
Build Custom Linux Profile for Volatility

Build the Volatility profile on a separate build system that has the same kernel version installed, never on the compromised system itself. If you can spin up a virtual machine from a virtual disk, backup or snapshot of the compromised host, or provision a virtual machine with the same kernel, that is ideal.
In addition, if the compromised EC2 instance was built from a standard AMI, provision a new instance from the same AMI and install the debug kernel there.
Identifying potential kernel candidates and building a specific kernel
You may be in a situation where you have a memory dump but are given no information about the system it came from: no release/build information, no kernel version, etc.
Using the banners plugin in Volatility 3, it is possible to identify candidate kernels and use that information to build a symbol table.
$ python3 vol.py -f evidence.mem banners
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
Offset Banner
0x738001a0 Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
0x73975d40 Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
Using this information, deploy an Ubuntu 22.04 virtual machine and use it as the base for the profile. Install the corresponding kernel, reboot into it, and verify the running kernel matches the banner.
$ sudo apt update; sudo apt install linux-image-6.2.0-36-generic
$ sudo shutdown -r now
user@ubuntu:~$ uname -a
Linux ubuntu 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
We need to install the corresponding debug symbols for our kernel. We'll add an additional repository, update, and install the appropriate debug symbols.
$ sudo nano /etc/apt/sources.list.d/ddebs.list
deb http://ddebs.ubuntu.com xxxxx main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-proposed main restricted universe multiverse
(replace xxxxx with your release codename from 'lsb_release -cs', i.e. focal, trusty, etc.; jammy for the Ubuntu 22.04 example above)
$ wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -
$ sudo apt update
$ sudo apt install linux-image-6.2.0-36-generic-dbgsym
$ sudo shutdown -r now
Now we need to create a symbol table (profile) from the debug kernel using dwarf2json.
$ git clone https://github.com/volatilityfoundation/dwarf2json.git
$ cd dwarf2json
$ go build
(if required; otherwise copy a precompiled executable)
$ sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-6.2.0-36-generic --system-map /boot/System.map-6.2.0-36-generic > Ubuntu22.04-6.2.0-36-generic.json
The above command should complete successfully. Move the new symbol table to your Volatility3 directory, and run isfinfo to ensure it's registered/cached correctly.
$ mv Ubuntu22.04-6.2.0-36-generic.json /path/to/volatility3/symbols/linux
$ python3 vol.py isfinfo
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
URI Valid Number of base_types Number of types Number of symbols Number of enums Identifying information
<snip>
file:///home/user/volatility3/symbols/linux/Ubuntu22.04-6.2.0-36-generic.json True (cached) 19 12930 263277 2285 b'Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)\n\x00'
Test your symbol table against your memory dump to ensure it is functioning correctly. If the banner in the dump does not match the banner stored in the symbol table, Volatility 3 will not select it and the plugin will fail to find a valid layer.
$ python3 vol.py -f evidence.mem linux.pslist
Volatility 3 Framework 2.4.2
Progress: 100.00 Stacking attempts finished
OFFSET (V) PID TID PPID COMM
0x99f7802a1980 1 1 0 systemd
0x99f7802a3300 2 2 0 kthreadd
0x99f7802a6600 3 3 2 rcu_gp
0x99f7802a0000 4 4 2 rcu_par_gp
0x99f7802a4c80 5 5 2 slub_flushwq
0x99f7802b9980 6 6 2 netns
0x99f7802be600 8 8 2 kworker/0:0H
0x99f7802bcc80 10 10 2 mm_percpu_wq
0x99f78033b300 11 11 2 rcu_tasks_kthre
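The steps above repeat for every new banner, so here is a small POSIX shell helper, added as an example and not part of the original page, that takes a `vol.py banners` line, extracts the kernel release and Ubuntu version, and prints the ddebs entries, install and dwarf2json commands filled in for that kernel. The banner below is a constructed sample in the same shape as the page's output; the release-to-codename map covers only the LTS releases listed.

```shell
#!/bin/sh
# Constructed sample banner, same shape as the `vol.py banners` output above.
SAMPLE_BANNER='Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)'

# Kernel release string is the third whitespace-separated field ("Linux version X").
kernel_release() {
  printf '%s\n' "$1" | awk '{ print $3 }'
}

# Ubuntu release number comes from the "#37~22.04.1-Ubuntu" build tag.
ubuntu_version() {
  printf '%s\n' "$1" | sed -n 's/.*#[0-9]*~\([0-9][0-9]\.[0-9][0-9]\)[^ ]*-Ubuntu.*/\1/p'
}

# ddebs.ubuntu.com wants the codename, so map the release number to it.
ubuntu_codename() {
  case "$1" in
    18.04) echo bionic ;;
    20.04) echo focal ;;
    22.04) echo jammy ;;
    24.04) echo noble ;;
    *) echo "unknown Ubuntu release: $1" >&2; return 1 ;;
  esac
}

# Print the page's commands with the kernel release and codename filled in.
build_steps() {
  rel=$(kernel_release "$1")
  ver=$(ubuntu_version "$1")
  code=$(ubuntu_codename "$ver") || return 1
  cat <<EOF
deb http://ddebs.ubuntu.com ${code} main restricted universe multiverse
deb http://ddebs.ubuntu.com ${code}-updates main restricted universe multiverse
sudo apt update
sudo apt install linux-image-${rel} linux-image-${rel}-dbgsym
sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-${rel} --system-map /boot/System.map-${rel} > Ubuntu${ver}-${rel}.json
EOF
}

build_steps "$SAMPLE_BANNER"
```

Paste a real banner line in place of SAMPLE_BANNER and run the printed commands on the build VM; the output file name matches the one used in the walkthrough above.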
Using dwarf2json to build kernel profiles for Volatility 3
For an Amazon Linux EC2 instance (kernel 6.1.34-59.116.amzn2023.x86_64)
$ sudo su
$ sudo yum update -y
$ sudo yum --enablerepo='*debuginfo' install kernel-debuginfo-$(uname -r)
$ mkdir /home/ec2-user/volatility3
$ sudo cp /boot/System.map-6.1* /home/ec2-user/volatility3
$ sudo cp /usr/lib/debug/lib/modules/6.1.34-59.116.amzn2023.x86_64/vmlinux /home/ec2-user/volatility3
(grab a precompiled dwarf2json from this repo: https://github.com/kevthehermit/volatility_symbols)
$ wget https://github.com/kevthehermit/volatility_symbols/raw/main/dwarf2json
$ chmod +x dwarf2json
$ ./dwarf2json linux --system-map /path/to/System.map-6.1.34-59.116.amzn2023.x86_64 --elf /path/to/vmlinux > your-name-for-kernel.json
$ cp /path/to/your-name-for-kernel.json /path/to/volatility3/volatility3/symbols/linux
$ python3 vol.py isfinfo
(check that the new profile is registered)
$ python3 vol.py -f ec2mem.mem banners
$ python3 vol.py -f ec2mem.mem linux.pslist
The following is the original procedure for Volatility 2, which uses dwarfdump to build an Ubuntu kernel profile.
Download or git clone Volatility 2, then build the module against the running kernel's headers.
$ cd volatility/tools/linux
$ uname -r
4.15.0-106-generic
$ sudo make -C /lib/modules/4.15.0-106-generic/build/ CONFIG_DEBUG_INFO=y M=$PWD modules
If you receive an error similar to the following, you need to modify module.c:
ERROR: modpost: missing MODULE_LICENSE() in /home/USER/volatility/tools/linux/module.o
$ nano module.c
Add the following line to the end of the file, exactly as it appears:
MODULE_LICENSE("GPL");
If dwarfdump isn't installed, install it, then dump the DWARF info from the module and zip it together with the System.map:
$ sudo apt install dwarfdump
$ dwarfdump -di ./module.o > module.dwarf
$ sudo zip Ubuntu64-4.15.0.106.zip module.dwarf /boot/System.map-4.15.0-106-generic
Move the Linux profile to the Volatility overlays directory.
$ cp Ubuntu64-4.15.0.106.zip /path/to/volatility/plugins/overlays/linux/
Test that Volatility 2 lists the new profile:
$ python vol.py --info | grep Linux
Test Volatility 2 with the profile against the memory dump:
$ python vol.py -f /mnt/volatility/DF/vm-dump.mem --profile=LinuxUbuntu64-4_15_0_106x64 linux_pslist