Dump and read memory

Requirements

First, install these packages:

$ apt install linux-headers-`uname -r` build-essential dwarfdump

We need Go to build dwarf2json, the tool that produces the symbol table for Volatility3. Install Go:

$ wget https://go.dev/dl/go1.20.3.linux-amd64.tar.gz
$ sudo tar -C /usr/local/ -xf go1.20.3.linux-amd64.tar.gz
$ export PATH=$PATH:/usr/local/go/bin
$ go version
go version go1.20.3 linux/amd64

LiME

First, download LiME: https://github.com/504ensicsLabs/LiME

Go to LiME/src and compile:

$ cd LiME/src/
$ make
make -C /lib/modules/5.19.0-38-generic/build M="/home/gbucchino/Documents/GIT/LiME/src" modules
make[1]: Entering directory '/usr/src/linux-headers-5.19.0-38-generic'
warning: the compiler differs from the one used to build the kernel
  The kernel was built by: x86_64-linux-gnu-gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
  You are using:           gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
  LD [M]  /home/gbucchino/Documents/GIT/LiME/src/lime.ko
  BTF [M] /home/gbucchino/Documents/GIT/LiME/src/lime.ko
Skipping BTF generation for /home/gbucchino/Documents/GIT/LiME/src/lime.ko due to unavailability of vmlinux
make[1]: Leaving directory '/usr/src/linux-headers-5.19.0-38-generic'
strip --strip-unneeded lime.ko
mv lime.ko lime-5.19.0-38-generic.ko

And now, insert the module into the kernel:

sudo insmod lime-`uname -r`.ko "path=/mnt/Ubuntu_`uname -r`.mem format=lime"

We now have our memory dump. To read it we need another tool, Volatility, which is described in the next section.

You can check that the module is loaded in the kernel:

$ lsmod | grep lime
lime                   20480  0

You can remove it:

$ sudo rmmod lime
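A dump written with format=lime, as above, is a sequence of 32-byte LiME range headers, each followed by the bytes of one physical-memory range, so a dump that was interrupted is silently short. The checker below is an added example, not LiME or Volatility code; it assumes the LiME range header layout (little-endian magic 0x4C694D45, version 1, start, inclusive end, 8 reserved bytes), and the sample dump it parses is constructed in the code.

```python
import struct

# Header the LiME module writes before every physical-memory range when loaded
# with format=lime (raw/padded dumps carry no headers): little-endian u32 magic
# 0x4C694D45 ("EMiL" on disk), u32 version 1, u64 start address, u64 inclusive
# end address, 8 reserved bytes; 32 bytes in total.
LIME_MAGIC = 0x4C694D45
LIME_HDR = struct.Struct("<IIQQ8s")

def parse_lime(data: bytes):
    """Return (start, end, payload_offset) per range; ValueError on a bad
    header, unordered ranges, or a payload cut short (interrupted dump)."""
    ranges, pos = [], 0
    while pos < len(data):
        if len(data) - pos < LIME_HDR.size:
            raise ValueError(f"truncated header at offset {pos:#x}")
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {pos:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr or (ranges and s_addr <= ranges[-1][1]):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} out of order")
        size = e_addr - s_addr + 1          # end address is inclusive
        payload = pos + LIME_HDR.size
        if payload + size > len(data):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} truncated: "
                             f"need {size} bytes, have {len(data) - payload}")
        ranges.append((s_addr, e_addr, payload))
        pos = payload + size
    return ranges

def check_dump(data: bytes) -> str:
    """One-line verdict: 'ok: N ranges, M bytes of RAM' or the first error."""
    try:
        ranges = parse_lime(data)
    except ValueError as exc:
        return f"error: {exc}"
    total = sum(e - s + 1 for s, e, _ in ranges)
    return f"ok: {len(ranges)} ranges, {total} bytes of RAM"

def make_range(s_addr: int, e_addr: int, fill: int) -> bytes:
    """Header + payload for one range; used only to build constructed data."""
    hdr = LIME_HDR.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\0" * 8)
    return hdr + bytes([fill]) * (e_addr - s_addr + 1)

# Constructed sample: two tiny "System RAM" ranges, not a real dump.
SAMPLE_DUMP = (make_range(0x1000, 0x10FF, 0xAA)
               + make_range(0x100000, 0x1000FF, 0xBB))
```

To check a real image, pass the bytes of the file given to path= above to check_dump; the range list it returns is also what a memory layer needs to map physical addresses to file offsets.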

Volatility

First, download Volatility: https://github.com/volatilityfoundation/volatility

Then, go to tools/linux:

$ cd /home/user/forensic/volatility/tools/linux
$ make
make -C //lib/modules/6.1.0-kali7-amd64/build CONFIG_DEBUG_INFO=y M="/home/user/forensic/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-6.1.0-kali7-amd64'
  CC [M]  /home/user/forensic/volatility/tools/linux/module.o
  MODPOST /home/user/forensic/volatility/tools/linux/Module.symvers
ERROR: modpost: missing MODULE_LICENSE() in /home/user/forensic/volatility/tools/linux/module.o
make[2]: *** [/usr/src/linux-headers-6.1.0-kali7-common/scripts/Makefile.modpost:126: /home/user/forensic/volatility/tools/linux/Module.symvers] Error 1
make[1]: *** [/usr/src/linux-headers-6.1.0-kali7-common/Makefile:1989: modpost] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-6.1.0-kali7-amd64'
make: *** [Makefile:10: dwarf] Error 2

If you get this error, add this line at the end of module.c:

MODULE_LICENSE("GPL");

And compile again:

$ make
make -C //lib/modules/6.1.0-kali7-amd64/build CONFIG_DEBUG_INFO=y M="/home/user/forensic/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-6.1.0-kali7-amd64'
make[1]: Leaving directory '/usr/src/linux-headers-6.1.0-kali7-amd64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/6.1.0-kali7-amd64/build M="/home/user/forensic/volatility/tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-6.1.0-kali7-amd64'
  CLEAN   /home/user/forensic/volatility/tools/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-6.1.0-kali7-amd64'

That generates module.dwarf, which we need for analysing the memory.

Now we need to create the profile: a zip file containing the System.map file and the module.dwarf generated in the previous step:

zip volatility/plugins/overlays/linux/Kali_`uname -r`.zip tools/linux/module.dwarf /boot/System.map-`uname -r`

The zip file must be placed in volatility/plugins/overlays/linux/. Its name should include the architecture of the system, but this is not mandatory.

You can try to find the profile you need with this command:

python2.7 vol.py imageinfo -f <myimage>

Volatility3

If your kernel version is higher than 5.10, you should use Volatility3: https://github.com/volatilityfoundation/volatility3

Go to the project and create your virtualenv:

$ virtualenv ~/forensic
$ source ~/forensic/bin/activate

Then, install the requirements:

$ pip3 install -r requirements.txt

The python package yara-python needs the libssl-dev package: apt install libssl-dev

Making our symbol table

Download the dwarf2json project: https://github.com/volatilityfoundation/dwarf2json

And build the project:

cd dwarf2json
go build

We need to install the debug information for the Linux kernel image. So, install these packages:

sudo apt install linux-image-`uname -r` linux-image-`uname -r`-dbg

With that, we can build the file containing the symbols. The debug data is in /usr/lib/debug/boot/.

You can generate the symbol table:

./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-5.10.0-19-amd64 > ../volatility3/volatility3/symbols/linux/Ubuntu-`uname -r`.json

The file name must end in .json, otherwise Volatility3 cannot find the symbol table.

https://wiki.ubuntu.com/Debug%20Symbol%20Packages

https://github.com/volatilityfoundation/dwarf2json/issues/37

Now you can verify that Volatility3 finds the ISF information:

python3 vol.py -f ../memory.vmem -s volatility3/symbols/linux/ isfinfo
Volatility 3 Framework 2.4.2
Progress:  100.00       PDB scanning finished         
URI Valid   Number of base_types    Number of types Number of symbols   Number of enums Identifying information

file:///home/geoffrey/Documents/GIT/forensic/volatility3/volatility3/symbols/linux/Ubuntu-5.10.0-19-amd64.json  Unknown 18  8693    144165  1528    b'Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.149-2 (2022-10-21)\n\x00'

That works.

You can find out which kernel version, and therefore which symbol table, you need with the banner plugin:

python3 vol.py -f /mnt/Ubuntu_5.19.0-40-generic.mem banner
Volatility 3 Framework 2.4.2
Progress:  100.00       PDB scanning finished                      
Offset  Banner

0x3fb061f8  Linux version 5.15.0-27-generic (buildd@ubuntu) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022 (Ubuntu 5.15.0-27.28-generic 5.15.30)
0x5a1e67f2  Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) (gcc (Ubuntu 11.3.0-
0x5a6621e8  Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) (gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 (Ubuntu 5.15.0-58.64-generic 5.15.74)
0x686808ca  Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) (gcc (Ubuntu 11.3.0-
0x6935c1c8  Linux version 5.19.0-38-generic (buildd@lcy02-amd64-001) (x86_64-linux-gnu-gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 21:16:15 UTC 2
0x6b01c2c0  Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) (gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 (Ubuntu 5.15.0-58.64-generic 5.15.74)

And you can install the debug symbol package you need for analyzing the memory:

sudo apt install linux-image-5.19.0-38-generic-dbg
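The banner plugin can report several kernel version strings (the output above shows both 5.15 and 5.19 ones), and Volatility3 selects a symbol table by the linux_banner string embedded in it, which is the "Identifying information" isfinfo printed earlier. The helper below is an added example, not Volatility3 or dwarf2json code; it reads the base64 constant_data field that dwarf2json writes from a constructed, minimal ISF document, matches it against constructed banner strings modelled on the output above, and derives the linux-image-<release>-dbg package name from the match.

```python
import base64
import json
import re

# Constructed banner strings modelled on the banner plugin output above (not
# copied from a real image): a stale 5.15 kernel and the running 5.19 kernel.
FOUND_IN_MEMORY = [
    b"Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) (gcc (Ubuntu "
    b"11.3.0-1ubuntu1~22.04) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) "
    b"#64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023\n\x00",
    b"Linux version 5.19.0-38-generic (buildd@lcy02-amd64-001) (x86_64-linux-"
    b"gnu-gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, GNU ld (GNU Binutils for "
    b"Ubuntu) 2.38) #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 "
    b"21:16:15 UTC 2023\n\x00",
]

# Constructed, minimal ISF document in the shape dwarf2json emits: the kernel's
# linux_banner is stored base64-encoded under symbols.linux_banner.constant_data
# (isfinfo's "Identifying information" column above is that field, decoded).
SAMPLE_ISF = json.dumps({
    "metadata": {"format": "6.2.0"},
    "symbols": {"linux_banner": {
        "type": {"kind": "array", "count": len(FOUND_IN_MEMORY[1]),
                 "subtype": {"kind": "base", "name": "char"}},
        "address": 0xFFFFFFFF82A00000,  # placeholder, not a real address
        "constant_data": base64.b64encode(FOUND_IN_MEMORY[1]).decode()}},
})

def isf_banner(isf_text: str) -> bytes:
    """Banner the symbol table was built for, decoded as volatility3 does."""
    isf = json.loads(isf_text)
    return base64.b64decode(isf["symbols"]["linux_banner"]["constant_data"])

def banner_release(banner: bytes) -> str:
    """b'Linux version 5.19.0-38-generic (...)' -> '5.19.0-38-generic'."""
    m = re.match(rb"Linux version (\S+)", banner)
    if not m:
        raise ValueError("not a Linux version banner")
    return m.group(1).decode()

def matching_banner(isf_text: str, banners):
    """Return the in-memory banner this ISF covers, or None. The whole string
    must match: the same release with another build number is a miss."""
    want = isf_banner(isf_text).rstrip(b"\n\x00")
    return next((b for b in banners if b.rstrip(b"\n\x00") == want), None)

def dbg_package(banner: bytes) -> str:
    """Debian/Ubuntu debug package holding the vmlinux for this banner."""
    return f"linux-image-{banner_release(banner)}-dbg"
```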

Analyzing our memory dump

Now that we have our memory dump and the JSON file containing the symbol table, we can analyze the memory. First, we can list the processes that were running:

$ python3 vol.py -f ../memory.vmem -s volatility3/symbols/linux/ linux.pslist
Volatility 3 Framework 2.4.2
Progress:  100.00       Stacking attempts finished                 
OFFSET (V)  PID TID PPID    COMM

0xa0000091b080  1   1   0   systemd
0xa0000091e100  2   2   0   kthreadd
0xa0000091c8c0  3   3   2   rcu_gp
0xa00000919840  4   4   2   rcu_par_gp
0xa00000918000  5   5   2   kworker/0:0
0xa00000946100  6   6   2   kworker/0:0H
0xa000009448c0  7   7   2   kworker/u8:0

Dwarf

A DWARF file contains debugging information; module.dwarf above is the DWARF data dumped from the compiled module.ko.

Symbol

We can see the symbols of a program.

For instance, take this C program:

#include <stdlib.h>
#include <stdio.h>

/* Non-static function: appears as a global text symbol ("T sum") in nm. */
int sum(int a, int b){
    return a + b;
}

int main(void){
    int a = 0;
    int b = 5;
    printf("%d\n", a);   /* printf is resolved from libc, hence "U printf" */
    a = sum(a, b);
    printf("%d\n", a);
    return 0;
}

Compile the program and get the symbol with the nm command:

$ gcc -ggdb -O0 -Wno-all -o main main.c
$ nm main
000000000000038c r __abi_tag
0000000000004010 B __bss_start
0000000000004010 b completed.0
                 w __cxa_finalize@GLIBC_2.2.5
0000000000004000 D __data_start
0000000000004000 W data_start
0000000000001090 t deregister_tm_clones
0000000000001100 t __do_global_dtors_aux
0000000000003dc0 d __do_global_dtors_aux_fini_array_entry
0000000000004008 D __dso_handle
0000000000003dc8 d _DYNAMIC
0000000000004010 D _edata
0000000000004018 B _end
00000000000011c8 T _fini
0000000000001140 t frame_dummy
0000000000003db8 d __frame_dummy_init_array_entry
0000000000002110 r __FRAME_END__
0000000000003fb8 d _GLOBAL_OFFSET_TABLE_
                 w __gmon_start__
0000000000002008 r __GNU_EH_FRAME_HDR
0000000000001000 T _init
0000000000002000 R _IO_stdin_used
                 w _ITM_deregisterTMCloneTable
                 w _ITM_registerTMCloneTable
                 U __libc_start_main@GLIBC_2.34
0000000000001161 T main
                 U printf@GLIBC_2.2.5
00000000000010c0 t register_tm_clones
0000000000001060 T _start
0000000000001149 T sum
0000000000004010 D __TMC_END__

What is the uninitialized data section (bss)?

https://medium.com/iqube-kct/know-what-is-bss-text-data-memory-segments-of-an-executable-file-in-embedded-systems-6158d92aa519
