@SyeedHasan
Last active February 12, 2024 16:22
Commands to acquire a snapshot of the memory on *UNIX based systems

Generic Commands

Checking Kernel release: uname -r

Checking Kernel version: uname -v

Commands to Acquire Memory

Here's a list of commands you can execute to acquire memory from a *UNIX system:

AVML

  • Download the latest build using:

    • wget https://github.com/microsoft/avml/releases/download/v0.3.0/avml
    • wget https://github.com/microsoft/avml/releases/download/v0.3.0/avml-convert
  • Make it an executable: chmod +x avml

  • Execute the following command to generate a compressed memory image: sudo ./avml --compress output.lime.compressed

  • For more examples, see the AVML repository: https://github.com/microsoft/avml#capturing-a-memory-image--uploading-to-azure-blob-store


LiME

  • Clone the repository using: git clone https://github.com/504ensicsLabs/LiME.git
  • Switch into the source folder: cd LiME/src
  • Compile the LKM using make; you should then have a kernel-specific object file named lime-{kernel_version}.ko in the same directory
  • Insert the LKM and execute using: sudo insmod lime-5.8.0-55-generic.ko path=dumped-memory.lime format=lime

LinPMem

  • Pull the linpmem build using: wget https://github.com/Velocidex/c-aff4/releases/download/v3.3.rc3/linpmem-v3.3-rc3.3-rc2
  • Dump the memory using: sudo ./linpmem-v3.3-rc3.3-rc2 --format raw -m --output mem.raw

fMem

  • Clone the repository using: git clone https://github.com/NateBrune/fmem.git
  • Switch into the folder: cd fmem
  • Execute the make command
  • Run the script: sudo ./run.sh to load the module and create the virtual device, /dev/fmem

Building a Volatility Profile

Just as acquisition of memory on *UNIX systems requires the kernel version to be matched with the LKM used with it (if any), Volatility also requires a kernel-specific profile to allow analysts to run plugins on top of the memory sample. This step is required to ensure Volatility is able to parse kernel-specific data structures and has the right debug symbols to do so with accuracy.

Here's a list of commands you can use to follow the build process:

Volatility 2

  • Acquire the latest release of Volatility 2. At the time of writing it's: wget https://github.com/volatilityfoundation/volatility/archive/refs/tags/2.6.1.zip
  • Unzip the archive and move into the folder: unzip 2.6.1.zip && cd volatility-2.6.1
  • Head into the tools folder: cd tools/linux
  • Execute the instructions in Makefile using sudo make
    • Ensure you have all tools required to create the module.dwarf file, which contains the kernel data structures Volatility needs
    • One such tool is dwarfdump, which you can install with apt-get install dwarfdump on an Ubuntu system
  • Next, we'll acquire the debug symbols from the current System.map file and zip it along with the module.dwarf file
    • Command: sudo zip $(lsb_release -i -s)_$(uname -r)_profile.zip ~/{VOLATILITY_PATH}/tools/linux/module.dwarf /boot/System.map-$(uname -r)
  • Move the ZIP file into Volatility's overlays folder: mv $(lsb_release -i -s)_$(uname -r)_profile.zip ~/{VOLATILITY_PATH}/volatility/plugins/overlays/linux
  • Check that your profile is listed in Volatility's info: python vol.py --info
    • For example, on my system it was LinuxUbuntu_5_8_0-55-generic_profilex64
  • Execute Volatility (using Python2): python vol.py -f mem.raw --profile=LinuxUbuntu_5_8_0-55-generic_profilex64 linux_bash
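Two checks worth scripting around the steps above: that the LiME object file really was built for the running kernel before it is passed to insmod, and that the profile ZIP name maps to the profile name you expect in vol.py --info (the ZIP basename with dots turned into underscores, wrapped in Linux...x64). The script below is an added example, not part of the original gist; it also records a SHA-256 sidecar for an acquired image so the image can be shown unchanged between acquisition and analysis. It assumes a POSIX sh with GNU coreutils and performs no acquisition itself.

```shell
#!/bin/sh
# Added helper checks for the acquisition and profile steps (example code, not
# part of the gist). Assumes POSIX sh plus GNU coreutils (basename, tr,
# sha256sum); nothing here touches /dev/mem or loads a module.
set -eu

# Derive the name under which a profile ZIP built as
# <distro>_<kernel release>_profile.zip appears in `vol.py --info`:
# "Linux" + ZIP basename without ".zip", dots replaced by underscores, + arch.
profile_name_from_zip() {
    zip_path="$1"; arch="${2:-x64}"
    base="$(basename "$zip_path" .zip | tr . _)"
    printf 'Linux%s%s\n' "$base" "$arch"
}

# Confirm a LiME object file was built for the given kernel release, i.e. is
# named lime-<release>.ko, before handing it to insmod.
lkm_matches_kernel() {
    ko_path="$1"; release="$2"
    [ "$(basename "$ko_path")" = "lime-${release}.ko" ]
}

# Write a SHA-256 sidecar next to an acquired image so it can later be shown
# unchanged between acquisition and analysis. Prints the hex digest.
record_image_hash() {
    image="$1"
    digest="$(sha256sum "$image" | cut -d' ' -f1)"
    printf '%s  %s\n' "$digest" "$(basename "$image")" > "${image}.sha256"
    printf '%s\n' "$digest"
}

# Re-check an image against its sidecar; exits non-zero on mismatch.
verify_image_hash() {
    image="$1"
    ( cd "$(dirname "$image")" && sha256sum -c --quiet "$(basename "$image").sha256" )
}

# Usage with the values from the gist:
profile_name_from_zip "Ubuntu_5.8.0-55-generic_profile.zip"
lkm_matches_kernel lime-5.8.0-55-generic.ko 5.8.0-55-generic && echo "LKM matches the running kernel"
```

In practice you would call lkm_matches_kernel with "$(uname -r)" as the release and record_image_hash immediately after avml or insmod finishes writing the image.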

That's it. You're good to go!
