How to force Volatility3 to use a specific (albeit mismatching) Linux kernel profile
Let's explore a couple of concepts to ensure we're using the correct terminology.
Volatility uses the 'banners' plugin to identify the operating system, kernel version, compilation information, etc. This is critical to ensure the correct profile is used when attempting to parse the memory dump. The correct profile ensures that kernel is correctly identified, and the correct memory structures are mapped correctly.
The Intermediate Symbol Format (ISF) is a JSON-based file which Volatility uses (as the 'isfinfo' plugin) to store specific memory structures to ensure they're mapped correctly, allowing execution of other plugins.
As I highlighted here, you can use the banners plugin to identify the operating system if it was previously unknown. The banners plugin also aids in troubleshooting and debugging when building custom profiles.
I recently helped a person on Discord to build a custom kernel profile for a memory sample which was collected during a CTF. We can approach this in a simple manner. 1) Run banners, and 2) run strings
Identify banner information
$ python3 vol.py -f dump.raw banners
Volatility 3 Framework 2.20.0
Progress: 100.00 PDB scanning finished
Offset Banner
0x77a00200 Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)
0x78dc3718 Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)9)
We can see that the kernel Ubuntu 5.15.0-43 is being used in this sample. Ubuntu docs suggest that it was published on/around 9th May 2023 and was released in Jammy (22.04).
Because you can use different releases with different kernels (20.04 with 5.15.0-43, 22.04 with 5.15.0-43, etc), we want to confirm which release this sample came from. This makes it easier when attempting to locate relevant debugging symbols.
Confirm operating system release
We know that Ubuntu stores its release information in the following locations (examples included)
So now we have the release version and kernel version. You can follow the guide here to generate a kernel profile before you continue.
Inspecting custom profile JSON
Following the previous guide, we've generated a custom profile for our memory sample. We've moved it into our default symbols directory, so let's try and use it to process our memory sample.
First step is to run isfinfo to make sure it's a registered/cached profile.
$ python3 vol.py isfinfo
Volatility 3 Framework 2.20.0
Progress: 100.00 PDB scanning finished
URI Valid Number of base_types Number of types Number of symbols Number of enums Identifying information
file:///home/user/Desktop/volatility3/volatility3/symbols/Ubuntu.5.15.0-43-generic.json Unknown 19 12076 199003 2075 b'Linux version 5.15.0-43-generic (buildd@lcy02-amd64-026) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #46~20.04.1-Ubuntu SMP Thu Jul 14 15:20:17 UTC 2022 (Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39)\n\x00'
Good start, let's run linux.pslist to identify processes.
$ python3 vol.py -f dump.raw linux.pslist
Volatility 3 Framework 2.20.0
Progress: 100.00 Stacking attempts finished
Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']
But we downloaded the correct release, installed the correct kernel (5.15.0-43-generic) and installed the relevant debugging symbols (5.15.0-43-generic-dbgsym). So what's wrong?
isfinfo
Linux version 5.15.0-43-generic (buildd@lcy02-amd64-026) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #46~20.04.1-Ubuntu SMP Thu Jul 14 15:20:17 UTC 2022 (Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39)
banners
Linux version 5.15.0-43-generic (buildd@lcy02-amd64-076) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 (Ubuntu 5.15.0-43.46-generic 5.15.39)
We can see there's a slight mismatch between the output from isfinfo (our custom profile) and the string which banners has produced.
Open the .json file for the kernel profile you created (Ubuntu20.04-5.15.0-43-generic.json)
You'll also find a field called 'constant_data' which is base64 encoded
Take your banners output and convert it into base64 (echo, cyberchef, etc)
Replace the original base64 value in the kernel profile with your new value
Save this as a new profile (Ubuntu.5.15.0-43-generic-modified.json), clear your volatility cache, then attempt to run the plugin again.
$ python3 vol.py -v --clear-cache -f dump.raw linux.pslist
Volatility 3 Framework 2.20.0
INFO volatility3.cli: Volatility plugins path: ['/home/user/Desktop/volatility3/volatility3/plugins', '/home/user/Desktop/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/user/Desktop/volatility3/volatility3/symbols', '/home/user/Desktop/volatility3/volatility3/framework/symbols']
INFO volatility3.framework.automagic: Detected a linux category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
OFFSET (V) PID TID PPID COMM UID GID EUID EGID CREATION TIME File output
0x8df7c1278000 1 1 0 systemd 0 0 0 0 2022-11-15 22:56:31.038819 UTC Disabled
0x8df7c127df00 2 2 0 kthreadd 0 0 0 0 2022-11-15 22:56:31.038819 UTC Disabled
0x8df7c127c740 3 3 2 rcu_gp 0 0 0 0 2022-11-15 22:56:31.166819 UTC Disabled
0x8df7c127af80 4 4 2 rcu_par_gp 0 0 0 0 2022-11-15 22:56:31.166819 UTC Disabled
0x8df7c12797c0 5 5 2 netns 0 0 0 0 2022-11-15 22:56:31.166819 UTC Disabled
0x8df7c12117c0 6 6 2 kworker/0:0 0 0 0 0 2022-11-15 22:56:31.166819 UTC Disabled
0x8df7c1210000 7 7 2 kworker/0:0H 0 0 0 0 2022-11-15 22:56:31.166819 UTC Disabled
0x8df7c1215f00 8 8 2 kworker/u4:0 0 0 0 0 2022-11-15 22:56:31.166819 UTC Disabled
0x8df7c1214740 9 9 2 mm_percpu_wq 0 0 0 0 2022-11-15 22:56:31.166819 UTC Disabled
