Build Custom Linux Profile for Volatility

Build the Volatility symbol table (Volatility 2 called this an overlay profile) on a separate system running the same kernel build as the compromised host, never on the compromised host itself. If you can boot a virtual machine from a virtual disk, backup or snapshot of the compromised system, or provision a virtual machine with the same kernel, that is ideal.

If the compromised system is an EC2 instance built from a standard AMI, provision a new instance from the same AMI, make sure it is running the same kernel as the dump, and install the matching kernel debug symbols there.

Identifying potential kernel candidates and building a specific kernel

You may have a memory dump without any information about the system it came from: no distribution, release or kernel version.

The banners plugin in Volatility 3 scans the dump for "Linux version ..." strings, which identify the kernel build and therefore which debug symbols you need to obtain.

$ python3 vol.py -f evidence.mem banners
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished
Offset  Banner

0x738001a0      Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC  (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
0x73975d40      Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)

The banner gives the release (6.2.0-36-generic), the build tag (#37~22.04.1-Ubuntu) and the toolchain (Ubuntu 11.4.0-1ubuntu1~22.04), so deploy an Ubuntu 22.04 virtual machine as the base for the symbol table and install the corresponding kernel:

$ sudo apt update; sudo apt install linux-image-6.2.0-36-generic

Reboot into the new kernel and verify that uname -a reports the same release and build tag as the banner in the dump (a different build tag means different symbols, even if the release string matches).

user@ubuntu:~$ uname -a
Linux ubuntu 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

We need to install the corresponding debug symbols for our kernel. We'll add an additional repository, update, and install the appropriate debug symbols.

$ sudo nano /etc/apt/sources.list.d/ddebs.list

deb http://ddebs.ubuntu.com xxxxx main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-proposed main restricted universe multiverse
(replace xxxxx with your release codename from 'lsb_release -cs', i.e. jammy for 22.04, focal for 20.04, etc.)

Import the repository signing key. apt-key is deprecated on 22.04, so use the keyring package:

$ sudo apt install ubuntu-dbgsym-keyring

On older releases that do not ship that package, the legacy method is:

$ wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -

$ sudo apt update
$ sudo apt install linux-image-6.2.0-36-generic-dbgsym
$ sudo shutdown -r now

Now create the symbol table (Volatility 3's equivalent of a Volatility 2 profile) with dwarf2json. Building it needs a Go toolchain; otherwise copy a precompiled binary.

$ git clone https://github.com/volatilityfoundation/dwarf2json.git
$ cd dwarf2json
$ go build
$ sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-6.2.0-36-generic --system-map /boot/System.map-6.2.0-36-generic > Ubuntu22.04-6.2.0-36-generic.json

sudo is needed because /boot/System.map-* is readable only by root on Ubuntu; the redirection is performed by your own shell, so the JSON file is owned by you.

dwarf2json prints nothing on success. Move the new symbol table into the symbols/linux directory that Volatility 3 searches and run isfinfo to confirm it is registered and cached, and that the identifying banner in the last column matches the banner found in the dump.

$ mv Ubuntu22.04-6.2.0-36-generic.json /path/to/volatility3/symbols/linux
$ python3 vol.py isfinfo
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

<snip>
file:///home/user/volatility3/symbols/linux/Ubuntu22.04-6.2.0-36-generic.json       True (cached)   19      12930   263277  2285    b'Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)\n\x00'

Test the symbol table against the memory dump. If the symbols match the kernel in the dump, linux.pslist returns the process list; an unmatched banner typically produces "Unsatisfied requirement" errors instead.

$ python3 vol.py -f evidence.mem linux.pslist
Volatility 3 Framework 2.4.2
Progress:  100.00               Stacking attempts finished
OFFSET (V)      PID     TID     PPID    COMM

0x99f7802a1980  1       1       0       systemd
0x99f7802a3300  2       2       0       kthreadd
0x99f7802a6600  3       3       2       rcu_gp
0x99f7802a0000  4       4       2       rcu_par_gp
0x99f7802a4c80  5       5       2       slub_flushwq
0x99f7802b9980  6       6       2       netns
0x99f7802be600  8       8       2       kworker/0:0H
0x99f7802bcc80  10      10      2       mm_percpu_wq
0x99f78033b300  11      11      2       rcu_tasks_kthre

Using dwarf2json to build kernel profiles for Volatility3

For an Amazon Linux 2023 EC2 instance (kernel 6.1.34-59.116.amzn2023.x86_64). The debuginfo package must match the running kernel reported by uname -r, which in turn must match the banner in the dump, so do not reboot into a newer kernel between the update and the debuginfo install.

$ sudo yum update -y
$ sudo yum --enablerepo='*debuginfo' install kernel-debuginfo-$(uname -r)
$ mkdir /home/ec2-user/volatility3
$ sudo cp /boot/System.map-6.1* /home/ec2-user/volatility3
$ sudo cp /usr/lib/debug/lib/modules/6.1.34-59.116.amzn2023.x86_64/vmlinux /home/ec2-user/volatility3
$ sudo chown -R ec2-user:ec2-user /home/ec2-user/volatility3

The chown matters: cp preserves the root-only mode of System.map, so without it dwarf2json run as ec2-user cannot read the copy.

Obtain dwarf2json: build it from the upstream source as shown above, or use a precompiled binary such as the one in https://github.com/kevthehermit/volatility_symbols. If you use a third-party binary, check its provenance before running it on a host that handles evidence.

$ wget https://github.com/kevthehermit/volatility_symbols/raw/main/dwarf2json
$ chmod +x dwarf2json
$ ./dwarf2json linux --system-map /path/to/System.map-6.1.34-59.116.amzn2023.x86_64 --elf /path/to/vmlinux > your-name-for-kernel.json
$ cp /path/to/your-name-for-kernel.json /path/to/volatility3/volatility3/symbols/linux
$ python3 vol.py isfinfo
(check that the new symbol table is listed and its banner matches the dump)
$ python3 vol.py -f ec2mem.mem banners
$ python3 vol.py -f ec2mem.mem linux.pslist
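As an added example covering both the Ubuntu and the Amazon Linux procedures above (this is my script, not code from the original page or from the Volatility project): a POSIX shell script that takes the banner string printed by the banners plugin, derives the kernel release, build tag, distribution, debug package name and the vmlinux/System.map paths that dwarf2json needs, checks that the debug vmlinux on the build VM carries the same banner as the dump before building, and writes the result where Volatility 3 looks for it. The function names, the VOL3_DIR default, the Ubuntu version-to-codename table and the Amazon Linux banner used as sample input are my own assumptions and constructed data; the Ubuntu banner and uname output are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original page): turn a Volatility 3 banner into
# everything dwarf2json needs, verify the debug kernel is the same build, then
# build and register the symbol table. Assumes dwarf2json is on PATH, binutils
# "strings" is installed, and a Volatility 3 checkout lives in $VOL3_DIR.
set -eu

VOL3_DIR="${VOL3_DIR:-${HOME:-.}/volatility3}"   # assumed checkout location

# Field 3 is the kernel release both in a "Linux version <rel> ..." banner
# and in "uname -a" output ("Linux <host> <rel> ...").
banner_release() { printf '%s\n' "$1" | awk '{ print $3 }'; }

# The build tag is the first token starting with '#', e.g. "#37~22.04.1-Ubuntu".
# Release plus build tag identify a specific build; the date after the tag can
# be missing from a partially overwritten banner (the first hit above), so it
# is deliberately not compared.
banner_build() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^#/) { print $i; exit } }'
}

same_kernel() {
    [ "$(banner_release "$1")" = "$(banner_release "$2")" ] &&
    [ "$(banner_build "$1")" = "$(banner_build "$2")" ]
}

# "ubuntu", "amzn" or "unknown", judged from the release string / build tag.
banner_distro() {
    case "$(banner_release "$1")" in *amzn*) echo amzn; return 0;; esac
    case "$(banner_build "$1")" in *-Ubuntu*) echo ubuntu; return 0;; esac
    echo unknown
}

# Ubuntu HWE build tags carry the series ("#37~22.04.1-Ubuntu" -> 22.04).
# GA kernels ("#101-Ubuntu") do not, so this prints nothing and fails.
banner_ubuntu_release() {
    r=$(banner_build "$1" | sed -n 's/^#[0-9]*~\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$r" ] && printf '%s\n' "$r"
}

# Assumed lookup table for the ddebs sources.list entries.
ubuntu_codename() {
    case "$1" in
        18.04) echo bionic;; 20.04) echo focal;; 22.04) echo jammy;; 24.04) echo noble;;
        *) return 1;;
    esac
}

# Debug package and the two files dwarf2json needs, per distribution.
debug_package() {
    rel=$(banner_release "$1")
    case "$(banner_distro "$1")" in
        ubuntu) echo "linux-image-${rel}-dbgsym";;
        amzn)   echo "kernel-debuginfo-${rel}";;
        *)      return 1;;
    esac
}
vmlinux_path() {
    rel=$(banner_release "$1")
    case "$(banner_distro "$1")" in
        ubuntu) echo "/usr/lib/debug/boot/vmlinux-${rel}";;
        amzn)   echo "/usr/lib/debug/lib/modules/${rel}/vmlinux";;
        *)      return 1;;
    esac
}
system_map_path() { echo "/boot/System.map-$(banner_release "$1")"; }

# The check that matters: the vmlinux fed to dwarf2json must carry the same
# banner as the dump, otherwise struct offsets may silently be wrong.
check_vmlinux_matches() {
    vm_banner=$(strings -n 20 "$2" | grep -m1 '^Linux version ') || return 1
    same_kernel "$1" "$vm_banner"
}

# Full pipeline: verify, build the JSON, drop it where Volatility 3 searches,
# and confirm isfinfo lists it.
build_symbols() {
    banner=$1
    vmlinux=$(vmlinux_path "$banner"); sysmap=$(system_map_path "$banner")
    [ -r "$vmlinux" ] || { echo "missing $vmlinux: install $(debug_package "$banner")" >&2; return 1; }
    check_vmlinux_matches "$banner" "$vmlinux" || { echo "vmlinux banner does not match the dump" >&2; return 1; }
    out="$VOL3_DIR/volatility3/symbols/linux/$(banner_distro "$banner")-$(banner_release "$banner").json"
    dwarf2json linux --elf "$vmlinux" --system-map "$sysmap" > "$out"
    python3 "$VOL3_DIR/vol.py" isfinfo | grep -F "$(basename "$out")"
}

# Usage: sh build_symbols.sh 'Linux version 6.2.0-36-generic (...) #37~22.04.1-Ubuntu ...'
if [ $# -eq 1 ]; then build_symbols "$1"; fi
```

Run it on the build VM with the banner copied from the banners plugin output as the single argument; `sudo` it if /boot/System.map-* is root-only readable. Passing `"$(uname -a)"` instead checks the VM against itself, which is only useful as a smoke test.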

The section below is the original version of this article, written for Volatility 2, which uses dwarfdump to build an Ubuntu kernel profile.

Download or git clone Volatility 2, then build the helper module against the running kernel's headers:

$ cd volatility/tools/linux
$ uname -r 
4.15.0-106-generic
$ sudo make -C /lib/modules/4.15.0-106-generic/build/ CONFIG_DEBUG_INFO=y M=$PWD modules

If you receive an error similar to the following, you need to modify module.c

ERROR: modpost: missing MODULE_LICENSE() in /home/USER/volatility/tools/linux/module.o

$ nano module.c
add the following line to the end of the file, exactly as it appears

MODULE_LICENSE("GPL");

If dwarfdump isn't installed, install it

$ sudo apt install dwarfdump
$ dwarfdump -di ./module.o > module.dwarf
$ sudo zip Ubuntu64-4.15.0.106.zip module.dwarf /boot/System.map-4.15.0-106-generic

Move linux profile to Volatility overlays

$ cp Ubuntu64-4.15.0.106.zip /path/to/volatility/plugins/overlays/linux/

Test Volatility

$ python vol.py --info | grep Linux

Test Volatility with the new profile. The profile name is derived from the zip filename: "Linux" plus the basename with dots replaced by underscores, plus "x64" (or "x86" for a 32-bit kernel), so Ubuntu64-4.15.0.106.zip is selected as LinuxUbuntu64-4_15_0_106x64.

$ python vol.py -f /mnt/volatility/DF/vm-dump.mem --profile=LinuxUbuntu64-4_15_0_106x64 linux_pslist
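As an added example for the Volatility 2 procedure above (my script, not code from the original page or from the Volatility project): a shell script that makes the MODULE_LICENSE fix idempotent, builds module.o, dumps its DWARF, zips it with System.map, installs the profile and prints the --profile name Volatility 2 will expose for it. The VOL2_DIR default and the function names are my assumptions; the x64/x86 suffix is passed in because a 64-bit kernel is assumed by default.

```shell
#!/bin/sh
# Added example (not from the original page): build and name a Volatility 2
# Linux profile. Assumes a Volatility 2 checkout in $VOL2_DIR (tools/linux and
# volatility/plugins/overlays/linux inside it), headers for the running kernel,
# and dwarfdump and zip installed.
set -eu

VOL2_DIR="${VOL2_DIR:-${HOME:-.}/volatility}"   # assumed checkout location

# Profile name Volatility 2 registers for a zip in plugins/overlays/linux:
# "Linux" + basename with '.' -> '_' + arch suffix.
#   Ubuntu64-4.15.0.106.zip -> LinuxUbuntu64-4_15_0_106x64
vol2_profile_name() {
    base=$(basename "$1" .zip)
    arch=${2:-x64}                       # x86 for a 32-bit kernel
    printf 'Linux%s%s\n' "$(printf '%s' "$base" | tr '.' '_')" "$arch"
}

# Fix for the modpost "missing MODULE_LICENSE()" error shown above; appends the
# line only if absent, so running the script twice does not duplicate it.
ensure_module_license() {
    grep -q 'MODULE_LICENSE' "$1" || printf '\nMODULE_LICENSE("GPL");\n' >> "$1"
}

# Build module.o against the running kernel, dump its DWARF and zip it with
# System.map, exactly as the manual steps above do.
build_vol2_profile() {
    zipname=$1                           # e.g. Ubuntu64-4.15.0.106.zip
    rel=$(uname -r)
    cd "$VOL2_DIR/tools/linux"
    ensure_module_license module.c
    make -C "/lib/modules/$rel/build" CONFIG_DEBUG_INFO=y M="$PWD" modules
    dwarfdump -di ./module.o > module.dwarf
    [ -s module.dwarf ] || { echo "empty module.dwarf: module.o built without debug info?" >&2; return 1; }
    # System.map is root-only readable on Ubuntu, hence sudo for the zip step.
    sudo zip "$zipname" module.dwarf "/boot/System.map-$rel"
    cp "$zipname" "$VOL2_DIR/volatility/plugins/overlays/linux/"
    name=$(vol2_profile_name "$zipname")
    echo "profile installed; use --profile=$name"
    python "$VOL2_DIR/vol.py" --info | grep -F "$name"
}

# Usage: sh build_vol2_profile.sh Ubuntu64-4.15.0.106.zip
if [ $# -eq 1 ]; then build_vol2_profile "$1"; fi
```

Name the zip after the distribution and kernel version as the page does; the underscores in the resulting profile name are produced by Volatility 2, so the zip itself keeps the dots.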
