Freebsd 8.4 support #678
Open
+109
−8
This change adds support for at least FreeBSD 8.4.0, but other old versions might work as well. Included changes:
- support for pmap structure without pm_cr3 member (before 9.3)
- support for filedesc structure with fd_ofiles member of type `struct file **` (before 9.2)
- support for cdev structure with si_name member of type `char *` (before 9.1)

Adds an initial version of freebsd_tcpconns command, which allows listing active TCP connections. This plugin is based on the following publication: Bond, Elyse, "Creating Volatility Support for FreeBSD" (2015). University of New Orleans Theses and Dissertations. 2033.

Also includes a check for missing tcbinfo symbol in tcpconns command.
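The three layout differences listed above, as an added illustration that is not code from this pull request or from Volatility: the parsing path for each structure is chosen from vtype metadata rather than from a hard-coded FreeBSD version, and `fd_ofiles` is walked in both its pre-9.2 and 9.2+ shapes. The vtype fragments, sizes and offsets below are constructed placeholders in the Volatility 2 `profile.vtypes` shape, not values from a real profile.

```python
import struct

# Constructed vtype fragments, {struct: [size, {member: [offset, type]}]}.
# Sizes and offsets are placeholders for this example, not real kernel values.
VTYPES_84 = {  # FreeBSD 8.4-style layouts
    "pmap": [64, {"pm_pdir": [0, ["pointer", ["unsigned long"]]]}],
    "filedesc": [96, {"fd_ofiles": [0, ["pointer", ["pointer", ["file"]]]]}],
    "cdev": [128, {"si_name": [16, ["pointer", ["char"]]]}],
}
VTYPES_NEW = {  # FreeBSD 9.3+-style layouts
    "pmap": [64, {"pm_cr3": [0, ["unsigned long"]]}],
    "filedesc": [96, {"fd_ofiles": [0, ["pointer", ["filedescent"]]]}],
    "filedescent": [24, {"fde_file": [0, ["pointer", ["file"]]]}],
    "cdev": [128, {"si_name": [16, ["array", 64, ["char"]]]}],
}
PTR = 8  # amd64 pointer size


def has_member(vtypes, name, member):
    return name in vtypes and member in vtypes[name][1]


def member_type(vtypes, name, member):
    return vtypes[name][1][member][1]


def pmap_root_member(vtypes):
    """Member holding the page-table root: pm_cr3 on 9.3+, else pm_pdir."""
    return "pm_cr3" if has_member(vtypes, "pmap", "pm_cr3") else "pm_pdir"


def si_name_is_pointer(vtypes):
    """cdev.si_name is `char *` before 9.1 and an inline char array after."""
    return member_type(vtypes, "cdev", "si_name")[0] == "pointer"


def open_file_pointers(vtypes, fd_ofiles_bytes, nfiles):
    """Return non-NULL struct file addresses from a raw fd_ofiles array.
    Pre-9.2 the array holds `struct file *`; from 9.2 it holds struct
    filedescent entries whose fde_file member carries the pointer."""
    if member_type(vtypes, "filedesc", "fd_ofiles") == ["pointer", ["pointer", ["file"]]]:
        stride, off = PTR, 0
    else:
        stride = vtypes["filedescent"][0]
        off = vtypes["filedescent"][1]["fde_file"][0]
    ptrs = [struct.unpack_from("<Q", fd_ofiles_bytes, i * stride + off)[0]
            for i in range(nfiles)]
    return [p for p in ptrs if p]  # NULL slots are closed descriptors


def demo():
    # Constructed arrays: three descriptors, fd 1 closed (NULL slot).
    old = struct.pack("<QQQ", 0xFFFFF80001, 0, 0xFFFFF80003)
    new = b"".join(struct.pack("<Q", p) + b"\0" * 16
                   for p in (0xFFFFF80001, 0, 0xFFFFF80003))
    return open_file_pointers(VTYPES_84, old, 3), open_file_pointers(VTYPES_NEW, new, 3)
```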
@patriknisen Thanks for your patches. We were hoping to confirm the functionality before merging, but we don't have a profile or 8.4 memory dump handy. Would you be able to share the profile you've been testing with?
Define which FreeBSD versions introduced 2 structures that are not available in 8.4.
FreeBSD-8.4 profile, memory snapshot from vanilla FreeBSD 8.4 is attached. We also improved the module.c so that it can be directly used in older FreeBSD.
Thank you! Nice work on the blog too, I'm just going to paste it here so we have a set of resources for people to reference in one place. https://www.nixu.com/blog/memory-forensics-against-citrix-adc
patriknisen commented Jan 28, 2020
Adds support for FreeBSD 8.4.0 and probably some other older FreeBSD versions. In addition, implements an initial version of a command for listing TCP connections.