0xc043735d
0xc0437355 39df CMP EDI, EBX
0xc0437357 0f82d7000000 JB 0xc0437434
0xc043735d 033c24 ADD EDI, [ESP]
0xc0437360 136c2404 ADC EBP, [ESP+0x4]
0xc0437364 c744240c00000000 MOV DWORD [ESP+0xc], 0x0
0xc043736c 29df SUB EDI, EBX
0xc043736e 19f5 SBB EBP, ESI
0xc0437370 eb12 JMP 0xc0437384
0xc0437372 8b1424 MOV EDX, [ESP]
0xc0437375 011424 ADD [ESP], EDX
0xc0437378 8b4c2404 MOV ECX, [ESP+0x4]
0xc043737c 114c2404 ADC [ESP+0x4], ECX
0xc0437380 ff44240c INC DWORD [ESP+0xc]
>>
see ya
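An added example, not part of the thread and not Volatility code: a small Python checker for the two questions raised above. The grep output shows two System.map symbols at 0xc0437304, a strong `T sys_ni_syscall` and a weak `W compat_sys_futex`, and the disassembly shows that address is just `mov eax, 0xffffffda; ret`, i.e. it returns -38, which is -ENOSYS on Linux. The script resolves a syscall-table address to the strong symbol first (listing weak aliases separately), recognises that canonical "not implemented" stub by its bytes, and separates slots that merely point at sys_ni_syscall from slots whose address is not in System.map at all, which is the case that would actually suggest hijacking. The System.map excerpt and the syscall-table subset are constructed from the numbers quoted in the thread; the entry for index 0x152 at 0xf8a1c000 is a hypothetical unmapped address added only to show what a suspicious slot looks like.

```python
"""
Added example (not from the Vol-users thread or from Volatility): resolve
syscall-table addresses against a System.map, preferring strong symbols
over weak aliases, and recognise the canonical sys_ni_syscall stub.
All sample data is constructed inline; nothing is read from an image.
"""
import struct

ENOSYS = 38  # Linux errno "Function not implemented"; -38 == 0xffffffda

# Constructed System.map excerpt. The two 0xc0437304 lines are exactly
# what the grep in the thread printed: a strong T symbol and a weak W alias.
SYSTEM_MAP = """\
c0430543 T sys_restart_syscall
c0437304 T sys_ni_syscall
c0437304 W compat_sys_futex
c0476cb8 T sys_chmod
c04872bf T sys_mknod
"""

# Constructed subset of the linux_check_syscall output (index -> address).
# Index 0x152 is hypothetical: an address with no System.map entry, added
# to show how a genuinely suspicious slot differs from a sys_ni_syscall one.
SYSCALL_TABLE = {
    0x0e: 0xc04872bf,
    0x0f: 0xc0476cb8,
    0x11: 0xc0437304,
    0x13f: 0xc0437304,
    0x140: 0xc0437304,
    0x152: 0xf8a1c000,  # hypothetical, not from the thread
}

STRONG = {"T", "t"}  # defined text symbols
WEAK = {"W", "w"}    # weak symbols, which may alias a strong one


def parse_system_map(text):
    """Return {address: [(type, name), ...]} with strong symbols sorted first."""
    syms = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, typ, name = line.split()
        syms.setdefault(int(addr, 16), []).append((typ, name))
    for entries in syms.values():
        # stable sort: strong definitions before weak aliases
        entries.sort(key=lambda e: 0 if e[0] in STRONG else 1)
    return syms


def resolve(syms, addr):
    """(best name, [other names at the same address]); (None, []) if unmapped."""
    entries = syms.get(addr)
    if not entries:
        return None, []
    return entries[0][1], [name for _, name in entries[1:]]


def is_enosys_stub(code):
    """True if code begins with 'mov eax, -ENOSYS ; ret' (b8 da ff ff ff c3)."""
    if len(code) < 6 or code[0] != 0xB8 or code[5] != 0xC3:
        return False
    imm = struct.unpack_from("<i", code, 1)[0]  # signed 32-bit immediate
    return imm == -ENOSYS


def audit_table(syms, table):
    """Map each syscall index to (resolved name, aliases)."""
    return {idx: resolve(syms, addr) for idx, addr in table.items()}


def unimplemented_slots(report):
    """Indices that simply point at sys_ni_syscall (normal for holes)."""
    return sorted(i for i, (name, _) in report.items() if name == "sys_ni_syscall")


def unmapped_slots(report):
    """Indices whose target is not in System.map at all: worth a closer look."""
    return sorted(i for i, (name, _) in report.items() if name is None)


if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    print(resolve(syms, 0xC0437304))
    # bytes from the dis() output in the thread
    print(is_enosys_stub(bytes.fromhex("b8daffffffc3")))
    rep = audit_table(syms, SYSCALL_TABLE)
    print("ni_syscall slots:", [hex(i) for i in unimplemented_slots(rep)])
    print("unmapped slots:  ", [hex(i) for i in unmapped_slots(rep)])
```

The byte check matters more than the name: whatever label a tool prints for 0xc0437304, a slot whose target is the six-byte `mov eax, -ENOSYS; ret` stub is a hole in the table, not a hook. A hook would point at an address that resolves to nothing in System.map (the 0x152 case above) or at a mapped symbol whose name does not belong at that index.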
2014-03-17 19:40 GMT+00:00 Andrew Case <atcuno(a)gmail.com>:
Hello,
Can you paste the output of grepping the System.map file from the
machine (it's inside the profile if you don't have it on disk) for
'sys_ni_syscall' and 'compat_sys_futex'? In particular, I am
interested in the addresses they report.
Also, could you please run the following inside of linux_volshell:
dis(0xc0437304)
and paste me the results?
Also, I am looking into the IDT entry.
Thanks,
Andrew (@attrc)
On 3/17/2014 1:17 PM, mediomen27 wrote:
Hi,
I am trying to make some check on a linux server with kernel 2.6.18.
I am not a kernel developer so I don't know if what I am going to say is
wrong...anyway.
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall
Volatility Foundation Volatility Framework 2.3.1
Table Name Index Address Symbol
---------- ---------- ---------- ------------------------------
32bit 0x0 0xc0430543 sys_restart_syscall
32bit 0x1 0xc0428888 sys_exit
32bit 0x2 0xc0403190 sys_fork
32bit 0x3 0xc0478826 sys_read
..... SNIP
32bit 0xe 0xc04872bf sys_mknod
32bit 0xf 0xc0476cb8 sys_chmod
32bit 0x10 0xc043cef7 sys_lchown16
32bit 0x11 0xc0437304 compat_sys_futex
32bit 0x12 0xc04808e0 sys_stat
32bit 0x13 0xc047873f sys_lseek
32bit 0x14 0xc042e69f sys_getpid
..... SNIP
32bit 0x13f 0xc0437304 compat_sys_futex
32bit 0x140 0xc0437304 compat_sys_futex
32bit 0x141 0xc0437304 compat_sys_futex
32bit 0x142 0xc0437304 compat_sys_futex
32bit 0x143 0xc049e91f sys_eventfd
32bit 0x144 0xc047691d sys_fallocate
32bit 0x145 0xc0437304 compat_sys_futex
32bit 0x146 0xc0437304 compat_sys_futex
32bit 0x147 0xc0437304 compat_sys_futex
32bit 0x148 0xc0437304 compat_sys_futex
32bit 0x149 0xc0437304 compat_sys_futex
32bit 0x14a 0xc0437304 compat_sys_futex
32bit 0x14b 0xc0437304 compat_sys_futex
32bit 0x14c 0xc0437304 compat_sys_futex
32bit 0x14d 0xc0437304 compat_sys_futex
32bit 0x14e 0xc0437304 compat_sys_futex
32bit 0x14f 0xc0437304 compat_sys_futex
32bit 0x150 0xc0437304 compat_sys_futex
32bit 0x151 0xc05be378 sys_recvmmsg
What is this compat_sys_futex ??? I don't find anything like that in the
kernel source
linux-2.6.18/arch/i386/kernel/syscall_table.S

compat_sys_futex:
32bit 0xf 0xc0476cb8 sys_chmod
32bit 0x10 0xc043cef7 sys_lchown16
32bit 0x11 0xc0437304 compat_sys_futex
32bit 0x12 0xc04808e0 sys_stat
32bit 0x13 0xc047873f sys_lseek

should be sys_ni_syscall:
.long sys_chmod /* 15 */
.long sys_lchown16
.long sys_ni_syscall /* old break syscall holder */
.long sys_stat
.long sys_lseek
but...
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall | grep compat_sys_futex | wc -l
Volatility Foundation Volatility Framework 2.3.1
41
#
and
$ grep sys_ni_syscall syscall_table.S | wc -l
21
?!?!?
Does anyone have enough patience to explain this anomaly to me?
Or is this syscall hijacking?
Another question...
Is it normal that "double fault" is missing from the IDT??
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_idt
Volatility Foundation Volatility Framework 2.3.1
Index Address Symbol
---------- ---------- ------------------------------
0x0 0xc0405a7c divide_error
0x1 0xc0625498 debug
0x2 0xc0405b14 nmi
0x3 0xc06254dc int3
0x4 0xc0405c04 overflow
0x5 0xc0405c10 bounds
0x6 0xc0405c1c invalid_op
0x7 0xc0405adc device_not_available
0x9 0xc0405c28 coprocessor_segment_overrun
0xa 0xc0405c34 invalid_TSS
0xb 0xc0405c40 segment_not_present
0xc 0xc0405c4c stack_segment
0xd 0xc0625500 general_protection
0xe 0xc062550c page_fault
0xf 0xc0405c74 spurious_interrupt_bug
0x10 0xc0405ac4 coprocessor_error
0x11 0xc0405c58 alignment_check
0x12 0xc0405c64 machine_check
0x13 0xc0405ad0 simd_coprocessor_error
0x80 0xc0404f04 system_call
where is 0x8 ?
Thank you very much.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users