I have gotten to take a small break from pentesting and return to some forensics. The question of the week: did someone drop malware on a system? This of course required a return to one of my favorite tools, Volatility!
As part of this task, I wanted to pull memory from a production RHEL web server without rebooting it or affecting normal operation of the system. In steps LiME. I had heard of LiME before, but hadn't had much of a chance to really use it. Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM) that allows you to make a copy of the running memory of a Linux system in a format that Volatility understands.
LiME is very simple to get running. Download the source code from the project's GitHub repository. Copy the source to the system you want to pull memory from, in my case a RHEL 6.5 VM. Run "make" from the source directory. Now you have the kernel module built and ready to use. It should be the ".ko" file in your source folder. In order to run LiME you need to load the module with a few parameters: the name of the file/where to dump memory and the format. You do this using "insmod".
insmod lime-2.6.32-431.el6.x86_64.ko "path=mem.lime format=lime"
This will dump all the currently running memory to the file mem.lime in the "lime" format. You could also create a raw dump; however, what is nice about the lime format is that Volatility already understands how to handle it with no modifications. Another cool feature of LiME is that it allows you to dump the memory to a network socket and therefore copy the memory directly off the box. To accomplish this, first tell LiME to send the memory to a port.
insmod lime-2.6.32-431.el6.x86_64.ko "path=tcp:8080 format=lime"
Then connect to that port from your receiving machine using netcat and save the output to a file.
nc limeMachineIP 8080 > mem.lime
This will dump all the memory to the receiving box on port 8080, into the file mem.lime. Now all you need is to build a profile for Volatility and you can analyze your new memory image. I covered how to do this in an earlier post, so I won't go through it all again; however, I will mention that doing this on RHEL took me a few tries to find the right "elf" package needed to compile "dwarfdump." For anyone who needs it, I had to install "elfutils-devel.x86_64" to get "dwarfdump" to compile. With my profile built I was able to use all the Volatility plugins smoothly with the syntax below.
./volatility_2.4_x64 --plugins=profiles/ --profile=LinuxRHEL-6_5_x86_64x64 linux_pslist -f test.lime
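Added here as an example, not code from the post or from the LiME project: a small POSIX shell helper that validates the insmod parameter string before the module is loaded, and sanity-checks a file received over netcat before profile building starts. The function names and the sample header writer are my own; the header layout it checks (a 32-byte header beginning with the magic 0x4C694D45, stored little-endian so a dump starts with the bytes "EMiL") is LiME's lime format.

```shell
#!/bin/sh
# Added helper script (not from the post or the LiME project): builds and
# validates the insmod parameter string, and sanity-checks a dump received
# over netcat before profile building starts. Function names are my own.

# Build the quoted parameter string passed to insmod, e.g.
#   insmod lime-2.6.32-431.el6.x86_64.ko "$(lime_params tcp:8080 lime)"
# Only the formats LiME supports (raw, padded, lime) are accepted, and a
# tcp:PORT path must carry a numeric port in range.
lime_params() {
    path="$1"
    format="${2:-lime}"
    case "$format" in
        raw|padded|lime) ;;
        *) echo "unsupported format: $format" >&2; return 1 ;;
    esac
    case "$path" in
        '') echo "path required" >&2; return 1 ;;
        tcp:*)
            port="${path#tcp:}"
            case "$port" in
                ''|*[!0-9]*) echo "bad tcp port: $port" >&2; return 1 ;;
            esac
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "port out of range: $port" >&2; return 1
            fi
            ;;
    esac
    printf 'path=%s format=%s' "$path" "$format"
}

# A "lime" format dump is a series of memory ranges, each preceded by a
# 32-byte header whose first field is the magic 0x4C694D45 (stored
# little-endian, so the file starts with the bytes "EMiL"). Check that a
# received file carries the magic and is at least one header long, which
# catches an empty or truncated transfer before time is spent on a profile.
is_lime_dump() {
    file="$1"
    [ -r "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -ge 32 ] || return 1
    magic=$(dd if="$file" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "454d694c" ]
}

# Write a constructed 32-byte LiME header (magic, version 1, zeroed
# start/end/reserved fields) into a file. This is sample data for exercising
# is_lime_dump offline, not a real memory image.
write_sample_header() {
    printf 'EMiL\001\000\000\000' > "$1"
    dd if=/dev/zero bs=1 count=24 2>/dev/null >> "$1"
}

# Record a hash of the received dump next to it so later analysis can show
# the image is unchanged since acquisition.
hash_dump() {
    sha256sum "$1" > "$1.sha256"
}

# Demonstration on constructed data.
sample=$(mktemp)
write_sample_header "$sample"
if is_lime_dump "$sample"; then
    echo "sample header looks like a lime dump; insmod parameters: $(lime_params tcp:8080 lime)"
fi
rm -f "$sample"
```

Run the receiver as in the post (nc limeMachineIP 8080 > mem.lime), then call is_lime_dump mem.lime and hash_dump mem.lime on the result. A file that fails the magic check was not written by LiME in lime format, or was cut off before the first header arrived, so it is not worth building a profile against.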
Hope this was helpful, feel free to comment or contact me with any questions. I will do my best to respond.