[Vol-users] Getting volatility to analyse a memory dump of an old ubuntu system

Boudewijn Ector boudewijn at boudewijnector.nl
Sat Mar 16 12:26:46 CDT 2013


Hi Guys,



I've been messing around for about a week trying to get volatility to
analyse a memory dump of some system.
Since this is part of a puzzle I know I should be able to analyse it
(although I'm not sure volatility can, but it seems to be my best option).
The actual question is this:

I assume that I have a dump of a box running kernel version
2.6.32-45.104-generic-pae. How should I correctly create a profile in
volatility to analyse this dump? I can create a profile but I don't
think it's correct...
Because I do make some assumptions, I'd like to share my workflow below.
Please feel free to comment!


My current setup is:

- Recent ubuntu box
- On which KVM resides
- A "memory.raw" image of the memory of this machine. No other
information was provided.


First I wanted to determine what OS the image is from, and I had a look
by grepping the image like this:

strings memory.raw  | grep -i <keyword>

I scanned for keywords like:

- Windows
- Ubuntu
- Debian
- Fedora
- RHEL

Looks like it's actually ubuntu:
boudewijn at ubuntu:~$ strings memory.raw | grep -i ubuntu | wc -l
1668

Okay, for determining the kernel version, I started having a look at the
output of grepping for ubuntu, and I found:

Linux version 2.6.32-45-generic-pae (buildd at lamiak) (gcc version 4.4.3
(Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013
(Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26
<5>[    0.000000] Linux version 2.6.32-45-generic-pae (buildd at lamiak)
(gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb
19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)



So I installed this kernel version 2.6.32-45.104-generic-pae, and
rebooted (which is less work than changing the makefile etc.... I'm a
lazy sod).
Okay, make the profile:

boudewijn at ubuntu:~/volatility/tools/linux$ make
make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y
M=/home/boudewijn/volatility/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
  CC [M]  /home/boudewijn/volatility/tools/linux/module.o
/home/boudewijn/volatility/tools/linux/module.c:70:33: error:
linux/net_namespace.h: No such file or directory
make[2]: *** [/home/boudewijn/volatility/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/boudewijn/volatility/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
make: *** [dwarf] Error 2

Fix the include statement to include
/usr/src/linux-headers-2.6.32-45/include/net/net_namespace.h. Then
make clean; make followed...
Created the overlay:

boudewijn at ubuntu:~$ sudo zip
volatility/volatility/plugins/overlays/linux/Ubuntu1004.zip 
volatility/tools/linux/module.dwarf /boot/System.map-2.6.32-45-generic-pae
  adding: volatility/tools/linux/module.dwarf (deflated 89%)
  adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%)
boudewijn at ubuntu:~$


Then I ran volatility with the newly created profile, and it crashed:


boudewijn at ubuntu:~$ python volatility/vol.py -f memory.raw --profile
LinuxUbuntu1004x86 imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with
LinuxUbuntu1004x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace
(/home/boudewijn/memory.raw)
                      PAE type : PAE
                           DTB : 0x79b000L
Traceback (most recent call last):
  File "volatility/vol.py", line 186, in <module>
    main()
  File "volatility/vol.py", line 177, in main
    command.execute()
  File "/home/boudewijn/volatility-2.2/volatility/commands.py", line
111, in execute
    func(outfd, data)
  File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
line 34, in render_text
    for k, v in data:
  File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
line 91, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 746, in
__getattr__
    return self.m(attr)
  File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 728, in m
    raise AttributeError("Struct {0} has no member
{1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG




I thought it might be an amd64 box, but grepping the output of strings
memory.raw just renders +- 10 results. Way too few to be an amd64 box.


Can anyone tell me what I'm actually doing wrong? Or is volatility just
not the right tool for the job?


Cheers,


Boudewijn Ector
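Matching the dump's exact kernel release before building a profile is the step everything else in the workflow above depends on. As an added example (not from the post or the Volatility project), this Python script scans a raw image for the kernel boot banner the post grepped for, extracts the release, build number and Ubuntu package version, and reports the header directory and System.map path the tools/linux build and the profile zip expect; the sample image and the `profile_inputs` helper are constructed for illustration.

```python
import re

# The kernel's boot banner ("Linux version ...") sits in memory as the
# linux_banner string and again inside the dmesg ring buffer.
BANNER_RE = re.compile(
    rb"Linux version (?P<release>\d+\.\d+\.\d+[\w.+-]*) "  # 2.6.32-45-generic-pae
    rb"\((?P<builder>[^)\x00\n]*)\) "                       # buildd@lamiak
    rb"\((?P<compiler>[^\x00\n]*?)\) "                      # gcc string (nested parens ok)
    rb"#(?P<build>\d+)(?P<tag>[^\s\x00]*)"                  # #104-Ubuntu
    rb"(?P<rest>[^\x00\n]*)")                               # SMP, date, (Ubuntu pkg ...)
DISTRO_RE = re.compile(rb"\((?P<distro>[^()\x00\n]*)\)\s*$")

def find_kernel_banners(image: bytes) -> list:
    """One record per distinct (release, build), with first offset and hit count."""
    found = {}
    for m in BANNER_RE.finditer(image):
        key = (m.group("release"), m.group("build"))
        if key in found:
            found[key]["count"] += 1
            continue
        d = DISTRO_RE.search(m.group("rest"))
        found[key] = {
            "offset": m.start(), "count": 1,
            "release": m.group("release").decode(),
            "build": m.group("build").decode() + m.group("tag").decode(),
            "compiler": m.group("compiler").decode().strip(),
            "distro": d.group("distro").decode() if d else "",
        }
    return list(found.values())

def profile_inputs(release: str) -> dict:
    """Paths the tools/linux build and profile zip need; arch_hint is a heuristic (-pae => 32-bit x86)."""
    return {
        "kernel_headers": f"/lib/modules/{release}/build",
        "system_map": f"/boot/System.map-{release}",
        "arch_hint": "x86 (32-bit, PAE)" if release.endswith("-pae") else "unknown",
    }

# Constructed sample image (not a real dump): junk around two copies of the
# banner quoted in the post; the list archive had rewritten "@" as " at ".
BANNER = (b"Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 "
          b"(Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 "
          b"(Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)")
SAMPLE_IMAGE = (b"\x00" * 64 + b"ubuntu\x00" * 3 + BANNER + b"\x00" * 32
                + b"<5>[    0.000000] " + BANNER + b"\n" + b"\xff" * 16)

if __name__ == "__main__":
    for b in find_kernel_banners(SAMPLE_IMAGE):
        print(f"0x{b['offset']:x} x{b['count']}: {b['release']} #{b['build']} [{b['distro']}]")
        print("   ", profile_inputs(b["release"]))
```

Replace `SAMPLE_IMAGE` with the bytes of a real image to see which release (and how many distinct banners) the dump actually carries before building anything.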

