Loading linux profile into volatility2


Background

During utCTF I encountered irc, a challenge which involves performing memory forensics on a Linux memory dump. At the time I wasn't able to solve it because I couldn't figure out how to actually make a Linux profile for Volatility and load it in, so here's a comprehensive guide on how to do exactly that, including how to fix the error messages you might face (most tutorials I found don't actually cover that ;-;).

For this guide, I will be using ubuntu-5.13.0-39-generic. It is also recommended to read each section in full before you try anything, as you might otherwise miss some important information.


Download volatility

You can download it via git if you want to build it yourself


git clone https://github.com/volatilityfoundation/volatility

or get a prebuilt executable


Download requirements and dependencies

Next you need to check your kernel version and download the correct headers.

If you are performing analysis on a memory image whose kernel version differs from yours, you will need to download the kernel image (and headers) for that version.


uname -a
sudo apt-get install linux-headers-x.xx.xx-xx-xxxxx

# If you don't already have the correct image 
sudo apt-get install linux-image-x.xx.xx-xx-xxxx

Then you need to install some dependencies to make a module.dwarf file in volatility/tools/linux/


# gcc/make 
sudo apt-get install build-essential

# dwarfdump
sudo apt install dwarfdump


Build profile

Next we need to make a module.dwarf file so that we can zip it with our System.map file later on


cd volatility/tools/linux
make

If the build errors out with modpost: missing MODULE_LICENSE(), add MODULE_LICENSE("GPL"); as the last line of module.c

cd into /boot/ and make sure you see a System.map-xx-xx-xx-xx-xxxxx file corresponding to the kernel version that you need a profile for

Now we just need to zip the module.dwarf file together with the System.map file and put it in volatility/volatility/plugins/overlays/linux/. You can name the zip file whatever you like, as the name doesn't matter.


sudo zip volatility/volatility/plugins/overlays/linux/os-xx.xx.xx-xx-xxxxx.zip volatility/tools/linux/module.dwarf /boot/System.map-xx-xx-xx-xx-xxxxx

Now you can check if the profile is loaded correctly with python2 vol.py --info | grep Linux
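As an added example (not part of the original post), here is a small POSIX shell script that strings the steps above together: it checks that the headers and System.map for the requested kernel are present, applies the MODULE_LICENSE fix, builds module.dwarf, and zips it into the overlays directory. It assumes a volatility2 checkout path, that the tools/linux Makefile honours a KDIR variable for the kernel build tree, and that Volatility 2 names the profile from the zip basename (dots replaced by underscores, plus x64/x86), which you should confirm with --info.

```shell
#!/bin/sh
# Added example, not from the original post: automates the build steps above
# (check headers + System.map, build module.dwarf, zip into the overlays dir).
# Assumptions: $vol is a volatility2 checkout; BOOT_DIR / MOD_DIR default to
# /boot and /lib/modules but may be overridden (useful for a dry run); the
# tools/linux Makefile honours KDIR (defaults to the running kernel's tree).
set -u
BOOT_DIR="${BOOT_DIR:-/boot}"
MOD_DIR="${MOD_DIR:-/lib/modules}"

# Return 0 only if both inputs for kernel version $1 exist; name what is
# missing on stderr so the apt-get fix from the post is obvious.
check_profile_inputs() {
    kver="$1"; ok=0
    [ -d "$MOD_DIR/$kver/build" ] ||
        { echo "missing headers: sudo apt-get install linux-headers-$kver" >&2; ok=1; }
    [ -f "$BOOT_DIR/System.map-$kver" ] ||
        { echo "missing $BOOT_DIR/System.map-$kver: sudo apt-get install linux-image-$kver" >&2; ok=1; }
    return $ok
}

# Profile name Volatility 2 derives from a zip (assumption, verify with --info):
# "Linux" + basename without .zip, dots replaced by underscores, + arch.
profile_name_for_zip() {
    base=$(basename "$1" .zip)
    printf 'Linux%s%s\n' "$(printf '%s' "$base" | tr . _)" "${2:-x64}"
}

# Build module.dwarf against $1's headers and package it with System.map
# under $2/volatility/plugins/overlays/linux/, then say what --info should list.
build_linux_profile() {
    kver="$1"; vol="$2"
    check_profile_inputs "$kver" || return 1
    src="$vol/tools/linux/module.c"
    grep -q MODULE_LICENSE "$src" || echo 'MODULE_LICENSE("GPL");' >> "$src"   # modpost fix
    ( cd "$vol/tools/linux" && make KDIR="$MOD_DIR/$kver/build" ) || return 1
    out="$vol/volatility/plugins/overlays/linux/$kver.zip"
    zip -j "$out" "$vol/tools/linux/module.dwarf" "$BOOT_DIR/System.map-$kver" || return 1
    echo "packaged $out; expect $(profile_name_for_zip "$out") in: python2 $vol/vol.py --info | grep Linux"
}
```

Run it as build_linux_profile 5.13.0-39-generic ~/volatility (with sudo if the overlays directory is not writable); the stderr messages from check_profile_inputs tell you which apt-get step you skipped.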

At this point, if you installed the prebuilt binary, you should be good to go; but if the prebuilt binary doesn't work for you, continue reading.


Installing volatility

If you're on a hacking OS, volatility2 should work out of the box, but if it doesn't and you get a long stream of Failed import errors, you can try the ways listed below


git clone https://github.com/gdabah/distorm.git
cd distorm   # the clone is named distorm, not distorm3
python setup.py build
sudo python setup.py build install

# if setuptools is not found, try one of
pip install setuptools
sudo apt-get install python-setuptools

# if Python.h is not found, try
sudo apt-get install python-dev

sudo apt-get install yara
pip install pycrypto

OR


# install system dependencies
sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata

# install pip, setuptools and wheel 
sudo apt install -y python2 python2.7-dev libpython2-dev
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install -U setuptools wheel

# install volatility2 and its dependencies
python2 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
sudo python2 -m pip install yara
sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
python2 -m pip install -U git+https://github.com/volatilityfoundation/volatility.git

After all that, run python2 vol.py --info | grep Linux AND python2 vol.py -h to verify the installation is done correctly

You might get some error messages saying distorm3 is not found; this shouldn't matter, as it will still run just fine

Sources

Volatility’s wiki

tunnelix’s tutorial

issue 812

issue 771

seanthegeek’s tutorial