[Vol-users] Need help: Can anyone provide information about plug-ins for volatility framework, especially used for Linux

yuhang gao rainman1919 at gmail.com
Mon Jan 4 03:11:38 CST 2010


Hi, Michael

Thanks for your reply and kindness.

The biggest problems you mentioned about Linux:

-  No use of pool tags so scanning needs to be much more thorough.

I developed about three methods of searching for kernel objects, and
I am writing some toy applications to test them. As far as I can see,
the results are satisfying.


-  The structs are very variable
Yes, this problem annoyed me a lot until I took a few days to write a
Java program to deal with it. I put all the data structures I need into
a file (C style; you may call it a profile) and my Java program parses
these data structures. The results tell me the offset of each member in
the kernel objects and their super object.


Your advice to just come up with a simple task (like scanning for
task_structs) and then write a plugin to deal with it is very good. And
my suggestion is to apply different strategies in searching for kernel
objects. The more, the better.

Besides, what do you think is most important in Linux memory forensics?
Files, processes, network connections and so on. What else?

You mentioned your new scanning framework. Has it been finished yet? You
said I would learn how the new framework works. In a few days, or
something else? And is there anything I can help with?

Then for Windows, it's very interesting to learn that Microsoft
Corporation has a Windows Research Kernel. Debugging and disassembling
are two ways to understand their kernel objects. Even if we locate the
kernel objects, we probably don't understand how we can make use of
them. Any ideas?

I am going to Beijing after Spring Festival and I will be engaged in
preparing for the GRE for a long time. I probably won't have time to
spend on memory forensics. Therefore, I am determined to do as much as
I can to help now.

Yuhang Gao


2010/1/4 Michael Cohen <scudette at gmail.com>:
> Hi Yuhang,
>   Welcome to the volatility community!!
>
> We have recently developed a new framework for memory analysis in the
> volatility dev branch. I think this would be ideal to write cross
> platform code (e.g. Linux and Windows can use the same framework).
>
> The biggest problems I see with Linux support are:
>
> -  No use of pool tags so scanning needs to be much more thorough.
>
> -  The structs are very variable - for example task_struct can have
> extra members depending on configuration options even for the same
> kernel version. This really throws out any analysis because your
> struct definitions need to be tweaked depending on configuration you
> don't know.
>
> The new framework attempts to address these concerns using profiles. A
> profile is a specific python class which tells the framework how to
> access specific structs. For example you can have a kernel 2.6.26
> profile, a kernel 2.6.30 profile etc. Then the modules can simply ask
> for a task_struct and the profile does the specific versioning stuff.
>
> The idea is that a profile can run a number of tests on the image to
> figure out what is likely to be the correct struct layout. For example
> for task_struct, you can test for sanity of members after the optional
> members in the struct to figure out if these members are turned on.
> This means that the profile has some capability of adapting to the
> specific image - not just the kernel version.
>
> Of course this kind of stuff also lends itself to windows profiles
> such as the difference between sp2 and sp3 and even xp and vista - as
> versions change structs have different versions and the profile is
> adapted to these.
>
> The new scanning framework is also designed to address concern 1 above
> with very fast performance even with very thorough testing of structs.
> This should enable us to write scanners which don't depend on pool tags
> so much - a definite advantage for Windows analysis as well since pool
> tags are easy to maliciously change.
>
> The best advice I have is to just come up with a simple task (like
> scan for task_structs) and then write a plugin to deal with it - you
> will learn how the new framework works.
>
> If you need some specific help, send an email, or just jump on irc -
> although I have not been on irc much lately :-(
>
> Michael.
>
> On Sun, Jan 3, 2010 at 8:09 PM, yuhang gao <rainman1919 at gmail.com> wrote:
>> Thanks for your kindness.
>> Volatility is a very good open-source toolkit for memory forensics, and many
>> developers and researchers write plugins for it.
>> I have collected some plugins for volatility, but I am afraid some
>> plugins are not included in the source code provided by the official
>> website of volatility.
>> Besides, most of them are used for Windows, and I recently work on Linux
>> memory forensics.
>> I am going to write some plugins for Linux. If the WIKI contains all
>> plugins, it seems there is not much research on Linux memory forensics.
>>
>> Thanks a lot
>>
>> YhGao
>>
>>
>>
>> 2010/1/3 Sebastien R <uyojimbo at gmail.com>:
>>> Indeed,
>>>
>>> There is obviously something I don't understand here : googling
>>> "volatility+plugins" returns, as a first entry :
>>> http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
>>>
>>> Which lists both the plugins and links to their creator's blog's entry
>>> about the plugin, when applicable.
>>>
>>> What else would you need, please?
>>>
>>> BR
>>>
>>> 2010/1/2 Matthieu Suiche <msuiche at gmail.com>:
>>>> Please excuse my candidness. But can you explain to this mailing-list
>>>> what you do not understand?
>>>> As far as I remember, Volatility is an open-source project.
>>>> --
>>>> Matthieu Suiche
>>>>
>>>>
>>>>
>>>> On Fri, Jan 1, 2010 at 1:08 PM, yuhang gao <rainman1919 at gmail.com> wrote:
>>>>> Dear developers,
>>>>> I would like to work on the memory forensics of Linux and I know many
>>>>> researchers have written plug-ins for the volatility framework. I'd
>>>>> appreciate anyone who provides me with information about them,
>>>>> especially plug-ins for Linux. I am going to write some, so your
>>>>> kindness would help me save a lot of time.
>>>>> Thanks a lot.
>>>>> Yuhang Gao
>>>>> _______________________________________________
>>>>> Vol-users mailing list
>>>>> Vol-users at volatilityfoundation.org
>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>
>>>>
>>>
>>
>

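The profile idea Michael describes above (try candidate struct layouts against the image, sanity-test the members that follow an optional field, and keep the layout that fits) and the exhaustive tag-less scan it is meant to support can be sketched in a few dozen lines. The block below is an added example written for this page; it is not Volatility's code and not the Java profile parser Yuhang describes. The two task_struct layouts, the member names, the VALID_STATES set, the 8-byte alignment and the PID_MAX value are all assumptions chosen for illustration and do not match any real kernel; the memory image is constructed in build_image from random filler with a few structs embedded in it.

```python
"""Added illustration: pick the task_struct layout that fits an image by
sanity-testing candidate members, then scan the whole image for structs
without relying on pool tags. Not Volatility's own code."""
import random
import struct

# Hypothetical, simplified task_struct layouts (assumption for this example,
# not a real kernel layout). "with_audit" inserts an extra 8-byte member in
# front of comm, standing in for a member that only exists under some
# CONFIG_* option. Each entry is (member name, struct-module format code).
LAYOUTS = {
    "base": [("state", "q"), ("pid", "I"), ("tgid", "I"), ("comm", "16s")],
    "with_audit": [("state", "q"), ("pid", "I"), ("tgid", "I"),
                   ("audit", "Q"), ("comm", "16s")],
}
ALIGN = 8                 # assumption: structs sit at 8-byte aligned offsets
PID_MAX = 32768           # assumption: default pid_max; pids stay below it
VALID_STATES = {0, 1, 2, 4, 8, 16, 32, 64}  # assumption: TASK_*-like flags


def layout_format(layout):
    """struct format string for a layout (little-endian, no padding)."""
    return "<" + "".join(fmt for _, fmt in layout)


def member_offsets(layout):
    """Offset of every member: the table a profile parser would produce."""
    offsets, off = {}, 0
    for name, fmt in layout:
        offsets[name] = off
        off += struct.calcsize("<" + fmt)
    return offsets


def parse_at(layout, image, off):
    """Read one candidate struct at off, or None if it runs past the end."""
    fmt = layout_format(layout)
    if off + struct.calcsize(fmt) > len(image):
        return None
    names = (name for name, _ in layout)
    return dict(zip(names, struct.unpack_from(fmt, image, off)))


def is_sane(fields):
    """Member sanity tests; random memory fails at least one of them."""
    if fields["state"] not in VALID_STATES:
        return False
    if not (0 < fields["pid"] < PID_MAX and 0 < fields["tgid"] < PID_MAX):
        return False
    comm = fields["comm"].split(b"\0", 1)[0]
    return bool(comm) and all(0x20 <= c < 0x7F for c in comm)


def scan(layout, image):
    """Exhaustive aligned scan: no pool tags, every offset is tested."""
    hits = []
    for off in range(0, len(image), ALIGN):
        fields = parse_at(layout, image, off)
        if fields and is_sane(fields):
            comm = fields["comm"].split(b"\0", 1)[0].decode("ascii")
            hits.append((off, fields["pid"], comm))
    return hits


def choose_layout(image):
    """Profile-style adaptation: the layout yielding the most sane structs
    is taken to be the one this image was built with."""
    results = {name: scan(layout, image) for name, layout in LAYOUTS.items()}
    best = max(results, key=lambda name: len(results[name]))
    return best, results[best]


def build_image(layout_name, procs, seed=1):
    """Constructed sample image: random filler with structs of one layout."""
    rng = random.Random(seed)
    layout = LAYOUTS[layout_name]
    fmt = layout_format(layout)
    chunks = []
    for pid, comm in procs:
        filler_len = rng.randrange(0, 8) * ALIGN   # keeps structs aligned
        chunks.append(bytes(rng.getrandbits(8) for _ in range(filler_len)))
        values = {"state": 1, "pid": pid, "tgid": pid,
                  "audit": 0xDEADBEEFCAFEBABE,
                  "comm": comm.encode("ascii").ljust(16, b"\0")}
        chunks.append(struct.pack(fmt, *(values[n] for n, _ in layout)))
    chunks.append(bytes(rng.getrandbits(8) for _ in range(64)))
    return b"".join(chunks)


if __name__ == "__main__":
    procs = [(1, "init"), (842, "sshd"), (1337, "bash")]
    for name in LAYOUTS:
        best, hits = choose_layout(build_image(name, procs))
        print(f"image built with {name!r}: chosen {best!r}, hits {hits}")
```

The point of the wrong-layout case is visible in is_sane: parsing a "with_audit" struct with the "base" layout puts the audit bytes where comm is expected, and the printable-comm test rejects them, so that layout scores zero hits while the correct one recovers every process. With a real kernel the tests would be chosen per optional member (pointer alignment, kernel-space address ranges, list_head back-pointers) and the candidate layouts generated from the profile rather than written by hand.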
