
volatility-docker



✨ Project Description

The objective of this project is a suite of Volatility 3 plugins for memory forensics of Docker containers.

To achieve this, we developed improved versions of some of Volatility's core Linux plugins, making them aware of Linux namespaces. Most of these plugins had never been ported from Volatility 2, so they were partly rewritten.

Using the namespace information these core plugins now expose, we then developed the main plugin of this submission: the Docker plugin.

A full (but readable) explanation of the plugin internals can be found in the contest submission document.

🎯 Plugin options

The Docker plugin has a few options:

  • detector - gives the investigator a quick indication of whether Docker is present on the machine and whether containers are running.

  • ps - displays a table similar to the output of the docker ps command, with the following details for each running container: creation time, running command, container ID, whether the container is privileged, and the PID of the container's first process. (The --ps-extended variant seen in the issues below adds an Effective UID column.)

  • inspect-caps - lists the running containers and enumerates each container's capabilities.

  • inspect-mounts - lists non-default mounts, with the associated container, mount paths and mount options.

  • inspect-networks - lists Docker networks by IP segment, together with the containers attached to each.

✔️ Prerequisites:

  • Python 3
  • Volatility 3

Install on Linux (Debian) using these commands:

apt install python3

# clone from repo
git clone https://github.com/volatilityfoundation/volatility3.git

# or install as a module
pip3 install volatility3

⚙ Installation

All plugins are located in the plugins folder. Copy them into your Volatility 3 checkout under volatility3/volatility3/framework/plugins/linux.

Some additional framework extensions are required. They are located under volatility3 changes and are organized in the same directory structure as their location within Volatility 3. Copy them to the same locations, overwriting existing files where needed. The extensions are not optional: if only the plugins are copied, the framework fails at plugin import time and vol.py stops working altogether, not just for these plugins (the AttributeError on symbols.linux.extensions.net_device reported in the issues below is consistent with this).

✍️ Contributors

amir9339, oshaked1, zarkyo (plus the deepsource-autofix[bot] and deepsourcebot automation accounts)


volatility-docker's Issues

linux.mount Absolute Path returns false Null values in true cases

For instance, when running:
python3 volatility3/vol.py -f memory_samples/dumpfile3.lime -r pretty linux.mount --pid 2288
The mount related to the path "/run/docker.sock" should be related to the "/run/docker.sock" file on the host, but currently the return value for this mount is "-".

Unsatisfied requirement plugins.Docker.kernel

Hi, I met an issue when using the docker plugin. There is no kernel config. How to solve it? Thank you all~
my profile is file:///home/cool/memory-detect/volatility3/volatility3/framework/symbols/linux/Ubuntu-5.4.0-100-generic-Profile.json

python vol.py -vvv -f ../memory-dumps/dao/4.dmp linux.docker.Docker
Volatility 3 Framework 2.0.3
.......
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Docker.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Docker.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Docker.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Docker.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Docker.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Docker.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Docker.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Docker
INFO     volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility3.framework.automagic: Running automagic: LinuxBannerCache
INFO     volatility3.framework.automagic.symbol_cache: Building linux caches...
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DEBUG    volatility3.framework.interfaces.layers: Scan Failure: MultiRegexp cannot be used with an empty set of search strings
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: Elf64Layer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['Elf64Layer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Docker.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Docker.kernel

Unsatisfied requirement plugins.Docker.kernel: Linux kernel
Unable to validate the plugin requirements: ['plugins.Docker.kernel']

TypeError for column Container ID

When running the --ps or --ps-extended plugins on my dump with two running containers, I get the following error:

> python vol.py -f my_dump.raw linux.docker.Docker --ps-extended
Volatility 3 Framework 2.0.0
Progress:  100.00               Stacking attempts finished
Creation time (UTC)     Command Container ID    Is privileged   PID     Effective UID
Traceback (most recent call last):
  File "C:\Users\user\Documents\GitHub\volatility3\vol.py", line 10, in <module>
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\cli\__init__.py", line 625, in main
    CommandLine().run()
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\cli\__init__.py", line 333, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\cli\text_renderer.py", line 178, in render
    grid.populate(visitor, outfd)
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\framework\renderers\__init__.py", line 215, in populate
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\framework\renderers\__init__.py", line 275, in _append
    return self._insert(parent, None, values)
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\framework\renderers\__init__.py", line 290, in _insert
    tree_item = TreeNode(newpath, self, parent, values)
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\framework\renderers\__init__.py", line 59, in __init__
    self._validate_values(values)
  File "C:\Users\user\Documents\GitHub\volatility3\volatility3\framework\renderers\__init__.py", line 81, in _validate_    raise TypeError(
TypeError: Values item with index 2 is the wrong type for column Container ID (got <class 'NoneType'> but expected <class 'str'>)

I was able to "fix" it by changing def get_container_id(self, container_pid) to return an empty string instead of None if no container id is found. Is there a better solution?

Potentially version-dependent logic for determining if a container is privileged

When checking if a container is privileged in the docker ps plugin, the capabilities value is compared to 0x3fffffffff. This value represents all available capabilities on modern kernels that were tested, but it may be different on older (and even future) kernels.
I suggest performing a version-independent check, where instead of comparing to a static value, the container's capabilities are compared to the capabilities of the init task (PID 1), which must be privileged.
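The following is an added example, not code from the volatility-docker plugins or from this issue's author. It shows, on constructed in-memory task records, the namespace-aware attribution the Plugin options section describes (which process starts a container, which cgroup names it) together with the version-independent privileged check proposed in this issue: a container is treated as privileged when its effective capabilities include every capability held by PID 1, instead of being compared with the fixed mask 0x3fffffffff. The Task class, its field names, the sample PIDs, namespace inode numbers and container IDs are all assumptions made for the example; the only values taken from the page are the mask 0x3fffffffff and the "-" placeholder for missing values.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# All capabilities on the 5.x kernels the plugin was tested on (CAP_LAST_CAP = 37).
# Used here only to build sample data; is_privileged() never compares against it.
CAP_ALL_5X = 0x3FFFFFFFFF
# Effective capability set Docker grants a non-privileged container by default.
CAP_DOCKER_DEFAULT = 0xA80425FB


@dataclass(frozen=True)
class Task:
    """One process as a namespace-aware task walk would describe it (assumed shape)."""
    pid: int
    ppid: int
    comm: str
    pid_ns: int   # inode number of the task's PID namespace
    cgroup: str   # the task's cgroup path
    cap_eff: int  # effective capability bitmask
    uid: int


# Constructed sample data: a host with one default container (nginx), one
# --privileged container (bash) and an unshare'd shell that is not Docker's.
HOST_PID_NS = 4026531836
CID_A = "ab12" * 16  # 64 hex characters, the shape of a full Docker container id
CID_B = "cd34" * 16
SAMPLE_TASKS: List[Task] = [
    Task(1, 0, "systemd", HOST_PID_NS, "/init.scope", CAP_ALL_5X, 0),
    Task(812, 1, "dockerd", HOST_PID_NS, "/system.slice/docker.service", CAP_ALL_5X, 0),
    Task(1301, 812, "containerd-shim", HOST_PID_NS, "/system.slice/containerd.service", CAP_ALL_5X, 0),
    Task(1340, 1301, "nginx", 4026532412, f"/docker/{CID_A}", CAP_DOCKER_DEFAULT, 0),
    Task(1355, 1340, "nginx", 4026532412, f"/docker/{CID_A}", 0, 101),
    Task(1420, 1301, "bash", 4026532500, f"/system.slice/docker-{CID_B}.scope", CAP_ALL_5X, 0),
    Task(2044, 1, "unshare", HOST_PID_NS, "/user.slice/user-1000.slice", 0, 1000),
    Task(2045, 2044, "sh", 4026532600, "/user.slice/user-1000.slice", 0, 1000),
]

# cgroup v1 puts containers under /docker/<id>; the cgroup v2 systemd driver
# uses docker-<id>.scope. Both carry the full 64-hex id.
_DOCKER_CGROUP = re.compile(r"docker[/-]([0-9a-f]{64})")


def container_id_from_cgroup(cgroup: str) -> Optional[str]:
    """Extract the Docker container id from a cgroup path, or None if it has none."""
    m = _DOCKER_CGROUP.search(cgroup)
    return m.group(1) if m else None


def is_privileged(task: Task, init: Task) -> bool:
    """Kernel-version-independent check: the task holds every capability PID 1 holds.

    Comparing against a fixed mask such as 0x3fffffffff silently breaks when
    CAP_LAST_CAP changes; PID 1 in the host namespace holds the full set.
    """
    return task.cap_eff & init.cap_eff == init.cap_eff


def namespace_roots(tasks: List[Task]) -> Iterator[Task]:
    """Yield each process that starts a new PID namespace (its parent is in another one)."""
    by_pid: Dict[int, Task] = {t.pid: t for t in tasks}
    for t in tasks:
        parent = by_pid.get(t.ppid)
        if parent is not None and parent.pid_ns != t.pid_ns:
            yield t


def docker_present(tasks: List[Task]) -> bool:
    """The 'detector' idea: a daemon process or any Docker cgroup means Docker is in use."""
    return any(t.comm == "dockerd" or container_id_from_cgroup(t.cgroup) for t in tasks)


def docker_ps(tasks: List[Task]) -> List[dict]:
    """Build docker-ps-style rows. The container id column is always a str ("-" when
    unknown) so a renderer that types its columns, like Volatility's, does not choke."""
    init = next(t for t in tasks if t.pid == 1)
    rows = []
    for root in namespace_roots(tasks):
        cid = container_id_from_cgroup(root.cgroup)
        rows.append({
            "container_id": cid[:12] if cid else "-",
            "command": root.comm,
            "privileged": is_privileged(root, init),
            "pid": root.pid,
            "uid": root.uid,
        })
    return rows


if __name__ == "__main__":
    print("docker present:", docker_present(SAMPLE_TASKS))
    for row in docker_ps(SAMPLE_TASKS):
        print(row)
```

Two caveats for anyone turning this into a real check. First, the capability comparison is a heuristic for --privileged: a container started with --cap-add=ALL looks identical, while --privileged additionally disables the default seccomp and AppArmor profiles and exposes host devices, none of which is visible in the capability mask. Second, the unshare'd shell in the sample deliberately has no Docker cgroup and is reported with "-" as its container ID; a PID-namespace root that no container runtime accounts for is exactly the kind of thing an investigator wants surfaced rather than hidden by a None that crashes the renderer.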

Plugins break volatility

Hi,

I wanted to try this awesome plugin, but got issues.

1 - My volatility3 (Framework 2.3.0) install is working fine on my Ubuntu memory dump
2 - I copied the plugins to volatility3/volatility3/framework/plugins/linux as asked in the documentation.
3 - The volatility3 instance breaks and I can no longer use it at all. The error is:

user@ubuntu:~/volatility3$ python3 vol.py 
Volatility 3 Framework 2.3.0
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/machiavel/volatility3/volatility3/cli/__init__.py", line 636, in main
    CommandLine().run()
  File "/home/machiavel/volatility3/volatility3/cli/__init__.py", line 232, in run
    failures = framework.import_files(volatility3.plugins,
  File "/home/machiavel/volatility3/volatility3/framework/__init__.py", line 125, in import_files
    failures += import_file(base_module.__name__ + '.' + submodule,
  File "/home/machiavel/volatility3/volatility3/framework/__init__.py", line 152, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 848, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/home/machiavel/volatility3/volatility3/framework/plugins/linux/ifconfig.py", line 14, in <module>
    class Ifconfig(interfaces.plugins.PluginInterface):
  File "/home/machiavel/volatility3/volatility3/framework/plugins/linux/ifconfig.py", line 31, in Ifconfig
    vmlinux_module_name: str) -> Iterable[Tuple[int, symbols.linux.extensions.net_device]]:
AttributeError: module 'volatility3.framework.symbols.linux.extensions' has no attribute 'net_device'

4 - To fix the issue and get a working volatility back, I used git clean -xdf
5 - I tried again, without replacing the existing plugins (just copying new ones), with the same issue.

Any idea on what's going on?
Thanks a lot
