Sandesh028/Tutorials-How-to-Create-Linux-Profile-Volatility-3

Linux profile creation steps


I had downloaded and installed Ubuntu 22.04.36 LTS, which is pretty much stable.

Steps:

Install Go (dwarf2json is written in Go):

$ sudo apt update
$ sudo apt install golang-go

To turn the kernel's DWARF debug symbols into a Volatility 3 symbol table (ISF), clone the dwarf2json repository and build it:

$ git clone https://github.com/volatilityfoundation/dwarf2json.git
$ cd dwarf2json/
$ go build


Next step: add the Ubuntu debug symbol (ddebs) repository

echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
sudo tee -a /etc/apt/sources.list.d/ddebs.list

Install the debug symbol keyring

$ sudo apt install ubuntu-dbgsym-keyring

Update the package list

$ sudo apt update

Install the debug symbols for your currently running kernel

$ sudo apt install linux-image-$(uname -r)-dbgsym

Saving the debug symbols in ISF JSON format (this reads the kernel's vmlinux with debug info):

$ sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-$(uname -r) > linux-image-$(uname -r)-amd64.json

As an extra, I am also creating a System.map JSON file:

$ sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-$(uname -r) --system-map /boot/System.map-$(uname -r) > linux-image-$(uname -r)-amd64-SystemMap.json


Next step: install the build dependencies for LiME (on Ubuntu the kernel headers package is linux-headers-$(uname -r)):

$ sudo apt update
$ sudo apt install git build-essential linux-headers-$(uname -r) dkms

Download and build the LiME kernel module to take the memory dump:

$ git clone https://github.com/504ensicsLabs/LiME.git
$ cd LiME/src
$ make

Loading the LiME kernel module writes the memory dump to the given path in the lime format (hence the .lime extension):

$ sudo insmod /home/kali/LiME/src/lime-6.2.0-36-generic.ko path=/home/kali/memdump.lime format=lime

Copying the symbol tables into the volatility3 symbols directory:

$ cp /home/kali/dwarf2json/linux-image-6.2.0-36-generic-amd64.json /home/kali/volatility3/volatility3/symbols/linux-image-6.2.0-36-generic-amd64.json
$ cp /home/kali/dwarf2json/linux-image-6.2.0-36-generic-amd64-SystemMap.json /home/kali/volatility3/volatility3/symbols/linux-image-6.2.0-36-generic-amd64-SystemMap.json


After this, our Linux profile (the ISF symbol table) is created for this Ubuntu 22.04 version.
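A check worth doing before running plugins: Volatility 3 picks the Linux symbol table whose embedded linux_banner matches the banner found in the dump (what banners.Banners prints), and a mismatch is a common reason plugins report no results. The script below is an added example, not code from this repository or from Volatility; the ISF snippet is a constructed stand-in for dwarf2json output, and the function names isf_banner and banner_matches are my own.

```python
import base64
import json
import sys

# Constructed stand-in for the JSON that dwarf2json writes (real files also carry
# base_types, user_types and enums). Only the linux_banner symbol matters here:
# Volatility 3 selects the Linux symbol table whose banner matches the dump's.
SAMPLE_BANNER = ("Linux version 6.2.0-36-generic (constructed sample banner) "
                 "#37-Ubuntu SMP PREEMPT_DYNAMIC\n")
SAMPLE_ISF = json.dumps({
    "metadata": {"producer": {"name": "dwarf2json"}},
    "symbols": {
        "linux_banner": {
            "type": {"kind": "array", "count": len(SAMPLE_BANNER) + 1,
                     "subtype": {"kind": "base", "name": "char"}},
            "address": 0xffffffff82800000,  # constructed value, not a real layout
            # dwarf2json stores the bytes read from vmlinux's .rodata, base64-encoded
            "constant_data": base64.b64encode(SAMPLE_BANNER.encode() + b"\x00").decode(),
        }
    },
})


def isf_banner(isf_text: str) -> str:
    """Return the kernel banner embedded in an ISF document given as JSON text."""
    isf = json.loads(isf_text)
    sym = isf.get("symbols", {}).get("linux_banner")
    if not sym or "constant_data" not in sym:
        # Happens when dwarf2json was not given a vmlinux that carries debug info
        raise ValueError("no linux_banner constant_data in ISF; rebuild from vmlinux")
    raw = base64.b64decode(sym["constant_data"])
    # The banner is a NUL-terminated C string ending in a newline
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace").rstrip("\n")


def banner_matches(isf_text: str, image_banner: str) -> bool:
    """True when the ISF banner equals the banner banners.Banners printed for the dump."""
    return isf_banner(isf_text) == image_banner.rstrip("\n")


if __name__ == "__main__":
    # Usage: python3 check_banner.py linux-image-6.2.0-36-generic-amd64.json "<banner text>"
    if len(sys.argv) != 3:
        sys.exit("usage: check_banner.py <isf.json> <banner string from banners.Banners>")
    with open(sys.argv[1], encoding="utf-8") as fh:
        text = fh.read()
    ok = banner_matches(text, sys.argv[2])
    print("ISF banner:", isf_banner(text))
    print("MATCH" if ok else "MISMATCH: Volatility will not select this symbol table")
    sys.exit(0 if ok else 1)
```

If the banners match but a plugin still fails, the symbol table is not the cause; if they differ, the dump was taken from a different kernel build than the one the ISF was generated from.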

Once the memory dump is saved as memorydump.lime on the Ubuntu system, I tested it with volatility3 using the following commands:

  • PsList: Lists active processes in the memory image.
  • PsScan: Scans for processes in the memory image by walking the process list.
  • PsTree: Displays active processes in a parent-child relationship tree structure.
  • Banners: Identifies and prints the operating system banner information from the memory image.
  • Capabilities: Lists the Linux capabilities for each process.
  • Check Modules: Compares the loaded modules list against the module list obtained from sysfs.
  • Check Syscall: Checks the system call table for unexpected modifications (hooks).
  • Elfs: Lists ELF executables and shared libraries mapped into process address spaces.
  • Envvars: Lists environment variables for each process.
  • IOMem: Provides information similar to what is available in /proc/iomem on a live Linux system.
  • Keyboard_Notifiers: Analyzes keyboard notifier call chains for hooks.
  • KMSG: Reads the kernel log buffer messages.
  • Lsmod: Lists currently loaded kernel modules.
  • Lsof: Lists open file descriptors across all processes.
  • Malfind: Searches for memory regions within processes that may contain injected code.
  • Mountinfo: Lists mount points and mount namespaces for processes.
  • Proc.Maps: Lists all memory-mapped files for each process.
  • PsAux: Lists processes along with their command-line arguments.
  • Sockstat: Lists network connections and sockets for each process.
  • tty_check: Checks tty devices for hooks or manipulations.
  • FrameworkInfo: Provides details about the Volatility framework's components and configuration.
  • IsfInfo: Displays information about the available Intermediate Symbol Format (ISF) files.
  • LayerWriter: Writes out the data from a specified memory layer (used for debugging and analysis).
  • Check_afinfo: Verifies the operation function pointers for network protocols to check for rootkits.
  • Check_creds: Looks for processes that are sharing credential structures, which could indicate credential reuse or theft.
  • Check_idt: Checks the Interrupt Descriptor Table (IDT) for unexpected modifications, which could indicate rootkit activity.

1] PsList

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.pslist


2] PsScan

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.psscan


3] PsTree [Didn't work]

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.pstree


4] Banners

$ sudo python3 vol.py -f /home/kali/memdump.lime banners.Banners


5] Capabilities [Didn't work]

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.capabilities.Capabilities


6] Check Modules

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.check_modules.Check_modules


7] Check syscall

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.check_syscall.Check_syscall


8] Elfs

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.elfs.Elfs


9] Envvars

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.envvars.Envvars


10] IOMem

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.iomem.IOMem


11] Keyboard_Notifiers

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.keyboard_notifiers.Keyboard_notifiers


12] KMSG

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.kmsg.Kmsg


13] Lsmod

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.lsmod.Lsmod


14] Lsof

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.lsof.Lsof


15] Malfind

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.malfind.Malfind


16] Mountinfo

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.mountinfo.MountInfo


17] Proc.Maps

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.proc.Maps


18] Psaux

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.psaux.PsAux


19] Sockstat

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.sockstat.Sockstat


20] tty_check

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.tty_check.tty_check


21] frameworkinfo.FrameworkInfo

$ sudo python3 vol.py -f /home/kali/memdump.lime frameworkinfo.FrameworkInfo


22] isfinfo.IsfInfo

$ sudo python3 vol.py -f /home/kali/memdump.lime isfinfo.IsfInfo


23] layerwriter.LayerWriter

$ sudo python3 vol.py -f /home/kali/memdump.lime layerwriter.LayerWriter


24] Check_afinfo [Didn't work]

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.check_afinfo.Check_afinfo


25] Check_creds

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.check_creds.Check_creds


26] Check_idt

$ sudo python3 vol.py -f /home/kali/memdump.lime linux.check_idt.Check_idt

