volatility-uclinux

This project provides a Volatility profile and a set of patches to Volatility so that it can perform memory forensics on memory dumps obtained from a uClinux system.

Instructions

Download the patches (this project)

$ git clone https://github.com/samduy/volatility-uclinux.git

Download Volatility

$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ git checkout f3c9dfee -b uclinux

(The modifications were made against the commit above, f3c9dfee. They are expected to work with the latest commit as well; if the patch fails to apply there, check out f3c9dfee as shown.)

Apply the patches

$ git apply --stat path/to/volatility-uclinux/volatility-patches/20180214/all_in_one_20180214.patch
$ git apply --check path/to/volatility-uclinux/volatility-patches/20180214/all_in_one_20180214.patch
$ git am --signoff path/to/volatility-uclinux/volatility-patches/20180214/all_in_one_20180214.patch

(git apply --check only verifies that the patch applies cleanly and changes nothing; git am, unlike git apply, records the patch as a commit, and --signoff adds a Signed-off-by line to it, which may be useful for later reference.)

Load the uClinux profile into Volatility

$ cd /path/to/volatility
$ cp /path/to/volatility-uclinux/profiles/uClinux_VersatilePB.zip plugins/overlays/linux/

Check that the profile is loaded properly

$ cd path/to/volatility
$ python vol.py --info | grep uClinux
Volatility Foundation Volatility Framework 2.6
LinuxuClinux_VersatilePBARM - A Profile for Linux uClinux_VersatilePB ARM

Now Volatility should be ready to run with uClinux memory dumps. Let's check it out!

Testing

Decompress the sample memory dump

$ cp path/to/volatility-uclinux/sample_memories/mem2.dump.bz2 /tmp/
$ cd /tmp/
$ bzip2 -d mem2.dump.bz2

Run some commands on the sample memory

$ cd path/to/volatility
$ python vol.py --profile=LinuxuClinux_VersatilePBARM -f /tmp/mem2.dump linux_pslist
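The whole procedure above, from cloning both repositories to running linux_pslist on the sample dump, as one script. This is an added example and is not part of the volatility-uclinux project: the VOL_DIR and UCLINUX_DIR variables, the `setup` and `test` subcommands, and the function names are this script's own conventions, and the directory layout (both checkouts side by side in the current directory) is assumed. The point it adds to the steps above is the ordering check: git am --signoff is only run once git apply --check has succeeded, so a patch that does not fit the checked-out tree leaves the repository untouched instead of a half-applied am session, and the profile name is grepped from vol.py --info before the sample is run.

```shell
#!/bin/sh
# Added example, not code from the volatility-uclinux project.
# Assumed layout: ./volatility and ./volatility-uclinux (override via env).
set -e

VOL_DIR=${VOL_DIR:-$PWD/volatility}
UCLINUX_DIR=${UCLINUX_DIR:-$PWD/volatility-uclinux}
PATCH=$UCLINUX_DIR/volatility-patches/20180214/all_in_one_20180214.patch
PROFILE_ZIP=$UCLINUX_DIR/profiles/uClinux_VersatilePB.zip
PROFILE_NAME=LinuxuClinux_VersatilePBARM   # name printed by "vol.py --info"
SAMPLE_BZ2=$UCLINUX_DIR/sample_memories/mem2.dump.bz2

# Apply a patch only after "git apply --check" confirms it fits the current
# tree; "git am --signoff" then records it as a commit with a Signed-off-by
# line. If the check fails nothing is applied and no am session is started.
apply_patch_checked() {
    git apply --stat "$1"
    if ! git apply --check "$1"; then
        echo "refusing to apply: $1 does not fit $(git rev-parse --short HEAD)" >&2
        return 1
    fi
    git am --signoff "$1"
}

# Copy the profile zip to the directory Volatility scans for Linux profiles.
install_profile() {
    cp "$1" "$2/plugins/overlays/linux/"
}

# Verify that Volatility lists the profile by name; fail loudly otherwise.
verify_profile() {
    (cd "$1" && python vol.py --info) | grep -q "^$2 " || {
        echo "profile $2 not listed by vol.py --info" >&2
        return 1
    }
}

# Steps of the "Instructions" section, in order.
setup() {
    [ -d "$UCLINUX_DIR" ] || git clone https://github.com/samduy/volatility-uclinux.git "$UCLINUX_DIR"
    [ -d "$VOL_DIR" ] || git clone https://github.com/volatilityfoundation/volatility.git "$VOL_DIR"
    cd "$VOL_DIR"
    git checkout f3c9dfee -b uclinux
    apply_patch_checked "$PATCH"
    install_profile "$PROFILE_ZIP" "$VOL_DIR"
    verify_profile "$VOL_DIR" "$PROFILE_NAME"
}

# Steps of the "Testing" section: decompress the sample (keeping the .bz2)
# and list processes with the uClinux profile.
run_sample() {
    bzip2 -dc "$SAMPLE_BZ2" > /tmp/mem2.dump
    cd "$VOL_DIR"
    python vol.py --profile="$PROFILE_NAME" -f /tmp/mem2.dump linux_pslist
}

case "${1:-}" in
    setup) setup ;;
    test)  run_sample ;;
    "")    ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 {setup|test}" >&2; exit 2 ;;
esac
```

Run `sh setup_uclinux.sh setup` once, then `sh setup_uclinux.sh test`. Volatility 2.6 is a Python 2 code base, so `python` here must resolve to Python 2.7, as in the commands above.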

For more information on the commands that work with uClinux, please refer to:

Some useful information