Volatility profile for uclinux
This project aims to create a profile and some other modification on Volatility so that it can conduct some memory forensics on the memory that obtained from a uClinux system.
$ git clone https://github.com/samduy/volatility-uclinux.git
volatility-patches/<date> directory.profiles folder.sample_memories directory.
$ git clone https://github.com/volatilityfoundation/volatility.git$ cd volatility$ git checkout f3c9dfee -b uclinux
(The modifications are based on the above commit:f3c9dfee. However, it’s expected to run even with the latest commit.)
First, take a look at what changes are in the patch:
$ git apply --stat path/to/volatility-uclinux/volatility-patches/20180214/all_in_one_20180214.patch
To see if there is any conflicts or errors:
$ git apply --check path/to/volatility-uclinux/volatility-patches/20180214/all_in_one_20180214.patch
To actually apply the patch:
$ git am --signoff path/to/volatility-uclinux/volatility-patches/20180214/all_in_one_20180214.patch
(The reason for this is that git am allows you to sign off an applied patch. This may be useful for later reference.)
$ cd /path/to/volatility$ cp /path/to/volatility-uclinux/profiles/uClinux_VersatilePB.zip plugins/overlays/linux/
$ cd path/to/volatility$ python vol.py --info | grep uClinuxVolatility Foundation Volatility Framework 2.6LinuxuClinux_VersatilePBARM - A Profile for Linux uClinux_VersatilePB ARM
Now Volatility should be ready to run with uClinux memory dumps. Let’s check it out!
$ cp path/to/volatility-uclinux/sample_memories/mem2.dump.bz2 /tmp/$ cd /tmp/$ bzip2 -d mem2.dump.bz2
$ cd path/to/volatility$ python vol.py --profile=LinuxuClinux_VersatilePBARM -f /tmp/mem2.dump linux_pslist
For more information on the commands that work with uClinux, please refer to: