Build Custom Linux Profile for Volatility
Build the Volatility overlay profile for the compromised system on a separate machine that runs the same kernel version, never on the compromised system itself (every package you install and command you run there overwrites evidence). If you can boot a virtual machine from a virtual disk, backup or snapshot of the system, or provision a VM with the identical kernel package, that is ideal. The profile must match the kernel of the memory image exactly (the same release string that uname -r prints on the victim); a profile from a neighbouring build fails with "No suitable address space mapping found" or returns garbage. This is the Volatility 2 workflow (vol.py, Python 2); Volatility 3 replaced profiles with JSON symbol tables generated by dwarf2json from a debug vmlinux.
Download or git clone Volatility 2 (https://github.com/volatilityfoundation/volatility). The module build below also needs the kernel headers for that release (the linux-headers-<release> package on Ubuntu) and a compiler toolchain.
$ cd volatility/tools/linux
$ uname -r
4.15.0-106-generic
$ sudo make -C /lib/modules/4.15.0-106-generic/build/ CONFIG_DEBUG_INFO=y M=$PWD modules
If the build fails with an error like the one below, module.c is missing a license declaration and modpost refuses to link it; add one as shown.
ERROR: modpost: missing MODULE_LICENSE() in /home/USER/volatility/tools/linux/module.o
$ nano module.c
Add the following line at the end of the file, exactly as it appears, then re-run the make command:
MODULE_LICENSE("GPL");
If dwarfdump isn't installed, install it. It must be libdwarf's dwarfdump (the dwarfdump package on Debian/Ubuntu), not llvm-dwarfdump: Volatility's DWARF parser reads the dense (-d) output format of libdwarf's tool.
$ sudo apt install dwarfdump
$ dwarfdump -di ./module.o > module.dwarf
$ sudo zip Ubuntu64-4.15.0.106.zip module.dwarf /boot/System.map-4.15.0-106-generic
The zip needs exactly one .dwarf file and one file with "System.map" in its name; sudo is required because /boot/System.map-* is readable only by root on Ubuntu. The zip basename becomes the profile name: Volatility prefixes Linux, replaces dots with underscores and appends the architecture, so this file registers as LinuxUbuntu64-4_15_0_106x64.
Move linux profile to Volatility overlays
$ cp Ubuntu64-4.15.0.106.zip /path/to/volatility/plugins/overlays/linux/
Test Volatility (Volatility 2 needs Python 2; use python2 if python is Python 3 on your analysis box). The new profile should appear in the Profiles section of the output; if it doesn't, the zip is malformed or in the wrong directory.
$ python vol.py --info | grep Linux
Test Volatility with the profile against the memory image. Run linux_banner first: it prints the kernel version string found in the image, which confirms the profile matches before you trust any process listing.
$ python vol.py -f /mnt/volatility/DF/vm-dump.mem --profile=LinuxUbuntu64-4_15_0_106x64 linux_banner
$ python vol.py -f /mnt/volatility/DF/vm-dump.mem --profile=LinuxUbuntu64-4_15_0_106x64 linux_pslist
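The whole procedure above, wrapped in a POSIX shell script with the checks that usually bite: kernel headers and System.map present, MODULE_LICENSE added only once, the built module's vermagic matching the intended release, and module.dwarf actually containing kernel types before it is zipped. This is an added example, not code from the original page or from the Volatility project. It assumes a Volatility 2 checkout (default $HOME/volatility), a 64-bit kernel (the x64 suffix is hard-coded), and a caller-chosen zip basename; the page's own name Ubuntu64-4.15.0.106 is used in the comments.

```sh
#!/bin/sh
# Added example (not from the page or from Volatility): the manual profile
# build with the sanity checks a practitioner wants. Assumes a Volatility 2
# checkout and a 64-bit kernel; the zip basename is chosen by the caller.
set -eu

# Volatility 2 derives the profile name from the zip file name:
# "Linux" + basename without .zip, dots replaced by underscores, + arch.
# Ubuntu64-4.15.0.106.zip -> LinuxUbuntu64-4_15_0_106x64
profile_name_from_zip() {
    base=$(basename "$1" .zip)
    printf 'Linux%sx64\n' "$(printf '%s' "$base" | tr . _)"
}

# Kernel release encoded in a System.map file name (System.map-4.15.0-106-generic).
sysmap_version() {
    printf '%s\n' "${1##*System.map-}"
}

# Append MODULE_LICENSE("GPL") to module.c only when it is missing, so a
# re-run of the script does not add a second declaration.
ensure_module_license() {
    if ! grep -q 'MODULE_LICENSE(' "$1"; then
        printf '\nMODULE_LICENSE("GPL");\n' >> "$1"
    fi
}

# Loose sanity check on dwarfdump -di output: a usable module.dwarf carries
# structure types and names core kernel structs such as task_struct. An empty
# file, or one built without CONFIG_DEBUG_INFO, fails here before it is zipped.
dwarf_looks_sane() {
    grep -q 'DW_TAG_structure_type' "$1" && grep -q 'task_struct' "$1"
}

# Full build: kernel release, Volatility checkout, zip basename (without .zip).
build_profile() {
    ver=$1; voldir=$2; name=$3
    hdr=/lib/modules/$ver/build
    sysmap=/boot/System.map-$ver
    [ -d "$hdr" ] || { echo "no kernel headers at $hdr (install linux-headers-$ver)" >&2; return 1; }
    [ -r "$sysmap" ] || { echo "cannot read $sysmap (run under sudo)" >&2; return 1; }
    cd "$voldir/tools/linux"
    ensure_module_license module.c
    make -C "$hdr" CONFIG_DEBUG_INFO=y M="$PWD" modules
    # vermagic proves module.o was really built against the release we want.
    modinfo -F vermagic module.o | grep -q "^$ver " || { echo "vermagic does not match $ver" >&2; return 1; }
    dwarfdump -di ./module.o > module.dwarf
    dwarf_looks_sane module.dwarf || { echo "module.dwarf has no kernel types; check CONFIG_DEBUG_INFO and that dwarfdump is libdwarf's" >&2; return 1; }
    rm -f "$name.zip"
    zip "$name.zip" module.dwarf "$sysmap"
    cp "$name.zip" "$voldir/plugins/overlays/linux/"
    echo "installed $name.zip; expect profile $(profile_name_from_zip "$name.zip") in: python2 vol.py --info"
}

# Usage: sudo sh build_profile.sh build [kernel-release] [voldir] [zipname]
# With no arguments the script only defines the functions above.
case "${1:-}" in
    build) build_profile "${2:-$(uname -r)}" "${3:-$HOME/volatility}" "${4:-Ubuntu64-$(uname -r)}" ;;
esac
```

Run it under sudo on the clean build host (the System.map read and, on some setups, the module build need root); the final line prints the profile name to look for in --info output, so there is no guessing about where the dots became underscores.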