[Vol-users] Re: Getting volatility to analyse a memory dump of an old ubuntu system

Edwin Smulders edwin.smulders at gmail.com
Sat Mar 16 15:23:27 CDT 2013


For reference, this guy is playing a Dutch hacking challenge :)
On Mar 16, 2013 6:53 PM, "Boudewijn Ector" <boudewijn at boudewijnector.nl>
wrote:

> On 03/16/2013 01:26 PM, Boudewijn Ector wrote:
> > Hi Guys,
> >
> >
> >
> > I've been messing around for about a week trying to get volatility to
> > analyse a memory dump of some system.
> > Since this is part of a puzzle I know I should be able to analyse it
> > (although I'm not sure volatility can, but it seems to be my best
> > option).
> > The actual question is this:
> >
> > I assume that I have a dump of a box running kernel version
> > 2.6.32-45.104-generic-pae. How should I correctly create a profile in
> > volatility to analyse this dump? I can create a profile but I don't
> > think it's correct...
> > Because I do make some assumptions, I'd like to share my workflow below.
> > Please feel free to comment!
> >
> >
> > My current setup is:
> >
> > - Recent ubuntu box
> > - On which KVM resides
> > - A "memory.raw" image of the memory of this machine. No other
> > information was provided.
> >
> >
> > First I wanted to determine what OS the image is from, and I had a look
> > by grepping the image like this:
> >
> > strings memory.raw  | grep -i <keyword>
> >
> > I scanned for keywords like:
> >
> > - Windows
> > - Ubuntu
> > - Debian
> > - Fedora
> > - RHEL
> >
> > Looks like it's actually ubuntu:
> > boudewijn at ubuntu:~$ strings memory.raw | grep -i ubuntu | wc -l
> > 1668
> >
> > Okay for determining the kernel version, I started having a look at the
> > output of grepping ubuntu, and I found:
> >
> > Linux version 2.6.32-45-generic-pae (buildd at lamiak) (gcc version 4.4.3
> > (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013
> > (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
> > Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26
> > <5>[    0.000000] Linux version 2.6.32-45-generic-pae (buildd at lamiak)
> > (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb
> > 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae
> 2.6.32.60+drm33.26)
> >
> >
> >
> > So I installed this kernel version 2.6.32-45.104-generic-pae, and
> > rebooted (which is less work than changing the makefile etc.... I'm a
> > lazy sod).
> > Okay, make the profile:
> >
> > boudewijn at ubuntu:~/volatility/tools/linux$ make
> > make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y
> > M=/home/boudewijn/volatility/tools/linux modules
> > make[1]: Entering directory
> `/usr/src/linux-headers-2.6.32-45-generic-pae'
> >   CC [M]  /home/boudewijn/volatility/tools/linux/module.o
> > /home/boudewijn/volatility/tools/linux/module.c:70:33: error:
> > linux/net_namespace.h: No such file or directory
> > make[2]: *** [/home/boudewijn/volatility/tools/linux/module.o] Error 1
> > make[1]: *** [_module_/home/boudewijn/volatility/tools/linux] Error 2
> > make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
> > make: *** [dwarf] Error 2
> >
> > Fix the include statement, to include
> > /usr/src/linux-headers-2.6.32-45/include/net/net_namespace.h. make
> > clean; make followed...
> > Created the overlay:
> >
> > boudewijn at ubuntu:~$ sudo zip
> > volatility/volatility/plugins/overlays/linux/Ubuntu1004.zip
> > volatility/tools/linux/module.dwarf
> /boot/System.map-2.6.32-45-generic-pae
> >   adding: volatility/tools/linux/module.dwarf (deflated 89%)
> >   adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%)
> > boudewijn at ubuntu:~$
> >
> >
> > Then I ran volatility with the newly created profile, and it crashed:
> >
> >
> > boudewijn at ubuntu:~$ python volatility/vol.py -f memory.raw --profile
> > LinuxUbuntu1004x86 imageinfo
> > Volatile Systems Volatility Framework 2.2
> > Determining profile based on KDBG search...
> >
> >           Suggested Profile(s) : No suggestion (Instantiated with
> > LinuxUbuntu1004x86)
> >                      AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
> >                      AS Layer2 : FileAddressSpace
> > (/home/boudewijn/memory.raw)
> >                       PAE type : PAE
> >                            DTB : 0x79b000L
> > Traceback (most recent call last):
> >   File "volatility/vol.py", line 186, in <module>
> >     main()
> >   File "volatility/vol.py", line 177, in main
> >     command.execute()
> >   File "/home/boudewijn/volatility-2.2/volatility/commands.py", line
> > 111, in execute
> >     func(outfd, data)
> >   File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
> > line 34, in render_text
> >     for k, v in data:
> >   File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
> > line 91, in calculate
> >     kdbgoffset = volmagic.KDBG.v()
> >   File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 746, in
> > __getattr__
> >     return self.m(attr)
> >   File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 728, in m
> >     raise AttributeError("Struct {0} has no member
> > {1}".format(self.obj_name, attr))
> > AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
> >
> >
> >
> >
> > I thought it might be an amd64 box, but grepping the output of strings
> > memory.raw just renders +- 10 results. Way too few to be an amd64 box.
> >
> >
> > Can anyone tell me what I'm actually doing wrong? Or is volatility just
> > not the right tool for the job.
> >
> >
> > Cheers,
> >
> >
> > Boudewijn Ector
> Oh well, I just found out the imageinfo command is only supposed to work
> for Windows...
> How stupid of me...
>
> Found the linux_ commands already but assumed imageinfo should just show
> some generic info about an image.
>
> Boudewijn
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
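The identification steps Boudewijn walks through above (strings/grep for the "Linux version" banner, matching the kernel package, naming the profile) as one script. This is an added example, not code from the thread or from the Volatility project. The sample "image" it builds is constructed: zero padding around the banner text quoted in the thread. The x86_64-string threshold used for the word-size guess is an assumption that mirrors the poster's own heuristic, and the profile naming follows the `LinuxUbuntu1004x86` form seen in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Volatility. It automates the
# first steps described in the thread: find the kernel banner in a raw Linux
# memory image, derive the Ubuntu kernel release and package names to install
# on the build box, and name the Volatility 2.x profile. The "image" is
# constructed here; only the banner text inside it is the one quoted above.

# Constructed sample: the banner padded with zero bytes, as it would sit in a
# dump (the dmesg ring-buffer copy carries the "<5>[ ... ]" prefix).
make_sample_image() {
    {
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
        printf '<5>[    0.000000] Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)\n'
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
    } > "$1"
}

# Printable runs of the image, one per line: what strings(1) gives you,
# without depending on binutils being installed.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1"
}

# First "Linux version ..." banner in the image, dmesg prefix stripped.
kernel_banner() {
    printable_strings "$1" |
        sed -n 's/.*\(Linux version [0-9][^ ]* .*\)/\1/p' | head -n 1
}

# Kernel release as uname -r prints it: third field of the banner.
kernel_release() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Ubuntu package version, e.g. 2.6.32-45.104: "<upstream>-<abi>" from the
# release plus the build number after "#".
ubuntu_kernel_version() {
    abi=$(kernel_release "$1" | awk -F- '{ print $1 "-" $2 }')
    build=$(printf '%s\n' "$1" | sed -n 's/.*#\([0-9][0-9]*\)-Ubuntu.*/\1/p')
    printf '%s.%s\n' "$abi" "$build"
}

# Packages whose kernel and headers match the dump, for the box that builds
# module.dwarf.
ubuntu_packages() {
    rel=$(kernel_release "$1")
    printf 'linux-image-%s linux-headers-%s\n' "$rel" "$rel"
}

# Word size. A "-pae" flavour is a 32-bit x86 kernel with PAE paging (hence
# the IA32 PAE address space Volatility chose in the thread). Otherwise fall
# back to the poster's heuristic: a 64-bit image carries many "x86_64"
# strings. The threshold of 50 is an assumption, not a Volatility rule.
image_arch() {
    case "$(kernel_release "$(kernel_banner "$1")")" in
        *-pae) echo x86; return ;;
    esac
    n=$(printable_strings "$1" | grep -c 'x86_64' || true)
    if [ "$n" -gt 50 ]; then echo x64; else echo x86; fi
}

# Volatility 2.x names a Linux profile "Linux" + overlay zip basename + word
# size, so Ubuntu1004.zip on a 32-bit kernel is LinuxUbuntu1004x86.
volatility_profile() {
    printf 'Linux%s%s\n' "$(basename "$1" .zip)" "$2"
}

main() {
    img=${1:-$(mktemp)}
    [ -s "$img" ] || make_sample_image "$img"
    banner=$(kernel_banner "$img")
    if [ -z "$banner" ]; then
        echo "no Linux version banner in $img" >&2
        return 1
    fi
    arch=$(image_arch "$img")
    profile=$(volatility_profile Ubuntu1004.zip "$arch")
    echo "release : $(kernel_release "$banner")"
    echo "version : $(ubuntu_kernel_version "$banner")"
    echo "install : $(ubuntu_packages "$banner")"
    echo "profile : $profile"
    # imageinfo is Windows-only; the Linux plugins are the linux_* ones.
    echo "next    : vol.py -f $img --profile=$profile linux_pslist"
}

main "$@"
```

Run it with no arguments to see the constructed sample analysed, or pass the path of a real image as the first argument. The `tr`-based `printable_strings` stands in for `strings memory.raw` from the thread so the script runs on a box without binutils; the output is the same printable runs.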