Linux Memory Grabber - A script for dumping Linux memory and creating Volatility(TM) profiles.
Hal Pomeranz (hal@deer-run.com), 2016-01-12
https://github.com/halpomeranz/lmg ; Hal Pomeranz, "Automating Linux Memory Capture," SANS DFIR Summit, 2014.
cpuu (cpuu@icloud.com), 2018-09-19
Since Hal Pomeranz's code has not been updated for more than 5 years, I've made some changes and simplified the complexity of the installation process.
My blog post: https://cpuu.postype.com
Here is an example of using the lmc tool, including the use of Volatility(TM) to analyze the captured image. It was tested on Ubuntu 16.04, 17.10 and 18.04, and on Kali Linux 2018.3.
The following preparations are necessary before you begin (the kernel headers must match the running kernel, since both the LiME module and the profile module are compiled against them).
```console
cpuu@ubuntu:~$ sudo apt-get install gcc build-essential git
cpuu@ubuntu:~$ sudo apt-get install yara
cpuu@ubuntu:~$ sudo apt-get install linux-headers-`uname -r`
cpuu@ubuntu:~$ sudo apt-get install python-pip python-dev
cpuu@ubuntu:~$ sudo -H pip install --upgrade pip
cpuu@ubuntu:~$ sudo -H pip install distorm3 pycrypto openpyxl Pillow
```
Download and install the script from GitHub as follows:
```console
cpuu@ubuntu:~$ git clone https://github.com/cpuu/lmc.git
cpuu@ubuntu:~$ cd lmc
cpuu@ubuntu:~/lmc$ sudo ./setup.sh
```
Now, as root, run "sudo ./lmc". This is interactive mode and the user will be prompted for confirmation before lmc builds a LiME module for the system and/or creates a Volatility(TM) profile.
```console
cpuu@ubuntu:~/lmc$ sudo ./lmc
```
Two questions will be asked:
- Try to build LiME kernel module? [N|y]
- Compile profile for this system? [N|y]
If this is your first time, select 'y' for both.
```console
cpuu@ubuntu:~/lmc$ sudo ./lmc
Try to build LiME kernel module? [N|y] y
make -C /lib/modules/4.15.0-34-generic/build M="/home/osboxes/lmc/lime/src" modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-34-generic'
Makefile:976: "Cannot use CONFIG_STACK_VALIDATION=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel"
CC [M] /home/osboxes/lmc/lime/src/tcp.o
CC [M] /home/osboxes/lmc/lime/src/disk.o
CC [M] /home/osboxes/lmc/lime/src/main.o
CC [M] /home/osboxes/lmc/lime/src/hash.o
LD [M] /home/osboxes/lmc/lime/src/lime.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/osboxes/lmc/lime/src/lime.mod.o
LD [M] /home/osboxes/lmc/lime/src/lime.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-34-generic'
strip --strip-unneeded lime.ko
mv lime.ko lime-4.15.0-34-generic-x86_64.ko
LiME module is /home/osboxes/lmc/lime/src/lime-4.15.0-34-generic-x86_64.ko
Dumping memory in "lime" format to /home/osboxes/lmc/capture/osboxes-2018-09-18_22.03.28
This could take a while...Done!
Cleaning up...Done!
Grabbing a copy of /bin/bash...Done!
Writing volatilityrc to /home/osboxes/lmc/capture/osboxes-2018-09-18_22.03.28...Done!
Compile profile for this system? [N|y] y
make -C //lib/modules/4.15.0-34-generic/build M="/home/osboxes/lmc/volatility/tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-34-generic'
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-34-generic'
rm -f module.dwarf
make -C //lib/modules/4.15.0-34-generic/build CONFIG_DEBUG_INFO=y M="/home/osboxes/lmc/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-34-generic'
Makefile:976: "Cannot use CONFIG_STACK_VALIDATION=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel"
CC [M] /home/osboxes/lmc/volatility/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
WARNING: modpost: missing MODULE_LICENSE() in /home/osboxes/lmc/volatility/tools/linux/module.o
see include/linux/module.h for more information
CC /home/osboxes/lmc/volatility/tools/linux/module.mod.o
LD [M] /home/osboxes/lmc/volatility/tools/linux/module.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-34-generic'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/4.15.0-34-generic/build M="/home/osboxes/lmc/volatility/tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-34-generic'
CLEAN /home/osboxes/lmc/volatility/tools/linux/.tmp_versions
CLEAN /home/osboxes/lmc/volatility/tools/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-34-generic'
adding: module.dwarf (deflated 89%)
adding: boot/System.map-4.15.0-34-generic (deflated 79%)
```
Everything else is automated. After the script runs, you will have a new directory named `../capture/<hostname>-YYYY-MM-DD_hh.mm.ss/` containing:

| filename | description |
|---|---|
| hostname-YYYY-MM-DD_hh.mm.ss-memory.lime | the RAM capture |
| hostname-YYYY-MM-DD_hh.mm.ss-profile.zip | Volatility(TM) profile (module.dwarf plus the kernel's System.map) |
| hostname-YYYY-MM-DD_hh.mm.ss-bash | copy of the target's /bin/bash |
| volatilityrc | prototype Volatility config file |
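Before handing the -memory.lime file to Volatility it is worth confirming that it is a well-formed LiME capture. The following added example (my own code, not part of lmc or LiME) walks the LiME range headers: every range starts with a packed little-endian 32-byte header (magic 0x4C694D45, version 1, start and end physical address, 8 reserved bytes) followed by the raw bytes of that range. The sample capture is constructed inline so the script runs without a real dump; point `lime_ranges` at the bytes of a real capture to list its physical ranges.

```python
import struct

# LiME range header (packed, little-endian):
# u32 magic (0x4C694D45), u32 version (1), u64 s_addr, u64 e_addr, 8 reserved bytes
LIME_HEADER = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45


def lime_ranges(data):
    """Return [(s_addr, e_addr, payload_offset)] for each range in a LiME capture.

    Raises ValueError on a bad magic, unknown header version, inverted or
    truncated range, i.e. the things worth knowing before a long Volatility run.
    """
    ranges = []
    off = 0
    while off < len(data):
        if off + LIME_HEADER.size > len(data):
            raise ValueError("truncated header at offset 0x%x" % off)
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("inverted range 0x%x-0x%x" % (s_addr, e_addr))
        payload_off = off + LIME_HEADER.size
        length = e_addr - s_addr + 1          # e_addr is inclusive
        if payload_off + length > len(data):
            raise ValueError("range 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, payload_off))
        off = payload_off + length
    return ranges


def make_range(s_addr, payload):
    """Build one LiME range (header + payload); used only to construct sample input."""
    e_addr = s_addr + len(payload) - 1
    return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\0" * 8) + payload


# Constructed sample capture (not a real dump): two physical ranges with a gap
# between them, like the low/high memory split in a real physical memory map.
SAMPLE = make_range(0x1000, b"A" * 64) + make_range(0x100000, b"B" * 32)

if __name__ == "__main__":
    for s, e, off in lime_ranges(SAMPLE):
        print("range 0x%010x-0x%010x (%d bytes) at file offset %d" % (s, e, e - s + 1, off))
```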
Once the capture has finished, the capture directory exists:
```console
cpuu@ubuntu:~/lmc$ cd capture/
cpuu@ubuntu:~/lmc/capture$ cd osboxes-2018-09-18_22.03.28/
cpuu@ubuntu:~/lmc/capture/osboxes-2018-09-18_22.03.28$ ls -l volatilityrc
-rw-r--r-- 1 root root 235 Sep 18 22:04 volatilityrc
```
It contains a file called volatilityrc. This file records the location of the captured memory image, the profile name, and the plugins directory (the capture directory itself, where Volatility finds the profile zip):
```console
cpuu@ubuntu:~/lmc/capture/osboxes-2018-09-18_22.03.28$ cat volatilityrc
[DEFAULT]
PLUGINS=/home/osboxes/lmc/capture/osboxes-2018-09-18_22.03.28
PROFILE=Linuxosboxes-2018-09-18_22_03_28-profilex64
LOCATION=file:////home/osboxes/lmc/capture/osboxes-2018-09-18_22.03.28/osboxes-2018-09-18_22.03.28-memory.lime
```
When you run Volatility, pass --conf-file=../capture/osboxes-2018-09-18_22.03.28/volatilityrc and then name the plug-in you want to execute.
Run the linux_banner plugin to test the capture, using the prototype volatilityrc:
```console
cpuu@ubuntu:~/lmc $ cd volatility/
cpuu@ubuntu:~/lmc/volatility$ python vol.py --conf-file=../capture/osboxes-2018-09-18_22.03.28/volatilityrc linux_banner
Volatility Foundation Volatility Framework 2.6
Linux version 4.15.0-34-generic (buildd@lgw01-amd64-047) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 (Ubuntu 4.15.0-34.37-generic 4.15.18)
```
The linux_pslist plugin prints the list of active processes, starting from the init_task symbol and walking the task_struct->tasks linked list. It does not display the swapper process. If the DTB column is blank, the item is likely a kernel thread.
```console
cpuu@ubuntu:~/lmc/volatility$ python vol.py --conf-file=../capture/osboxes-2018-09-18_22.03.28/volatilityrc linux_pslist
[... more output not shown ...]
```
More information about the other plug-ins can be found in the official documentation and references below.
- Volatility Linux Command Reference
- Ligh, Michael Hale, et al. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons, 2014.
- LiME - Linux Memory Extractor
- Volatility - An advanced memory forensics framework
- dwarfdump - DWARF is a debugging file format used by many compilers and debuggers to support source-level debugging.