Creating Volatility Profile for CentOS67

Posted: April 27, 2018 in Uncategorized

Problem statement

I needed a CentOS 6.7 profile, and none were to be had at the Linux Profiles GitHub location.

Theory in Practice

The idea is to create a virtual machine that uses the same operating system as the memory image I am trying to analyze. In this case it is CentOS 6.7 64-bit. A bit of googleFu found a repository of CentOS iso images for versions 2 through 7. Wow! Including the live DVD iso for the version I was hunting down. Score one in the hunt.

I downloaded the version I needed, CentOS67 live dvd iso as a bootable live distro.

Next step was to create the virtual machine using VMware Fusion. Simple to create a new VM using the live iso I had downloaded. The VM booted up into the Live DVD and had an option to install on hard drive; I chose that since I needed to install modules and tools. The VM finished its install, and booted back into the new local disk version of the CentOS67 VM.

So far so good, now to customize the VM with tools and volatility.

Install Subversion Volatility and OS modules

Requirements: volatility profile building needs libdwarf-tools, kernel dev tools, linux headers, and gcc. Subversion is needed in order to check out the volatility repository from github.com.

Run the following commands as root or under sudo (I ran all mine as root, via "su -").

First up, install Subversion for Fedora; I got the instructions from that site.

Create a repo file for subversion in /etc/yum.repos.d/ with the lines below:

[WandiscoSVN]
name=Wandisco SVN Repo
baseurl=http://opensource.wandisco.com/centos/6/svn-1.8/RPMS/x86_64/
enabled=1
gpgcheck=0

  • yum install subversion

Now add the EPEL repository to your VM: download the epel-release rpm for your system and install it with rpm on the VM.

  • rpm -ivh epel-release-6-8.noarch.rpm

Check epel is seen by your yum repolist

  • yum repolist | grep epel

Install the libdwarf-tools using the epel repository

  • yum --enablerepo=epel install libdwarf-tools

Install the rest of the tools: elfutils-libelf-devel, kernel-devel, linux-headers, and gcc.

  • yum install elfutils-libelf-devel
  • yum install kernel-devel
  • yum install linux-headers
  • yum install gcc

Correct the build symlink under /lib/modules/#VERSION so that it points at /usr/src/kernels/#VERSION. The locations are specific to your installation, so first find yours.

  • ls /lib/modules/
    • /lib/modules/2.6.32-573.el6.x86_64 << my location
  • ls /usr/src/kernels/
    • /usr/src/kernels/2.6.32-696.23.1.el6.x86_64/  << my location
  • Remove the incorrect build location from /lib/modules
    • rm /lib/modules/2.6.32-573.el6.x86_64/build
  • Link the kernel source location to the modules build location
    • ln -s /usr/src/kernels/2.6.32-696.23.1.el6.x86_64/ /lib/modules/2.6.32-573.el6.x86_64/build

Now install Volatility

Change directory to where you want the Volatility application installed. I used /usr/local/bin as its home. Use either Git or Subversion to create your volatility install. If neither of these methods works, then download the zip and install manually.

  • cd /usr/local/bin

Make volatility command executable

  • Make the vol.py command executable
    • chmod +x /usr/local/bin/volatility/trunk/vol.py
  • Link the vol.py command to /usr/local/bin location
    • ln -s /usr/local/bin/volatility/trunk/vol.py /usr/local/bin/vol26
  • Check the system can find your linked executable with which
    • which vol26

Create Profile using Volatility

  • cd to /usr/local/bin/volatility/trunk/tools/linux (or the path to where you installed volatility)
  • Run make in this directory
    • make
  • If it worked you will now have the module.dwarf file newly created (smile)
    • ls -al module.dwarf
  • Create a zip file of your new profile, named after the OS you built (mine is CentOS67), containing the module.dwarf file you created under volatility and the System.map file, which is unique to your installation. System.map-#VER is under the /boot directory.
    • zip CentOS67.zip module.dwarf /boot/System.map-2.6.32-573.el6.x86_64
  • Copy that zip file to a volatility profiles directory you wish to use. It does not have to be under the volatility main directory from the git clone. (I made one called vol-profiles under /usr/local.)
    • cp CentOS67.zip /usr/local/vol-profiles
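Two places in the steps above are easy to get subtly wrong: the build symlink step links a /usr/src/kernels tree for one kernel release (2.6.32-696 in the listing) into the /lib/modules tree of another (2.6.32-573, the running kernel whose System.map goes into the zip), and the zip step must end up containing exactly a module.dwarf plus one System.map-#VER. The script below is an added example, not code from the post or from the Volatility project. It picks the kernel-devel directory that matches the running release (the value you would get from `uname -r` on the VM; here the post's release is hard-coded as a constructed input), and it checks a finished profile zip for the two expected members, for agreement between the System.map release and the release the module was built for, and for two symbols Volatility's Linux support looks up (`init_task`, the head of the process list that linux_pslist walks, and `swapper_pg_dir`, the kernel page directory). The zip contents and addresses are constructed in the script so it runs offline; `check_profile_zip` and `pick_kernel_source` are names chosen for this example.

```python
"""Sanity checks for a Volatility 2 Linux profile zip (added example, not part
of the original post or of Volatility). All inputs below are constructed."""
import io
import re
import zipfile

# Symbols Volatility's Linux support resolves through System.map:
# init_task anchors the task list that linux_pslist walks,
# swapper_pg_dir is the kernel page directory used to locate the DTB.
REQUIRED_SYMBOLS = ("init_task", "swapper_pg_dir")

# Zip member names look like System.map-2.6.32-573.el6.x86_64
RELEASE_RE = re.compile(r"^System\.map-(?P<rel>\S+)$")


def pick_kernel_source(running_release, kernel_src_dirs):
    """Return the /usr/src/kernels entry whose name equals the running kernel
    release, or None when kernel-devel was installed for a different kernel
    (the situation in the post's listing: 2.6.32-573 running, 2.6.32-696 headers)."""
    for path in kernel_src_dirs:
        if path.rstrip("/").rsplit("/", 1)[-1] == running_release:
            return path
    return None


def parse_system_map(text):
    """Parse System.map lines ('address type name') into {name: address}."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        addr, _sym_type, name = parts
        symbols[name] = int(addr, 16)
    return symbols


def check_profile_zip(zip_bytes, built_for_release):
    """Return a list of problems found in a profile zip; an empty list means OK.
    built_for_release is the kernel release whose headers produced module.dwarf."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Volatility accepts the files at any depth inside the zip, so key by basename.
        members = {name.rsplit("/", 1)[-1]: name for name in zf.namelist()}

        if "module.dwarf" not in members:
            problems.append("module.dwarf missing")
        elif b"DW_TAG_" not in zf.read(members["module.dwarf"]):
            # dwarfdump output is a text dump of DIEs; Volatility parses its DW_TAG_ lines.
            problems.append("module.dwarf does not look like dwarfdump output")

        maps = [name for name in members if RELEASE_RE.match(name)]
        if len(maps) != 1:
            problems.append("expected exactly one System.map-<release>, found %d" % len(maps))
            return problems

        release = RELEASE_RE.match(maps[0]).group("rel")
        if release != built_for_release:
            problems.append("System.map is for %s but module.dwarf was built for %s"
                            % (release, built_for_release))

        symbols = parse_system_map(zf.read(members[maps[0]]).decode())
        for sym in REQUIRED_SYMBOLS:
            if sym not in symbols:
                problems.append("System.map lacks %s" % sym)
    return problems


def build_sample_zip(release, system_map_text, dwarf_text):
    """Build an in-memory profile zip shaped like the post's `zip CentOS67.zip ...`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", dwarf_text)
        zf.writestr("System.map-%s" % release, system_map_text)
    return buf.getvalue()


# Constructed sample data: the post's running kernel release, made-up addresses,
# and a stub of dwarfdump-style text standing in for a real module.dwarf.
SAMPLE_RELEASE = "2.6.32-573.el6.x86_64"
SAMPLE_SYSTEM_MAP = (
    "ffffffff81a00000 D init_task\n"
    "ffffffff81c00000 D swapper_pg_dir\n"
    "ffffffff81000000 T _text\n"
)
SAMPLE_DWARF = "<0><0x0b> DW_TAG_compile_unit\n  DW_AT_name module.c\n"

if __name__ == "__main__":
    # Kernel-devel tree from the post's listing does not match the running kernel.
    src = pick_kernel_source(SAMPLE_RELEASE, ["/usr/src/kernels/2.6.32-696.23.1.el6.x86_64/"])
    print("matching kernel-devel tree:", src)
    good = build_sample_zip(SAMPLE_RELEASE, SAMPLE_SYSTEM_MAP, SAMPLE_DWARF)
    print("good zip:", check_profile_zip(good, SAMPLE_RELEASE))
    mismatched = build_sample_zip("2.6.32-696.23.1.el6.x86_64", SAMPLE_SYSTEM_MAP, SAMPLE_DWARF)
    print("mismatched zip:", check_profile_zip(mismatched, SAMPLE_RELEASE))
```

Run it as-is to see the mismatch case reported, or point `check_profile_zip` at the bytes of a real CentOS67.zip with the release from `uname -r` on the build VM; an empty list is the result you want before copying the zip to the analysis host.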

Test out your new profile under volatility on your VM

  • Check the profile is recognized by volatility using the command you set up as a link above, giving it the profiles path that you copied the new profile into, and pipe the output through grep for the name of the OS profile.
    • vol26 --plugins=/usr/local/vol-profiles --info | grep -i cent

You should get this as a result (you will have a different name depending on the OS profile which you build); this is the one I built, and volatility on the VM recognized it. YIPPEE!

  • LinuxCentOS67x64 - A Profile for Linux CentOS67 x64

Test with memory image

Now, moment of truth (smile): copy your new profile to your analysis host into a profiles directory. My analysis host happens to be on Windows, but you can use a Linux or Mac host as well. Just drop the zipped-up profile into a directory and aim volatility at it. I also have Cygwin tools for Windows installed on my analysis host, which gives me unix commands like cp, grep, strings, etc.

  • cp CentOS67.zip c:\tools\volatility\profiles on the analysis host
  • Run the info check on the analysis host
    • c:\tools\volatility\vol26.exe --plugins=c:\tools\volatility\profiles --info | grep -i cent
      • YAY! Got the result that LinuxCentOS67x86_64 was there!!!!

This is for all the marbles!

  • Test the new profile against the memory image from the CentOS67 host with the linux_pslist command
    • c:\tools\volatility\vol26 --plugins=c:\tools\volatility\profiles --profile=LinuxCentOS67x86_64x64 -f ..\..\Images\LiMEcapture.lime linux_pslist

EUREKA!!!!!!! IT WORKS!!!!!!!!!

Time for a victory dance and coffee (or beer if you are so inclined).
