# Build Custom Linux Profile for Volatility

Build the Volatility profile on a separate system running the same kernel as the compromised host, never on the compromised host itself (installing kernels, debug packages and build tools there overwrites the evidence you are trying to analyse). Ideally, spin up a virtual machine from the compromised host's virtual disk, backup or snapshot, or provision a fresh machine with exactly the same kernel version.

If the compromised host is an EC2 instance built from a standard AMI, provision a new instance from the same AMI, install the same kernel version and its debug package, and build the profile there.

**Identifying potential kernel candidates and building a specific kernel**

You may be handed a memory dump with no information about the system it came from: no distribution, release or kernel version.

The banners plugin in Volatility 3 scans the image for the kernel's `Linux version` banner. The banner records the exact release, build number, compiler and build date, which is enough to identify candidate kernels and work out which debug symbols to fetch for the symbol table.

```
$ python3 vol.py -f evidence.mem banners
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished
Offset  Banner

0x738001a0      Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC  (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
0x73975d40      Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
```

The second hit is the complete banner (the first is a partial copy in memory, missing the build date). It identifies the kernel as Ubuntu's 6.2.0-36-generic build for 22.04 (the `~22.04.1` in the build string marks the 22.04 HWE kernel), so deploy an Ubuntu 22.04 virtual machine and use it as the base for the profile, installing the matching kernel package:

```
$ sudo apt update; sudo apt install linux-image-6.2.0-36-generic
```

Reboot into the new kernel and verify with `uname -a` that the running version and build string match the banner exactly. If the VM boots a different kernel, select the 6.2.0-36 entry under Advanced options in the GRUB menu.

```
user@ubuntu:~$ uname -a
Linux ubuntu 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```

Next, install the debug symbols for that kernel. Ubuntu publishes them in a separate ddebs repository, so add it, trust its signing key, update, and install the -dbgsym package for the exact kernel version.

```
$ sudo nano /etc/apt/sources.list.d/ddebs.list
```

Contents of the file (replace xxxxx with the release codename from `lsb_release -cs`, i.e. jammy for 22.04):

```
deb http://ddebs.ubuntu.com xxxxx main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-proposed main restricted universe multiverse
```

```
$ wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -
$ sudo apt update
$ sudo apt install linux-image-6.2.0-36-generic-dbgsym
```

`apt-key` is deprecated on 22.04 (it still works, with a warning); `sudo apt install ubuntu-dbgsym-keyring` installs the same signing key the supported way. The dbgsym package is large but only unpacks /usr/lib/debug/boot/vmlinux-6.2.0-36-generic, so no reboot is needed. If apt cannot find the package under that name, look for linux-image-unsigned-6.2.0-36-generic-dbgsym: on releases where the generic kernel ships signed, the ddeb is published under the unsigned name.

Now create the symbol table (ISF JSON) with dwarf2json, which reads the DWARF debug information from the debug vmlinux and symbol addresses from System.map. Building from source needs a Go toolchain; otherwise use a precompiled binary. `sudo` is required because /boot/System.map-* is readable only by root on Ubuntu (the output file is still created as your user, since the shell performs the redirection).

```
$ git clone https://github.com/volatilityfoundation/dwarf2json.git
$ cd dwarf2json
$ go build
$ sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-6.2.0-36-generic --system-map /boot/System.map-6.2.0-36-generic > Ubuntu22.04-6.2.0-36-generic.json
```

The command should complete without output. Move the new symbol table into the symbols/linux directory of your Volatility 3 install (volatility3/volatility3/symbols/linux in a git checkout; Volatility 3 also accepts the file compressed as .json.xz) and run isfinfo to confirm it is registered and cached. The Identifying information column must reproduce the banner reported by the banners plugin exactly: Volatility 3 selects a Linux symbol table by banner match, not by file name, so a profile built from a kernel with a different build number or build date will never be picked up.

```
$ mv Ubuntu22.04-6.2.0-36-generic.json /path/to/volatility3/symbols/linux
$ python3 vol.py isfinfo
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

<snip>
file:///home/user/volatility3/symbols/linux/Ubuntu22.04-6.2.0-36-generic.json       True (cached)   19      12930   263277  2285    b'Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)\n\x00'
```

Test the symbol table against the memory dump. If linux.pslist reports an unsatisfied requirement for the kernel symbol table, the banner in the JSON does not match the one in the dump; compare the isfinfo output with the banners output character by character.

```
$ python3 vol.py -f evidence.mem linux.pslist
Volatility 3 Framework 2.4.2
Progress:  100.00               Stacking attempts finished
OFFSET (V)      PID     TID     PPID    COMM

0x99f7802a1980  1       1       0       systemd
0x99f7802a3300  2       2       0       kthreadd
0x99f7802a6600  3       3       2       rcu_gp
0x99f7802a0000  4       4       2       rcu_par_gp
0x99f7802a4c80  5       5       2       slub_flushwq
0x99f7802b9980  6       6       2       netns
0x99f7802be600  8       8       2       kworker/0:0H
0x99f7802bcc80  10      10      2       mm_percpu_wq
0x99f78033b300  11      11      2       rcu_tasks_kthre
```

**Using dwarf2json to build kernel profiles for Volatility3**

For an Amazon Linux 2023 EC2 instance (kernel 6.1.34-59.116.amzn2023.x86_64) the debug symbols come from the distribution's debuginfo repository rather than ddebs, and the debug vmlinux lives under /usr/lib/debug/lib/modules/<version>/ instead of /usr/lib/debug/boot/. Run these on a fresh instance from the same AMI, not on the compromised host, and make sure `uname -r` matches the release in the dump's banner before installing the debuginfo package:

```
$ sudo yum update -y
$ sudo yum --enablerepo='*debuginfo' install kernel-debuginfo-$(uname -r)
$ mkdir /home/ec2-user/volatility3
$ sudo cp /boot/System.map-6.1* /home/ec2-user/volatility3
$ sudo cp /usr/lib/debug/lib/modules/6.1.34-59.116.amzn2023.x86_64/vmlinux /home/ec2-user/volatility3
```

If you would rather not build dwarf2json, a precompiled binary is available in https://github.com/kevthehermit/volatility_symbols (a third-party repository, so verify what you download before running it):

```
$ wget https://github.com/kevthehermit/volatility_symbols/raw/main/dwarf2json
$ chmod +x dwarf2json
$ ./dwarf2json linux --system-map /path/to/System.map-6.1.34-59.116.amzn2023.x86_64 --elf /path/to/vmlinux > your-name-for-kernel.json
$ cp /path/to/your-name-for-kernel.json /path/to/volatility3/volatility3/symbols/linux
```

Then check that the new profile is registered, compare its banner with the one in the dump, and run a plugin:

```
$ python3 vol.py isfinfo
$ python3 vol.py -f ec2mem.mem banners
$ python3 vol.py -f ec2mem.mem linux.pslist
```
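As an added check for both the Ubuntu and the Amazon Linux procedures above (example code, not from the original page or from the Volatility project), the following Python script reproduces the banner match Volatility 3 performs when it picks a Linux symbol table. It scans an image for `Linux version` strings the way the banners plugin does, decodes the `linux_banner` constant that dwarf2json stores as base64 `constant_data` in the ISF's `symbols` section (the value isfinfo shows as Identifying information) from every JSON in a symbols directory, and reports which files match. It also prints the debug package and vmlinux/System.map paths the two procedures on this page would use for that kernel. The sample image bytes and ISF documents inside `demo()` are constructed; the file name isf_check.py and the package-name mapping in `debug_artifacts()` are assumptions of this example.

```python
"""Check that a Volatility 3 Linux ISF symbol table will match a memory image.

Volatility 3 selects a Linux symbol table by comparing the kernel banner found in the
image with the base64 linux_banner constant that dwarf2json writes into each ISF JSON;
one differing character (build date, build number) and automagic never picks the file.
"""
import base64, json, lzma, mmap, re, sys
from pathlib import Path

# Banners sit in memory as NUL-terminated "Linux version ...\n" strings.
BANNER_RE = re.compile(rb"Linux version \d[^\x00\n]*")
FIELDS_RE = re.compile(r"^Linux version (?P<release>\S+) \((?P<builder>[^)]*)\) "
                       r"\((?P<compiler>.*)\) (?P<build>#.*)$")

def normalize(banner):
    """Drop the trailing newline/NUL so image and ISF banners compare equal."""
    if isinstance(banner, bytes):
        banner = banner.decode("utf-8", errors="replace")
    return banner.rstrip("\x00\n ")

def scan_banners(image):
    """(offset, banner) pairs found in raw image bytes or an mmap, like vol.py banners."""
    found, seen = [], set()
    for m in BANNER_RE.finditer(image):
        text = normalize(m.group(0))
        if text not in seen:            # the same banner normally appears several times
            seen.add(text)
            found.append((m.start(), text))
    return found

def parse_banner(banner):
    """Split a banner into release / builder / compiler / build fields."""
    m = FIELDS_RE.match(normalize(banner))
    if not m:
        raise ValueError("not a Linux kernel banner: %r" % (banner,))
    return m.groupdict()

def debug_artifacts(banner):
    """Debug package and vmlinux/System.map locations for the kernel named in a banner,
    following the Ubuntu (ddebs) and Amazon Linux (yum debuginfo) steps on this page."""
    f = parse_banner(banner)
    rel = f["release"]
    if "Ubuntu" in f["build"]:
        return {"debug_pkg": "linux-image-%s-dbgsym" % rel,
                "vmlinux": "/usr/lib/debug/boot/vmlinux-%s" % rel,
                "system_map": "/boot/System.map-%s" % rel}
    if ".amzn" in rel or ".el" in rel:  # RPM-based distributions
        return {"debug_pkg": "kernel-debuginfo-%s" % rel,
                "vmlinux": "/usr/lib/debug/lib/modules/%s/vmlinux" % rel,
                "system_map": "/boot/System.map-%s" % rel}
    return None                          # other distributions need their own mapping

def isf_banner(doc):
    """Decode the linux_banner constant from a parsed ISF document, or None."""
    sym = doc.get("symbols", {}).get("linux_banner", {})
    return normalize(base64.b64decode(sym["constant_data"])) if "constant_data" in sym else None

def load_isf(path):
    """Load a .json or .json.xz ISF file; Volatility 3 accepts both."""
    opener = lzma.open if path.suffix == ".xz" else open
    with opener(path, "rt") as fh:
        return json.load(fh)

def match_isf(image_banners, isf_docs):
    """Map each banner from the image to the ISF names whose linux_banner equals it."""
    by_banner = {}
    for name, doc in isf_docs.items():
        b = isf_banner(doc)
        if b:
            by_banner.setdefault(b, []).append(name)
    return {text: by_banner.get(text, []) for _, text in image_banners}

def demo():
    """Constructed image and ISF documents: one right profile, one built on a rebuilt kernel."""
    good = (b"Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) "
            b"(x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, "
            b"GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC "
            b"Mon Oct  9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)\n\x00")
    image = b"\x00" * 64 + good + b"\xff" * 32          # stand-in for evidence.mem
    stale = good.replace(b"Mon Oct  9", b"Tue Oct 10")  # same version, different build date
    docs = {"Ubuntu22.04-6.2.0-36-generic.json": {"symbols": {"linux_banner": {
                "constant_data": base64.b64encode(good).decode()}}},
            "rebuilt-kernel.json": {"symbols": {"linux_banner": {
                "constant_data": base64.b64encode(stale).decode()}}}}
    banners = scan_banners(image)
    return banners, match_isf(banners, docs)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: isf_check.py evidence.mem volatility3/volatility3/symbols/linux
        with open(sys.argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            banners = scan_banners(mm)
        result = match_isf(banners, {p.name: load_isf(p) for p in Path(sys.argv[2]).glob("*.json*")})
    else:
        banners, result = demo()
    for off, text in banners:
        print("0x%x  %s" % (off, text))
        print("   ISF match: %s" % (result[text] or "none, build symbols for this exact banner"))
        print("   expected debug artifacts: %s" % debug_artifacts(text))
```

Run without arguments to see the constructed case: the profile built on the right package matches, the one built on a kernel rebuilt a day later does not, even though the version string is identical. With an image and a symbols directory as arguments it mmaps the image rather than reading it into memory, so it copes with multi-gigabyte dumps. A truncated banner copy, like the first hit in the banners output above, shows up as a separate unmatched entry; only the complete one needs a matching ISF.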

The following is the original procedure for Volatility 2, which builds an Ubuntu kernel profile from a dwarfdump of the module.c shipped in volatility/tools/linux. Volatility 2 runs on Python 2 and is no longer maintained, so prefer the Volatility 3 procedure above where you can.

Clone or download Volatility 2 (https://github.com/volatilityfoundation/volatility) on a system running the same kernel as the dump, with the matching linux-headers package installed so the module can be compiled.

```
$ cd volatility/tools/linux
$ uname -r 
4.15.0-106-generic
$ sudo make -C /lib/modules/4.15.0-106-generic/build/ CONFIG_DEBUG_INFO=y M=$PWD modules
```

If you receive an error similar to the following, the kernel's modpost step is rejecting the module because it declares no license; add one to the end of **module.c** and rerun make.

```
ERROR: modpost: missing MODULE_LICENSE() in /home/USER/volatility/tools/linux/module.o
```

```
$ nano module.c
```

Append the following line, exactly as shown:

```
MODULE_LICENSE("GPL");
```

If dwarfdump isn't installed, install it

```
$ sudo apt install dwarfdump
$ dwarfdump -di ./module.o > module.dwarf
$ sudo zip Ubuntu64-4.15.0.106.zip module.dwarf /boot/System.map-4.15.0-106-generic
```

Move linux profile to Volatility overlays

```
$ cp Ubuntu64-4.15.0.106.zip /path/to/volatility/plugins/overlays/linux/
```

Confirm that Volatility 2 lists the new profile

```
$ python vol.py --info | grep Linux
```

Test Volatility 2 with the profile. The profile name is derived from the zip file name: `Linux`, then the base name with dots replaced by underscores, then `x64`, so Ubuntu64-4.15.0.106.zip becomes LinuxUbuntu64-4_15_0_106x64.

```
$ python vol.py -f /mnt/volatility/DF/vm-dump.mem --profile=LinuxUbuntu64-4_15_0_106x64 linux_pslist
```

