volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Cannot extract files/processes from memory sample in linux #1312

Open SolitudePy opened 1 month ago

SolitudePy commented 1 month ago

Is your feature request related to a problem? Please describe. Can't extract any file or process from a memory sample with the linux plugins

Describe the solution you'd like Add the plugin

Describe alternatives you've considered none

ikelos commented 1 month ago

Your request isn't very detailed. Which files, exactly, were you hoping to extract from the memory image?

Processes can be dumped by adding the --dump parameter to the linux.pslist plugin. If you could clarify more specifically exactly which information you're after, we might have a better chance of helping...

SolitudePy commented 1 month ago

Memory-mapped files, similar to dump_files in volatility2, and filescan to scan FILE_OBJECT in memory.

ikelos commented 1 month ago

There are a number of plugins that support the --dump parameter; for linux these appear to be pagecache, elfs, proc and pslist. Hopefully one of those can achieve what you need, but I've also turned this into a plugin request...

PNW-Hacker commented 2 weeks ago

@ikelos pagecache does not have the dump option

[screenshot]

If I try and manually supply the --dump option, I get the following error

[screenshot]

The file does exist within the linux dump itself (confirmation)

[screenshot]

SolitudePy commented 2 weeks ago

@PNW-Hacker is pagecache the equivalent of filescan in volatility2? If not, what is the alternative?

gcmoreira commented 2 weeks ago

Hi @PNW-Hacker, you have to use linux.pagecache.InodePages:

$ ./vol.py -f ./ubuntu-4.9.0-19-32bit.core linux.pagecache.InodePages --inode 0xf6fd30b0 --dump system.journal
Volatility 3 Framework 2.7.1
PageVAddr       PagePAddr       MappingAddr     Index   DumpSafe        Flags

0xf5e9be90      0x7bf84000      0xf6fd31a8      0       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
0xf5e9beb4      0x7bf85000      0xf6fd31a8      1       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
0xf5e9bed8      0x7bf86000      0xf6fd31a8      2       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
...
0xf5e8f944      0x7ba09000      0xf6fd31a8      646     True    dirty,lru,savepinned,swapbacked

See more examples in the PR https://github.com/volatilityfoundation/volatility3/pull/1233
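The table printed by linux.pagecache.InodePages above lists only the pages of that inode that are actually resident in the page cache, so a dumped file can be sparse (gaps in the Index column) and individual pages may be reported as not DumpSafe. The following is an added example, not code from the thread or from the Volatility project: a small Python parser for that table that reports which page indices are present, which are missing, and which are flagged unsafe. The sample output is constructed from the excerpt above (index 3 dropped and the last row marked DumpSafe False so the summary has something to show), and the 4 KiB page size is an assumption for the 32-bit Ubuntu sample.

```python
"""Parse linux.pagecache.InodePages output and summarise page-cache coverage
for one inode (added example, not part of the Volatility project)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed sample, modelled on the thread's excerpt. Index 3 is deliberately
# absent and index 646 is marked not DumpSafe; the flag strings are copied from
# the excerpt but the extra row's addresses are hypothetical.
SAMPLE_OUTPUT = """\
Volatility 3 Framework 2.7.1
PageVAddr       PagePAddr       MappingAddr     Index   DumpSafe        Flags

0xf5e9be90      0x7bf84000      0xf6fd31a8      0       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
0xf5e9beb4      0x7bf85000      0xf6fd31a8      1       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
0xf5e9bed8      0x7bf86000      0xf6fd31a8      2       True    active,dirty,lru,referenced,savepinned,swapbacked,uptodate
0xf5e9bf20      0x7bf88000      0xf6fd31a8      4       True    dirty,lru,savepinned,swapbacked
0xf5e8f944      0x7ba09000      0xf6fd31a8      646     False   dirty,lru,savepinned,swapbacked
"""

PAGE_SIZE = 4096  # assumption: 4 KiB pages, as on the x86 sample in the thread


@dataclass(frozen=True)
class CachedPage:
    vaddr: int        # address of the struct page
    paddr: int        # physical address of the page frame
    mapping: int      # address_space the page belongs to
    index: int        # file offset in pages
    dump_safe: bool   # plugin's own verdict on whether the page can be dumped
    flags: frozenset  # page flags as printed by the plugin


def parse_inode_pages(text: str) -> List[CachedPage]:
    """Return one CachedPage per data row; banner, header and blank lines are skipped."""
    pages: List[CachedPage] = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six whitespace-separated columns and start with 0x...
        if len(fields) != 6 or not fields[0].startswith("0x"):
            continue
        vaddr, paddr, mapping, index, safe, flags = fields
        if safe not in ("True", "False"):
            raise ValueError(f"unexpected DumpSafe value: {safe!r}")
        pages.append(CachedPage(int(vaddr, 16), int(paddr, 16), int(mapping, 16),
                                int(index), safe == "True",
                                frozenset(flags.split(","))))
    return pages


def as_ranges(indices: List[int]) -> List[Tuple[int, int]]:
    """Collapse a sorted list of indices into inclusive (start, end) runs."""
    runs: List[Tuple[int, int]] = []
    for i in indices:
        if runs and i == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], i)
        else:
            runs.append((i, i))
    return runs


def summarize(pages: List[CachedPage], page_size: int = PAGE_SIZE) -> Dict[str, Any]:
    """Describe how much of the file is recoverable from the cached pages."""
    if not pages:
        return {"cached": 0, "highest_index": None, "missing": [], "unsafe": [],
                "covered_bytes": 0, "sparse": False, "single_mapping": True}
    present = {p.index for p in pages}
    highest = max(present)
    # Every index below the highest cached one that is not listed was not in the
    # page cache at acquisition time, so that region of the file is unavailable.
    missing = sorted(set(range(highest + 1)) - present)
    return {
        "cached": len(pages),
        "highest_index": highest,
        "missing": missing,
        "unsafe": sorted(p.index for p in pages if not p.dump_safe),
        "covered_bytes": len(present) * page_size,
        "sparse": bool(missing),
        # All rows should share one MappingAddr; a mismatch hints at a bad parse or ISF.
        "single_mapping": len({p.mapping for p in pages}) == 1,
    }


if __name__ == "__main__":
    summary = summarize(parse_inode_pages(SAMPLE_OUTPUT))
    print(f"cached pages: {summary['cached']}, unsafe: {summary['unsafe']}")
    print(f"missing index runs: {as_ranges(summary['missing'])}")
```

Feed it the real plugin output (for example, redirected to a file with `--dump` omitted) to see before dumping how much of the file the page cache can actually give you; an empty or zero-heavy dump is expected when most indices are missing.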

PNW-Hacker commented 2 weeks ago

@SolitudePy doesn't look like there is a Linux equivalent for that specific one: https://blog.onfvp.com/post/volatility-cheatsheet/

@gcmoreira I did figure that out after some more googling, but it crashes when I try, maybe an issue with my dump?

[screenshot]

gcmoreira commented 2 weeks ago

Are you using the latest dwarf2json version?

PNW-Hacker commented 2 weeks ago

@SolitudePy Vol 3 has: linux.malfind.Malfind -- Lists process memory ranges that potentially contain injected code. This would solve what the command you were asking about does.

@gcmoreira I just ran a full upgrade, so am trying again.

PNW-Hacker commented 2 weeks ago

What I don't understand @gcmoreira is why the Files version finds it, but the Inodes one crashes

[screenshot]

The other issue is that even without the dump option, the file or inode one still doesn't work.

[screenshot]

It's not an instant crash, it's during the search of the file, meaning in your screenshot where you have all of the column headers, I can see that (which means it's searching the dump, I think) before it crashes.

[screenshot]

PNW-Hacker commented 2 weeks ago

I think it's an issue with the dump. I tried a different file and while it didn't error out, nothing is in the file that got written to the host OS.

[screenshot]

gcmoreira commented 2 weeks ago

@PNW-Hacker It looks like your ISF is bad but I would need more information. Unfortunately, this ticket is a feature request, not a bug report ticket. I can help you but could you please either close this ticket and create a new bug report or update this one with all the required information from the Bug Report template? It would make my life a lot easier ;) .. additionally:

PNW-Hacker commented 2 weeks ago

@gcmoreira since the feature request would still be helpful, I'll create a new bug report and leave this case open (since this is @SolitudePy case)

ikelos commented 2 weeks ago

So what's the upshot on this bug? Is there specific functionality needed for volatility 3 that existed in volatility 2, or is it just supported in different ways? The discussion should be about the functionality, any bugs encountered with it are a separate issue. Just trying to figure out whether this can be closed off (since the feature request was quite vague about the technique for retrieving the files).

PNW-Hacker commented 1 week ago

@ikelos I am only commenting as to try and help @SolitudePy (if their concern about what I am describing misaligns, then we would need to wait for them to clarify further)

There's 2 issues that they seem to be concerned about: memory mapped files similar to dump_files in volatility2 and filescan to scan FILE_OBJECT in memory

Can you do memdump for linux? https://andreafortuna.org/2017/07/10/volatility-my-own-cheatsheet-part-3-process-memory/

I see this, but this specifically calls out Windows: https://security.stackexchange.com/questions/240041/how-to-dump-the-memory-of-a-given-process-with-volatility-3

There's filescan for vol2, but I did not see a similar command for vol3:

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#filescan

gcmoreira commented 1 week ago

Hey @SolitudePy ,

Is your feature request related to a problem? Please describe. Can't extract any file or process from a memory sample with the linux plugins

Describe the solution you'd like Add the plugin

From your second comment, it seems that you think such plugins don't exist, rather than you can't extract any file or process, right?

Linux

Processes:

linux.pslist.PsList --dump

ELFs:

linux.elfs.Elfs --dump

Memory maps:

linux.proc.Maps --dump

Files from the page cache:

linux.pagecache.InodePages --dump

Please, if you're not familiar with the framework and you have any questions, the best way to get assistance is by asking in our Slack channels. https://www.volatilityfoundation.org/slack

SolitudePy commented 1 week ago

@gcmoreira what @PNW-Hacker commented above is right.

Axselll commented 1 week ago

Hey guys, sorry to hop in. I'm new to volatility3. I was running a Go binary; after I checked with pslist I got nothing, then I checked again with psscan and I got the file that I want to retrieve (offset, pid, comm, exit_state, etc.). Unfortunately the file that I want to retrieve is in exit_dead state, so is there a way to retrieve a file that is in the exit_dead state?

And also I've tried to dump everything with linux.elfs --dump, but it seems the command gives me a specific memory dump of that process, not the file itself. How can I retrieve a file, e.g. some binary file?

Update: after reading some docs I found out that I can retrieve a file with pagecache.InodePages, but when I try it, it returns nothing.

Anyone got any tips/tricks?

Thanks, have a great day.