ClaudeZoo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Using kernel profiles from linux-support in lin64-support? #213

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Is it possible to use the kernel profiles from linux-support (like Debian 2.6.26) in lin64-support?

Original issue reported on code.google.com by vitax....@googlemail.com on 16 Feb 2012 at 1:36

GoogleCodeExporter commented 8 years ago
I've CC'ed the linux developers. In the future please don't use the issue 
tracker for questions (use the mailing list instead 
http://lists.volatilesystems.com/mailman/listinfo/vol-users)

Original comment by michael.hale@gmail.com on 16 Feb 2012 at 2:16

GoogleCodeExporter commented 8 years ago
You should be able to... you need to copy the vtypes file and then get a copy 
of the system.map file and drop those into a zip file.

Original comment by atc...@gmail.com on 16 Feb 2012 at 5:00

GoogleCodeExporter commented 8 years ago
Why would you want to? If you have a kernel headers package for that kernel you can just generate new ones. Also, the linux-support profiles are 32-bit only, so you almost definitely need to regenerate them for 64-bit systems.

Original comment by scude...@gmail.com on 16 Feb 2012 at 5:42

GoogleCodeExporter commented 8 years ago
Note that support for vtypes in the zip file was only recently added here:

http://code.google.com/p/volatility/source/browse/branches/scudette/volatility/plugins/overlays/linux/linux32.py#431

which may not be in the lin64 branch. You can either take that file,
or check out the scudette branch. Unfortunately the scudette branch is
broken at the moment due to a large refactor going on. You can check
it out prior to r1443 to have a working version again.

Michael.

Original comment by scude...@gmail.com on 17 Feb 2012 at 10:11

GoogleCodeExporter commented 8 years ago
If you closely examine the line I pointed to:
http://code.google.com/p/volatility/source/browse/branches/scudette/volatility/plugins/overlays/linux/linux32.py#431

it says:
elif f.filename.endswith(".vtypes"):

So you would need to name your vtype file so it ends with .vtypes.

This is also reflected in the error which it provided:

i.e., it did not find the vtypes file.

Michael.

Original comment by scude...@gmail.com on 17 Feb 2012 at 1:42

GoogleCodeExporter commented 8 years ago
On closer inspection of this particular vtypes file it's doing stuff like:

'VOLATILITY_MAGIC' : [None, {'DTB' : [ 0x00, ['VolatilityMagic', dict(value = 3915776)]],

So it's trying to run code (i.e., the dict constructor) rather than
simply doing {'value': 3915776}. The profile is trying to limit code
execution from the profile file by doing:

         exec(profile_file.read(f.filename), dict(__builtins__=None), env)

You can either change the vtypes file to not call the dict() function,
or you can remove the security in the Linux32 profile loader by
removing the __builtins__ = None.

Michael.

Original comment by scude...@gmail.com on 17 Feb 2012 at 2:22
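The loader line quoted above strips the builtins from the exec() namespace, which is why a vtypes file that calls dict() fails while a literal {'value': ...} loads. As an added illustration (not code from this thread or from Volatility), the following reproduces that loader and sets a stricter literal-only parser beside it; the two sample vtypes snippets and the function names are constructed for the example.

```python
import ast

# Constructed sample vtypes snippets (not Volatility's real profile files).
# CALLING_VTYPES mirrors the dict(value=...) call discussed in the thread.
LITERAL_VTYPES = """
linux_types = {
    'VOLATILITY_MAGIC': [None, {'DTB': [0x00, ['VolatilityMagic', {'value': 3915776}]]}],
}
"""
CALLING_VTYPES = """
linux_types = {
    'VOLATILITY_MAGIC': [None, {'DTB': [0x00, ['VolatilityMagic', dict(value=3915776)]]}],
}
"""


def load_with_exec(source):
    """Load a vtypes file the way the quoted Linux32 loader does: exec() with
    __builtins__ removed. Returns the resulting namespace, or the exception
    raised when the file tries to call a builtin such as dict()."""
    env = {}
    try:
        exec(source, {"__builtins__": None}, env)
    except Exception as exc:  # name lookup for dict() has no builtins to fall back on
        return exc
    return env


def load_as_literals(source):
    """Stricter alternative (an assumption for this example, not Volatility's
    code): parse the file and accept only `name = <literal>` assignments, so
    profile data is never executed at all. Raises ValueError on anything else."""
    tree = ast.parse(source, mode="exec")
    env = {}
    for node in tree.body:
        if (not isinstance(node, ast.Assign) or len(node.targets) != 1
                or not isinstance(node.targets[0], ast.Name)):
            raise ValueError("only simple assignments are allowed in a vtypes file")
        try:
            env[node.targets[0].id] = ast.literal_eval(node.value)  # literals only
        except ValueError:
            raise ValueError("non-literal value (e.g. a call) for %r" % node.targets[0].id)
    return env


if __name__ == "__main__":
    print(load_with_exec(LITERAL_VTYPES)["linux_types"]["VOLATILITY_MAGIC"])
    print(type(load_with_exec(CALLING_VTYPES)).__name__)   # the exec-based loader fails
    print(load_as_literals(LITERAL_VTYPES)["linux_types"]["VOLATILITY_MAGIC"])
```

Removing __builtins__ limits what a profile can do but is not a robust sandbox for untrusted input; the literal-only parser sidesteps the question by never executing the file.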

GoogleCodeExporter commented 8 years ago
Can you run pslist or any other modules? (--help to list the modules.
Note that you need --profile Linux32 --help to list linux specific
commands).

Michael.

Original comment by scude...@gmail.com on 17 Feb 2012 at 4:12