Banners, isfinfo, and custom profiles

How to force Volatility3 to use a specific (albeit mismatching) Linux kernel profile

Let's explore a couple of concepts to ensure we're using the correct terminology.

Volatility uses the 'banners' plugin to identify the operating system, kernel version, compilation information, etc. This is critical to ensure the correct profile is used when attempting to parse the memory dump: the correct profile ensures that the kernel is correctly identified and that its memory structures are mapped correctly.

The Intermediate Symbol Format (ISF) is a JSON-based file format in which Volatility stores the kernel's memory structures (types, symbols and enums) so they can be mapped correctly, allowing the other plugins to run. The 'isfinfo' plugin lists the ISF files Volatility has found and the banner each one was built for.

As I highlighted here, you can use the banners plugin to identify the operating system if it was previously unknown. The banners plugin also aids in troubleshooting and debugging when building custom profiles.

I recently helped a person on Discord to build a custom kernel profile for a memory sample which was collected during a CTF. We can approach this in a simple manner: 1) run banners, and 2) run strings.

Identify banner information

$ python3 vol.py -f dump.raw banners
Volatility 3 Framework 2.20.0
Progress:  100.00               PDB scanning finished
Offset  Banner

0x77a00200      Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)

0x78dc3718      Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)

We can see that the Ubuntu kernel 5.15.0-43 is in use in this sample. Ubuntu docs suggest that it was published on/around 9th May 2023 and was released in Jammy (22.04).

Because the same kernel version can ship on different releases (20.04 with 5.15.0-43, 22.04 with 5.15.0-43, etc.), we want to confirm which release this sample came from. This makes it easier to locate the relevant debugging symbols.

Confirm operating system release

We know that Ubuntu stores its release information in the following locations (examples included):

/etc/issue

Ubuntu 20.04.5 LTS \n \l

/etc/os-release

NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

/etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"

We can use these locations (with strings/grep) to gather more information. This command will print the matching line, plus the previous 4 lines.

$ strings dump.raw | grep -B 4 DISTRIB_DESCRIPTION

        create 644 root root
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.4 LTS"

So now we have the release version and kernel version. You can follow the guide here to generate a kernel profile before you continue.

Inspecting custom profile JSON

Following the previous guide, we've generated a custom profile for our memory sample. We've moved it into our default symbols directory, so let's try and use it to process our memory sample.

The first step is to run isfinfo to make sure it's a registered/cached profile.

$ python3 vol.py isfinfo

Volatility 3 Framework 2.20.0
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

file:///home/user/Desktop/volatility3/volatility3/symbols/Ubuntu.5.15.0-43-generic.json Unknown 19      12076   199003  2075    b'Linux version 5.15.0-43-generic (buildd@lcy02-amd64-026) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #46~20.04.1-Ubuntu SMP Thu Jul 14 15:20:17 UTC 2022 (Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39)\n\x00'

A good start; now let's run linux.pslist to list the processes.

$ python3 vol.py -f dump.raw linux.pslist
Volatility 3 Framework 2.20.0
Progress:  100.00               Stacking attempts finished
Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

But we downloaded the correct release, installed the correct kernel (5.15.0-43-generic) and installed the relevant debugging symbols (5.15.0-43-generic-dbgsym). So what's wrong?

isfinfo

Linux version 5.15.0-43-generic (buildd@lcy02-amd64-026) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #46~20.04.1-Ubuntu SMP Thu Jul 14 15:20:17 UTC 2022 (Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39)

banners

Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)

We can see there's a mismatch between the banner embedded in our custom profile (isfinfo) and the banner found in the dump (banners): the build host, compiler version, build number and build date all differ, because the profile was generated from the 5.15.0-43.46~20.04.1 package while the dump is running 5.15.0-43.46. Volatility matches a profile to a dump by this exact banner string, which is why the symbol table requirement went unsatisfied even though the symbols directory contained a profile for 5.15.0-43. Forcing the profile through is only reasonable because the two builds come from the same 5.15.0-43 source, so the structure layouts are expected to match; if they did not, plugins would run but produce nonsense, so sanity-check the output (systemd as PID 1 with sensible parents is a good sign).

Open the .json file for the kernel profile you created (Ubuntu20.04-5.15.0-43-generic.json).

Within it, find the 'linux_banner' symbol: its 'constant_data' field holds the banner string, base64-encoded. This is the value Volatility compares against the banner it scans out of the dump.

Take your banners output and convert it into base64 (echo, CyberChef, etc.). Keep the trailing newline and NUL byte that the original value decodes to (isfinfo shows them as \n\x00), so the new value has the same form as the one dwarf2json produced.

Replace the original base64 value in the kernel profile with your new value.

Save this as a new profile (Ubuntu.5.15.0-43-generic-modified.json), clear your Volatility cache, then attempt to run the plugin again.

$ python3 vol.py -v --clear-cache -f dump.raw linux.pslist
Volatility 3 Framework 2.20.0
INFO     volatility3.cli: Volatility plugins path: ['/home/user/Desktop/volatility3/volatility3/plugins', '/home/user/Desktop/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/user/Desktop/volatility3/volatility3/symbols', '/home/user/Desktop/volatility3/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule

OFFSET (V)      PID     TID     PPID    COMM    UID     GID     EUID    EGID    CREATION TIME   File output

0x8df7c1278000  1       1       0       systemd 0       0       0       0       2022-11-15 22:56:31.038819 UTC  Disabled
0x8df7c127df00  2       2       0       kthreadd        0       0       0       0       2022-11-15 22:56:31.038819 UTC  Disabled
0x8df7c127c740  3       3       2       rcu_gp  0       0       0       0       2022-11-15 22:56:31.166819 UTC  Disabled
0x8df7c127af80  4       4       2       rcu_par_gp      0       0       0       0       2022-11-15 22:56:31.166819 UTC  Disabled
0x8df7c12797c0  5       5       2       netns   0       0       0       0       2022-11-15 22:56:31.166819 UTC  Disabled
0x8df7c12117c0  6       6       2       kworker/0:0     0       0       0       0       2022-11-15 22:56:31.166819 UTC  Disabled
0x8df7c1210000  7       7       2       kworker/0:0H    0       0       0       0       2022-11-15 22:56:31.166819 UTC  Disabled
0x8df7c1215f00  8       8       2       kworker/u4:0    0       0       0       0       2022-11-15 22:56:31.166819 UTC  Disabled
0x8df7c1214740  9       9       2       mm_percpu_wq    0       0       0       0       2022-11-15 22:56:31.166819 UTC  Disabled
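As an added example (not code from this post or from the Volatility project), the following Python performs the constant_data swap described above programmatically: it decodes the banner stored in the profile's linux_banner symbol, compares it with the banners output, and produces a copy of the profile with the dump's banner encoded in its place. The ISF fragment is constructed for illustration (only the one symbol is present and its address is a placeholder); the two banner strings are the ones shown by isfinfo and banners above.

```python
import base64
import json
from pathlib import Path

# dwarf2json stores linux_banner as the raw char[] contents: the string, a
# newline and the NUL terminator (isfinfo shows it as b'...\n\x00').
BANNER_TERMINATOR = b"\n\x00"

# Constructed ISF fragment for this walkthrough: only the symbol being edited
# is present; a real profile also carries base_types, user_types and enums.
PROFILE_BANNER = ("Linux version 5.15.0-43-generic (buildd@lcy02-amd64-026) "
                  "(gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) "
                  "#46~20.04.1-Ubuntu SMP Thu Jul 14 15:20:17 UTC 2022 (Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39)")
DUMP_BANNER = ("Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) "
               "(gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) "
               "#46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)")
SAMPLE_ISF = {"symbols": {"linux_banner": {
    "type": {"kind": "array", "count": len(PROFILE_BANNER) + 2,
             "subtype": {"kind": "base", "name": "char"}},
    "address": 0,  # placeholder; a real profile holds the vmlinux address
    "constant_data": base64.b64encode(PROFILE_BANNER.encode() + BANNER_TERMINATOR).decode(),
}}}

def profile_banner(isf: dict) -> str:
    """Banner string baked into the profile, terminator stripped."""
    raw = base64.b64decode(isf["symbols"]["linux_banner"]["constant_data"])
    return raw.rstrip(BANNER_TERMINATOR).decode()

def banner_matches(isf: dict, dump_banner: str) -> bool:
    """Volatility needs an exact match, so compare the whole string."""
    return profile_banner(isf) == dump_banner.strip()

def patch_banner(isf: dict, dump_banner: str) -> dict:
    """Return a copy of the profile whose linux_banner equals the dump's banner."""
    patched = json.loads(json.dumps(isf))  # deep copy; leave the input untouched
    sym = patched["symbols"]["linux_banner"]
    data = dump_banner.strip().encode() + BANNER_TERMINATOR
    sym["constant_data"] = base64.b64encode(data).decode()
    if sym.get("type", {}).get("kind") == "array":  # keep the char[] length consistent
        sym["type"]["count"] = len(data)
    return patched

def write_modified_profile(src: Path, dst: Path, dump_banner: str) -> None:
    """Read src (e.g. Ubuntu.5.15.0-43-generic.json) and write the patched copy to dst."""
    dst.write_text(json.dumps(patch_banner(json.loads(src.read_text()), dump_banner), indent=1))

if __name__ == "__main__":
    print("profile banner matches dump:", banner_matches(SAMPLE_ISF, DUMP_BANNER))  # False
    print("after patching:", banner_matches(patch_banner(SAMPLE_ISF, DUMP_BANNER), DUMP_BANNER))  # True
```

Run write_modified_profile against the real profile with the banner string copied from the banners plugin, then clear the Volatility cache as above so the new banner is picked up.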
