
Creating Linux Profiles for Volatility3


Linux Profile for Volatility3

In the last article I explained how to create a profile for Volatility2. Now we do the same task, but this time the process is updated for the new memory analysis framework, Volatility3 [1]. Following similar steps, we assume that no information was disclosed about the host the acquisition was captured from. Use the banners plugin in Volatility3 to check the kernel information:

$ ./vol.py -f /Cases/memory.raw banners
Volatility 3 Framework 2.4.0
Progress:  100.00               PDB scanning finished
Offset  Banner

0x7d600200      Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.149-2 (2022-10-21)

With that information, we can jump into a docker environment, download the necessary packages, generate the symbol table, and zip it as we've done before. For that, I'm using the docker container from this project [2]. The container runs on Alpine Linux [3], which uses APK, the Alpine Package Manager.

Pull the container image and start a shell inside it (make sure the shell runs with root permission, which is what the -u root switch below does):

$ docker pull sk4la/volatility3
$ docker run -it --rm -v $PWD:/home/vol --entrypoint ash -u root sk4la/volatility3

Once inside the docker instance, install the dpkg package (because our memory image is from a Debian machine) and download the kernel debug-symbols package (linux-image-...-dbg) that matches the banner from the Debian repository.

/ # apk add dpkg
/ # cd /tmp
/tmp # wget http://ftp.debian.org/debian/pool/main/l/linux/linux-image-5.10.0-19-amd64-dbg_5.10.149-2_amd64.deb

Extract the content to the current tmp directory:

/tmp # dpkg-deb -x linux-image-5.10.0-19-amd64-dbg_5.10.149-2_amd64.deb ./

Generate the symbol table (ISF JSON) for the kernel with dwarf2json, using the vmlinux and System.map extracted from the package, and move the json file to the directory mounted in the docker run command above (/home/vol):

/tmp # dwarf2json linux --elf ./usr/lib/debug/boot/vmlinux-5.10.0-19-amd64 --system-map ./usr/lib/debug/boot/System.map-5.10.0-19-amd64 > linux-image-5.10.0-19-amd64.json
/tmp # mv linux-image-5.10.0-19-amd64.json /home/vol

Exit the docker container and move the newly created symbol file under the Volatility3 symbols folder; in my case the Volatility3 checkout lives in /opt/volatility3:

$ sudo mv linux-image-5.10.0-19-amd64.json /opt/volatility3/volatility3/symbols/linux/
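To tie the steps above together, here is an added helper (not code from this page or from the volatility3-docker project) that derives the Debian debug package URL and the dwarf2json inputs from the banner string reported by the banners plugin. It assumes the Debian pool layout used in the wget above and that the kernel flavour suffix (amd64) is also the Debian architecture name.

```python
import re

# Banner string reported by the banners plugin above (copied from this page).
BANNER = ("Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) "
          "(gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) "
          "#1 SMP Debian 5.10.149-2 (2022-10-21)")

# Pool directory used in the wget command of this post (assumed layout).
DEBIAN_POOL = "http://ftp.debian.org/debian/pool/main/l/linux/"

# release = uname -r style string, pkgver = Debian source package version.
BANNER_RE = re.compile(
    r"^Linux version (?P<release>\S+) .*?#\d+ (?:\S+ )*?Debian (?P<pkgver>\S+) \(")


def plan_from_banner(banner, pool=DEBIAN_POOL):
    """Derive the Debian -dbg package and the dwarf2json inputs from a banner.

    Raises ValueError for banners that are not from a Debian-built kernel:
    other distributions ship debug symbols differently, so no guess is made.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("banner is not from a Debian-built kernel")
    release, pkgver = m.group("release"), m.group("pkgver")
    # Assumption: the flavour suffix equals the Debian architecture (true for amd64/arm64).
    arch = release.rsplit("-", 1)[-1]
    deb = f"linux-image-{release}-dbg_{pkgver}_{arch}.deb"
    vmlinux = f"usr/lib/debug/boot/vmlinux-{release}"
    sysmap = f"usr/lib/debug/boot/System.map-{release}"
    return {
        "release": release,
        "deb": deb,
        "url": pool + deb,
        "vmlinux": vmlinux,
        "system_map": sysmap,
        # The same commands run inside the container above, for reference.
        "commands": [
            f"wget {pool}{deb}",
            f"dpkg-deb -x {deb} ./",
            f"dwarf2json linux --elf ./{vmlinux} --system-map ./{sysmap} "
            f"> linux-image-{release}.json",
        ],
    }


if __name__ == "__main__":
    for line in plan_from_banner(BANNER)["commands"]:
        print(line)
```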

Teaching Volatility3

For vol3 to recognize the new symbol table, we'll create a zip from the json inside the symbols folder. Make sure to use the -rj switches:

  • -r: Travel the directory structure recursively;
  • -j: Store just the name of a saved file (junk the path).

$ sudo zip -rj linux-image-5.10.0-19-amd64.json.zip linux-image-5.10.0-19-amd64.json
  adding: linux-image-5.10.0-19-amd64.json (deflated 93%)

$ ls -lh
total 37M
-rw-r--r-- 1 root root  32M Dec  4 01:35 linux-image-5.10.0-19-amd64.json
-rw-r--r-- 1 root root 4.6M Dec  4 01:52 linux-image-5.10.0-19-amd64.json.zip

Testing the New Profile

To test the new symbol table, run the linux.pslist plugin. Note that this time, with Volatility3, you do not have to pass the profile with a --profile option: Volatility3 matches the symbol table to the kernel banner found in the image automatically:

$ ./vol.py -f /mnt/x/Cases/LINUX/snap3/memory.raw linux.pslist
Volatility 3 Framework 2.4.0
Progress:  100.00               Stacking attempts finished
OFFSET (V)      PID     TID     PPID    COMM

0x9956c121bc00  1       1       0       systemd
0x9956c121da00  2       2       0       kthreadd
0x9956c1218000  3       3       2       rcu_gp
0x9956c1219e00  4       4       2       rcu_par_gp
0x9956c1249e00  5       5       2       kworker/0:0
...
0x9956f5ae8000  705     705     1       systemd-network
0x9956c1bc3c00  718     718     1       dhclient
0x9956c31a3c00  732     732     1       systemd
0x9956c4e49e00  733     733     732     (sd-pam)
0x9956f618bc00  738     738     589     bash
0x9956f5ae9e00  777     777     738     avml
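Automatic detection works because the banner stored in the ISF file has to equal the banner found in the memory image. The check below is an added example (not code from this page or from Volatility3) that reads the generated .json or .json.zip and compares its banner with the one the banners plugin printed; it assumes dwarf2json stores the kernel's linux_banner array base64-encoded under symbols.linux_banner.constant_data, and uses a constructed minimal ISF fragment so it runs stand-alone.

```python
import base64
import json
import zipfile
from pathlib import Path

# Banner reported by the banners plugin for the memory image on this page.
BANNER = ("Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) "
          "(gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) "
          "#1 SMP Debian 5.10.149-2 (2022-10-21)")


def load_isf(path):
    """Load an ISF symbol table from a .json file or from a .json.zip as built above."""
    p = Path(path)
    if p.suffix == ".zip":
        with zipfile.ZipFile(p) as zf:
            name = next(n for n in zf.namelist() if n.endswith(".json"))
            return json.loads(zf.read(name))
    return json.loads(p.read_text())


def isf_banner(isf):
    """Return the kernel banner stored in the ISF, or None if it carries none.

    Assumption: dwarf2json stores the bytes of the kernel's linux_banner array
    base64-encoded in symbols.linux_banner.constant_data. The array ends with a
    newline and a NUL terminator, which are stripped before comparison.
    """
    sym = isf.get("symbols", {}).get("linux_banner")
    if not sym or "constant_data" not in sym:
        return None
    raw = base64.b64decode(sym["constant_data"])
    return raw.rstrip(b"\x00\n").decode("utf-8", errors="replace")


def banner_matches(isf, banner):
    """True when the ISF was built from exactly the kernel the image was taken from."""
    stored = isf_banner(isf)
    return stored is not None and stored == banner.strip()


# Constructed minimal ISF fragment standing in for the 32 MB file (sample data).
SAMPLE_ISF = {"symbols": {"linux_banner": {
    "address": 0,
    "constant_data": base64.b64encode((BANNER + "\n").encode() + b"\x00").decode()}}}

if __name__ == "__main__":
    print("match" if banner_matches(SAMPLE_ISF, BANNER) else "MISMATCH")
```

Run it against the real file with load_isf("linux-image-5.10.0-19-amd64.json.zip"); a mismatch (for example a -dbg package of a neighbouring Debian revision) is the usual reason pslist reports no suitable symbol table.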

References

[1] https://github.com/volatilityfoundation/volatility3

[2] https://github.com/sk4la/volatility3-docker

[3] https://www.alpinelinux.org/
