MISCELLANEOUS VOLATILITY COMMANDS
As we said at the beginning of this chapter, we have not covered every one of the Volatility commands for Linux systems. There are a couple of reasons for this. First, the available commands are not equally useful; some are only occasionally helpful. Second, I have found that later kernels are not well supported by Volatility. Some of the commands fail spectacularly, while others produce an "unsupported" error message and exit gracefully. For completeness, I have listed the additional Linux commands in Table 8.1.
Table 8.1 Additional Volatility commands not discussed in this chapter.
Command | Description | Notes |
---|---|---|
linux_banner | Prints Linux banner information | Similar to the uname -a command |
linux_check_evt_arm | Check Exception Vector Table | ARM architecture only |
linux_check_syscall_arm | Check system call table | ARM architecture only |
linux_cpuinfo | Print CPU info | Gives CPU model only |
linux_dentry_cache | Use dentry cache to make timeline | Likely fails with recent kernels |
linux_dmesg | Print the kernel ring buffer | Similar to the dmesg command |
linux_dump_map | Writes memory maps to disk | Good for malware analysis |
linux_elfs | Print ELF binaries from process maps | Lots of output (too much?) |
linux_hidden_modules | Carves memory for kernel modules | Found Xing Yi Quan rootkit |
linux_info_regs | Print CPU register info | Fails for 64-bit Linux |
linux_iomem | Similar to running cat /proc/iomem | Displays input/output memory |
linux_kernel_opened_files | Lists files opened by kernel | |
linux_ldrmodules | Compare process memory maps against the dynamic linker's (libdl) library list | Lots of output; mismatches can indicate injected libraries |
linux_library_list | Lists libraries used by a process | Useful for malware analysis |
linux_library_dump | Dumps shared libraries to disk | Use -p to get libs for a process |
linux_lsmod | Print loaded modules | Similar to lsmod command |
linux_lsof | Lists open files | Similar to lsof command |
linux_malfind | Look for suspicious process maps | |
linux_memmap | Dump the memory map for a task | Useful for malware analysis |
linux_moddump | Dump kernel modules | Useful for malware analysis |
linux_mount_cache | Print mounted filesystems from kmem_cache | Likely fails for recent kernels |
linux_pidhashtable | Enumerates processes based on the PID hash table | |
linux_pkt_queues | Dump per-process packet queues | Likely fails for recent kernels |
linux_plthook | Scan ELF Procedure Linkage Table entries for hooks | Useful for malware analysis |
linux_process_hollow | Check for process hollowing, a technique for hiding malware inside a legitimate process | Can discover malware. Requires the base address (-b) and the path to a known-good copy of the binary (-P). |
linux_pslist_cache | Lists processes using kmem_cache | Likely fails for recent kernels |
linux_recover_filesystem | Recovers the entire cached filesystem | Likely fails for recent kernels |
linux_route_cache | Recovers routing cache from memory (removed in kernel 3.6) | Likely fails for recent kernels |
linux_sk_buff_cache | Recovers packets from kmem_cache | Likely fails for recent kernels |
linux_slabinfo | Prints info from /proc/slabinfo | Likely fails for recent kernels |
linux_strings | Maps a file of offset/string pairs (as produced by strings -o) to the owning process or kernel | Takes a long time to run |
linux_threads | Prints threads associated with processes | Useful for malware analysis |
linux_tmpfs | Recover tmpfs from memory | Likely fails for recent kernels |
linux_truecrypt_passphrase | Recover Truecrypt passphrases | |
linux_vma_cache | Recover Virtual Memory Areas | Likely fails for recent kernels |
linux_volshell | Python shell which allows Volatility scripts to be run interactively | Unless you know a decent amount of Python, you will likely never use this. |
linux_yarascan | Use YARA rules to locate malware | Useful for malware identification |
As you can see from Table 8.1, many of the Volatility commands for Linux don’t work with recent kernels. The remaining commands are predominantly used for malware analysis. You might see some of them in Chapter 10 where we delve a bit deeper into malware.
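Because so many of the plugins in Table 8.1 either crash or bow out depending on the kernel the image came from, it pays to find out up front which ones actually work for a given image and profile before building an analysis around them. The script below is an added example, not part of the book or of Volatility itself: it runs a list of the Table 8.1 plugins against one image and classifies each result as ok, unsupported, crashed, failed or empty. It assumes Volatility 2 is on the PATH as vol.py (override with the VOL variable), that a crash shows up as a Python traceback, that a graceful bail-out mentions "not supported", "unsupported" or "only supported" in its output, and that the "Volatility Foundation Volatility Framework" banner line is the only output of a plugin that found nothing; the message patterns are assumptions you should adjust to the version you run.

```shell
#!/bin/sh
# Sweep a set of Volatility 2 Linux plugins against one memory image and
# report which ones work for this profile. Added example; assumptions noted inline.

VOL=${VOL:-vol.py}   # assumption: Volatility 2 is installed as vol.py on the PATH

# Plugins from Table 8.1 that are worth probing before relying on them.
PLUGINS="linux_banner linux_cpuinfo linux_dmesg linux_lsmod linux_lsof
linux_pidhashtable linux_threads linux_mount_cache linux_pslist_cache
linux_route_cache linux_sk_buff_cache linux_slabinfo linux_vma_cache linux_tmpfs"

# classify_result EXIT_CODE OUTPUT_FILE
# Prints one of: crashed | unsupported | failed | empty | ok
classify_result() {
    rc=$1
    out=$2
    if grep -q 'Traceback (most recent call last)' "$out"; then
        # Python traceback: the plugin blew up on this kernel's structures
        echo crashed
    elif grep -qiE 'not supported|unsupported|only supported' "$out"; then
        # assumption: graceful bail-outs mention support in the message
        echo unsupported
    elif [ "$rc" -ne 0 ]; then
        echo failed
    elif [ "$(grep -cv '^Volatility Foundation' "$out")" -eq 0 ]; then
        # assumption: only the framework banner line means nothing was found
        echo empty
    else
        echo ok
    fi
}

# sweep IMAGE PROFILE
# Runs each plugin once and prints "<plugin> <status>" per line.
sweep() {
    image=$1
    profile=$2
    for plugin in $PLUGINS; do
        tmp=$(mktemp)
        "$VOL" -f "$image" --profile="$profile" "$plugin" >"$tmp" 2>&1
        rc=$?
        printf '%-26s %s\n' "$plugin" "$(classify_result "$rc" "$tmp")"
        rm -f "$tmp"
    done
}

# usage: ./sweep.sh image.lime LinuxUbuntu1604x64   (profile name is an example)
if [ "$#" -eq 2 ]; then
    sweep "$1" "$2"
fi
```

Run it once per image and keep the output with the case notes: a plugin that reports "unsupported" or "crashed" for this profile is a dead end, while "empty" ones may still be worth a second look with different options (for example, -p to scope linux_library_dump to one process).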