Build the Volatility profile for a compromised system on a separate machine that has the same kernel version installed, never on the compromised system itself. If you can spin up a virtual machine from a virtual disk, backup or snapshot, or provision a virtual machine using the same kernel, that is ideal.
In addition to the above, if your EC2 instance is built on a standard AMI, just provision a new instance using the same AMI and install the debug kernel.
Identifying potential kernel candidates and building a specific kernel
You may be in a situation where you have a memory dump, but aren't provided with information about which system it came from, release/build information, kernel information etc.
Using the banners plugin in Volatility3, it's possible to identify potential candidates to assist with building a symbol table.
$ python3 vol.py -f evidence.mem banners
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
Offset Banner
0x738001a0 Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
0x73975d40 Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
Using this information, deploy an Ubuntu 22.04 virtual machine and use it as a base for our profile.
Install the corresponding kernel. Reboot. Verify the kernel is installed.
user@ubuntu:~$ uname -a
Linux ubuntu 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
We need to install the corresponding debug symbols for our kernel. We'll add an additional repository, update, and install the appropriate debug symbols.
$ sudo nano /etc/apt/sources.list.d/ddebs.list
deb http://ddebs.ubuntu.com xxxxx main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-proposed main restricted universe multiverse
(replace xxxxx with your release codename from 'lsb_release -cs', e.g. focal, trusty, etc.)
wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -
$ sudo apt update
$ sudo apt install linux-image-6.2.0-36-generic-dbgsym
$ sudo shutdown -r now
Now we need to create a symbol table/profile using dwarf2json.
$ git clone https://github.com/volatilityfoundation/dwarf2json.git
$ cd dwarf2json
$ go build
(if required, or copy precompiled executable)
$ sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-6.2.0-36-generic --system-map /boot/System.map-6.2.0-36-generic > Ubuntu22.04-6.2.0-36-generic.json
The above command should complete successfully. Move the new symbol table to your Volatility3 directory, and run isfinfo to ensure it's registered/cached correctly.
$ mv Ubuntu22.04-6.2.0-36-generic.json /path/to/volatility3/symbols/linux
$ python3 vol.py isfinfo
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
URI Valid Number of base_types Number of types Number of symbols Number of enums Identifying information
<snip>
file:///home/user/volatility3/symbols/linux/Ubuntu22.04-6.2.0-36-generic.json True (cached) 19 12930 263277 2285 b'Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)\n\x00'
Test your symbol table with your memory dump to ensure it's functioning correctly
Using dwarf2json to build kernel profiles for Volatility3
For an Amazon Linux EC2 instance (6.1.34-59.116.amzn2023.x86_64)
$ sudo su
$ sudo yum update -y
$ sudo yum --enablerepo='*debuginfo' install kernel-debuginfo-$(uname -r)
$ mkdir /home/ec2-user/volatility3
$ sudo cp /boot/System.map-6.1* /home/ec2-user/volatility3
$ sudo cp /usr/lib/debug/lib/modules/6.1.34-59.116.amzn2023.x86_64/vmlinux /home/ec2-user/volatility3
(grab precompiled version of dwarf2json from this repo https://github.com/kevthehermit/volatility_symbols)
$ wget https://github.com/kevthehermit/volatility_symbols/raw/main/dwarf2json
$ chmod +x dwarf2json
$ ./dwarf2json linux --system-map /path/to/System.map-6.1.34-59.116.amzn2023.x86_64 --elf /path/to/vmlinux > your-name-for-kernel.json
$ cp /path/to/your-name-for-kernel.json /path/to/volatility3/volatility3/symbols/linux
$ python3 vol.py isfinfo
(check that the new profile is registered)
$ python3 vol.py -f ec2mem.mem banners
$ python3 vol.py -f ec2mem.mem linux.pslist
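The helper script below is an added example, not part of the original notes, of dwarf2json or of Volatility. It serves both the Ubuntu recipe above (banners, ddebs.list, the -dbgsym package) and the Amazon Linux recipe just given (kernel-debuginfo): it parses a line printed by the banners plugin into the kernel release and a distro hint, produces the ddebs.list lines and the debug package name the two recipes install, and checks that the debug vmlinux you are about to hand to dwarf2json embeds the same banner as the dump, which is the cheapest way to catch a version mismatch before generating symbols. The Ubuntu sample banner is copied from the dump output shown above; the Amazon Linux banner, the build host names and the codename table are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes, dwarf2json or Volatility): turn a line
# from `vol.py -f <dump> banners` into what the Ubuntu and Amazon Linux recipes need,
# and check that a debug vmlinux carries the same banner as the dump.

# Constructed samples. The Ubuntu banner is copied from the dump output in the notes;
# the Amazon Linux banner is made up to match the release named in the heading.
UBUNTU_BANNER='Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)'
AMZN_BANNER='Linux version 6.1.34-59.116.amzn2023.x86_64 (mockbuild@example) (gcc (GCC) 11.3.1) #1 SMP PREEMPT_DYNAMIC Thu Jun 22 18:47:56 UTC 2023'

# Kernel release, i.e. what `uname -r` prints on the matching machine.
banner_release() {
    printf '%s\n' "$1" | sed -n 's/^Linux version \([^ ]*\) .*/\1/p'
}

# Distro hint from the banner: Ubuntu release number ("22.04"), Amazon Linux
# tag ("amzn2023"), or "unknown" when neither marker is present.
banner_distro() {
    case "$1" in
        *-Ubuntu*) printf '%s\n' "$1" | sed -n 's/.*~\([0-9][0-9]*\.[0-9][0-9]*\)\.[0-9]*-Ubuntu.*/\1/p' ;;
        *.amzn*)   printf '%s\n' "$1" | sed -n 's/.*\.\(amzn[0-9]*\)\..*/\1/p' ;;
        *)         echo unknown ;;
    esac
}

# Codename for ddebs.list (the notes take it from `lsb_release -cs` on the build
# box; this assumed table covers the common LTS releases). Returns 1 if unknown.
ubuntu_codename() {
    case "$1" in
        18.04) echo bionic ;;
        20.04) echo focal ;;
        22.04) echo jammy ;;
        24.04) echo noble ;;
        *) return 1 ;;
    esac
}

# The three ddebs.ubuntu.com lines from the notes with the codename filled in.
ddebs_sources() {
    for suite in "$1" "$1-updates" "$1-proposed"; do
        printf 'deb http://ddebs.ubuntu.com %s main restricted universe multiverse\n' "$suite"
    done
}

# Debug-symbol package to install, following the two recipes above.
debug_package() {
    rel=$(banner_release "$1")
    case "$(banner_distro "$1")" in
        amzn*) echo "kernel-debuginfo-$rel" ;;
        *)     echo "linux-image-$rel-dbgsym" ;;
    esac
}

# Does the file (normally the debug vmlinux) contain the dump's banner verbatim?
# The kernel embeds this exact string, so a miss means the symbols generated
# from this vmlinux will not match the dump.
vmlinux_matches_banner() {
    grep -a -F -q -- "$1" "$2"
}

# Stand-alone run: show what each recipe would need for the two sample banners.
for b in "$UBUNTU_BANNER" "$AMZN_BANNER"; do
    echo "release: $(banner_release "$b")  distro: $(banner_distro "$b")  package: $(debug_package "$b")"
done
```

In practice you would run `vmlinux_matches_banner "<banner from the dump>" /usr/lib/debug/boot/vmlinux-<release>` (Ubuntu) or against the vmlinux copied out of /usr/lib/debug/lib/modules/ (Amazon Linux) right after installing the debug package, and only then run dwarf2json.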
The following is the original note for Volatility 2, which used dwarfdump to build an Ubuntu kernel profile.
Download or git clone Volatility 2
$ cd volatility/tools/linux
$ uname -r
4.15.0-106-generic
$ sudo make -C /lib/modules/4.15.0-106-generic/build/ CONFIG_DEBUG_INFO=y M=$PWD modules
If you receive an error similar to the following, you need to modify module.c
ERROR: modpost: missing MODULE_LICENSE() in /home/USER/volatility/tools/linux/module.o
$ nano module.c
add the following line to the end of the file, exactly as it appears
MODULE_LICENSE("GPL");