[Vol-users] Recovering php eval code from memory with volatility

Valter Santos vrsantos at sectoid.com
Wed Oct 18 09:20:59 EDT 2017


Hi guys,

I'm trying to recover a PHP script from a suspected system. The file was
stored in a tmpfs filesystem and I cannot recover it. In the php process
(running from the CLI) I can see references to the script but can't find the
code.

The suspected system is running Debian 8.9: Linux version 3.16.0-4-amd64
(gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.43-2+deb8u5
(2017-09-19).

I've tried to use linux_tmpfs to recover /dev/shm from memory but got some
errors from Volatility, with no success:

# ~/bin/vol26 --plugins=profiles --profile=LinuxDebian89x64 -d -f
memory.dump linux_tmpfs -S 4 -D dump/
[...]
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String


The php process has PID 1234. Using the Volatility linux_dump_map plugin on
that process, I see the following strings in the dumped file
task.1234.0x7f003ddf3000.vma:

/dev/shm/script.php(1) : eval()'d code0x7f003ddf303f
/dev/shm/script.php(1) : eval()'d code0x7f003ddf8e2e
/dev/shm/script.php(1) : eval()'d code0x7f003ddf952a
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa588
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa7f3

I'm stuck now trying to recover the PHP eval'd code; any ideas?

Thanks
Valter
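One way to go from the "eval()'d code" marker to the source text, as an added example that is not part of the original post and not Volatility code: the Zend engine tags code compiled from eval() with that pseudo-filename, while the string passed to eval() is an ordinary heap string that PHP does not wipe when it is freed, so the source often survives somewhere in the same mapping. The script below takes a raw dump such as the task.1234.0x7f003ddf3000.vma file written by linux_dump_map, finds every marker, and carves NUL-terminated printable runs within a window around each one that look like PHP (a known token, or a $variable plus a ';'). The window size, the token list and the constructed sample dump are assumptions, not recovered evidence.

```python
#!/usr/bin/env python3
"""Carve PHP source fragments out of a raw process-memory dump, such as the
task.<pid>.<addr>.vma files written by Volatility's linux_dump_map.

Added example, not code from the original post or from Volatility. Assumptions:
the dump fits in memory, and the eval'd source text (an ordinary heap string
that PHP does not wipe on free) survives within `window` bytes of the
"eval()'d code" pseudo-filename. The token list and the sample dump are
assumptions, not recovered evidence."""
import re
import sys

# Pseudo-filename the Zend engine assigns to code compiled from eval().
EVAL_MARKER = b"eval()'d code"

# A run of printable ASCII bytes; a NUL ends it, matching how PHP stores strings.
PRINTABLE_RUN = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]{8,}")

# Tokens that distinguish PHP source from paths, log lines and other strings.
PHP_TOKENS = (b"<?php", b"eval(", b"base64_decode(", b"gzinflate(", b"str_rot13(",
              b"$_POST", b"$_GET", b"$_REQUEST", b"$_COOKIE", b"function ",
              b"system(", b"exec(", b"shell_exec(", b"passthru(")
VARIABLE = re.compile(rb"\$[A-Za-z_]\w*")


def find_markers(buf):
    """Offsets of every eval()'d-code marker in the buffer."""
    return [m.start() for m in re.finditer(re.escape(EVAL_MARKER), buf)]


def looks_like_php(run):
    """Heuristic: a known PHP token, or a $variable together with a ';'."""
    if EVAL_MARKER in run:          # the marker itself contains "eval(" but is not code
        return False
    if any(tok in run for tok in PHP_TOKENS):
        return True
    return VARIABLE.search(run) is not None and b";" in run


def carve_php_near_markers(buf, window=0x10000, min_len=20):
    """Scan `window` bytes either side of each marker for printable runs that look
    like PHP source. Returns [(offset, source_text), ...] sorted by offset,
    with duplicates (one run near several markers) collapsed."""
    hits = {}
    for off in find_markers(buf):
        lo, hi = max(0, off - window), min(len(buf), off + window)
        for m in PRINTABLE_RUN.finditer(buf, lo, hi):
            run = m.group()
            if len(run) >= min_len and looks_like_php(run):
                hits[m.start()] = run.decode("ascii", "replace")
    return sorted(hits.items())


def build_sample_dump():
    """Constructed stand-in for a .vma file (not real evidence): two decoy strings,
    one PHP one-liner, the marker, and NUL padding so the layout resembles a heap."""
    return (b"\x00" * 64
            + b"/usr/lib/php5/20131226/json.so\x00"
            + b"\x00" * 256
            + b"<?php $c=base64_decode($_POST['x']); eval($c);\x00"
            + b"\x00" * 1024
            + b"/dev/shm/script.php(1) : eval()'d code\x00"
            + b"PHP Warning:  Cannot modify header information\x00"
            + b"\x00" * 64)


if __name__ == "__main__":
    # Usage: carve_eval.py task.1234.0x7f003ddf3000.vma  (no argument: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for off, src in carve_php_near_markers(data):
        print("0x%x:\n%s\n" % (off, src))
```

The quick manual equivalent is `strings -a -t x task.1234.0x7f003ddf3000.vma | grep -B 20 -A 20 "eval()'d code"`; the script only adds the PHP-shaped filtering and the window bounds. Two caveats: the compiled opcodes keep only literal strings, not the full source, so if the eval'd string's heap chunk was reused nothing will be found near the marker, and a code block that was itself produced by base64_decode() or gzinflate() will show up as the decoded text, not as the obfuscated one-liner on disk.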