504ensicsLabs / LiME

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
GNU General Public License v2.0

problems to load the module: operation not permitted #84

Open fpusersuggest opened 3 years ago

fpusersuggest commented 3 years ago

Hello, I have the following problem to load the module:

# insmod lime-5.4.0-54-generic.ko "format=lime path=sample.lime"
insmod: ERROR: could not insert module lime-5.4.0-54-generic.ko: Operation not permitted
# insmod ./lime-5.4.0-54-generic.ko "path=/sample.lime format=lime"
insmod: ERROR: could not insert module ./lime-5.4.0-54-generic.ko: Operation not permitted
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:        20.04
Codename:       focal

Thank you.

fpusersuggest commented 3 years ago

Looks like a new security feature of the kernel.

kd8bny commented 3 years ago

Can you upload a dmesg log after running the insmod command?

fpusersuggest commented 3 years ago

nov 29 23:58:36 mypc  sudo[47281]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
nov 29 23:58:38 mypc  sudo[47281]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
nov 29 23:58:38 mypc  sudo[47281]:      myusername : TTY=pts/5 ; PWD=/home/myusername/forensics/lime/LiME/src ; USER=root ; COMMAND=/usr/sbin/insmod lime-5.4.0-54-generic.ko path=/home/myusername/mydump.lime format=lime
nov 29 23:58:38 mypc  sudo[47281]: pam_unix(sudo:session): session opened for user root by (uid=0)
nov 29 23:58:38 mypc  sudo[47281]: pam_unix(sudo:session): session closed for user root
nov 29 23:58:38 mypc  kernel: Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7

EDIT: I'm sorry, this is from syslog; only the last line is in both syslog and dmesg.
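The kernel line above is lockdown refusing an unsigned module. The following pre-flight script is an added illustration, not part of LiME: it reads the active mode from /sys/kernel/security/lockdown and checks whether a built .ko ends with the kernel's appended-signature marker, so an examiner knows before running insmod whether the load will be refused.

```shell
#!/bin/sh
# Added example, not part of LiME: pre-flight checks before `insmod lime-*.ko`,
# so a lockdown refusal is diagnosed before the acquisition attempt.

# Extract the active mode from the contents of /sys/kernel/security/lockdown,
# which lists all modes with the active one in brackets, for example
#   "[none] integrity confidentiality"
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Succeeds if the .ko carries an appended kernel module signature: sign-file
# terminates a signed module with the 28-byte marker
# "~Module signature appended~\n"; an unsigned build ends without it.
module_is_signed() {
    tail -c 28 "$1" | grep -q '^~Module signature appended~$'
}

# Live lockdown state of this machine; kernels without lockdown support
# have no securityfs entry, which is equivalent to "none".
current_lockdown() {
    if [ -r /sys/kernel/security/lockdown ]; then
        lockdown_mode "$(cat /sys/kernel/security/lockdown)"
    else
        echo none
    fi
}

# Usage: preflight <module.ko> [lockdown-mode]
# The optional second argument overrides the live state (useful for testing,
# or for assessing a target host from a sysfs value copied off it).
preflight() {
    mode=${2:-$(current_lockdown)}
    if module_is_signed "$1"; then signed=yes; else signed=no; fi
    echo "lockdown=$mode signed=$signed module=$1"
    if [ "$mode" != none ] && [ "$signed" = no ]; then
        echo "insmod would be refused: unsigned module under lockdown=$mode" >&2
        return 1
    fi
    return 0
}
```

Run it as `preflight lime-5.4.0-54-generic.ko` on the acquisition host; a non-zero exit means the module must be signed with an enrolled key (or built by a packaging path that signs it) before lockdown will accept it.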

kd8bny commented 3 years ago

Cool thanks! This will help me understand what's going on and build a test

fpusersuggest commented 3 years ago

Hello, I have some news: there is an Ubuntu package called lime-forensics-dkms that contains lime, but this module does not have the issue. So the best workaround for Ubuntu users is to install the deb package. The following is some information about the package:

$ apt show lime-forensics-dkms
Package: lime-forensics-dkms
Version: 1.9-1ubuntu0.2
Priority: optional
Section: universe/kernel
Source: lime-forensics
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 53,2 kB
Provides: lime-forensics
Depends: dkms (>= 2.1.0.0)
Recommends: linux-headers-amd64 | linux-headers-686-pae | linux-headers-686 | linux-headers-arm64 | linux-headers-armmp | linux-headers-loongson-3 | linux-headers-marvell | linux-headers-octeon | linux-headers-powerpc64le | linux-headers-s390x | linux-headers
Suggests: volatility
Enhances: volatility
Homepage: https://github.com/504ensicsLabs/LiME
Download-Size: 13,3 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages

Maybe you can contact the maintainer to solve the problem.