linux_bash plugin output unreadable

GoogleCodeExporter commented 9 years ago

I try to dump bash history from image of memory, with the command 

./vol.py --profile=Linuxdebian7_i686x86 -f memory_dump.ram -p 2478 -P -A 
linux_bash

What is the expected output? What do you see instead?
the output should be some history commands but the actual result in some lines 
cannot be read.

Result:

2478 bash                 2013-06-07 12:28:41 UTC+0000   
????h?up'??(?[?s????q?E,?P???jVf?&?:??/?LPu)??;????e???????ow9???-?????<m?
N?z?@??\?????^?7???
?D?t??|D????bP??????U'
    2478 bash                 2013-06-07 12:28:41 UTC+0000   cd .hacking/bot_master/
    2478 bash                 2013-06-07 12:28:41 UTC+0000   ls
    2478 bash                 2013-06-07 12:28:41 UTC+0000   su
    2478 bash                 2013-06-07 12:28:41 UTC+0000   cd irc_client/
    2478 bash                 2013-06-07 12:28:41 UTC+0000   j?i?k???@a?3?-????R
    2478 bash                 2013-06-07 12:28:41 UTC+0000   ls
    2478 bash                 2013-06-07 12:28:41 UTC+0000   cat botmaster.c 
    2478 bash                 2013-06-07 12:28:41 UTC+0000   cd ..
    2478 bash                 2013-06-07 12:28:41 UTC+0000   cd bot_master/
    2478 bash                 2013-06-07 12:28:43 UTC+0000   startx

What version of the product are you using? On what operating system?
Volatility 2.3 beta
I also attach the result file in this issue
Please helpe me to figure out this problem

Original issue reported on code.google.com by thanhphuctp on 15 Jun 2013 at 11:03

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 16 Jun 2013 at 4:00

GoogleCodeExporter commented 9 years ago

You are using the -P option which tells the plugin to print unallocated 
(previously freed) entries. These entries can be corrupt / overwritten, which 
is likely why you are seeing that output. Can you run again without -P and see 
what results you get?

Original comment by atc...@gmail.com on 16 Jun 2013 at 4:03

GoogleCodeExporter commented 9 years ago

@thanhphuctp did you get a chance to re-run the plugin like @atcuno asked? Can 
this issue be closed?

Original comment by michael.hale@gmail.com on 20 Jun 2013 at 1:53

GoogleCodeExporter commented 9 years ago

@atcuno: thanks you, I re-run without -P but the result is the same. I also try 
to change some parameters, however, nothing changes.

Don't we need to specify the process id of bash in this plugin? It seems to 
scan all image.

Original comment by thanhphuctp on 20 Jun 2013 at 3:37

GoogleCodeExporter commented 9 years ago

I have looked into this issue and I believe the scanner is simply finding 
previously freed entries that appear valid (you can see the timestamp is 
correct), but the command part has been overwritten by a later allocation. 
These pieces of information are kept in separate places in process memory so it 
is entirely possible for this to occur. Unless there is evidence of tampering 
with the history in memory by the attacker, I would just ignore the garbled 
entries.

Original comment by atc...@gmail.com on 16 Jul 2013 at 5:34

GoogleCodeExporter commented 9 years ago

Also, to answer your question, no, you don't *need* to specify the process id 
of bash in the plugin. By default, it only scans processes named "bash" but 
there's a command-line switch to make it scan all processes...which is useful 
in case an attacker copies /bin/bash to /tmp/a or something. You can read more 
about it on the wiki: 
https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_bash

Original comment by michael.hale@gmail.com on 19 Jul 2013 at 5:22

Changed state: Done

tthtlc / volatility

linux_bash plugin output unreadable #430