linux memory volatility

(@jolintan)
Trusted Member
Joined: 7 years ago
Posts: 32
Topic starter  

I'm using Volatility for Linux VM memory analysis. May I know the command to display all the profile selections for Red Hat Linux?

Also, in Linux vmem file analysis, can we use the connscan, malfind, apihook and vaddump plugins?
If not, is there any other plugin we can use for Linux malware in a VM environment? Thanks.

(@aquachimere)
Eminent Member
Joined: 7 years ago
Posts: 32
 

Hi

Did you read the cheat sheet?

https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf

AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 175
 

Use the command "volatility --info".

The commands available to you by default in 2.6 are

linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_dynamic_env - Recover a process' dynamic environment variables
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_find_file - Lists and recovers files from memory
linux_getcwd - Lists current working directory of each process
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - It's like 'info registers' in GDB. It prints out all the
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists file descriptors and their path
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netscan - Carves for network connection structures
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process memory maps
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their static environment variables
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_psscan - Scan physical memory for processes
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - A shell in the Linux memory image

You may need to download or build your own profile for the specific Red Hat Linux your image is from.

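As an added example (not code from the thread or from the Volatility project), here is a POSIX sh wrapper that answers the original question with plugins from the list above: it runs the Linux counterparts of connscan, malfind, apihooks and vaddump against a Linux VM image and keeps each plugin's output in its own file. It assumes VOL points at a Volatility 2.x launcher (vol.py or the standalone binary) and that the profile name passed in (the "LinuxRedHat7x64" used when testing is a constructed placeholder) is one that "--info" lists; the -p/-D options of linux_dump_map are the plugin's standard pid and dump-directory switches.

```shell
#!/bin/sh
# Added example, not from the thread or the Volatility project: Volatility 2.x
# triage wrapper for a Linux VM image that runs the Linux counterparts of the
# Windows plugins asked about (connscan, malfind, apihooks, vaddump) from the
# 2.6 "--info" list above. Assumes VOL is a Volatility 2.x launcher (vol.py or
# the standalone binary) and PROFILE is a Linux profile "$VOL --info" lists.
VOL=${VOL:-vol.py}

# Windows plugin name -> Linux plugin; fails for names with no counterpart.
linux_equivalent() {
    case "$1" in
        connscan) echo linux_netscan ;;   # carves network connection structures
        malfind)  echo linux_malfind ;;   # suspicious process mappings
        apihooks) echo linux_apihooks ;;  # userland API hooks
        vaddump)  echo linux_dump_map ;;  # writes selected mappings to disk
        *)        return 1 ;;
    esac
}

# Run one plugin; stdout and stderr go to OUTDIR/<plugin>.txt so a traceback
# (usually a wrong profile) is kept next to the results.
run_plugin() {
    image=$1 profile=$2 outdir=$3 plugin=$4
    shift 4
    "$VOL" -f "$image" --profile="$profile" "$plugin" "$@" \
        > "$outdir/$plugin.txt" 2>&1
}

# linux_triage IMAGE PROFILE OUTDIR [PID]: process, module and network views
# (to be cross-checked against each other), then the malware-oriented plugins;
# with a PID, also dump that process's mappings. Prints the output file count.
linux_triage() {
    image=$1 profile=$2 outdir=$3 pid=$4
    mkdir -p "$outdir"
    for p in linux_pslist linux_psscan linux_psxview linux_pstree \
             linux_lsmod linux_hidden_modules linux_check_syscall linux_netstat \
             $(linux_equivalent connscan) $(linux_equivalent malfind) \
             $(linux_equivalent apihooks); do
        run_plugin "$image" "$profile" "$outdir" "$p" ||
            echo "$p failed, see $outdir/$p.txt" >&2
    done
    if [ -n "$pid" ]; then
        mkdir -p "$outdir/maps_$pid"
        run_plugin "$image" "$profile" "$outdir" "$(linux_equivalent vaddump)" \
            -p "$pid" -D "$outdir/maps_$pid" || echo "linux_dump_map failed" >&2
    fi
    set -- "$outdir"/*.txt
    echo $#
}
```

Compare linux_pslist, linux_psscan and linux_psxview (and linux_lsmod against linux_hidden_modules) before trusting any single listing; a task missing from one view is the first thing to look at.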
(@jolintan)
Trusted Member
Joined: 7 years ago
Posts: 32
Topic starter  

I downloaded the Volatility 2.5 standalone for Linux; after unzipping, it has the file volatility_2.5_linux_x64.
I gave the execute (x) right to this file, and when I type ./volatility_2.5_linux_x64, it says "can't execute the binary".

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

I downloaded the Volatility 2.5 standalone for Linux; after unzipping, it has the file volatility_2.5_linux_x64.
I gave the execute (x) right to this file, and when I type ./volatility_2.5_linux_x64, it says "can't execute the binary".

Why did you have to set the file up to be executable? As far as I can see from the .zip file it already is executable. Did you extract it in the wrong way? Did something else go wrong during extraction?

As far as the error message goes … what is the exact message? I'm guessing that it's

bash: ./volatility_2.5_linux_x64: cannot execute binary file: Exec format error

but I could easily be wrong. But assuming it is, …

The _x64 binary is intended to be run on an x64 operating system. If you try to run it on a 32-bit x86 operating system, that's the kind of error message you get.

Solution: use the _x86 binary instead.

If that is your problem, you may need to work a bit on learning linux. If you stumble over this, you may easily stumble over something less obvious that will affect your analysis and your interpretation of evidence.

If this is a learning situation, fine, no harm done. If it's a live case, however, …

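As an added example (not from the thread), the POSIX sh check below reads the ELF header of a standalone binary and compares its target architecture with the host, so the Exec format error described above is diagnosed before the binary is run; the file names used when exercising it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the ELF header of a Volatility
# standalone binary and compare its target architecture with the host before
# running it, so the "Exec format error" case is diagnosed up front.
# Print the e_machine value of an ELF file (decimal), or "notelf".
# ELF header: bytes 0-3 are the magic 7f 45 4c 46, bytes 18-19 are e_machine
# (little-endian on x86); read single bytes so host byte order does not matter.
elf_machine() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo notelf; return 1; }
    set -- $(od -An -tu1 -j18 -N2 "$f")
    [ $# -eq 2 ] || { echo notelf; return 1; }
    echo $(( $1 + $2 * 256 ))
}

# Map e_machine to the name "uname -m" reports.
machine_name() {
    case "$1" in
        3)  echo i386 ;;     # EM_386
        62) echo x86_64 ;;   # EM_X86_64
        *)  echo unknown ;;
    esac
}

# check_exec_compat BINARY [HOST_ARCH]: return 0 if BINARY can run on the host
# (HOST_ARCH defaults to "uname -m") and print a one-line diagnosis either way.
check_exec_compat() {
    bin=$1
    host=${2:-$(uname -m)}
    if ! m=$(elf_machine "$bin"); then
        echo "$bin: not an ELF file; check the download and the extraction"
        return 2
    fi
    target=$(machine_name "$m")
    ok=0
    # a 64-bit x86 kernel runs i386 binaries too (with 32-bit userland support)
    case "$host" in
        x86_64)    { [ "$target" = x86_64 ] || [ "$target" = i386 ]; } && ok=1 ;;
        i386|i686) [ "$target" = i386 ] && ok=1 ;;
        *)         [ "$target" = "$host" ] && ok=1 ;;
    esac
    if [ "$ok" -eq 1 ]; then
        echo "$bin: built for $target, host is $host: OK"
        return 0
    fi
    echo "$bin: built for $target, host is $host: expect 'Exec format error'"
    return 1
}
```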
Logan
(@logan)
Trusted Member
Joined: 15 years ago
Posts: 66
 

Why don't you just download and build the latest from github? https://github.com/volatilityfoundation/volatility

Also, Volatility does not come with Linux or macOS profiles by default. You either have to create your own or download them separately from here https://github.com/volatilityfoundation/profiles

Follow the instructions on the page and then when you type '--info' it should show the profiles.

(@jolintan)
Trusted Member
Joined: 7 years ago
Posts: 32
Topic starter  

Thanks. Is there a free website where we can download Linux malware samples (ELF files)?
