Profile
Volatility needs a description of the kernel running in the memory image (structure layouts and symbol addresses) before any plugin can walk the image. Volatility 2 calls this description a profile; the analyst has to identify the right one and pass it on the command line with `--profile`. Volatility 3 has no profiles. It works from symbol tables (ISF JSON files) and picks the matching one automatically from identifying data read out of the image: the PDB GUID of the Windows kernel (for which it can also fetch the PDB from Microsoft's symbol server) or the kernel banner on Linux and macOS. If no matching table is available, Volatility 3 cannot analyse the image until one is added.
Volatility3
To add symbol tables for further kernels, put them under volatility3/volatility/symbols (renamed to volatility3/volatility3/symbols in Volatility 3 2.x), either unpacked into the windows/, mac/ or linux/ subdirectory or left as the zip pack the project distributes; the packs can be fetched from the link above. For a Linux image, the `banners.Banners` plugin prints the kernel banner found in the dump, which tells you which symbol table is needed:
Volatility2
Get profile name
Windows
Mac
Linux
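For the Linux case, the quickest way to learn which profile is needed is to read the kernel's own banner string out of the image. The script below is an added example, not the page's commands: it pulls the `Linux version ...` banner out of a raw (or LiME) dump with a binary-safe grep, extracts the `uname -r` release from it, and lists every distinct release string in the image so that a dump containing banners of more than one kernel is noticed. The sample "image" it builds is constructed test data, not a real capture.

```shell
#!/bin/sh
# Added example (not part of the original page): find the running kernel's
# release string inside a raw Linux memory image so the right Volatility 2
# profile (or Volatility 3 symbol table) can be chosen. The kernel keeps its
# banner "Linux version <release> (<builder>) (<compiler>) #<build> ..." as a
# plain ASCII string, so a binary-safe grep on the raw dump is enough.
export LC_ALL=C   # byte-wise matching, no multibyte surprises on binary input

# Print the first complete banner found in the image.
linux_banner_from_image() {
    # -a: treat the image as text; -o: print only the match; -m1: stop at the
    # first matching "line". The [0-9] right after "Linux version " skips the
    # kernel's own "Linux version %s" format string and other false positives.
    grep -a -o -m1 'Linux version [0-9][^ ]* ([^)]*) .*' "$1"
}

# Extract the uname -r style release from a banner line (its third field).
kernel_release_from_banner() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

kernel_release_from_image() {
    kernel_release_from_banner "$(linux_banner_from_image "$1")"
}

# Every distinct release string seen anywhere in the image. More than one line
# means the dump also holds banners of other kernels (page cache, an installed
# kernel package, a VM guest) and the candidate has to be confirmed, e.g. by
# running a process listing with the matching profile.
candidate_releases() {
    grep -a -o 'Linux version [0-9][^ ]*' "$1" | awk '{ print $3 }' | sort -u
}

# Constructed sample "image": two copies of one banner surrounded by junk bytes
# and by the kernel's format string. Test data only, not a real memory dump.
make_sample_image() {
    f=$(mktemp)
    {
        printf 'junk\0\0\0'
        printf 'Linux version 5.4.0-59-generic (buildd@host) (gcc version 9.3.0) #65-Ubuntu SMP Thu Jan 7 14:51:12 UTC 2021\n'
        printf '\0Linux version %%s\0more junk\0'
        printf 'Linux version 5.4.0-59-generic (buildd@host) (gcc version 9.3.0) #65-Ubuntu SMP Thu Jan 7 14:51:12 UTC 2021\n'
    } > "$f"
    echo "$f"
}

# Usage: sh banner.sh /path/to/memory.raw   (no argument: use the sample image)
if [ -n "${1:-}" ]; then
    img=$1; cleanup=
else
    img=$(make_sample_image); cleanup=$img
fi
echo "banner:  $(linux_banner_from_image "$img")"
echo "release: $(kernel_release_from_image "$img")"
echo "all releases seen in the image:"
candidate_releases "$img"
[ -z "$cleanup" ] || rm -f "$cleanup"
```

The release printed (here 5.4.0-59-generic) is the kernel whose System.map and headers the profile must be built from; a profile built from any other release, even a neighbouring point release, will not lay out the image correctly.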
Available / downloadable profiles
To see the profiles currently available:
If the profile you need is not in the list of profiles shipped with Volatility:
Download it from the profiles the Volatility project provides
Copy the zip file, still zipped, into volatility2/volatility/plugins/overlays/mac or volatility2/volatility/plugins/overlays/linux; Volatility loads every profile zip found there at start-up
Create Linux profile
In the case of a Linux profile not directly downloadable, it is possible to create it.
What does a Linux Volatility profile contain?
It is a zip archive holding two files, module.dwarf and System.map, both produced for the exact kernel build that was running when the memory was captured. A profile built from a different kernel release or configuration will not parse the image correctly.
File System.map: the kernel's symbol table, which Volatility uses to find the addresses of kernel variables such as init_task (the head of the process list) in the image.
In Linux, the System.map file is a symbol table used by the kernel. A symbol table is a look-up between symbol names and their addresses in memory. A symbol name may be the name of a variable or the name of a function. The System.map is required when the address of a symbol name, or the symbol name of an address, is needed. It is especially useful for debugging kernel panics and kernel oopses. The kernel does the address-to-name translation itself when CONFIG_KALLSYMS is enabled so that tools like ksymoops are not required. https://en.wikipedia.org/wiki/System.map
File module.dwarf: the DWARF debug information of a small kernel module compiled against the target kernel's headers (the output of dwarfdump on that module), from which Volatility derives the size and member offsets of the kernel structures it walks (task_struct, mm_struct and so on).
DWARF is a widely used, standardized debugging data format. DWARF was originally designed along with Executable and Linkable Format (ELF), although it is independent of object file formats. The name is a medieval fantasy complement to "ELF" that had no official meaning, although the backronym "Debugging With Arbitrary Record Formats" has since been proposed. https://en.wikipedia.org/wiki/DWARF
Profile creation using Docker
In volatility/tools/linux/Makefile, replace the automatic kernel detection (uname -r) with a static value, the release of the target kernel; in this example the profile is for Ubuntu's 5.4.0-59-generic kernel. This matters in Docker because a container shares the host's kernel, so uname -r inside the container reports the host's release, not the target's.
Run a Docker container matching the target distribution and release, with the headers of the target kernel release installed
Build the module and create the dwarf file with the Volatility tool in tools/linux, which compiles the module with debug info and runs dwarfdump on it
Create a zip archive containing module.dwarf and the System.map of the target kernel (/boot/System.map-<release>)
You now have an Ubuntu1604.zip archive containing the profile.
Copy the zip file from the container to the host
Copy the zip file into the Volatility profile folder (volatility/plugins/overlays/linux)
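The whole procedure above, as an added example that is not the page's own commands: a script that runs the build in a throw-away Ubuntu container, substitutes the fixed kernel release into the Makefile for the reason given in the first step, installs the target kernel's headers and System.map, and then sanity-checks both files before zipping them. The checks catch the two classic failures, an empty module.dwarf (dwarfdump missing, or the module built without debug info) and a System.map that does not belong to a Linux kernel. It assumes a Volatility 2 checkout in ./volatility, Docker on the host, and an Ubuntu release whose linux-image/linux-headers packages are still in the archive; the `profile_name` helper reproduces Volatility 2's naming rule for Linux profiles (Linux + zip basename with dots replaced by underscores + x86/x64) but takes the architecture as a parameter, whereas Volatility derives it from the DWARF data itself.

```shell
#!/bin/sh
# Added example, not the original page's commands: build a Volatility 2 Linux
# profile for a fixed kernel release inside Docker and sanity-check the two
# files before zipping them. Assumptions: a Volatility 2 checkout in
# ./volatility (with tools/linux/Makefile), Docker on the host, and an Ubuntu
# kernel whose linux-image/linux-headers packages are still in the archive.
set -eu

KVER="${KVER:-5.4.0-59-generic}"   # target kernel release (uname -r on the target)
IMAGE="${IMAGE:-ubuntu:20.04}"      # base image matching the target distribution
TOOLDIR="volatility/tools/linux"

# Volatility 2 names a Linux profile "Linux" + zip basename (dots replaced by
# underscores) + "x86"/"x64". It derives the arch itself; here it is a parameter.
profile_name() {
    base=$(basename "$1" .zip)
    printf 'Linux%s%s\n' "$(printf '%s' "$base" | tr '.' '_')" "${2:-x64}"
}

# Catch the usual broken profile before it is copied into overlays/linux:
# an empty module.dwarf (dwarfdump missing, or no debug info in the module) or
# a System.map that is not a Linux kernel symbol table.
check_profile_inputs() {
    dir=$1
    [ -s "$dir/System.map" ]   || { echo "System.map missing or empty" >&2; return 1; }
    [ -s "$dir/module.dwarf" ] || { echo "module.dwarf missing or empty" >&2; return 1; }
    for sym in init_task linux_banner; do
        grep -q " $sym\$" "$dir/System.map" \
            || { echo "symbol $sym not found in System.map" >&2; return 1; }
    done
    grep -q 'task_struct' "$dir/module.dwarf" \
        || { echo "module.dwarf carries no task_struct type" >&2; return 1; }
}

build_profile() {
    out=$1
    # uname -r inside a container reports the HOST kernel, so the target release
    # is substituted into the Makefile and the target's headers and System.map
    # are installed explicitly (linux-image-* provides /boot/System.map-*).
    docker run --rm -v "$PWD/$TOOLDIR:/work" -w /work \
        -e DEBIAN_FRONTEND=noninteractive "$IMAGE" sh -ec "
        apt-get update -qq
        apt-get install -y -qq --no-install-recommends build-essential dwarfdump \
            linux-image-$KVER linux-headers-$KVER
        sed -i 's/\$(shell uname -r)/$KVER/g' Makefile
        make
        cp /boot/System.map-$KVER System.map"
    check_profile_inputs "$TOOLDIR"
    zip -j "$out" "$TOOLDIR/module.dwarf" "$TOOLDIR/System.map"
    echo "built $out; profile name: $(profile_name "$out")"
}

# Usage: sh mkprofile.sh build [Name.zip]   or   sh mkprofile.sh check [dir]
case "${1:-}" in
    build) build_profile "${2:-Ubuntu2004-$KVER.zip}" ;;
    check) check_profile_inputs "${2:-$TOOLDIR}" && echo "inputs look sane" ;;
esac
```

After copying the zip into volatility/plugins/overlays/linux/, `vol.py --info` lists the new profile under the name `profile_name` printed; if it does not appear, the zip is usually missing one of the two files or module.dwarf is empty, which the `check` subcommand reports.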
Use the profile
Specify the profile on the command line with --profile. The profile name is derived from the zip file name: Linux, then the file name without .zip, then x86 or x64, so Ubuntu1604.zip becomes LinuxUbuntu1604x64 for a 64-bit kernel.