[Vol-users] Need help: Can anyone provide information about plug-ins for volatility framework, especially used for Linux

Michael Cohen scudette at gmail.com
Sun Jan 3 19:01:20 CST 2010


Hi Yuhang,
   Welcome to the volatility community!!

We have recently developed a new framework for memory analysis in the
volatility dev branch. I think this would be ideal to write cross-platform
code (e.g. Linux and Windows can use the same framework).

The biggest problems I see with Linux support are:

-  No use of pool tags so scanning needs to be much more thorough.

-  The structs are very variable - for example task_struct can have
extra members depending on configuration options even for the same
kernel version. This really throws out any analysis because your
struct definitions need to be tweaked depending on configuration you
don't know.

The new framework attempts to address these concerns using profiles. A
profile is a specific python class which tells the framework how to
access specific structs. For example you can have a kernel 2.6.26
profile, a kernel 2.6.30 profile etc. Then the modules can simply ask
for a task_struct and the profile does the specific versioning stuff.

The idea is that a profile can run a number of tests on the image to
figure out what is likely to be the correct struct layout. For example
for task_struct, you can test for sanity of members after the optional
members in the struct to figure out if these members are turned on.
This means that the profile has some capability of adapting to the
specific image - not just the kernel version.

Of course this kind of stuff also lends itself to Windows profiles
such as the difference between SP2 and SP3 and even XP and Vista - as
versions change structs have different versions and the profile is
adapted to these.

The new scanning framework is also designed to address concern 1 above
with very fast performance even with very thorough testing of structs.
This should enable us to write scanners which don't depend on pool tags
so much - a definite advantage for Windows analysis as well since pool
tags are easy to maliciously change.

The best advice I have is to just come up with a simple task (like
scan for task_structs) and then write a plugin to deal with it - you
will learn how the new framework works.

If you need some specific help, send an email, or just jump on IRC -
although I have not been on IRC much lately :-(

Michael.

On Sun, Jan 3, 2010 at 8:09 PM, yuhang gao <rainman1919 at gmail.com> wrote:
> Thanks for your kindness.
> Volatility is a very good open-source toolkit for memory forensics. And many
> developers and researchers write plugins for it.
> I have collected some plugins for volatility, but I am afraid some
> plugins are not included in the source code provided by the official
> website of volatility.
> Besides, most of them are used for Windows. And I recently work on the Linux
> memory forensics.
> I am going to write some plugins for Linux. If the WIKI contains all
> plugins, it seems there is not much research on Linux memory forensics.
>
> Thanks a lot
>
> YhGao
>
>
>
> 2010/1/3 Sebastien R <uyojimbo at gmail.com>:
>> Indeed,
>>
>> There is obviously something I don't understand here: googling
>> "volatility+plugins" returns, as a first entry:
>> http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
>>
>> Which lists both the plugins and links to their creator's blog's entry
>> about the plugin, when applicable.
>>
>> What else would you need please?
>>
>> BR
>>
>> 2010/1/2 Matthieu Suiche <msuiche at gmail.com>:
>>> Please excuse my candidness. But can you explain to this mailing list
>>> what you do not understand?
>>> As far as I remember, Volatility is an open-source project.
>>> --
>>> Matthieu Suiche
>>>
>>>
>>>
>>> On Fri, Jan 1, 2010 at 1:08 PM, yuhang gao <rainman1919 at gmail.com> wrote:
>>>> Dear developers,
>>>> I would like to work on the memory forensics of Linux and I know many
>>>> researchers have written plug-ins for the volatility framework. I'd
>>>> appreciate anyone who provides me with information about them,
>>>> especially plug-ins for Linux. I am going to write some, so your
>>>> kindness would help me save a lot of time.
>>>> Thanks a lot.
>>>> Yuhang Gao
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users at volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>
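The profile idea described above (sanity-test the members that follow an optional one to pick the right struct layout, then scan for task_structs without relying on pool tags), as an added Python example that is not part of this thread or of Volatility's own code; the two task_struct layouts, the CONFIG-dependent "extra" member and the memory image are constructed for illustration, not real kernel layouts.

```python
import struct

# Two candidate layouts for a simplified, constructed "task_struct" (not a real
# kernel layout). An optional CONFIG-dependent member "extra" shifts every member
# after it, so the profile must work out which layout the image really uses.
LAYOUTS = {  # name -> (member -> (struct format, offset), total size)
    "base":     ({"pid": ("<I", 4), "comm": ("16s", 8)}, 24),
    "optional": ({"pid": ("<I", 4), "extra": ("<I", 8), "comm": ("16s", 12)}, 28),
}
PID_MAX = 4194304               # Linux PID_MAX_LIMIT on 64-bit kernels
PRINTABLE = set(range(0x20, 0x7F))

class LinuxProfile:
    def __init__(self, name):
        self.name = name
        self.layout, self.size = LAYOUTS[name]

    def member(self, image, offset, name):
        fmt, off = self.layout[name]
        return struct.unpack_from(fmt, image, offset + off)[0]

    def is_sane(self, image, offset):
        """Sanity-test the members that sit after the optional one."""
        if offset + self.size > len(image):
            return False
        pid = self.member(image, offset, "pid")
        name, nul, tail = self.member(image, offset, "comm").partition(b"\x00")
        # comm must be a non-empty printable string, NUL-terminated and NUL-padded
        return 0 <= pid < PID_MAX and bool(nul and name) \
            and all(c in PRINTABLE for c in name) and not tail.strip(b"\x00")

def scan(image, profile, step=4):
    """Pool-tag-free scan: every aligned offset is sanity-tested as a task."""
    hits = []
    for off in range(0, len(image) - profile.size + 1, step):
        if profile.is_sane(image, off):
            comm = profile.member(image, off, "comm").rstrip(b"\x00").decode()
            hits.append((off, profile.member(image, off, "pid"), comm))
    return hits

def choose_profile(image):
    """Pick the layout whose sanity tests fire most often on this image."""
    return max((LinuxProfile(n) for n in LAYOUTS), key=lambda p: len(scan(image, p)))

def make_task(pid, comm, extra=0xDEADBEEF):
    # Constructed sample record laid out with the optional member present.
    return struct.pack("<III16s", 0, pid, extra, comm.encode())

# Constructed memory image: zero/0xff padding around three fake tasks.
IMAGE = (b"\x00" * 32 + make_task(0, "swapper/0") + b"\xff" * 8
         + make_task(1, "init") + make_task(1337, "bash") + b"\x00" * 16)
```

With the "base" layout the scan finds nothing because comm lands on the extra member's bytes, while the "optional" layout recovers all three tasks, so choose_profile() selects it for this image.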