
Cannot extract files/processes from memory sample in linux #1312

Open
SolitudePy opened this issue Oct 13, 2024 · 18 comments

Comments

@SolitudePy

Is your feature request related to a problem? Please describe.
Can't extract any file or process from a memory sample with the Linux plugins.

Describe the solution you'd like
Add the plugin

Describe alternatives you've considered
none

@ikelos (Member) commented Oct 22, 2024

Your request isn't very detailed. Which files, exactly, were you hoping to extract from the memory image?

Processes can be dumped by adding the --dump parameter to the linux.pslist plugin. If you could clarify more specifically exactly which information you're after, we might have a better chance of helping...

@SolitudePy (Author)

Memory-mapped files, similar to dump_files in volatility2, and filescan to scan FILE_OBJECT in memory.

@ikelos (Member) commented Oct 23, 2024

There are a number of plugins that support the --dump parameter; for Linux this appears to be pagecache, elfs, proc and pslist. Hopefully one of those can achieve what you need, but I've also turned this into a plugin request...

@PNW-Hacker

@ikelos pagecache does not have the dump option

image

If I try and manually supply the --dump option, I get the following error

image

The file does exist within the linux dump itself (confirmation)

image

@SolitudePy (Author)

@PNW-Hacker is pagecache the equivalent of filescan in volatility2? If not, what is the alternative?

@gcmoreira (Contributor) commented Nov 11, 2024

Hi @PNW-Hacker, you have to use linux.pagecache.InodePages:

$ ./vol.py -f ./ubuntu-4.9.0-19-32bit.core linux.pagecache.InodePages --inode 0xf6fd30b0 --dump system.journal
Volatility 3 Framework 2.7.1
PageVAddr       PagePAddr       MappingAddr     Index   DumpSafe        Flags
 
0xf5e9be90      0x7bf84000      0xf6fd31a8      0       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
0xf5e9beb4      0x7bf85000      0xf6fd31a8      1       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
0xf5e9bed8      0x7bf86000      0xf6fd31a8      2       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
...
0xf5e8f944      0x7ba09000      0xf6fd31a8      646     True    dirty,lru,savepinned,swapbacked

See more examples in the PR #1233
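The InodePages table above is the thing to read before trusting a --dump of an inode: only pages that are resident in the page cache (and marked DumpSafe) carry data, so any index missing from the Index column comes back as a zero-filled hole in the written file, which is one reason a dump can look "empty". The parser below is an added example, not code from the Volatility project; it assumes 4 KiB pages and runs over a constructed sample in the shape of the output shown above (the sample's DumpSafe=False row and missing indices 3-4 are invented to exercise the checks).

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the InodePages table above (not real plugin output):
# page index 2 is marked DumpSafe=False and indices 3-4 are absent, to exercise both checks.
SAMPLE_OUTPUT = """Volatility 3 Framework 2.7.1
PageVAddr       PagePAddr       MappingAddr     Index   DumpSafe        Flags

0xf5e9be90      0x7bf84000      0xf6fd31a8      0       True    active,dirty,lru,uptodate
0xf5e9beb4      0x7bf85000      0xf6fd31a8      1       True    active,dirty,lru,uptodate
0xf5e9bed8      0x7bf86000      0xf6fd31a8      2       False   active,dirty,lru
0xf5e8f944      0x7ba09000      0xf6fd31a8      5       True    dirty,lru,swapbacked
"""

PAGE_SIZE = 4096  # assumed; use the page size of the kernel the sample came from

ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\d+)\s+(True|False)\s*(\S*)", re.I)

@dataclass(frozen=True)
class CachedPage:
    vaddr: int
    paddr: int
    mapping: int
    index: int        # file offset = index * PAGE_SIZE
    dump_safe: bool
    flags: frozenset

def parse_inode_pages(text: str) -> list[CachedPage]:
    """Parse the data rows; the banner, header and blank lines do not match and are skipped."""
    pages = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            flags = frozenset(m[6].split(",")) if m[6] else frozenset()
            pages.append(CachedPage(int(m[1], 16), int(m[2], 16), int(m[3], 16),
                                    int(m[4]), m[5].lower() == "true", flags))
    return pages

def coverage_report(pages: list[CachedPage]) -> dict:
    """Summarise what a --dump of this inode can contain: only resident, DumpSafe pages carry
    data, so every other index up to the highest cached one is a zero-filled hole."""
    present = {p.index for p in pages}
    expected = max(present) + 1 if present else 0   # lower bound; the file may be longer
    missing = sorted(set(range(expected)) - present)
    unsafe = sorted(p.index for p in pages if not p.dump_safe)
    return {"pages": len(pages), "expected": expected, "missing": missing,
            "unsafe": unsafe, "resident_bytes": len(present) * PAGE_SIZE,
            "hole_bytes": len(missing) * PAGE_SIZE}
```

Feed it the plugin's stdout (`vol.py ... linux.pagecache.InodePages --inode ... | python3 -c ...` or a saved copy); a large `missing` list means the file was only partly cached at acquisition time, not that the plugin or the ISF is broken.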

@PNW-Hacker

@SolitudePy doesn't look like there is a Linux equivalent for that specific one: https://blog.onfvp.com/post/volatility-cheatsheet/

@gcmoreira I did figure that out after some more googling, but it crashes when I try; maybe an issue with my dump?

image

@gcmoreira (Contributor) commented Nov 11, 2024

Are you using the latest dwarf2json version?

@PNW-Hacker

@SolitudePy Vol 3 has: linux.malfind.Malfind -- Lists process memory ranges that potentially contain injected code.
This would solve what the command you were asking about does
@gcmoreira I just ran a full upgrade, so am trying again

@PNW-Hacker

What I don't understand @gcmoreira is why the Files version finds it, but the Inodes one crashes

image

The other issue is that even without the dump option, the file or inode one still doesn't work.

image

It's not an instant crash; it happens during the search of the file. Meaning, in your screenshot where you have all of the column headers, I can see that (which means it's searching the dump, I think) before it crashes.

image

@PNW-Hacker

I think it's an issue with the dump. I tried a different file and, while it didn't error out, nothing is in the file that got written to the host OS.

image

@gcmoreira (Contributor) commented Nov 12, 2024

@PNW-Hacker It looks like your ISF is bad, but I would need more information.
Unfortunately, this ticket is a feature request, not a bug report ticket.
I can help you, but could you please either close this ticket and create a new bug report, or update this one with all the required information from the Bug Report template? It would make my life a lot easier ;) .. additionally:

  • dwarf2json version you used to generate the ISF along with the command line you used.
  • the generated ISF file itself
  • If possible, the linux.mem file too

@PNW-Hacker

@gcmoreira since the feature request would still be helpful, I'll create a new bug report and leave this case open (since this is @SolitudePy case)

@ikelos (Member) commented Nov 12, 2024

So what's the upshot on this bug? Is there specific functionality needed for volatility 3 that existed in volatility 2, or is it just supported in different ways? The discussion should be about the functionality, any bugs encountered with it are a separate issue. Just trying to figure out whether this can be closed off (since the feature request was quite vague about the technique for retrieving the files).

@PNW-Hacker

@ikelos I am only commenting to try and help @SolitudePy (if their concern misaligns with what I am describing, then we would need to wait for them to clarify further).

There are 2 issues that they seem to be concerned about: memory-mapped files similar to dump_files in volatility2, and filescan to scan FILE_OBJECT in memory.

Can you do memdump for linux?
https://andreafortuna.org/2017/07/10/volatility-my-own-cheatsheet-part-3-process-memory/

I see this, but it specifically calls out Windows:
https://security.stackexchange.com/questions/240041/how-to-dump-the-memory-of-a-given-process-with-volatility-3

There's filescan for vol2, but I did not see a similar command for vol3:

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#filescan

@gcmoreira (Contributor)

Hey @SolitudePy,

Is your feature request related to a problem? Please describe.
Can't extract any file or process from a memory sample with the Linux plugins.

Describe the solution you'd like
Add the plugin

From your second comment, it seems that you think such plugins don't exist, rather than you can't extract any file or process, right?

Linux

Processes:

linux.pslist.PsList --dump

ELFs:

linux.elfs.Elfs --dump

Memory maps:

linux.proc.Maps --dump

Files from the page cache:

linux.pagecache.InodePages --dump

Please, if you're not familiar with the framework and you have any questions, the best way to get assistance is by asking in our Slack channels.
https://www.volatilityfoundation.org/slack

@SolitudePy (Author)

@gcmoreira what @PNW-Hacker commented above is right.

@Axselll commented Nov 19, 2024

Hey guys, sorry to hop in. I'm new to volatility3. I was running a Go binary; after I checked with pslist I got nothing, then I checked again with psscan and got the file that I want to retrieve (offset, pid, comm, exit_state, etc.). Unfortunately the file that I want to retrieve is in exit_dead state, so is there a way to retrieve a file that is in the exit_dead state?

And also I've tried to dump everything with linux.elfs --dump, but it seems the command gives me a specific memory dump of that process, not the file itself. How can I retrieve a file, e.g. some binary file?

Update: after reading some docs I found out that I can retrieve a file with pagecache.InodePages, but when I try it, it returns nothing.

Anyone got tips/tricks?

Thanks, have a great day.
