Hi,
I am trying to analyze a memory dump from a CentOS server but I have got some problems.
------ Plugin linux_check_afinfo ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ----------
------ Plugin linux_check_creds ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
PIDs
--------
ERROR : volatility.plugins.linux.check_creds: This command is not supported in this profile.
------ Plugin linux_check_evt_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Check PASS/FAIL Info
------------------------------ --------- ------------------------------
SWI Offset Instruction FAIL -
------ Plugin linux_check_syscall_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Index Address Symbol
---------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 88, in render_text
    for (i, call_addr, hooked) in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 66, in calculate
    num_syscalls = self._get_syscall_table_size()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 38, in _get_syscall_table_size
    opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 169, in Object
    offset = int(offset)
TypeError: int() argument must be a string or a number, not 'NoneType'
------ Plugin linux_check_tty ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Name Address Symbol
---------------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 59, in render_text
    for name, call_addr in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 52, in calculate
    recv_buf = tty_dev.ldisc.ops.receive_buf
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 735, in __getattr__
    return self.m(attr)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 717, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct ldisc has no member ops
------ Plugin linux_pidhashtable ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
------ Plugin linux_psxview ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset(V)  Name                 PID    pslist pid_hash kmem_cache
---------- -------------------- ------ ------ -------- ----------
The other plugins work fine.
Bye.
Working with a ransomware infection, trying to dump one of the modules that looks suspicious (the only one to reference a file in user's AppData). I'm trying to dump it via the base address found through modscan, but getting:
moddump Error: e_magic 8D4C is not a valid DOS signature.
I tried -u. Is there any other way to dump it?
--
chort
I think I have some issues with an 8+GB VMware snapshot. I can get
psscan and thrdscan output but no other output from other plugins.
Any suggestions from the group on troubleshooting the image?
FYI, I can see all the data when I view it in HBGary Responder Pro.
Thanks
Dave
Sent from my iPhone
We are pleased to announce the next public Volatility training
opportunity: the Windows Malware and Memory Forensics Training by The
Volatility Project. This course will take place in Reston, VA from
Monday, June 10th through Friday, June 14th 2013. For details, please
see our blog:
http://volatility-labs.blogspot.com/2013/03/official-training-by-volatility…
or email us at: voltraining(a)memoryanalysis.net
All the best,
-gleeda
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
I'm digging through a memory image of a pretty thoroughly compromised
system using Volatility and I've run across something new (to me
anyway...).
There's a rogue process in the image that lists a PID which exceeds the
width allocated by Volatility:
0xdba0f9a8 cmd.exe              5004   True  True  False True  False True  False
0xda247250 chrome.exe           4764   True  True  False True  False True  False
0x6da39918 ☼                    42...2 False False False False False False True
0xdcd97610 SearchFilterHo       6956   False True  False False False False False
0xdace4568 PrintIsolation       6312   False True  False False False False False
I'd dearly love to get my hands on that executable, but I don't see an
easy way to get the PID.
Any easy way forward on this?
-=[ Steve ]=-
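An added example, not part of Steve's post and not Volatility's own code: a parser for psxview-style rows that reads each line from the right, so a garbled Name or PID column (as in the third row above) cannot shift the boolean fields, and that lists the offsets of the entries an analyst cannot reach by PID. The column order (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd) is assumed from Volatility 2.2's psxview, since the post shows no header, and the sample rows are constructed to mirror the ones quoted. In Volatility 2.x, procdump accepts a physical EPROCESS offset via -o/--offset as an alternative to -p; check whether your psxview build labels the column Offset(P) or Offset(V) before passing it.

```python
import re

# Constructed psxview-style sample mirroring the rows in the post. Column order is assumed
# from Volatility 2.2's psxview; the post itself shows no header.
SAMPLE = """\
Offset     Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0xdba0f9a8 cmd.exe              5004   True   True   False    True   False True    False
0xda247250 chrome.exe           4764   True   True   False    True   False True    False
0x6da39918 \u263c                 42...2 False  False  False    False  False False   True
0xdcd97610 SearchFilterHo       6956   False  True   False    False  False False   False
0xdace4568 PrintIsolation       6312   False  True   False    False  False False   False
"""

FLAG_NAMES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")
OFFSET_RE = re.compile(r"^0x[0-9a-fA-F]{8,16}$")


def parse_psxview(text):
    """Parse rows right-to-left: the trailing True/False tokens and the leading hex offset are
    fixed, so whatever bytes ended up in Name (even ones containing spaces) sit in between."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # 1 offset + name tokens + 1 pid + 7 flags; header/separator/blank lines are skipped
        if len(tokens) < 9 or not OFFSET_RE.match(tokens[0]):
            continue
        flags = tokens[-len(FLAG_NAMES):]
        if any(f not in ("True", "False") for f in flags):
            continue
        pid_tok = tokens[-len(FLAG_NAMES) - 1]
        row = {
            "offset": int(tokens[0], 16),
            "name": " ".join(tokens[1 : -len(FLAG_NAMES) - 1]),
            "pid": int(pid_tok) if pid_tok.isdigit() else None,  # None = unusable PID
            "pid_raw": pid_tok,
        }
        row.update(zip(FLAG_NAMES, (f == "True" for f in flags)))
        rows.append(row)
    return rows


def needs_offset_dump(rows):
    """Offsets of processes that -p cannot reach: the PID is garbage, or the process is absent
    from pslist (unlinked or exited), which is the list the PID-based plugins walk."""
    return [r["offset"] for r in rows if r["pid"] is None or not r["pslist"]]


if __name__ == "__main__":
    for off in needs_offset_dump(parse_psxview(SAMPLE)):
        print("dump by offset: 0x%08x" % off)
```

The right-anchored split is the point: a rogue process can put any bytes it likes into ImageFileName, so a parser that splits on the Name column's expected width breaks exactly on the rows that matter.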
Hi Guys,
I've been messing around for about a week trying to get Volatility to
analyse a memory dump of some system.
Since this is part of a puzzle I know I should be able to analyse it
(although I'm not sure Volatility can, but it seems to be my best option).
The actual question is this:
I assume that I have a dump of a box running kernel version
2.6.32-45.104-generic-pae . How should I correctly create a profile in
volatility to analyse this dump? I can create a profile but I don't
think it's correct...
Because I do make some assumptions, I'd like to share my workflow below.
Please feel free to comment!
My current setup is:
- Recent ubuntu box
- On which KVM resides
- A "memory.raw" image of the memory of this machine. No other information was provided.
First I wanted to determine what OS the image is from, and I had a look
by grepping the image like this:
strings memory.raw | grep -i <keyword>
I scanned for keywords like:
- Windows
- Ubuntu
- Debian
- Fedora
- RHEL
Looks like it's actually ubuntu:
boudewijn@ubuntu:~$ strings memory.raw | grep -i ubuntu | wc -l
1668
Okay, for determining the kernel version, I started having a look at the
output of grepping ubuntu, and I found:
Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26
<5>[ 0.000000] Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
So I installed this kernel version 2.6.32-45.104-generic-pae, and
rebooted (which is less work than changing the makefile etc.... I'm a
lazy sod).
Okay, make the profile:
boudewijn@ubuntu:~/volatility/tools/linux$ make
make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y M=/home/boudewijn/volatility/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
  CC [M]  /home/boudewijn/volatility/tools/linux/module.o
/home/boudewijn/volatility/tools/linux/module.c:70:33: error: linux/net_namespace.h: No such file or directory
make[2]: *** [/home/boudewijn/volatility/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/boudewijn/volatility/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
make: *** [dwarf] Error 2
Fixed the include statement to include
/usr/src/linux-headers-2.6.32-45/include/net/net_namespace.h; make clean; make followed...
Created the overlay:
boudewijn@ubuntu:~$ sudo zip volatility/volatility/plugins/overlays/linux/Ubuntu1004.zip volatility/tools/linux/module.dwarf /boot/System.map-2.6.32-45-generic-pae
  adding: volatility/tools/linux/module.dwarf (deflated 89%)
  adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%)
boudewijn@ubuntu:~$
Then I ran volatility with the newly created profile, and it crashed:
boudewijn@ubuntu:~$ python volatility/vol.py -f memory.raw --profile LinuxUbuntu1004x86 imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1004x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/boudewijn/memory.raw)
                      PAE type : PAE
                           DTB : 0x79b000L
Traceback (most recent call last):
  File "volatility/vol.py", line 186, in <module>
    main()
  File "volatility/vol.py", line 177, in main
    command.execute()
  File "/home/boudewijn/volatility-2.2/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py", line 91, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 746, in __getattr__
    return self.m(attr)
  File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 728, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
I thought it might be an amd64 box, but grepping the output of strings
memory.raw just renders +- 10 results. Way too few to be an amd64 box.
Can anyone tell me what I'm actually doing wrong? Or is volatility just
not the right tool for the job.
Cheers,
Boudewijn Ector
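An added example, not from Boudewijn's post and not part of Volatility's own tooling: a scanner that pulls the kernel's `Linux version ...` banner out of a raw image with a regex instead of eyeballing `strings | grep`, streams a multi-GB image in overlapping chunks so a banner straddling a chunk boundary is still found exactly once, and derives from the release string the System.map and kernel-headers paths the profile build needs. Assumptions: the banner layout from the kernel's init/version.c (`Linux version <release> (<builder>) (<compiler>) <version>`, newline-terminated), and the Ubuntu naming convention that a `-pae` flavour is a 32-bit i386 kernel (amd64 kernels carry no such suffix), which is the arch hint the post's banner gives. The sample image is constructed from the banner quoted in the post.

```python
import re

# Layout of the kernel's linux_banner string (init/version.c; assumed, not from the post):
#   "Linux version <release> (<user@host>) (<compiler, one level of parens allowed>) <version>\n"
# The terminating newline/NUL is required so a banner cut off at a chunk boundary never
# yields a truncated match.
BANNER_RE = re.compile(
    rb"Linux version (?P<release>[0-9]\S+) "
    rb"\((?P<builder>[^()\n]*)\) "
    rb"\((?P<compiler>(?:[^()\n]|\([^()\n]*\))*)\) "
    rb"(?P<version>#[^\n\x00]*)[\n\x00]"
)

# Constructed sample: the banner from the post, once as the raw linux_banner string and once
# as the dmesg copy with its "<5>[ 0.000000] " prefix, surrounded by filler bytes.
SAMPLE_BANNER = (
    b"Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 "
    b"(Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 "
    b"(Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)\n"
)
DMESG_PREFIX = b"<5>[    0.000000] "
SAMPLE_IMAGE = (
    b"\x00" * 4096 + SAMPLE_BANNER + b"\x00" * 1000 + DMESG_PREFIX + SAMPLE_BANNER + b"\xff" * 512
)


def find_banners(data, base=0):
    """Every banner in `data`, with its offset relative to the start of the image."""
    hits = []
    for m in BANNER_RE.finditer(data):
        hits.append({
            "offset": base + m.start(),
            "release": m.group("release").decode("ascii", "replace"),
            "builder": m.group("builder").decode("ascii", "replace"),
            "compiler": m.group("compiler").decode("ascii", "replace").strip(),
            "version": m.group("version").decode("ascii", "replace"),
        })
    return hits


def scan_image(path, chunk_size=64 * 1024 * 1024, overlap=4096):
    """Stream a raw image in chunks; `overlap` must exceed the banner length so a banner
    straddling a boundary is matched in the next chunk, and the offset set keeps it unique."""
    seen, hits, pos, tail = set(), [], 0, b""
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk_size)
            if not buf:
                break
            data = tail + buf
            for h in find_banners(data, base=pos - len(tail)):
                if h["offset"] not in seen:
                    seen.add(h["offset"])
                    hits.append(h)
            tail = data[-overlap:]
            pos += len(buf)
    return hits


def profile_hints(hits):
    """Collapse hits to distinct releases and name the inputs a Volatility Linux profile needs."""
    out = {}
    for h in hits:
        rel = h["release"]
        entry = out.setdefault(rel, {
            "system_map": "System.map-" + rel,               # goes into the profile zip
            "headers_dir": "/usr/src/linux-headers-" + rel,  # needed to build module.dwarf
            "pae_32bit": "-pae" in rel,  # Ubuntu naming: -pae flavours are i386, never amd64
            "copies": 0,
        })
        entry["copies"] += 1
    return out


if __name__ == "__main__":
    import sys
    image = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_image(image) if image else find_banners(SAMPLE_IMAGE)
    for rel, info in profile_hints(found).items():
        print(rel, info)
```

Seeing the same release string in more than one copy (the static linux_banner plus the boot-time dmesg line) is a useful sanity check that the image really is from one kernel; two different releases would mean a multi-kernel host or a contaminated capture.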
Hello all,
I thought I'd let you know that we've put together a cheat sheet that
you might find useful when using Volatility in your investigations:
http://volatility-labs.blogspot.com/2013/03/if-youre-going-to-cheat_15.html
Also we plan to announce the next training opportunity for our Windows
Malware and Memory Forensics Training Course on Monday, March 18th
2013 so stay tuned!
All the best,
-gleeda
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
I apologize in advance if I'm overlooking something. I'm using the Windows binary of Volatility 2.2 on a Windows 7 platform. Could someone tell me how I can extract a certain driver using the offset?
I looked at the moddump help and the offset option is not listed. I tried to use -o anyway and got an error saying there is no such option (--offset=offset didn't work either). The Volatility command wiki doesn't show the moddump help but it does link to this post which shows the offset as an option:
http://moyix.blogspot.com/2008/10/plugin-post-moddump.html
I'm not that familiar with Python so looking at the plugin code wasn't that helpful for me. What I am trying to do is to extract a specific driver from a memory image. The moddump command works for extracting all drivers but it would be nice to extract only the one I need.
Thanks for any help
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
Hi,
Yesterday during a challenge we had to use the linux_dump_map plugin
to dump a process stack, and the documentation at
https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_pro…
says it has the -p option to select a process.
However, as far as I can tell looking in the svn history, this plugin
never had the -p option. And it's definitely not working currently.
I've heard a confirmation that the option was working in version
2.2-rc1, so maybe it was a global option?
The reason I'm mailing this is because, if the -s is virtual memory,
would you not get possible overlap in areas? How do you know it dumped
the correct VMA? Note that every time I tried, I got the correct area.
Cheers,
Edwin