Obtaining information from dumping memory
In this article we will learn about Obtaining information from dumping memory.
Introducton about Obtaining information from dumping memory:
In this article, I will present whether it is possible to access passwords lying in memory using a fully patched Linux x64 operating system. First of all, it is not unnecessary to emphasize that the distribution of the Linux operating system does not matter, because the system manages memory similarly with minor differences that are not important for the purposes of this article: most often, memory is managed according to the same principle on multiple distributions.
Let’s put ourselves in the situation of an attacker where we have already gained access to the system by exploiting an existing vulnerability or using a social engineering attack to lure the victim to visit our website. Social engineering is the easiest way to get the keys to the castle, but an attacker can just as well exploit the vulnerability in any application like OpenOffice, Pidgin, Chrome, Firefox, etc.
At this point we are already in the system and the details of how we gained access into the system, they are not important. Let’s also assume that we managed to escalate the privilege by exploiting a well-known vulnerability in the Linux kernel to gain administrative privileges. After doing so, there is nothing to prevent us from changing the system as we wish: we can install a backdoor into the system and the victim would not even know. If we don’t want to change files on the filesystem or leave anything else up to forensics, we have to be very subtle about exploiting the system.
Dumping memory
There are various tools that we can use to dump the memory under the Linux operating system, some of which are listed below. At a very basic level, we can divide tools into those that dump the memory of just one process or the entire system.
Single process memory dump tools: The Process Dumper program [1] can be used to dump the memory of individual processes. Dumps the memory of the running process, where all the data and parts of the code are dumped. The memory dump is sent to stdout, so we have to use the program together with other tools like netcat, tar, etc.
http://www.trapkit.de/research/forensic/pd/pd_v1.1_lnx.bz2
bunzip2 pd_v1.1_lnx.bz2
./pd_v1.1_lnx
System-wide memory dump tools: LiME (Linux Memory Extractor) [2]: can be used to dump the memory of the entire Linux system. To install LiME, we need to execute the following commands:
svn trunk http://lime-forensics.googlecode.com/svn/trunk/ lime
cd lime/src/
make
Compiling LiME creates a .ko kernel module that needs to be inserted into the kernel using the insmod command. The memory dump can be saved to the file system or sent over the network. When inserting a module into the kernel, we can pass a number of parameters to the insmod command, which are listed below:
path: the name of the file in the local file system where the memory dump will be written, or tcp:.
format: LiME can dump memory in various formats such as raw, padded and lime. The raw format combines all system RAM into an image. The padded format fills non-system RAM with zeros, starting at physical address 0x0. The lime format adds a special header to each memory range that describes the address space information – Volatility also supports parsing this format, which is why we’ll use it in this article.
dio: when this parameter is set to 1 (the default), Direct IO is used, while a value of 0 disables it.
Now that we’ve covered all three parameters that can be passed to the lime.ko kernel module, we can issue a command as root to get system memory. The command below will get the entire system memory and dump it in /tmp/memdump.lime file in lime format. Note that the process may take some time if you have a large amount of physical memory available on your system; also note that there should be enough disk space to store the entire contents of physical memory on disk.
[simple]
insmod lime.ko “path=/tmp/memdump.lime format=lime”
[/simple]
In Qem, we can dump the memory of a running virtual machine using the pmemsave command as follows. Note that using a relative path will save the windows7.dump to the current directory. If we want to save the memory dump to any location, we can enclose the entire path to the memory image in double quotes.
[simple]
(qemu) pmemsave 0 0x3FFFFFFF windows7.dump
[/simple]
Note that while the memory dump is in progress, the virtual machine will be suspended and we will not be able to communicate with it. In the above command, the starting address is 0x0 to start storing the memory at the beginning, and its size is 0x3FFFFFFF, which will output 1GB of memory. If we go to the system settings, we see that the system only has 1 GB of memory available, so we should not waste 4 GB if it only has 1 GB of memory.
Creating a profile in source distributions
Once the memory has been flushed, we need to analyze it to get useful information. Before we do this with Volatility, we need to create a profile that contains the kernel data structures and debug symbols that Volatility uses to find critical information inside the memory dump [3]. It is necessary that the profile is created on the same machine we would like to analyze, because the kernel data structure and debug symbols are specific to the Linux distribution and the kernel used.
If we are running a Linux binary distribution, it is likely that some user has already created a profile and shared it with the rest of the world – in such cases we can use their profile for analysis. But if we are running a source distribution of Linux, we have to create the profile ourselves. Each Linux profile depends on three important factors:
- Linux distribution
- Kernel version
- CPU architecture
In order to create a profile, we first need to download the volatility source code from there and install it normally using make / make install. After a successful installation, we need to enter the tools/linux/ directory in the Volatility source directory and issue the make command to create the required kernel data structures. This Makefile tells the make command to compile module.c against the currently used Linux kernel that we want to analyze. This will create a special module.dwarf file.
The next step is getting the kernel symbols of the current kernel, which can be found in /boot/ directory for most binary Linux distributions. In source code distributions, the System.map can be found in the /usr/src/linux/ directory.
When creating a profile, we need to archive both module.dwarf and System.map into a .zip file and move the .zip file to the plugins/overlays/linux/ directory.
[simple]
cd volatility-2.3.1/volatility/plugins/overlays/linux/
cp ../../../../tools/linux/module.dwarf .
cp /usr/src/linux/System.map .
zip Gentoo.zip System.map module.dwarf
[/simple]
To see if the profile was created successfully, we need to run vol.py with the –info parameter and check if the Gentoo profile is listed in the output. In the output below, we can see that we have successfully added the Gentoo profile to Volatility.
[simple]
./vol.py –info | grep linux
Volatility Foundation Volatility Framework 2.3.1
LinuxGentoox64 – Profile for Linux Gentoo x64
linux_banner – Prints information about the Linux banner
linux_yarascan – Shell in Linux memory image
[/simple]
We can then run Volatility normally with the following command, which will list all the supported commands that we can use when analyzing a Linux memory dump.
[simple]
./vol.py -f memdump.lime –profile=LinuxGentoox64 -h
Supported plugin commands:
linux_arp Prints the ARP table
linux_banner Prints information about the Linux banner
linux_bash Restore bash history from bash process memory
linux_check_afinfo Checks network protocol operational function indicators
linux_check_creds Checks if any processes share credential structures
linux_check_fop Check file operation structures for rootkit modifications
linux_check_idt Checks if the IDT has been changed
linux_check_modules Compares the module list with sysfs information if available
linux_check_syscall Checks whether the syscall table has been changed
linux_check_tty Checks device tty for hooks
linux_cpuinfo Lists information about each active processor
linux_dentry_cache Collect files from the dentry cache
linux_dmesg Collect the dmesg buffer
linux_dump_map Writes selected memory mappings to disk
linux_find_file Recovers tmpfs filesystems from memory
linux_ifconfig Collects active interfaces
linux_iomem Provides output similar to /proc/iomem
linux_keyboard_notifier Parses the keyboard notifier call string
linux_lsmod Assemble loaded kernel modules
linux_lsof Displays a list of open files
linux_memmap Lists the memory map for Linux tasks
linux_moddump Extract loaded kernel modules
linux_mount Mount mounted fs/devices
linux_mount_cache Collect mounted fs/devices from kmem_cache
linux_netstat Displays a list of open sockets
linux_pidhashtable Process enumeration via PID hash table
linux_pkt_queues Writes packet queues for individual processes to disk
linux_proc_maps Collects process maps for linux
linux_psaux Collects processes along with full command line and startup time
linux_pslist Collect active tasks by traversing task_struct->tasklist
linux_pslist_cache Collect tasks from kmem_cache
linux_pstree Shows the parent/child relationship between processes
linux_psxview Find hidden processes using various process listings
linux_route_cache Restores the routing cache from memory
linux_sk_buff_cache Restores packets from sk_buff kmem_cache
linux_slabinfo Emulates /proc/slabinfo on a running machine
linux_tmpfs Restores tmpfs filesystems from memory
linux_vma_cache Collect VMA from vm_area_struct cache
linux_volshell Shell in memory image
linux_yarascan Shell in Linux memory image
mbrparser Finds and parses potential Master Boot Records (MBRs)
patcher Patches memory based on page scans
[/simple]
Because I was running a newer version of the Gentoo kernel than was officially supported, I was unable to analyze the Gentoo Linux memory. Supported Linux kernel versions are 2.6.11 – 3.5.x. If you have a core that falls within the above range, then Volatility will most likely work well.
Memory analysis
In this part of the article, we will analyze the memory dump of Qemu Windows 7. To list all the available profiles that we can use with the obtained image, we can use the –info parameter, which will show all the available profiles and also a lot of other information.
[simple]
./vol.py –info
Volatility Foundation Volatility Framework 2.3.1
Profiles
———
LinuxGentoox64 – Profile for Linux Gentoo x64
VistaSP0x64 – Profile for Windows Vista SP0 x64
VistaSP0x86 – Profile for Windows Vista SP0 x86
VistaSP1x64 – Profile for Windows Vista SP1 x64
VistaSP1x86 – Profile for Windows Vista SP1 x86
VistaSP2x64 – Profile for Windows Vista SP2 x64
VistaSP2x86 – Profile for Windows Vista SP2 x86
Win2003SP0x86 – Profile for Windows 2003 SP0 x86
Win2003SP1x64 – Profile for Windows 2003 SP1 x64
Win2003SP1x86 – Profile for Windows 2003 SP1 x86
Win2003SP2x64 – Profile for Windows 2003 SP2 x64
Win2003SP2x86 – Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 – Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 – Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 – Profile for Windows 2008 SP1 x64
Win2008SP1x86 – Profile for Windows 2008 SP1 x86
Win2008SP2x64 – Profile for Windows 2008 SP2 x64
Win2008SP2x86 – Profile for Windows 2008 SP2 x86
Win7SP0x64 – Profile for Windows 7 SP0 x64
Win7SP0x86 – Profile for Windows 7 SP0 x86
Win7SP1x64 – Profile for Windows 7 SP1 x64
Win7SP1x86 – Profile for Windows 7 SP1 x86
WinXPSP1x64 – Profile for Windows XP SP1 x64
WinXPSP2x64 – Profile for Windows XP SP2 x64
WinXPSP2x86 – Profile for Windows XP SP2 x86
WinXPSP3x86 – Profile for Windows XP SP3 x86
[/simple]
Since we are using Windows 7 SP1, we should use Win7SP1x86 as the profile. To print all the supported commands that we can use with a memory dump, we can pass -h as a parameter after we have already specified the memory image dump and the profile.
[simple]
./vol.py -f windows7.dump –profile=Win7SP1x86
Supported plugin commands:
apihooks Detection of API hooks in process and kernel memory
atoms Print tables of atoms of sessions and window stations
atomscan Pool scanner for _RTL_ATOM_TABLE
bioskbd Loads the keyboard buffer from real-mode memory
callbacks Print system-wide notification routines
clipboard Expand the contents of the Windows clipboard
cmdscan Extract command history by searching for _COMMAND_HISTORY
consoles Extract command history by searching for _CONSOLE_INFORMATION
crashinfo Print crash info
deskscan Poolscanner for tagDESKTOP (desktops)
device tree View the device tree
dlldump Dumps DLLs from the process’s address space
dlllist Prints a list of loaded dlls for each process
driverirp Driver IRP hook detection
driverscan Scan for driver objects _DRIVER_OBJECT
dumpcerts Dumps private and public SSL RSA keys
dumpfiles Extracts memory mapped and cached files
envars View process environment variables
eventhooks Print details about Windows event hooks
filescan Scan physical memory for _FILE_OBJECT pool allocation
gahti Prints information about the USER descriptor type
gditimers Print installed GDI timers and callbacks
gdt Display global descriptor table
getservicesids Get the service names in the registry and return the calculated SID
getids Prints the SID owned by each process
handles Prints a list of open handles for each process
hashdump Dumps password hashes (LM/NTLM) from memory
hibinfo Lists information about the hibernation file
hivedump Prints the hive
hivelist Print a list of subregistries.
hivescan Physical memory scan for _CMHIVE objects (registry subregistries)
hpakextract Extracts physical memory from an HPAK file
hpakinfo Information about the HPAK file
idt Display interrupt descriptor table
iehistory Rebuild Internet Explorer cache / history
imagecopy Copies the physical address space as a raw DD image
imageinfo Identification information for the image
impscan Scan imported function calls
kdbgscan Search and list potential KDBG values
kpcrscan Search and list potential KPCR values
ldrmodules Detects unlinked DLLs
lsadump Dumps (decrypts) the LSA secret from the registry
machoinfo List Mach-O file format information
malfind Find hidden and embedded code
mbrparser Finds and parses potential Master Boot Records (MBRs)
memdump Dumps addressable memory for a process
memmap Prints the memory map
messagehooks Displays a list of desktop and thread message hooks
mftparser Searches and parses potential MFT entries
moddump Dumps the kernel driver into a sample executable
modscan Scan physical memory for _LDR_DATA_TABLE_ENTRY objects
modules Print a list of loaded modules
mutantscan Search for mutant objects _KMUTANT
netscan Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher Patches memory based on page scans
printkey Prints the registry key and its subkeys and values
privs Displays process permissions
procexedump Dumps a process into a sample executable
procmemdump Dumps a process to sample executable memory
pslist Print all running processes by EPROCESS list
psscan Scan physical memory for _EPROCESS pool allocation
pstree Print the list of processes as a tree
psxview Find hidden processes using various process listings
raw2dmp Converts a physical memory sample to a windbg crash dump
screenshot Save a pseudo-screenshot based on GDI windows
session List details on _MM_SESSION_SPACE (user login session)
shellbags Print ShellBags information
shimcache Parses the Shim Cache application compatibility registry key
ssdt Display SSDT entries
strings Map physical offsets to virtual addresses (can take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Scan symlink objects
thrdscan Scan physical memory for _ETHREAD objects
threads Explore _ETHREAD and _KTHREADs
timeline Creates a timeline from various artifacts in memory
timers Print kernel timers and related DPC modules
unloadedmodules Print a list of unloaded modules
userassist Print userassist registry keys and information
userhandles List the USER handle tables
vaddump Dumps parts of vad to a file
vadinfo List VAD information
vadtree Traverse the VAD tree and display it in tree format
vadwalk Walk the VAD tree
vboxinfo Prints information about the virtual box
vmwareinfo Lists VMware VMSS/VMSN information
volshell Shell on memory image
Windows Print Windows Desktop (Detailed Details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for tagWINDOWSTATION (window station)
yarascan Scan process or kernel memory using Yara signatures
[/simple]
Note that there are many commands that we can use to analyze system memory. First, we can list the active processes using the pslist command:
[simple]
./vol.py -f windows7.dump –profile=Win7SP1x86 pslist
[/simple]
We can then use any number of commands to gather the information we need.
Related Article:Ethical Hacking Interview Questions 2023
Conclusion
In this article, we introduced how we can dump Linux system memory and create a custom profile that can be used together with Volatility to analyze memory. We also removed the memory of the Qemu virtual machine and printed its processes. At that point, we can start looking for interesting information, such as passwords and certificates, that non-security-aware applications may have left in memory for an attacker to retrieve.
