Instalar Volatility no Debian e Ubuntu

Hoje vamos mostrar como instalar o Volatility no Debian e Ubuntu. O volatility é um programa que tal como o rekall é utilizado para analisar um dump de memória e procurar informações importantes que estão em memória no momento da acquisição.

O rekall começou como sendo um fork do volatility, ambos seguiram com seu desenvolvimento com o objectivo de analisar dados em memória, no entanto o desenvolvimento de ambos tomou rumos um pouco diferentes e hoje cada um tem os seus prós e contras.

A instalação do volatility pode ser feita pelos repositórios oficiais do Debian e do Ubuntu, no entanto as vezes as versões disponíveis no repositório oficial pode estar um pouco desactualizada e por isso podemos querer usar a versão mais nova por causa de alguma como por exemplo correcções de bugs ou novas funções. Neste artigo vamos mostrar como é facil instalar o volatility no nosso sistema.

O volatility é um conjunto de programas e plugins escritos em python, no entanto ele (até ao momento de escrita deste artigo) somente suporta até a versão 2.6 ou superior do python, mas não a versão 3.0, a actualização para a versão 3.0 e superior ainda não foi feita. Tendo isto em conta devemos garantir que na nossa máquina temos a versão correcta do python instalada.

$ sudo apt-get install python2.7

Para começar vamos copiar a versão mais recente do volatility no repositório oficial do GitHub com o seguinte comando.

$ wget https://github.com/volatilityfoundation/volatility/archive/master.zip

De seguida vamos extrair o conteúdo do arquivo comprimido.

$ unzip master.zip

Isto vai criar um directório com o nome volatility-master, dentro deste directório vamos encontrar o script vol.py que é o volatility em si. A partir deste momento já podemos começar a usar o volatility fazendo referencia ao script. Caso tenha mais de uma versão do python instalada na sua máquina lembre-se de referenciar a versão 2.7 para evitar que uma versão incompactivel seja utlizada.
Para obter mais informações sobre o volatility podemos usar seguinte comando.

$ python2.7 vol.py --info


Volatility Foundation Volatility Framework 2.6


Plugins
-------
amcache - Print AmCache information
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
editbox - Displays information about Edit controls. (Listbox experimental.)
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_dynamic_env - Recover a process' dynamic environment variables
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_find_file - Lists and recovers files from memory
linux_getcwd - Lists current working directory of each process
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - It's like 'info registers' in GDB. It prints out all the
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists file descriptors and their path
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netscan - Carves for network connection structures
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process memory maps
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their static environment variables
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_psscan - Scan physical memory for processes
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - A shell in the Linux memory image
lsadump - Dump (decrypted) LSA secrets from the registry
mac_adium - Lists Adium messages
mac_apihooks - Checks for API hooks in processes
mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
mac_arp - Prints the arp table
mac_bash - Recover bash history from bash process memory
mac_bash_env - Recover bash's environment variables
mac_bash_hash - Recover bash hash table from bash process memory
mac_calendar - Gets calendar events from Calendar.app
mac_check_fop - Validate File Operation Pointers
mac_check_mig_table - Lists entires in the kernel's MIG table
mac_check_syscall_shadow - Looks for shadow system call tables
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if mach trap table entries are hooked
mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages
mac_contacts - Gets contact names from Contacts.app
mac_dead_procs - Prints terminated/de-allocated processes
mac_dead_sockets - Prints terminated/de-allocated network sockets
mac_dead_vnodes - Lists freed vnode structures
mac_devfs - Lists files in the file cache
mac_dmesg - Prints the kernel debug buffer
mac_dump_file - Dumps a specified file
mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap
mac_dyld_maps - Gets memory maps of processes from dyld data structures
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_get_profile - Automatically detect Mac profiles
mac_ifconfig - Lists network interface information for all devices
mac_interest_handlers - Lists IOKit Interest Handlers
mac_ip_filters - Reports any hooked IP filters
mac_kernel_classes - Lists loaded c++ classes in the kernel
mac_kevents - Show parent/child relationship of processes
mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
mac_librarydump - Dumps the executable of a process
mac_list_files - Lists files in the file cache
mac_list_kauth_listeners - Lists Kauth Scope listeners
mac_list_kauth_scopes - Lists Kauth Scopes and their status
mac_list_raw - List applications with promiscuous sockets
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_lsmod - Lists loaded kernel modules
mac_lsmod_iokit - Lists loaded kernel modules through IOkit
mac_lsmod_kext_map - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_malfind - Looks for suspicious process mappings
mac_memdump - Dump addressable memory pages to a file
mac_moddump - Writes the specified kernel extension to disk
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_network_conns - Lists network connections from kernel network structures
mac_notesapp - Finds contents of Notes messages
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_orphan_threads - Lists threads that don't map back to known modules/processes
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_procdump - Dumps the executable of a process
mac_psaux - Prints processes with arguments in user land (**argv)
mac_psenv - Prints processes with environment in user land (**envp)
mac_pslist - List Running Processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_recover_filesystem - Recover the cached filesystem
mac_route - Prints the routing table
mac_socket_filters - Reports socket filters
mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks - List Active Tasks
mac_threads - List Process Threads
mac_threads_simple - Lists threads along with their start time and priority
mac_timers - Reports timers set by kernel drivers
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_vfsevents - Lists processes filtering file system events
mac_volshell - Shell in the memory image
mac_yarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
netscan - Scan a Vista (or later) image for connections and sockets
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
patcher - Patches memory based on page scans
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
qemuinfo - Dump Qemu information
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
servicediff - List Windows services (ala Plugx)
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
shutdowntime - Print ShutdownTime of machine from registry
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passphrase Finder
truecryptsummary - TrueCrypt Summary
unloadedmodules - Print list of unloaded modules
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
win10cookie - Find the ObHeaderCookie value for Windows 10
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures


Profiles
--------
Linuxubuntu-4_10_0-42-genericx64 - A Profile for Linux ubuntu-4.10.0-42-generic x64
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063 - A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x86 - A Profile for Windows 10 x86
Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win10x86_15063 - A Profile for Windows 10 x86 (10.0.15063.0 / 2017-04-04)
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86


Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - Address space for ARM processors
FileAddressSpace - This is a direct file AS.
HPAKAddressSpace - This AS supports the HPAK format
IA32PagedMemory - Standard IA-32 paging address space.
IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
LimeAddressSpace - Address space for Lime
LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
SkipDuplicatesAMD64PagedMemory - Windows 8/10-specific AMD 64-bit address space.
VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.


Scanner Checks
--------------
CheckPoolSize - Check pool block size
CheckPoolType - Check the pool type
KPCRScannerCheck - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck - This scanner checks for the occurance of a pool tag

Para obtermos mais informações sobre um dump de memória podemos usar o plugin imageinfo para identificar que perfil podemos utilizar ou ainda identificar que sistema operativo foi capturado o dump de memória.

$ python vol.py imageinfo -f WIN8-20171104-182725.raw 
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win8SP0x64, Win81U1x64, Win2012R2x64_18340, Win2012R2x64, Win2012x64, Win8SP1x64_18340, Win8SP1x64
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/rickinho/MemoryAnalisys/WIN8-20171104-182725.raw)
                      PAE type : No PAE
                           DTB : 0x1a7000L
                          KDBG : 0xf800764a0a30L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff800764fb000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2017-11-04 18:27:38 UTC+0000
     Image local date and time : 2017-11-04 16:27:38 -0200

Como podemos ver, agora podemos começar a utilizar o volatility para começar dados em memória como programas e conexões de rede, isto vai nos permitir conseguir mais informações sobre uma possível máquina que esteja infectada por um malware.

Por hoje ficamos por aqui, até ao próximo artigo…

Compartilhe... :)

Deixe uma resposta

O seu endereço de email não será publicado. Campos obrigatórios marcados com *