For reference, this guy is playing a Dutch hacking challenge :)
On Mar 16, 2013 6:53 PM, "Boudewijn Ector" <boudewijn(a)boudewijnector.nl>
wrote:
On 03/16/2013 01:26 PM, Boudewijn Ector wrote:
Hi Guys,
I've been messing around for about a week trying to get volatility to
analyse a memory dump of some system.
Since this is part of a puzzle I know I should be able to analyse it
(although I'm not sure volatility can, but it seems to be my best
option).
The actual question is this:
I assume that I have a dump of a box running kernel version
2.6.32-45.104-generic-pae . How should I correctly create a profile in
volatility to analyse this dump? I can create a profile but I don't
think it's correct...
Because I do make some assumptions, I'd like to share my workflow below.
Please feel free to comment!
My current setup is:
- Recent ubuntu box
- On which KVM resides
- A "memory.raw" image of the memory of this machine. No other
information was provided.
First I wanted to determine what OS the image is from, and I had a look
by grepping the image like this:
strings memory.raw | grep -i <keyword>
I scanned for keywords like:
- Windows
- Ubuntu
- Debian
- Fedora
- RHEL
Looks like it's actually ubuntu:
boudewijn@ubuntu:~$ strings memory.raw | grep -i ubuntu | wc -l
1668
Okay for determining the kernel version, I started having a look at the
output of grepping ubuntu, and I found:
Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3
(Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013
(Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26
<5>[ 0.000000] Linux version 2.6.32-45-generic-pae (buildd@lamiak)
(gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb
19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae
2.6.32.60+drm33.26)
So I installed this kernel version 2.6.32-45.104-generic-pae, and
rebooted (which is less work than changing the makefile etc.... I'm a
lazy sod).
Okay, make the profile:
boudewijn@ubuntu:~/volatility/tools/linux$ make
make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y
M=/home/boudewijn/volatility/tools/linux modules
make[1]: Entering directory
`/usr/src/linux-headers-2.6.32-45-generic-pae'
CC [M]
/home/boudewijn/volatility/tools/linux/module.o
/home/boudewijn/volatility/tools/linux/module.c:70:33: error:
linux/net_namespace.h: No such file or directory
make[2]: *** [/home/boudewijn/volatility/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/boudewijn/volatility/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
make: *** [dwarf] Error 2
Fix the include statement, to include
/usr/src/linux-headers-2.6.32-45/include/net/net_namespace.h . make
clean; make followed...
Created the overlay:
boudewijn@ubuntu:~$ sudo zip
volatility/volatility/plugins/overlays/linux/Ubuntu1004.zip
volatility/tools/linux/module.dwarf
/boot/System.map-2.6.32-45-generic-pae
adding: volatility/tools/linux/module.dwarf
(deflated 89%)
adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%)
boudewijn@ubuntu:~$
Then I ran volatility with the newly created profile, and it crashed:
boudewijn@ubuntu:~$ python volatility/vol.py -f memory.raw --profile
LinuxUbuntu1004x86 imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with
LinuxUbuntu1004x86)
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace
(/home/boudewijn/memory.raw)
PAE type : PAE
DTB : 0x79b000L
Traceback (most recent call last):
File "volatility/vol.py", line 186, in <module>
main()
File "volatility/vol.py", line 177, in main
command.execute()
File "/home/boudewijn/volatility-2.2/volatility/commands.py", line
111, in execute
func(outfd, data)
File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
line 91, in calculate
kdbgoffset = volmagic.KDBG.v()
File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 746, in
__getattr__
return self.m(attr)
File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 728, in m
raise AttributeError("Struct {0} has no member
{1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
I thought it might be an amd64 box, but grepping the output of strings
memory.raw just renders +- 10 results. Way too few to be an amd64 box.
Can anyone tell me what I'm actually doing wrong? Or is volatility just
not the right tool for the job.
Cheers,
Boudewijn Ector
Oh well, I just found out the imageinfo command is only supposed to work
for Windows...
How stupid of me...
Found the linux_ commands already but assumed imageinfo should just show
some generic info about an image.
Boudewijn
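Added example (not from the thread, and not Volatility's own tooling): the
first half of Boudewijn's workflow, finding the "Linux version ..." banner in
a raw dump and pulling out the strings the profile build actually needs, done
with a few POSIX shell functions instead of eyeballing `strings | grep`. The
`strings` emulation via `tr`, the function names and the sample image are
assumptions of this example; the banner text is the one quoted above, and the
bytes around it are constructed filler, not a real memory.raw.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the banner keeps the
# format "Linux version <release> (...) #<build>-Ubuntu ... (Ubuntu <pkgver> ...)"
# that Boudewijn's dump shows, and it is resident somewhere in the image.

# Emulate `strings`: every non-printable byte becomes a newline, so each
# printable run ends up on its own line.
image_strings() {
    tr -c '[:print:]' '\n' < "$1"
}

# Rough keyword count, the way the thread guessed the OS. Prints 0 (and still
# succeeds) when nothing matches.
keyword_hits() {
    image_strings "$1" | grep -ci "$2" || true
}

# First kernel banner in the image; empty when there is none (not a Linux
# dump, or the page holding the banner was not captured).
kernel_banner() {
    image_strings "$1" | grep 'Linux version [0-9]' | head -n 1
}

# `uname -r` value, e.g. 2.6.32-45-generic-pae. This is the suffix of
# /boot/System.map-<release> and of /lib/modules/<release>/build, so it is
# what the profile Makefile and the zip step key on.
kernel_release() {
    kernel_banner "$1" | sed -n 's/^.*Linux version \([^ ]*\).*$/\1/p'
}

# Ubuntu ABI build number from the "#104-Ubuntu" token. Together with the
# release it identifies the exact package revision (2.6.32-45.104) whose
# headers and System.map must be installed; a different build number means
# different struct offsets and a profile that will not match the dump.
ubuntu_abi_build() {
    kernel_banner "$1" | sed -n 's/^.*#\([0-9][0-9]*\)-Ubuntu.*$/\1/p'
}

# Paths the profile build needs for this release, one per line.
profile_inputs() {
    rel=$(kernel_release "$1")
    [ -n "$rel" ] || return 1
    printf '%s\n' "/lib/modules/$rel/build" "/boot/System.map-$rel"
}

# Constructed sample standing in for memory.raw: binary filler around the
# banner quoted in the thread, plus a couple of stray "Ubuntu" strings.
make_sample_image() {
    printf '\000\001\377ELF\000garbage\000' > "$1"
    printf '%s' 'Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)' >> "$1"
    printf '\000\000Ubuntu\000\000Ubuntu\000' >> "$1"
}

# Stand-alone demo on the constructed image.
img=$(mktemp)
make_sample_image "$img"
echo "ubuntu hits:  $(keyword_hits "$img" ubuntu)"
echo "windows hits: $(keyword_hits "$img" windows)"
echo "release:      $(kernel_release "$img")"
echo "abi build:    $(ubuntu_abi_build "$img")"
profile_inputs "$img"
rm -f "$img"
```

Run it against a real image with `make_sample_image` left out and `$img`
pointing at memory.raw; if `kernel_banner` prints nothing, the dump is either
not Linux or the banner was not resident, and the keyword counts are the only
hint left. Note that the release string alone is not enough: two kernels with
the same `uname -r` but different Ubuntu build numbers can differ in struct
layout, which is why the example also pulls the ABI build number.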
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users