On 2023-08-18 19:42, Mike Larkin wrote:
> On Fri, Aug 18, 2023 at 01:31:41PM +0000, whistlez wrote:
>> On 2023-08-18 09:22, Omar Polo wrote:
>> > On 2023/08/18 02:06:11 +0000, whistlez <whistlez...@riseup.net> wrote:
>> >> On 2023-08-18 02:20, Scott Cheloha wrote:
>>
>> 1. Volatility allows the detection of hidden kernel modules in a Linux
>> environment, including typical LKM rootkits.
>>
>> 2. There are multiple methods for RAM dumping, some of which cannot be
>> circumvented and do not require specific software or interfaces. For
>> example:
>>
>> a. Through a 'cold boot attack,' it's possible to dump RAM from an
>> uncompromised operating system. (Reference:
>> https://en.wikipedia.org/wiki/Cold_boot_attack)
>>
>> b. Through a DMA attack, leveraging FireWire or other hardware
>> interfaces, it's possible to dump RAM. I believe that, in this case, as
>> in the previous one, the kernel would be completely unaware. An example
>> of this kind of attack and dump is "inception"
>> (https://github.com/carmaa/inception).
>>
>> c. In a virtualized environment such as VMM, VirtualBox, VMware,
>> etc. (we know OpenBSD can be virtualized), you can acquire RAM without
>> the operating system knowing.
>
> Great, sounds like you've stumbled across 3 solutions for your problem.
> Looks like no diff is needed after all.
>

I honestly don't understand this hatred. I call it that because I refuse
to accept that you didn't understand the question. Volatility has no
plugin to interpret a RAM dump on OpenBSD, and so having only the dump is
totally useless. If you really don't understand, I'll paste the Volatility
help to show you that there are no plugins for OpenBSD but only for Linux,
Windows and Mac.

$ vol --help
Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
                  [--clear-cache] [--single-location SINGLE_LOCATION]
                  [--single-swap-locations SINGLE_SWAP_LOCATIONS]
                  plugin ...

An open-source memory forensics framework

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Load the configuration from a json file
  --parallelism [{processes,threads,off}]
                        Enables parallelism (defaults to processes if no
                        argument given)
  -e EXTEND, --extend EXTEND
                        Extend the configuration with a new (or changed)
                        setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
                        Semi-colon separated list of paths to find plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
                        Semi-colon separated list of paths to find symbols
  -v, --verbosity       Increase output verbosity
  -l LOG, --log LOG     Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Directory in which to output any generated files
  -q, --quiet           Remove progress feedback
  -r RENDERER, --renderer RENDERER
                        Determines how to render the output (quick, csv,
                        pretty, json, jsonl)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if
                        single-location is not defined
  --write-config        Write configuration JSON file out to config.json
  --clear-cache         Clears out all short-term cached items
  --single-location SINGLE_LOCATION
                        Specifies a base location on which to stack
  --single-swap-locations SINGLE_SWAP_LOCATIONS
                        Specifies a list of swap layer URIs for use with
                        single-location

Plugins:
  plugin
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs
                        configuration in the output directory.
    frameworkinfo.FrameworkInfo
                        Plugin to list the various modular components of
                        Volatility
    layerwriter.LayerWriter
                        Runs the automagics and writes out the primary layer
                        produced by the stacker.
    linux.bash.Bash     Recovers bash command history from memory.
    linux.check_afinfo.Check_afinfo
                        Verifies the operation function pointers of network
                        protocols.
    linux.check_syscall.Check_syscall
                        Check system call table for hooks.
    linux.elfs.Elfs     Lists all memory mapped ELF files for all processes.
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.lsof.Lsof     Lists all memory maps for all processes.
    linux.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    linux.proc.Maps     Lists all memory maps for all processes.
    linux.pslist.PsList
                        Lists the processes present in a particular linux
                        memory image.
    linux.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
                        Check system call table for hooks.
    mac.check_sysctl.Check_sysctl
                        Check sysctl handlers for hooks.
    mac.check_trap_table.Check_trap_table
                        Check mach trap table for hooks.
    mac.ifconfig.Ifconfig
                        Lists loaded kernel modules
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    mac.lsof.lsof       Lists all open file descriptors for all processes.
    mac.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    mac.netstat.Netstat
                        Lists all network connections for all processes.
    mac.proc_maps.Maps  Lists process memory ranges that potentially contain
                        injected code.
    mac.psaux.Psaux     Recovers program command line arguments.
    mac.pslist.PsList   Lists the processes present in a particular mac memory
                        image.
    mac.pstree.PsTree   Plugin for listing processes in a tree based on their
                        parent process ID.
    mac.tasks.Tasks     Lists the processes present in a particular mac memory
                        image.
    mac.timers.Timers   Check for malicious kernel timers.
    mac.trustedbsd.trustedbsd
                        Checks for malicious trustedbsd modules
    timeliner.Timeliner
                        Runs all relevant plugins that provide time related
                        information and orders the results by time.
    windows.callbacks.Callbacks
                        Lists kernel callbacks and notification routines.
    windows.cmdline.CmdLine
                        Lists process command line arguments.
    windows.dlldump.DllDump
                        Dumps process memory ranges as DLLs.
    windows.dlllist.DllList
                        Lists the loaded modules in a particular windows memory
                        image.
    windows.driverirp.DriverIrp
                        List IRPs for drivers in a particular windows memory
                        image.
    windows.driverscan.DriverScan
                        Scans for drivers present in a particular windows
                        memory image.
    windows.filescan.FileScan
                        Scans for file objects present in a particular windows
                        memory image.
    windows.handles.Handles
                        Lists process open handles.
    windows.info.Info   Show OS & kernel details of the memory sample being
                        analyzed.
    windows.malfind.Malfind
                        Lists process memory ranges that potentially contain
                        injected code.
    windows.moddump.ModDump
                        Dumps kernel modules.
    windows.modscan.ModScan
                        Scans for modules present in a particular windows
                        memory image.
    windows.modules.Modules
                        Lists the loaded kernel modules.
    windows.mutantscan.MutantScan
                        Scans for mutexes present in a particular windows
                        memory image.
    windows.poolscanner.PoolScanner
                        A generic pool scanner plugin.
    windows.procdump.ProcDump
                        Dumps process executable images.
    windows.pslist.PsList
                        Lists the processes present in a particular windows
                        memory image.
    windows.psscan.PsScan
                        Scans for processes present in a particular windows
                        memory image.
    windows.pstree.PsTree
                        Plugin for listing processes in a tree based on their
                        parent process ID.
    windows.registry.certificates.Certificates
                        Lists the certificates in the registry's Certificate
                        Store.
    windows.registry.hivedump.HiveDump
                        Dumps the hive files (or a specific hive) from an
                        image.
    windows.registry.hivelist.HiveList
                        Lists the registry hives present in a particular
                        memory image.
    windows.registry.hivescan.HiveScan
                        Scans for registry hives present in a particular
                        windows memory image.
    windows.registry.printkey.PrintKey
                        Lists the registry keys under a hive or specific key
                        value.
    windows.registry.userassist.UserAssist
                        Print userassist registry keys and information.
    windows.ssdt.SSDT   Lists the system call table.
    windows.statistics.Statistics
    windows.strings.Strings
                        Reads output from the strings command and indicates
                        which process(es) each string belongs to.
    windows.svcscan.SvcScan
                        Scans for windows services.
    windows.symlinkscan.SymlinkScan
                        Scans for links present in a particular windows memory
                        image.
    windows.vaddump.VadDump
                        Dumps process memory ranges.
    windows.vadinfo.VadInfo
                        Lists process memory ranges.
    windows.vadyarascan.VadYaraScan
                        Scans all the Virtual Address Descriptor memory maps
                        using yara.
    windows.verinfo.VerInfo
                        Lists version information from PE files.
    windows.virtmap.VirtMap
                        Lists virtual mapped sections.
    yarascan.YaraScan   Scans kernel memory using yara rules (string or file).
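The point of the pasted help text is that Volatility 3's plugin list doubles as a list of the operating systems it can interpret a dump for: every OS-specific plugin is named `<os>.<module>.<Class>`, so the first dotted segment tells you which families have any support. The script below is an added example (not part of the thread, and not Volatility's own code) that parses the "Plugins:" section of `vol --help` output, groups plugin names by OS family, and answers the question being argued over: whether an `openbsd` family exists at all. The embedded listing is an abridged excerpt of the output pasted above; the grouping rule (three or more segments means the first is the OS family, two segments means OS-independent) is an assumption about the naming convention, not something the page states.

```python
import re
from collections import defaultdict

# Abridged excerpt of the "Plugins:" section of `vol --help` as pasted in the
# thread (Volatility 3 Framework 1.0.0-beta.1). A few entries per family are
# enough to exercise the parser; the full listing parses the same way.
HELP_EXCERPT = """\
Plugins:
  plugin
    configwriter.ConfigWriter
                        Runs the automagics and both prints and outputs configuration in the output directory.
    linux.lsmod.Lsmod   Lists loaded kernel modules.
    linux.pslist.PsList
                        Lists the processes present in a particular linux memory image.
    mac.lsmod.Lsmod     Lists loaded kernel modules.
    windows.modules.Modules
                        Lists the loaded kernel modules.
    windows.registry.hivelist.HiveList
                        Lists the registry hives present in a particular memory image.
    yarascan.YaraScan   Scans kernel memory using yara rules (string or file).
"""

# A plugin name is an indented dotted identifier whose first segment is
# lowercase; description lines start with a capital letter and never match.
PLUGIN_NAME = re.compile(r"^\s+([a-z_]+(?:\.[A-Za-z_]+)+)(?:\s|$)")


def list_plugins(help_text):
    """Return the dotted plugin names found after the 'Plugins:' heading."""
    names = []
    in_plugins = False
    for line in help_text.splitlines():
        if line.strip() == "Plugins:":
            in_plugins = True
            continue
        if not in_plugins:
            continue
        match = PLUGIN_NAME.match(line)
        if match:
            names.append(match.group(1))
    return names


def plugins_by_family(help_text):
    """Group plugin names by OS family.

    Assumed convention: names with three or more segments put the OS family
    first (linux.lsmod.Lsmod, windows.registry.hivelist.HiveList); two-segment
    names (yarascan.YaraScan) are OS-independent and filed under 'generic'.
    """
    families = defaultdict(list)
    for name in list_plugins(help_text):
        parts = name.split(".")
        family = parts[0] if len(parts) >= 3 else "generic"
        families[family].append(name)
    return dict(families)


def has_plugins_for(help_text, family):
    """True if at least one plugin is namespaced under the given OS family."""
    return family.lower() in plugins_by_family(help_text)


if __name__ == "__main__":
    for family, names in sorted(plugins_by_family(HELP_EXCERPT).items()):
        print(f"{family:8s} {len(names)} plugin(s)")
    for candidate in ("linux", "mac", "windows", "openbsd"):
        print(f"{candidate}: {'supported' if has_plugins_for(HELP_EXCERPT, candidate) else 'no plugins'}")
```

Feeding it the real `vol --help` output (for example `vol --help | python3 this_script.py` after replacing `HELP_EXCERPT` with `sys.stdin.read()`) gives the same answer the thread reaches by eye: linux, mac and windows families are present, and openbsd is absent, so a raw RAM image of an OpenBSD host cannot be interpreted by this version of the tool no matter how the dump was acquired.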