Introduction

In this article, I’ll present whether it’s possible to get access to passwords lying around in memory by using a fully patched Linux x64 operating system. First, it’s not superfluous to emphasize that the distribution of the Linux operating system doesn’t matter, since the system is managing memory similarly with minor differences, which are not important for the purpose of this article: most often the memory is managed by following the same principle on multiple distributions.

Let’s put ourselves into the shoes of an attacker, where we’ve already gained access to the system by exploiting an existing vulnerability or by using a social engineering attack to lure the victim into visiting our web page. Social engineering is the easiest way to get the keys to the castle, but an attacker can just as well exploit a vulnerability in an arbitrary application like OpenOffice, Pidgin, Chrome, Firefox, etc. At this point, we’re already in the system, and the details of how we’ve gained access to the system are not important. Let’s also suppose that we’ve been able to escalate privileges by exploiting a well known vulnerability in the Linux kernel to gain administrative privileges. After we’ve done so, nothing is stopping us from changing the system however we want: we can install a backdoor into the system and the victim wouldn’t even know it. If we don’t want to change the files on the filesystem or leave anything else for the forensics examiner, we have to be very stealth when exploiting the system.

Dumping Memory

There are various tools that we can use to dump memory under the Linux operating system, some of which are presented below. At the very basic level, we can divide the tools between those that dump a memory of just one process or the whole system.

  • Tools for Dumping Memory of a Single Process: the Process Dumper [1] program can be used to dump memory of single processes. It dumps memory of a running process where all data and code sections are dumped. The memory dump is outputted to stdout, so we need to use the program together with other tools like netcat, tar, etc.

    # http://www.trapkit.de/research/forensic/pd/pd_v1.1_lnx.bz2
    # bunzip2 pd_v1.1_lnx.bz2
    # ./pd_v1.1_lnx

  • Tools for Dumping Memory of a Whole System: LiME (Linux Memory Extractor) [2]: can be used to dump memory of a whole Linux system. To install LiME, we have to execute the following commands:

    # svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime
    # cd lime/src/
    # make

    When LiME is being compiled, a kernel .ko module is created, which needs to be inserted into the kernel by using insmod command. The memory dump can be saved to the filesystem or sent over the network. When inserting a module into the kernel, we can pass a number of parameters to insmod command, which are presented below:

  • path: a filename on local filesystem where the memory dump will be written or a tcp:<port>.
  • format: LiME can output the memory dump in various formats, like raw, padded and lime. A raw format concatenates all system RAM into an image. A padded format pads non-system RAM with zeros and starts from physical address 0×0. A lime format appends an special header to each memory range to describe the address space information – also the Volatility program supports parsing this format, which is also the reason we’ll use it in this article.
  • dio: when this parameter is set to 1 (the default), the Direct IO will be used, while the value of 0 disables it.

Now that we’ve described all three parameters that can be passed to lime.ko kernel module, we can issue the command as root to obtain the system’s memory. The command presented below will acquire whole system’s memory and save it into the /tmp/memdump.lime file by using lime format. Note that the process can take a while if you have large amount of physical memory available in the system; also note that there should be enough disk space to save the entire contents of physical memory to disk.

# insmod lime.ko "path=/tmp/memdump.lime format=lime"

In Qemu we can dump memory of a running virtual machine by using the pmemsave command as follows. Note that the windows7.dump memory dump will be stored to the current directory if relative path is used. If we want to save the memory dump to an arbitrary location, we can enclose the whole path of the memory image in double quotation marks.

(qemu) pmemsave 0 0x3FFFFFFF windows7.dump

Note that as long as the memory dumping is in progress, the virtual machine will be paused and we won’t be able to interact with it. In the command above, the start address is 0×0 to start dumping memory at the beginning and its size is 0x3FFFFFFF, which will dump 1GB of memory. If we go to system settings, we can see that the system has only 1GB of memory available, so we shouldn’t dump 4GB if it only has 1GB of memory.

Creating a Profile in Source Distributions

Once the memory has been dumped, we have to analyze it in order to obtain useful information. Prior to doing that with Volatility, we have to create a profile, which contains kernel data structures and debug symbols that Volatility uses to locate critical information inside the memory dump [3]. It’s imperative that the profile is created on the same machine as we would like to analyze, since kernel data structure and debug symbols are specific to Linux distribution and kernel used. If we’re running a binary Linux distribution, it’s likely that some user has already created a profile and shared it with the rest of the world – in such cases we can use his profile to do our analysis. But if we’re running a source Linux distribution, we need to create the profile for ourselves. Each Linux profile depends upon three important factors:

  • Linux distribution
  • Kernel version
  • CPU architecture

To build a profile, we must first download volatility source code from here and install it normally with make / make install. After successful installation, we need to enter the tools/linux/ directory in the Volatility source directory and issue a make command to create the required kernel’s data structures. By doing that, the Makefile will instruct the make command to compile module.c against the currently used Linux kernel, which we want to analyze. By doing that, a special file module.dwarf will be created.

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

The next step is getting the kernel symbols of the current kernel, which can be found in /boot/ directory for most binary Linux distributions. In source code distributions, the System.map can be found in the /usr/src/linux/ directory.

When creating a profile, we have to archive the module.dwarf as well as System.map into a .zip file and move the .zip file under plugins/overlays/linux/ directory.

# cd volatility-2.3.1/volatility/plugins/overlays/linux/
# cp ../../../../tools/linux/module.dwarf .
# cp /usr/src/linux/System.map .
# zip Gentoo.zip System.map module.dwarf

To see whether the profile has been successfully created, we need to execute the vol.py command with the –info parameter and check if the Gentoo profile is presented in the output. In the output below, we can see that we’ve successfully added the Gentoo profile to Volatility.

# ./vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.3.1
LinuxGentoox64  - A Profile for Linux Gentoo x64
linux_banner            - Prints the Linux banner information
linux_yarascan          - A shell in the Linux memory image

After that we can run Volatility normally with the following command, which will print all the supported commands that we can use when analyzing the memory dump of the Linux system.

# ./vol.py -f memdump.lime --profile=LinuxGentoox64 -h
        Supported Plugin Commands:

                linux_arp       Print the ARP table
                linux_banner    Prints the Linux banner information
                linux_bash      Recover bash history from bash process memory
                linux_check_afinfo      Verifies the operation function pointers of network protocols
                linux_check_creds       Checks if any processes are sharing credential structures
                linux_check_fop Check file operation structures for rootkit modifications
                linux_check_idt Checks if the IDT has been altered
                linux_check_modules     Compares module list to sysfs info, if available
                linux_check_syscall     Checks if the system call table has been altered
                linux_check_tty Checks tty devices for hooks
                linux_cpuinfo   Prints info about each active processor
                linux_dentry_cache      Gather files from the dentry cache
                linux_dmesg     Gather dmesg buffer
                linux_dump_map  Writes selected memory mappings to disk
                linux_find_file Recovers tmpfs filesystems from memory
                linux_ifconfig  Gathers active interfaces
                linux_iomem     Provides output similar to /proc/iomem
                linux_keyboard_notifier Parses the keyboard notifier call chain
                linux_lsmod     Gather loaded kernel modules
                linux_lsof      Lists open files
                linux_memmap    Dumps the memory map for linux tasks
                linux_moddump   Extract loaded kernel modules
                linux_mount     Gather mounted fs/devices
                linux_mount_cache       Gather mounted fs/devices from kmem_cache
                linux_netstat   Lists open sockets
                linux_pidhashtable      Enumerates processes through the PID hash table
                linux_pkt_queues        Writes per-process packet queues out to disk
                linux_proc_maps Gathers process maps for linux
                linux_psaux     Gathers processes along with full command line and start time
                linux_pslist    Gather active tasks by walking the task_struct->task list
                linux_pslist_cache      Gather tasks from the kmem_cache
                linux_pstree    Shows the parent/child relationship between processes
                linux_psxview   Find hidden processes with various process listings
                linux_route_cache       Recovers the routing cache from memory
                linux_sk_buff_cache     Recovers packets from the sk_buff kmem_cache
                linux_slabinfo  Mimics /proc/slabinfo on a running machine
                linux_tmpfs     Recovers tmpfs filesystems from memory
                linux_vma_cache Gather VMAs from the vm_area_struct cache
                linux_volshell  Shell in the memory image
                linux_yarascan  A shell in the Linux memory image
                mbrparser       Scans for and parses potential Master Boot Records (MBRs)
                patcher         Patches memory based on page scans

Since I was running a newer version of the Gentoo kernel than was officially supported, I wasn’t able to analyze the memory of Gentoo Linux. The supported Linux kernel versions are 2.6.11 – 3.5.x. If you have a kernel which falls in the range above, then Volatility is most probable to work just fine.

Analyzing Memory

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

In this part of the article, we’ll analyze the memory dump of a Qemu Windows 7 system. To dump all available profiles we can use with the acquired image, we can use the –info parameter, which will display all available profiles as well as a lot of other information.

# ./vol.py --info
Volatility Foundation Volatility Framework 2.3.1

Profiles
--------
LinuxGentoox64  - A Profile for Linux Gentoo x64
VistaSP0x64     - A Profile for Windows Vista SP0 x64
VistaSP0x86     - A Profile for Windows Vista SP0 x86
VistaSP1x64     - A Profile for Windows Vista SP1 x64
VistaSP1x86     - A Profile for Windows Vista SP1 x86
VistaSP2x64     - A Profile for Windows Vista SP2 x64
VistaSP2x86     - A Profile for Windows Vista SP2 x86
Win2003SP0x86   - A Profile for Windows 2003 SP0 x86
Win2003SP1x64   - A Profile for Windows 2003 SP1 x64
Win2003SP1x86   - A Profile for Windows 2003 SP1 x86
Win2003SP2x64   - A Profile for Windows 2003 SP2 x64
Win2003SP2x86   - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64   - A Profile for Windows 2008 SP1 x64
Win2008SP1x86   - A Profile for Windows 2008 SP1 x86
Win2008SP2x64   - A Profile for Windows 2008 SP2 x64
Win2008SP2x86   - A Profile for Windows 2008 SP2 x86
Win7SP0x64      - A Profile for Windows 7 SP0 x64
Win7SP0x86      - A Profile for Windows 7 SP0 x86
Win7SP1x64      - A Profile for Windows 7 SP1 x64
Win7SP1x86      - A Profile for Windows 7 SP1 x86
WinXPSP1x64     - A Profile for Windows XP SP1 x64
WinXPSP2x64     - A Profile for Windows XP SP2 x64
WinXPSP2x86     - A Profile for Windows XP SP2 x86
WinXPSP3x86     - A Profile for Windows XP SP3 x86

Since we’re running Windows 7 SP1, we should use the Win7SP1x86 as the profile. To print all supported commands we can use with the memory dump, we can pass the -h as a parameter after we’ve already specified the memory image dump and profile.

 ./vol.py -f windows7.dump –profile=Win7SP1x86

        Supported Plugin Commands:

                apihooks        Detect API hooks in process and kernel memory
                atoms           Print session and window station atom tables
                atomscan        Pool scanner for _RTL_ATOM_TABLE
                bioskbd         Reads the keyboard buffer from Real Mode memory
                callbacks       Print system-wide notification routines
                clipboard       Extract the contents of the windows clipboard
                cmdscan         Extract command history by scanning for _COMMAND_HISTORY
                consoles        Extract command history by scanning for _CONSOLE_INFORMATION
                crashinfo       Dump crash-dump information
                deskscan        Poolscaner for tagDESKTOP (desktops)
                devicetree      Show device tree
                dlldump         Dump DLLs from a process address space
                dlllist         Print list of loaded dlls for each process
                driverirp       Driver IRP hook detection
                driverscan      Scan for driver objects _DRIVER_OBJECT
                dumpcerts       Dump RSA private and public SSL keys
                dumpfiles       Extract memory mapped and cached files
                envars          Display process environment variables
                eventhooks      Print details on windows event hooks
                filescan        Scan Physical memory for _FILE_OBJECT pool allocations
                gahti           Dump the USER handle type information
                gditimers       Print installed GDI timers and callbacks
                gdt             Display Global Descriptor Table
                getservicesids  Get the names of services in the Registry and return Calculated SID
                getsids         Print the SIDs owning each process
                handles         Print list of open handles for each process
                hashdump        Dumps passwords hashes (LM/NTLM) from memory
                hibinfo         Dump hibernation file information
                hivedump        Prints out a hive
                hivelist        Print list of registry hives.
                hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
                hpakextract     Extract physical memory from an HPAK file
                hpakinfo        Info on an HPAK file
                idt             Display Interrupt Descriptor Table
                iehistory       Reconstruct Internet Explorer cache / history
                imagecopy       Copies a physical address space out as a raw DD image
                imageinfo       Identify information for the image
                impscan         Scan for calls to imported functions
                kdbgscan        Search for and dump potential KDBG values
                kpcrscan        Search for and dump potential KPCR values
                ldrmodules      Detect unlinked DLLs
                lsadump         Dump (decrypted) LSA secrets from the registry
                machoinfo       Dump Mach-O file format information
                malfind         Find hidden and injected code
                mbrparser       Scans for and parses potential Master Boot Records (MBRs)
                memdump         Dump the addressable memory for a process
                memmap          Print the memory map
                messagehooks    List desktop and thread window message hooks
                mftparser       Scans for and parses potential MFT entries
                moddump         Dump a kernel driver to an executable file sample
                modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
                modules         Print list of loaded modules
                mutantscan      Scan for mutant objects _KMUTANT
                netscan         Scan a Vista, 2008 or Windows 7 image for connections and sockets
                patcher         Patches memory based on page scans
                printkey        Print a registry key, and its subkeys and values
                privs           Display process privileges
                procexedump     Dump a process to an executable file sample
                procmemdump     Dump a process to an executable memory sample
                pslist          Print all running processes by following the EPROCESS lists
                psscan          Scan Physical memory for _EPROCESS pool allocations
                pstree          Print process list as a tree
                psxview         Find hidden processes with various process listings
                raw2dmp         Converts a physical memory sample to a windbg crash dump
                screenshot      Save a pseudo-screenshot based on GDI windows
                sessions        List details on _MM_SESSION_SPACE (user logon sessions)
                shellbags       Prints ShellBags info
                shimcache       Parses the Application Compatibility Shim Cache registry key
                ssdt            Display SSDT entries
                strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
                svcscan         Scan for Windows services
                symlinkscan     Scan for symbolic link objects
                thrdscan        Scan physical memory for _ETHREAD objects
                threads         Investigate _ETHREAD and _KTHREADs
                timeliner       Creates a timeline from various artifacts in memory
                timers          Print kernel timers and associated module DPCs
                unloadedmodules Print list of unloaded modules
                userassist      Print userassist registry keys and information
                userhandles     Dump the USER handle tables
                vaddump         Dumps out the vad sections to a file
                vadinfo         Dump the VAD info
                vadtree         Walk the VAD tree and display in tree format
                vadwalk         Walk the VAD tree
                vboxinfo        Dump virtualbox information
                vmwareinfo      Dump VMware VMSS/VMSN information
                volshell        Shell in the memory image
                windows         Print Desktop Windows (verbose details)
                wintree         Print Z-Order Desktop Windows Tree
                wndscan         Pool scanner for tagWINDOWSTATION (window stations)
                yarascan        Scan process or kernel memory with Yara signatures

Note that there are a lot of commands we can use to analyze the system memory. First we can list active processes by using the pslist command:

# ./vol.py -f windows7.dump --profile=Win7SP1x86 pslist

After that we can use any number of commands to gather the information that we need.

Conclusion

In this article we’ve presented how we can dump memory of a Linux system and create our own profile that can be used together with Volatility to analyze memory. We’ve also dumped memory of a Qemu virtual machine and printed its processes. At such point, we can start looking for interesting information like passwords and certificates that security-unaware applications may have left in memory for an attacker to obtain.

References:

[1] Process Dumper,

http://www.trapkit.de/research/forensic/pd/index.html.

[2] LiME,

http://code.google.com/p/lime-forensics/.

[3] LinuxMemoryForensics,

https://code.google.com/p/volatility/wiki/LinuxMemoryForensics.

[4] The Volatility Framework,

https://code.google.com/p/volatility/.