volatilityfoundation / volatility

An advanced memory forensics framework

Home Page: http://volatilityfoundation.org/

License: GNU General Public License v2.0

Makefile 0.01% Python 99.56% HTML 0.01% C 0.42%
python malware volatility-framework memory ram

volatility's People

Contributors

ant1, atcuno, atoptsoglou, awalters, bconstanzo, blschatz, bneuburg, bridgeythegeek, cyli, dennisieur, f-s-p, gleeda, ikelos, imhlv2, iquaba, kost, ladipro, mattura, mifrazmurthaja, moyix, mutedmouse, nolaforensix, pagabuc, regala, robbyfux, superponible, takahiroharuyama, toconnor, williamshowalter, wroersma

volatility's Issues

Linux - unify apihooks

Unify georg's got/plt detection code with inline hook detection and make it all use Volatility's Elf parsers

handles backtrace

Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "volatility/volatility/plugins/handles.py", line 67, in render_text
    self.table_row(outfd, offset, pid, handle.HandleValue, handle.GrantedAccess, object_type, name)
  File "volatility/volatility/commands.py", line 217, in table_row
    result = self._elide(("{0:" + spec.to_string() + "}").format(args[index]), spec.minwidth)
UnicodeEncodeError: 'ascii' codec can't encode character u'\ufffd' in position 0: ordinal not in range(128)

Linux - linux_dentry_cache

fix bug when the slab says it has no objects (this is likely an acquisition issue, but was seen in a sample)

cachedump

running cachedump
SampleRepository/crash/Win2008SP1x64/Win2K8SP1x64.dmp
Volatility Foundation Volatility Framework 2.4 (Beta)
Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main()
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 103, in execute
    data = self.calculate()
  File "volatility/volatility/plugins/registry/lsadump.py", line 142, in calculate
    hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
  File "volatility/volatility/win32/domcachedump.py", line 135, in dump_memory_hashes
    hashes = dump_hashes(addr_space, sysaddr, secaddr)
  File "volatility/volatility/win32/domcachedump.py", line 93, in dump_hashes
    nlkm = get_nlkm(addr_space, secaddr, lsakey)
  File "volatility/volatility/win32/domcachedump.py", line 39, in get_nlkm
    return lsasecrets.get_secret_by_name(addr_space, secaddr, 'NL$KM', lsakey)
  File "volatility/volatility/win32/lsasecrets.py", line 139, in get_secret_by_name
    return decrypt_secret(secret, lsakey)
  File "volatility/volatility/win32/lsasecrets.py", line 108, in decrypt_secret
    decrypted_data += des.decrypt(enc_block)
ValueError: Input strings must be a multiple of 8 in length

Fix crash from golden in linux_check_inline_kernel

bigjoe:volatility_2.4 golden$ python vol.py --profile=Linux2_6_32x86 -f /Volumes/PATRIOT/IMAGES/kbeast.lime linux_check_inline_kernel
Volatility Foundation Volatility Framework 2.4 (Beta)
Name Member Hook Type Hook Address


Traceback (most recent call last):
  File "vol.py", line 183, in <module>
    main()
  File "vol.py", line 174, in main
    command.execute()
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/common.py", line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/golden/Work/volatility_2.4/volatility/commands.py", line 121, in execute
    func(outfd, data)
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/check_inline_kernel.py", line 300, in render_text
    for (sym_name, member, hook_type, sym_addr) in data:
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/check_inline_kernel.py", line 290, in calculate
    for hook_info in func(modules):
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/check_inline_kernel.py", line 257, in _check_inetsw
    for inet in inet_list.list_of_type("inet_protosw", "list"):
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/overlays/linux/linux.py", line 544, in list_of_type
    offset = self.obj_vm.profile.get_obj_offset(obj_type, member)
  File "/Users/golden/Work/volatility_2.4/volatility/obj.py", line 998, in get_obj_offset
    tmp = self._get_dummy_obj(name)
  File "/Users/golden/Work/volatility_2.4/volatility/obj.py", line 989, in _get_dummy_obj
    tmp = self.types[name](offset = 0, name = name, vm = dummy(), parent = None)
KeyError: 'inet_protosw'

QEMU dumps --dtb required, dtbscan fails

The first LOAD (memory run) for QEMU on small mem systems is less than 5 MB, which is constants.SCAN_BLOCKSIZE. Thus in VolatilityDTB, the self.obj_vm.read(offset, constants.SCAN_BLOCKSIZE) fails because 5 MB of contiguous data cannot be read.
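The failure mode described above, as an added example that is not Volatility's own code: a constructed run-based address space whose reads must be satisfied from a single run, a naive scan that reads one full block at the start of each run (and fails on the short first run), and a scan loop that clips every read to the bytes remaining in the run. The 5 MB block size is taken from the issue text and treated as 5 MiB; the run layout in demo_space() is constructed sample data, and the class and function names are this example's own.

```python
"""Scanning a segmented dump whose first run is smaller than the block size."""

MiB = 1024 * 1024
SCAN_BLOCKSIZE = 5 * MiB   # the 5 MB block size quoted in the issue, assumed to mean MiB


class RunAddressSpace:
    """Constructed stand-in for a dump made of (start, length) memory runs,
    like the LOAD segments of an ELF core. Bytes outside a run do not exist."""

    def __init__(self, runs):
        self.runs = sorted(runs)

    def run_for(self, offset):
        for start, length in self.runs:
            if start <= offset < start + length:
                return start, length
        return None

    def read(self, offset, length):
        # A read must be satisfied from one run; a block that overruns the
        # end of the run fails, which is what dtbscan hits on a small first
        # LOAD segment.
        run = self.run_for(offset)
        if run is None or offset + length > run[0] + run[1]:
            return None
        return b"\x00" * length   # contents are irrelevant for this demo


def demo_space():
    """Constructed layout: a 4 MiB first run (smaller than SCAN_BLOCKSIZE)
    followed by a 12 MiB run starting at 8 MiB."""
    return RunAddressSpace([(0, 4 * MiB), (8 * MiB, 12 * MiB)])


def naive_blocks(space, blocksize=SCAN_BLOCKSIZE):
    """Read one full block at the start of each run and report whether each
    read succeeded. The short first run fails."""
    return [space.read(start, blocksize) is not None for start, _ in space.runs]


def clipped_blocks(space, blocksize=SCAN_BLOCKSIZE):
    """Walk every run in blocks no larger than the bytes left in that run,
    so short runs are scanned instead of skipped. Returns (offset, size)."""
    out = []
    for start, length in space.runs:
        offset = start
        while offset < start + length:
            size = min(blocksize, start + length - offset)
            data = space.read(offset, size)
            assert data is not None   # always inside one run by construction
            out.append((offset, len(data)))
            offset += size
    return out


if __name__ == "__main__":
    space = demo_space()
    print("naive:", naive_blocks(space))
    print("clipped:", clipped_blocks(space))
```

The scan in clipped_blocks never asks the address space for more than the current run holds, which is the property the DTB scanner needs regardless of where the run boundaries fall.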

backtrace in linux_dentry_cache

ABOVE: The linux_dentry plugin has some issues (like linux_recover_filesystem). I’ve reported them to Andrew and he has filed a bug report. The issues occur on a memory dump that the Volatility team members have, so we can go from there. Here’s the crash:

bigjoe:volatility_2.4 golden$ python vol.py --profile=Linux3_2_x86_newx86 -f ../voltrunk/after.p2.lime linux_dentry_cache

[snip]
[snip]
0|random|1032|0|0|0|0|4128146364|4128146372|0|4128146380
0|full|1031|0|0|0|0|4128146732|4128146740|0|4128146748
0|zero|1030|0|0|0|0|4128147100|4128147108|0|4128147116
0|port|1029|0|0|15|0|4128147468|4128147476|0|4128147484
0|null|1028|0|0|0|0|4128147836|4128147844|0|4128147852
0|mem|1027|0|0|15|0|4128148204|4128148212|0|4128148220
0|vga_arbiter|1026|0|0|0|0|4128148572|4128148580|0|4128148588
0||1025|0|0|0|3280|4128148940|4128148948|0|4128148956
Traceback (most recent call last):
  File "vol.py", line 183, in <module>
    main()
  File "vol.py", line 174, in main
    command.execute()
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/common.py", line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/golden/Work/volatility_2.4/volatility/commands.py", line 121, in execute
    func(outfd, data)
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/dentry_cache.py", line 71, in render_text
    for bodyline in data:
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/dentry_cache.py", line 66, in calculate
    for dentry in cache:
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/slab_info.py", line 100, in iter
    unallocated[i] = 1
IndexError: list assignment index out of range

backtrace w/ldrmodules

on SampleRepository/crash/VistaSP2x86/VistaSP2x86.dmp

    1792 msdtc.exe            0x74aa0000 True   True   True  \Windows\System32\oleacc.dll
    1792 msdtc.exe            0x750b0000 True   True   True  \Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
    1792 msdtc.exe            0x75f40000 True   True   True  \Windows\System32\netapi32.dll
    1792 msdtc.exe            0x748d0000 True   True   True  \Windows\System32\atl.dll
    1792 msdtc.exe            0x746e0000 True   True   True  \Windows\System32\ktmw32.dll
Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main() 
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "volatility/volatility/plugins/malware/malfind.py", line 424, in render_text
    for vad, address_space in task.get_vads(vad_filter = task._mapped_file_filter):
  File "volatility/volatility/plugins/overlays/windows/windows.py", line 483, in get_vads
    for vad in self.VadRoot.traverse():
  File "volatility/volatility/plugins/overlays/windows/vad_vtypes.py", line 240, in traverse
    for c in self.cast("_MMADDRESS_NODE").traverse():
  File "volatility/volatility/plugins/overlays/windows/vad_vtypes.py", line 71, in traverse
    for c in self.RightChild.traverse(visited = visited, depth = depth + 1):
  File "volatility/volatility/plugins/overlays/windows/vad_vtypes.py", line 71, in traverse
    for c in self.RightChild.traverse(visited = visited, depth = depth + 1):
  File "volatility/volatility/plugins/overlays/windows/vad_vtypes.py", line 71, in traverse
    for c in self.RightChild.traverse(visited = visited, depth = depth + 1):
  File "volatility/volatility/plugins/overlays/windows/vad_vtypes.py", line 71, in traverse
[snip]

ssdt crash on Win8SP0x64

ssdt SampleRepository/raw/Win8SP0x64/Windows 8 x64-cc355792.vmem
Volatility Foundation Volatility Framework 2.4 (Beta)
Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main()
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "volatility/volatility/plugins/ssdt.py", line 185, in render_text
    for idx, table, n, vm, mods, mod_addrs in data:
  File "volatility/volatility/plugins/ssdt.py", line 146, in calculate
    ntos = list(modules.lsmod(addr_space))[0]
IndexError: list index out of range

linux profile generation on ubuntu

$ uname -a
Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:15:33 UTC 2013 i686 i686 i386 GNU/Linux

$ make
make -C //lib/modules/3.5.0-23-generic/build CONFIG_DEBUG_INFO=y M=/home/vol/Desktop/volatility_2.4/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-3.5.0-23-generic'
  CC [M]  /home/vol/Desktop/volatility_2.4/tools/linux/module.o
/home/vol/Desktop/volatility_2.4/tools/linux/module.c:184:0: warning: "RADIX_TREE_MAX_TAGS" redefined [enabled by default]
include/linux/radix-tree.h:61:0: note: this is the location of the previous definition
/home/vol/Desktop/volatility_2.4/tools/linux/module.c:211:24: error: storage size of ‘module_sect_attrs’ isn’t known
make[2]: *** [/home/vol/Desktop/volatility_2.4/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/vol/Desktop/volatility_2.4/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-23-generic'
make: *** [dwarf] Error 2

Mac - Add support for osxpmem ELF

osxpmem now uses ELF as the default capture format. I need to create an ELF AS to handle this (or extend the existing ELF support).

Fix crash from Golden in linux_netfilter

bigjoe:volatility_2.4 golden$ python vol.py --profile=Linux2_6_32x86 -f /Volumes/PATRIOT/IMAGES/kbeast.lime linux_netfilter
Volatility Foundation Volatility Framework 2.4 (Beta)
Proto Hook Handler Is Hooked


Traceback (most recent call last):
  File "vol.py", line 183, in <module>
    main()
  File "vol.py", line 174, in main
    command.execute()
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/common.py", line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/golden/Work/volatility_2.4/volatility/commands.py", line 121, in execute
    func(outfd, data)
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/netfiler.py", line 71, in render_text
    self.table_row(outfd, proto_names[outer], hook_names[inner], hook_addr, hooked)
IndexError: list index out of range

vaddump backtrace

Volatility Foundation Volatility Framework 2.4 (Beta)
Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main()
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "volatility/volatility/plugins/vadinfo.py", line 356, in render_text
    task.ImageFileName, offset, vad_start, vad_end))
ValueError: Unknown conversion type x

[addr] and [addrpad] on PAE

copied from our email:

Basically, the [addr] and [addrpad] format specs width for 32-bit profiles is 10 (8 + 2 for the leading “0x”). This is fine when printing virtual addresses, but when you print physical addresses and the 32-bit system has PAE turned on, then there’s a chance we’ll end up with an elided address (i.e. 0x881……2). That’s because the PAE physical address size is greater than 32-bits.

We’ve been slapping together an ad-hoc change per plugin and making the [addr] something like “{0:#18x}” just to force it to 64-bit width even on 32-bit PAE/non-PAE. Is there a better way to handle this in the formatting part of the code? I can think of a few options:

Put “{0:#18x}” in the format spec and always use it regardless of the memory model or PAE/non-PAE
Pass the profile to the format spec function, so it can determine if PAE is on
Pass a parameter to the format spec function like physical = True, in which case it will use “{0:#18x}”
Mike's reply is "is to just change addr/addrpad to the PAE maximum no matter what the space. I know there's already code present to determine whether to do 64-bit addresses or 32-bit, so if you could stash the maximum space size into the address space metadata, that should work too, I believe?"

linux_volshell set_context broken

prob due to gleeda's recent change

$ python vol.py --profile=Linuxubuntux86 -f ~/Desktop/mem.lime.after2 linux_volshell
Volatility Foundation Volatility Framework 2.4 (Beta)
Current context: process init, pid=1 DTB=0x355f3000
Welcome to volshell! Current memory image is:
file:///home/vol/Desktop/mem.lime.after2
To get help, type 'hh()'

cc(pid = 5724)
Traceback (most recent call last):
  File "", line 1, in <module>
  File "/home/vol/Desktop/volatility-master/volatility/plugins/volshell.py", line 179, in cc
    self.set_context(offset = offset, pid = pid, name = name, physical = physical)
TypeError: set_context() got an unexpected keyword argument 'physical'

speeding up svcscan --verbose mode

currently the code is not very efficient when printing out service DLLs. This is because we are querying for running services and then querying for their appropriate registry key one at a time (currentcontrolset\services\[SERVICE]\Parameters). This is fine if there are only a few services higher up in the alphabet, however since enumerating registry subkeys is an O(N) operation (for each key traversed) we get something like the following when choosing this method:

1 + 2 + 3 + 4 + ... + n

or n(n-1) / 2, which is pretty much n^2/2... (and in this case, because there are other paths that must be traversed, such as the paths to currentcontrolset and the path to services and also the path to parameters (each of which is roughly some m^2/2), so it's more than O(N^2) which is very slow...) You notice this especially when you get to services that start with letters towards the end of the alphabet. You can see this yourself when you run with --verbose that at first it will be very quick and then eventually it will slog down.

A better approach would be to get the service dlls ahead of time in a dictionary or something and then access them as needed.

For one sample you can see the speedup:

Before time (old method):

real 20m50.846s
user 16m38.999s
sys 3m41.336s

After fix:

real 1m28.326s
user 0m51.323s
sys 0m12.399s

I'll test it a bit more before committing
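The two lookup strategies compared in this issue, as an added example that is not the svcscan plugin's code: a constructed in-memory hive whose subkey lists are walked linearly (with every record touched counted), the old method that opens ...\Services\<name>\Parameters once per service, and the fix that walks the Services key once and caches every ServiceDll. The Key and Hive classes, the ControlSet001 layout and the svcNNN service names are constructed for this demo; the visit counter stands in for registry reads.

```python
"""svcscan --verbose: one registry walk per service versus one cached walk."""


class Key:
    """A registry key: a name, an ordered subkey list and a value dict."""

    def __init__(self, name, values=None):
        self.name = name
        self.subkeys = []
        self.values = dict(values or {})

    def add(self, child):
        self.subkeys.append(child)
        return child


class Hive:
    """Wraps a root key and counts every subkey record it touches."""

    def __init__(self, root):
        self.root = root
        self.visits = 0

    def subkey(self, key, name):
        # Subkey lists are scanned linearly, so a lookup costs one visit
        # per record examined until the name matches.
        for child in key.subkeys:
            self.visits += 1
            if child.name.lower() == name.lower():
                return child
        return None

    def open_path(self, path):
        key = self.root
        for part in path.split("\\"):
            key = self.subkey(key, part)
            if key is None:
                return None
        return key


def build_hive(n_services):
    """Constructed sample hive: ControlSet001\\Services\\svcNNN\\Parameters,
    each Parameters key carrying a ServiceDll value."""
    root = Key("ROOT")
    services = root.add(Key("ControlSet001")).add(Key("Services"))
    names = ["svc{0:03d}".format(i) for i in range(n_services)]
    for name in names:
        svc = services.add(Key(name))
        svc.add(Key("Parameters", {"ServiceDll": "%SystemRoot%\\System32\\" + name + ".dll"}))
    return Hive(root), names


def service_dlls_per_service(hive, names):
    """Old method: a full path lookup for every running service, so the
    Services subkey list is rescanned from the top each time."""
    result = {}
    for name in names:
        params = hive.open_path("ControlSet001\\Services\\" + name + "\\Parameters")
        if params is not None:
            result[name] = params.values.get("ServiceDll")
    return result


def service_dlls_cached(hive):
    """Fix: open Services once, read each service record once and keep the
    ServiceDll values in a dictionary for later lookups."""
    services = hive.open_path("ControlSet001\\Services")
    result = {}
    for svc in services.subkeys:
        hive.visits += 1            # one visit per service record read
        params = hive.subkey(svc, "Parameters")
        if params is not None:
            result[svc.name] = params.values.get("ServiceDll")
    return result


def compare(n_services):
    """Return (per-service visits, cached visits, results identical)."""
    hive, names = build_hive(n_services)
    slow = service_dlls_per_service(hive, names)
    slow_visits = hive.visits
    hive.visits = 0
    fast = service_dlls_cached(hive)
    return slow_visits, hive.visits, slow == fast


if __name__ == "__main__":
    print(compare(200))
```

With n services the per-service method touches 4n + n(n-1)/2 records (the three constant path components and the Parameters key per service, plus the triangular rescan of the Services list), while the cached walk touches 2 + 2n; the ratio grows with n, which is why --verbose slows down as it reaches services later in the alphabet.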

Mac plugin issues 10.9.3

  • mac_dump_maps

Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/mac/dump_map.py", line 56, in render_text
    if map_address and map_address != map.links.start:
UnboundLocalError: local variable 'map_address' referenced before assignment

  • mac_bash - didn’t get bash history

  • mac_ldrmodules

WARNING : volatility.obj : Cant find object dyld_all_image_infos in profile -?
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/mac/ldrmodules.py", line 88, in render_text
    for task_offset, task, proc_as, vm_start, map_name, proc_maps, dl_maps in data:
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/mac/ldrmodules.py", line 61, in calculate
    for so in task.get_dyld_maps():
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/overlays/mac/mac.py", line 374, in get_dyld_maps
    info_arr = obj.Object(theType="Array", targetType="dyld_image_info", offset=infos.infoArray, count=infos.infoArrayCount, vm=proc_as)
AttributeError: 'NoneType' object has no attribute 'infoArray'

  • mac_socket_filters

Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/Users/richard/Desktop/Volatility/volatility-master/volatility/plugins/mac/socket_filters.py", line 80, in render_text
    for (good, filter, filter_name, filter_socket, member, ptr) in data:
ValueError: too many values to unpack

cachedump: unicode errors

Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main()
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 103, in execute
    data = self.calculate()
  File "volatility/volatility/plugins/registry/lsadump.py", line 143, in calculate
    hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
  File "volatility/volatility/win32/domcachedump.py", line 135, in dump_memory_hashes
    hashes = dump_hashes(addr_space, sysaddr, secaddr)
  File "volatility/volatility/win32/domcachedump.py", line 124, in dump_hashes
    domain_len, domain_name_len)
  File "volatility/volatility/win32/domcachedump.py", line 76, in parse_decrypted_cache
    username = username.decode('utf-16-le')
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/encodings/utf_16_le.py", line 16, in decode
    return codecs.utf_16_le_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode bytes in position 0-1: illegal encoding

and

Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main()
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 103, in execute
    data = self.calculate()
  File "volatility/volatility/plugins/registry/lsadump.py", line 143, in calculate
    hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
  File "volatility/volatility/win32/domcachedump.py", line 143, in dump_memory_hashes
    d.lower(), dn.lower()))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-12: ordinal not in range(128)

INVALID EI_CLASS: -1 on linux_library_list

This is what I get on Ubuntu. No output except 'INVALID EI_CLASS: -1' at all on Mandriva and OpenSuse.

$ python vol.py --profile=LinuxUbuntux64 -f ~/Desktop/Storage/memory/Linux/ubuntu1204/ubuntu.lime linux_library_list
Volatility Foundation Volatility Framework 2.3.1
WARNING : volatility.obj      : Overlay structure tty_struct not present in vtypes
WARNING : volatility.obj      : Overlay structure tty_struct not present in vtypes
Task             Pid      Load Address       Path
---------------- -------- ------------------ ----
udevd                 412 0x00007f643e6d9000 /lib/x86_64-linux-gnu/libdl.so.2
udevd                 412 0x00007f643f0c1000 /lib64/ld-linux-x86-64.so.2
udevd                 412 0x00007f643e4bc000 /lib/x86_64-linux-gnu/libpthread.so.0
udevd                 412 0x00007f643e2b3000 /lib/x86_64-linux-gnu/libnss_compat.so.2
udevd                 412 0x00007f643e099000 /lib/x86_64-linux-gnu/libnsl.so.1
udevd                 412 0x00007f643de8d000 /lib/x86_64-linux-gnu/libnss_nis.so.2
udevd                 412 0x00007f643dc80000 /lib/x86_64-linux-gnu/libnss_files.so.2
rsyslogd              792 0x00007f9ca58e0000 /lib/x86_64-linux-gnu/libdl.so.2
rsyslogd              792 0x00007f9ca56d8000 /lib/x86_64-linux-gnu/librt.so.1
rsyslogd              792 0x00007f9ca531b000 /lib/x86_64-linux-gnu/libc.so.6
rsyslogd              792 0x00007f9ca5f18000 /lib64/ld-linux-x86-64.so.2
rsyslogd              792 0x00007f9ca5115000 /usr/lib/rsyslog/lmnet.so
rsyslogd              792 0x00007f9ca4f08000 /lib/x86_64-linux-gnu/libnss_files.so.2
rsyslogd              792 0x00007f9ca4cb3000 /usr/lib/rsyslog/imuxsock.so
rsyslogd              792 0x00007f9ca4aab000 /usr/lib/rsyslog/imklog.so
rsyslogd              792 0x00007f9ca48a2000 /lib/x86_64-linux-gnu/libnss_compat.so.2
rsyslogd              792 0x00007f9ca4688000 /lib/x86_64-linux-gnu/libnsl.so.1
rsyslogd              792 0x00007f9ca447c000 /lib/x86_64-linux-gnu/libnss_nis.so.2
INVALID EI_CLASS: -1

backtrace in linux_recover_filesystem

ABOVE: Also, the linux_recover_filesystem plugin still has some issues, probably triggered by busted metadata in the memory dump. I’ve reported them to Andrew, we looked into it a bit, and he has filed a bug report. The issues occur on a memory dump that the Volatility team members have, so we can go from there. Here’s the crash:

bigjoe:volatility_2.4 golden$ sudo rm -rf DELETEME && mkdir DELETEME && sudo python vol.py --profile=Linux3_2_x86_newx86 -f ../voltrunk/after.p2.lime linux_recover_filesystem -D DELETEME

[snip]
[snip]

Traceback (most recent call last):
  File "vol.py", line 183, in <module>
    main()
  File "vol.py", line 174, in main
    command.execute()
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/common.py", line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/golden/Work/volatility_2.4/volatility/commands.py", line 121, in execute
    func(outfd, data)
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/recover_filesystem.py", line 103, in render_text
    for (num_files, real_bytes, total_bytes) in data:
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/recover_filesystem.py", line 95, in calculate
    self._write_file(ff, file_path, file_dentry)
  File "/Users/golden/Work/volatility_2.4/volatility/plugins/linux/recover_filesystem.py", line 64, in _write_file
    fd = open(out_path, "wb")
IOError: [Errno 21] Is a directory: 'DELETEME/root'

linux_yarascan / mac_yarascan arguments check

I wanted to scan all "truecrypt" linux processes and --name appears to be an option but it doesn't work as expected (probably same with mac). Either config.remove the option or set it up to check process names (preferable)

hashdump

running hashdump
SampleRepository/crash/Win2008SP1x64/Win2K8SP1x64.dmp
Volatility Foundation Volatility Framework 2.4 (Beta)
Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main()
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "volatility/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "volatility/volatility/plugins/registry/lsadump.py", line 113, in render_text
    for d in data:
TypeError: 'NoneType' object is not iterable

2012R2x64 psxview crash - AttributeError: Struct tagWINDOWSTATION has no member dwSessionId

Volatility Foundation Volatility Framework 2.4 (Beta)
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime

Traceback (most recent call last):
  File "vol.py", line 183, in <module>
    main()
  File "vol.py", line 174, in main
    command.execute()
  File "/root/volatility_2.4-master/volatility/commands.py", line 121, in execute
    func(outfd, data)
  File "/root/volatility_2.4-master/volatility/plugins/malware/psxview.py", line 208, in render_text
    for offset, process, ps_sources in data:
  File "/root/volatility_2.4-master/volatility/plugins/malware/psxview.py", line 183, in calculate
    ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)
  File "/root/volatility_2.4-master/volatility/plugins/malware/psxview.py", line 125, in check_desktop_thread
    for windowstation in windowstations.WndScan(self.config).calculate():
  File "/root/volatility_2.4-master/volatility/plugins/gui/windowstations.py", line 65, in calculate
    for wind in self.scan_results(addr_space):
  File "/root/volatility_2.4-master/volatility/poolscan.py", line 250, in scan
    if result.is_valid():
  File "/root/volatility_2.4-master/volatility/plugins/gui/win32k_core.py", line 315, in is_valid
    return obj.CType.is_valid(self) and self.dwSessionId < 0xFF
  File "/root/volatility_2.4-master/volatility/obj.py", line 736, in _getattr
    return self.m(attr)
  File "/root/volatility_2.4-master/volatility/obj.py", line 718, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct tagWINDOWSTATION has no member dwSessionId
