
[2024] AArch64 support

Open Abyss-W4tcher opened this issue 5 months ago • 5 comments

Hi :wave:,

This PR provides AArch64 integration to the Volatility3 framework, as well as a design rework in the current linux stacker.

Implementation follows ARM official documentation, and includes essential APIs for higher level code (plugins etc.).

You can follow the roadmap here:

  • https://github.com/volatilityfoundation/volatility3/issues/161

My resources:

  • https://gist.github.com/Abyss-W4tcher/f1833623c975193446315d48c106750e
  • https://gist.github.com/Abyss-W4tcher/8442b6b6b85f725158fe7e9b99e507be

Testing:

  • RaspberryPi (virtual) : Linux version 6.1.21
  • Android AVD (virtual) : Linux version 3.18.94
  • RaspberryPi (physical) : Linux version 6.1.0-rpi8-rpi-v8
  • Google Pixel 6A (physical) : Linux version 5.10.157-android13-4-00003-g830b023b88f3-dirty
  • Jetson lime (physical) : Linux version 4.9.201-tegra
  • NXP LX2160 (physical) : Linux version 6.1.36

Thanks to everyone who took the time to test this PR on their devices!


Unstable plugins:

  • linux.bash:
    • sections have no size on Android related samples.
    • 12/04/24 update: Android does not ship with bash by default, as it's not GNU/Linux running on the system. Either we need a dedicated plugin (.ash_history?), or a check to tell users why the plugin isn't working.
  • linux.lsof:
    • dentry members can be NULL, and this behaviour isn't handled (more information in the dedicated Slack thread)

Please note that this is still experimental; testing is still ongoing. If you want to try this PR out, here are the steps:

  • Merge/checkout the PR into your local Volatility3 copy (git checkout aarch64-support)
  • Make a memory capture of your AArch64 device (see attached resources)
  • Create the ISF against the vmlinux file with dwarf2json
  • Set the following on top of the plugins you plan to use:

from volatility3.framework.configuration import requirements

# in the plugin's get_requirements() list
requirements.ModuleRequirement(
    name="kernel",
    description="Linux kernel",
    architectures=["Intel32", "Intel64", "AArch64"],
)

If you have any real-life samples to provide, or if you encounter any error, feel free to comment below !

Abyss-W4tcher avatar Jan 20 '24 23:01 Abyss-W4tcher

Hi @ikelos, thanks for your quick replies!

I will check every one of your comments right now, as I have some spare time. Regarding your general concern about mapping, it is more or less the exact Intel implementation from https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/layers/intel.py#L271. It worked well out of the box for this layer :).

Abyss-W4tcher avatar Jan 21 '24 23:01 Abyss-W4tcher

Hehehe, yeah, I figured it might be. That's not too sweet, the intel layer isn't overly complicated, but it's fine for now. If you find any ways of simplifying it we can back port them to intel too... 5;D

ikelos avatar Jan 21 '24 23:01 ikelos

Here is what a typical layer instantiation debug looks like:

Kernel layer instantiated by LinuxStacker and a higher stacker:

DEBUG    volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical -ffffffbfc7e00000 virtual 172a600000
DEBUG    volatility3.framework.layers.arm: Base layer : Elf64Layer
DEBUG    volatility3.framework.layers.arm: Virtual address space : kernel
DEBUG    volatility3.framework.layers.arm: Virtual addresses space range : ('0xffffffc000000000', '0xffffffffffffffff')
DEBUG    volatility3.framework.layers.arm: Page size : 4
DEBUG    volatility3.framework.layers.arm: T1SZ : 25
DEBUG    volatility3.framework.layers.arm: Page map offset : 0x41963000
DEBUG    volatility3.framework.layers.arm: Translation mappings : [(38, 30), (29, 21), (20, 12)]
DEBUG    volatility3.framework.automagic.linux: Kernel DTB was found at: 0x41963000
DEBUG    volatility3.framework.automagic.linux: AArch64 image found
DEBUG    volatility3.framework.layers.arm: Base layer : memory_layer
DEBUG    volatility3.framework.layers.arm: Virtual address space : kernel
DEBUG    volatility3.framework.layers.arm: Virtual addresses space range : ('0xffffffc000000000', '0xffffffffffffffff')
DEBUG    volatility3.framework.layers.arm: Page size : 4
DEBUG    volatility3.framework.layers.arm: T1SZ : 25
DEBUG    volatility3.framework.layers.arm: Page map offset : 0x41963000
DEBUG    volatility3.framework.layers.arm: Translation mappings : [(38, 30), (29, 21), (20, 12)]

Process layers instantiated by malfind:

DEBUG    volatility3.framework.layers.arm: Base layer : memory_layer
DEBUG    volatility3.framework.layers.arm: Virtual address space : user
DEBUG    volatility3.framework.layers.arm: Virtual addresses space range : ('0x0', '0x3fffffffff')
DEBUG    volatility3.framework.layers.arm: Page size : 4
DEBUG    volatility3.framework.layers.arm: T0SZ : 25
DEBUG    volatility3.framework.layers.arm: Page map offset : 0x47266000
DEBUG    volatility3.framework.layers.arm: Translation mappings : [(38, 30), (29, 21), (20, 12)]

DEBUG    volatility3.framework.layers.arm: Base layer : memory_layer
DEBUG    volatility3.framework.layers.arm: Virtual address space : user
DEBUG    volatility3.framework.layers.arm: Virtual addresses space range : ('0x0', '0x3fffffffff')
DEBUG    volatility3.framework.layers.arm: Page size : 4
DEBUG    volatility3.framework.layers.arm: T0SZ : 25
DEBUG    volatility3.framework.layers.arm: Page map offset : 0x47928000
DEBUG    volatility3.framework.layers.arm: Translation mappings : [(38, 30), (29, 21), (20, 12)]

Check out memory samples here [7 days]:

  • Raspberry, kernel 6.1.21-v8 : https://we.tl/t-m2aOCpsSU5
  • Android API 27, kernel 3.18.94 : https://we.tl/t-bzFwbARKzZ

Abyss-W4tcher avatar Jan 22 '24 12:01 Abyss-W4tcher

@Abyss-W4tcher I am trying your branch 👀 Target:

uname -a
Linux instance-20221125-1059 5.15.0-1040-oracle #46-Ubuntu SMP Fri Jul 14 21:47:21 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

Dump:

sudo insmod /var/lib/dkms/lime-forensics/1.9.1-3/5.15.0-1040-oracle/aarch64/module/lime.ko "path=/tmp/arm_ram.lime format=lime"

Symbol creation:

sudo apt install linux-image-5.15.0-1040-oracle-dbgsym
dwarf2json linux --elf  /usr/lib/debug/boot/vmlinux-5.15.0-1040-oracle >  ubuntu_arm_5.15.0-1040.json 

Updated the pslist plugin adding AArch64 and ran it:

python vol.py -vvvvvvvvvvvvvvv  -f arm_ram.lime linux.pslist

OUTPUT:

Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\ioc\volarm\volatility3\volatility3\framework\layers
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 25763184799
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.15.0-1040-oracle (buildd@bos01-arm64-037) (gcc (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #46-Ubuntu SMP Fri Jul 14 21:47:21 UTC 2023 (Ubuntu 5.15.0-1040.46-oracle 5.15.111)\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///C:/ioc/volarm/volatility3/volatility3/symbols/ubuntu_arm_5.15.0-1040.json
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.framework.automagic: Running automagic: KernelModule

OFFSET (V)      PID     TID     PPID    COMM    File output
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dn_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!macsec_ops
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mctp_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context


Any suggestion? 👅

garanews avatar Feb 16 '24 14:02 garanews

Hi @garanews, could we discuss it in Slack DMs, to avoid filling the PR with comments?

I'll post a summary here if we get this fixed :)

edit: The branch wasn't correctly merged. Be sure to do git checkout aarch64-support in your local copy. 😄 Analysis was successful after the merge.

Abyss-W4tcher avatar Feb 16 '24 16:02 Abyss-W4tcher