PROCESS MAPS AND DUMPS

In the previous section we saw how Volatility can be used to get lists of processes including detailed information on each process. In this section we will examine how to use Volatility to determine how processes are laid out (mapped) in memory. The first command we will discuss is linux_proc_maps. The results of running this command against the rootkit process on the PFE subject system are shown in Figure 8.10.

FIGURE 8.10

Getting a process map for the rootkit process.

The linux_proc_maps command displays memory segments used by a process. Notice that each segment has flags (permissions) associated with it. What you will not see on Linux (in theory at least) is a segment that is both writable and executable as this would open the door for an attacker to rewrite code in a process and then run malicious code. Notice that if a file is associated with a chunk of memory, its inode and file path are also displayed. In other words, the filesystem analysis performed in previous chapters is still applicable when analyzing memory.

The rootkit appears to be loaded at the standard place of 0x400000. It has a couple of additional segments, one of which is read only. There is also a heap associated with this program. A couple of shared libraries, which also have some extra memory segments (for storing their variables), are loaded higher up in memory. The program stack (which grows downward) is also in the higher memory locations. There is an alternative command to get this information, linux_proc_maps_rb. This command uses the balanced tree structures used to map memory as the source of its data. These trees are also known as red-black trees, which is the reason for the _rb suffix.

The fact that the C library is loaded suggests that this rootkit was written in C or C++. This can’t be proven without analyzing the code, however, as it is possible to load this library even if the rootkit was written in another language such as Assembly. How can the rootkit be examined? The Volatility linux_procdump command can be used to dump a process's memory to a file. We will discuss what to do with such a file later in this book when we discuss malware analysis.

The linux_procdump command accepts an optional process ID list and requires an output directory, which is specified with the -D (or --directory=) option. Figure 8.11 shows the results from running linux_procdump on our rootkit process and printing out the first part of the resulting dump. From the first four bytes in the dump we can see that this is an Executable Linkable File (ELF) that has been loaded into memory.

FIGURE 8.11

Results of running the Volatility linux_procdump command on the rootkit from the PFE subject system. The first four bytes of the dump indicate this is an executable in ELF format.
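The two checks described above (flagging a segment that is both writable and executable in linux_proc_maps output, and confirming the ELF magic at the start of a linux_procdump dump) can be automated. The following is an added example, not code from the book or from Volatility; the sample map lines are constructed in the column layout I understand linux_proc_maps to use, and the addresses, PID, inode and paths are illustrative, not values from the PFE subject system.

```python
import re

# Constructed sample in the column layout of Volatility's linux_proc_maps
# (illustrative values, not output captured from the PFE subject system).
SAMPLE_MAPS = """\
Offset             Pid      Name     Start              End                Flags  Pgoff Major  Minor  Inode  File Path
------------------ -------- -------- ------------------ ------------------ ------ ----- ------ ------ ------ ---------
0xffff88007c4ab480     4321 rootkit  0x0000000000400000 0x0000000000401000 r-x    0x0        8      1   1001 /tmp/rootkit
0xffff88007c4ab480     4321 rootkit  0x0000000000600000 0x0000000000601000 rw-    0x0        8      1   1001 /tmp/rootkit
0xffff88007c4ab480     4321 rootkit  0x0000000000601000 0x0000000000622000 rw-    0x0        0      0      0 [heap]
0xffff88007c4ab480     4321 rootkit  0x00007f3a1c000000 0x00007f3a1c021000 rwx    0x0        0      0      0
0xffff88007c4ab480     4321 rootkit  0x00007ffd2a3c0000 0x00007ffd2a3e1000 rw-    0x0        0      0      0 [stack]
"""

# One data row: Offset Pid Name Start End Flags Pgoff Major Minor Inode [File Path]
MAP_LINE = re.compile(
    r"^0x[0-9a-f]+\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<start>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+(?P<flags>[rwx-]{3})\s+"
    r"\S+\s+\d+\s+\d+\s+(?P<inode>\d+)\s*(?P<path>\S*)\s*$"
)

def parse_proc_maps(text):
    """Return one dict per segment row; the header and ruler lines are skipped."""
    segments = []
    for line in text.splitlines():
        m = MAP_LINE.match(line)
        if m:
            seg = m.groupdict()
            seg["pid"] = int(seg["pid"])
            seg["inode"] = int(seg["inode"])
            seg["start"] = int(seg["start"], 16)
            seg["end"] = int(seg["end"], 16)
            segments.append(seg)
    return segments

def find_wx_segments(segments):
    """Segments that are both writable and executable, which deserve a closer look."""
    return [s for s in segments if "w" in s["flags"] and "x" in s["flags"]]

def is_elf_dump(data):
    """True when the dump starts with the ELF magic, as seen in Figure 8.11."""
    return data[:4] == b"\x7fELF"

if __name__ == "__main__":
    for s in find_wx_segments(parse_proc_maps(SAMPLE_MAPS)):
        print(f"W+X segment in pid {s['pid']}: {s['start']:#x}-{s['end']:#x} "
              f"{s['path'] or '(anonymous)'}")
```

An anonymous W+X region, such as the constructed one above, has no inode or path to fall back on, so the filesystem analysis from earlier chapters cannot help there and the region itself must be dumped and examined.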
