mac_lsmod
This plugin lists the loaded kernel extensions, their base addresses and size, reference count, and version number.
Note: The last several entries in the output of this plugin will likely have no base address and size. These represent the 'dummy' drivers that Mac OS X loads at system startup and do not correspond to real kernel modules.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_lsmod
Volatile Systems Volatility Framework 2.3_alpha
Address Size Refs Version Name
------------------ ------------------ -------- ------------ ----
0xffffff7f91847000 0x3000 0 3.0.2 com.atc-nycorp.devmem.kext
0xffffff7f91841000 0x6000 0 10.1.24 com.vmware.kext.vmioplug.10.1.24
0xffffff7f91834000 0xd000 0 0104.03.86 com.vmware.kext.vmx86
0xffffff7f9182a000 0xa000 0 0104.03.86 com.vmware.kext.vmnet
0xffffff7f9181a000 0x10000 0 90.4.23 com.vmware.kext.vsockets
0xffffff7f91808000 0x12000 1 90.4.18 com.vmware.kext.vmci
0xffffff7f916d2000 0xe000 0 75.19 com.apple.driver.AppleBluetoothMultitouch
[snip]
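As an added example (not code from the post or from Volatility), the following Python parses the mac_lsmod table above using the dashed separator line to locate the columns, separates the real kexts from the address-less 'dummy' entries, and lists what an analyst would review first: non-Apple bundle identifiers and any overlapping load ranges. The sample rows are copied from the output above except the last one, which is a constructed dummy entry.

```python
import re

def _row(addr, size, refs, ver, name):
    # Reproduces the fixed-width layout vol.py prints (widths taken from the separator line)
    return f"{addr:<18} {size:<18} {refs:<8} {ver:<12} {name}"

# Constructed sample: the first three kexts are from the post's output, the last
# row mimics a 'dummy' driver that has no base address or size (placeholder name).
SAMPLE_LSMOD = "\n".join([
    _row("Address", "Size", "Refs", "Version", "Name"),
    _row("-" * 18, "-" * 18, "-" * 8, "-" * 12, "-" * 4),
    _row("0xffffff7f91847000", "0x3000", "0", "3.0.2", "com.atc-nycorp.devmem.kext"),
    _row("0xffffff7f91841000", "0x6000", "0", "10.1.24", "com.vmware.kext.vmioplug.10.1.24"),
    _row("0xffffff7f916d2000", "0xe000", "0", "75.19", "com.apple.driver.AppleBluetoothMultitouch"),
    _row("", "", "0", "1.0", "com.example.dummy.placeholder"),
])

def parse_lsmod(text):
    """Parse vol.py table output, deriving column spans from the dashed separator."""
    lines = [l for l in text.splitlines() if l.strip()]
    header, sep, rows = lines[0], lines[1], lines[2:]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", sep)]
    names = [header[s:e].strip() for s, e in spans]
    spans[-1] = (spans[-1][0], None)  # last column is open-ended: names outrun the 4 dashes
    entries = []
    for row in rows:
        f = {n: row[s:e].strip() for n, (s, e) in zip(names, spans)}
        f["Address"] = int(f["Address"], 16) if f["Address"] else None
        f["Size"] = int(f["Size"], 16) if f["Size"] else None
        f["Refs"] = int(f["Refs"])
        entries.append(f)
    return entries

def triage(entries):
    """Split real kexts from dummy ones and pick out what deserves a closer look."""
    real = [e for e in entries if e["Address"] is not None]
    dummy = [e["Name"] for e in entries if e["Address"] is None]
    third_party = [e["Name"] for e in real if not e["Name"].startswith("com.apple.")]
    # Overlapping load ranges mean the table is inconsistent and needs manual review
    ranges = sorted((e["Address"], e["Address"] + e["Size"], e["Name"]) for e in real)
    overlaps = [(a[2], b[2]) for a, b in zip(ranges, ranges[1:]) if b[0] < a[1]]
    return {"real": len(real), "dummy": dummy, "third_party": third_party, "overlaps": overlaps}

if __name__ == "__main__":
    for key, value in triage(parse_lsmod(SAMPLE_LSMOD)).items():
        print(f"{key}: {value}")
```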
mac_mount
This plugin shows the mounted file systems, which is particularly useful when external media is plugged in or network shares are mounted.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_mount
Volatile Systems Volatility Framework 2.3_alpha
Device Mount Point Type
------------------------------ ------------------------------------------------------------ ----
/ /dev/disk3 hfs
/dev devfs devfs
/net map -hosts autofs
/home map auto_home autofs
/Volumes/LaCie /dev/disk2s2 hfs
mac_list_sessions
This plugin enumerates sessions from the session hash table. You can use this information to link processes to user names.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_list_sessions
Volatile Systems Volatility Framework 2.3_alpha
Leader (Pid) Leader (Name) Login Name
------------ -------------------- -------------------------
0 kernel_task
257 apsd _softwareupdate
1 launchd _securityagent
-1 mike
11 UserEventAgent root
12 kextd root
14 notifyd root
15 securityd root
16 diskarbitrationd root
[snip]
mac_dmesg
This plugin recovers the kernel debug buffer, which can contain a wide range of system activity, such as device insertion, hardware configurations, wireless activity, and more.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_dmesg
Volatile Systems Volatility Framework 2.3_alpha
deny mach-lookup com.apple.coresymbolicationd
MacAuthEvent en1 Auth result for: 00:26:bb:77:d2:a7 MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1
wl0: Roamed or switched channel, reason #8, bssid 00:26:bb:77:d2:a7
en1: BSSID changed to 00:26:bb:77:d2:a7
en1::IO80211Interface::postMessage bssid changed
MacAuthEvent en1 Auth result for: 00:26:bb:77:d2:a7 MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1
[snip]
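As an added example (not code from the post or from Volatility), this Python pass over the mac_dmesg lines above pulls the wireless association events out of the kernel buffer so an analyst can see which access points (BSSIDs) the machine authenticated to, whether the RSN handshake completed, and when it roamed. The sample lines are copied from the output above.

```python
import re

# Lines copied from the post's mac_dmesg output, in the order shown there.
SAMPLE_DMESG = """\
deny mach-lookup com.apple.coresymbolicationd
MacAuthEvent en1 Auth result for: 00:26:bb:77:d2:a7 MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1
wl0: Roamed or switched channel, reason #8, bssid 00:26:bb:77:d2:a7
en1: BSSID changed to 00:26:bb:77:d2:a7
en1::IO80211Interface::postMessage bssid changed
MacAuthEvent en1 Auth result for: 00:26:bb:77:d2:a7 MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1
"""

MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
PATTERNS = {
    "auth":    re.compile(r"MacAuthEvent (\S+) Auth result for: " + MAC + r" MAC AUTH (\w+)"),
    "link_up": re.compile(r"wlEvent: (\S+) \S+ Link UP"),
    "rsn":     re.compile(r"AirPort: RSN handshake complete on (\S+)"),
    "roam":    re.compile(r"Roamed or switched channel, reason #(\d+), bssid " + MAC),
    "bssid":   re.compile(r"^(\S+): BSSID changed to " + MAC),
}

def wireless_events(text):
    """Return (kind, *captured fields) tuples for every recognised wireless line."""
    events = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                events.append((kind,) + m.groups())
                break  # one event per line
    return events

def summarize(events):
    """Aggregate the events into the facts an analyst notes: BSSIDs, auth results, roams."""
    s = {"bssids": set(), "auth_ok": 0, "auth_failed": 0, "roam_reasons": [], "rsn_complete": 0}
    for ev in events:
        if ev[0] == "auth":
            s["bssids"].add(ev[2])
            s["auth_ok" if ev[3] == "succeeded" else "auth_failed"] += 1
        elif ev[0] == "bssid":
            s["bssids"].add(ev[2])
        elif ev[0] == "roam":
            s["roam_reasons"].append(int(ev[1]))
            s["bssids"].add(ev[2])
        elif ev[0] == "rsn":
            s["rsn_complete"] += 1
    return s

if __name__ == "__main__":
    print(summarize(wireless_events(SAMPLE_DMESG)))
```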
mac_list_zones
This plugin enumerates Mac zones, which are very similar to Linux kmem_cache backed structures. You can use it to determine how many structures of a particular type (e.g., process objects) are active and how many are free. For example, below you can see that 133 proc structures are active on the system. Other plugins can inherit from mac_list_zones and collect the addresses of each active object of a given type, which makes the zone allocator a rich source of information about where allocated objects reside in memory dumps.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_list_zones
Volatile Systems Volatility Framework 2.3_alpha
Name Active Count Free Count Element Size
------------------------------ ------------ ---------- ------------
zones 182 0 592
vm.objects 153401 8832498 224
vm.object.hash.entries 135206 882875 40
maps 149 34033 232
VM.map.entries 26463 24372727 80
Reserved.VM.map.entries 35 13164 80
VM.map.copies 0 220097 80
pmap 139 7962 256
pagetable.anchors 139 7962 4096
proc 133 4042 1120
mac_dead_procs
This plugin prints terminated/dead processes that it gathers by leveraging the zone enumeration API. In most cases, the UID, GID, PGID, Bits, and DTB columns will show invalid data since we could be looking at partially overwritten data structures. Also note that in some rare cases active processes are found in this list as well. We are currently investigating the conditions that lead to active processes showing up in the freed process object list. We believe the cause is related to the same issue that affects mac_pslist (see the mac_pslist discussion in MoVP II - 4.1 - Leveraging Process Cross-View Analysis for Mac Rootkit Detection).
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_dead_procs
Volatile Systems Volatility Framework 2.3_alpha
Offset Name Pid Uid Gid PGID Bits DTB Start Time
------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
0xffffff8036349760 diskmanagementd 4158 - - -55...11 ------------------ 2013-03-29 12:14:31 UTC+0000
0xffffff8036349760 diskmanagementd 4158 - - -55...11 ------------------ 2013-03-29 12:14:31 UTC+0000
0xffffff8032c60d20 lssave 4161 - - -55...11 ------------------ 2013-03-29 12:14:43 UTC+0000
0xffffff803dfe08e0 com.apple.audio. 4146 - - -55...11 ------------------ 2013-03-29 12:12:59 UTC+0000
0xffffff803dfe0d40 com.apple.audio. 4145 - - -55...11 ------------------ 2013-03-29 12:12:59 UTC+0000
0xffffff8032c62300 com.apple.qtkits 4147 - - -55...11 ------------------ 2013-03-29 12:12:59 UTC+0000
[snip]
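An added example, not from the post or from Volatility, that parses the mac_dead_procs rows above, drops the duplicate offset the plugin reports, orders the entries by start time, and cross-checks them against a live-process set to flag the "still active" entries the caveat above describes. The live set is constructed for the example (a real one would come from a live process listing such as mac_pslist).

```python
import re
from datetime import datetime

# Rows copied from the post's mac_dead_procs output (the first offset really does
# appear twice there); the plugin truncates process names to 16 characters.
SAMPLE_DEAD_PROCS = """\
0xffffff8036349760 diskmanagementd 4158 - - -55...11 ------------------ 2013-03-29 12:14:31 UTC+0000
0xffffff8036349760 diskmanagementd 4158 - - -55...11 ------------------ 2013-03-29 12:14:31 UTC+0000
0xffffff8032c60d20 lssave 4161 - - -55...11 ------------------ 2013-03-29 12:14:43 UTC+0000
0xffffff803dfe08e0 com.apple.audio. 4146 - - -55...11 ------------------ 2013-03-29 12:12:59 UTC+0000
"""

# Constructed: (offset, pid) pairs as a live process listing would report them.
# diskmanagementd is deliberately listed as live to mimic the caveat in the post.
LIVE_PROCS = {(0xffffff8036349760, 4158), (0xffffff80300a1000, 1)}

# Offset, name and pid at the front; the garbled middle columns are skipped up to the timestamp.
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+.*?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC([+-]\d{4})$"
)

def parse_dead_procs(text):
    """Return unique freed-proc entries sorted by start time."""
    seen, entries = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset in seen:  # the same freed proc can be reported twice
            continue
        seen.add(offset)
        entries.append({
            "offset": offset,
            "name": m.group(2),
            "pid": int(m.group(3)),
            "start": datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S"),
        })
    return sorted(entries, key=lambda e: e["start"])

def still_active(dead, live):
    """Names of freed-list entries whose (offset, pid) also appear in the live listing."""
    return [d["name"] for d in dead if (d["offset"], d["pid"]) in live]

if __name__ == "__main__":
    dead = parse_dead_procs(SAMPLE_DEAD_PROCS)
    for d in dead:
        print(f"{d['start']}  pid {d['pid']:>5}  {d['name']}")
    print("still active:", still_active(dead, LIVE_PROCS))
```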
Conclusion
In this post we have highlighted several plugins that can be useful in a number of investigative scenarios. Tomorrow we will look at a wide range of plugins as we analyze and detect the rubilyn kernel rootkit in memory.