Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Freebsd 8.4 support #678

Open
wants to merge 4 commits into
base: freebsd_support
Choose a base branch
from
Open

Freebsd 8.4 support #678

wants to merge 4 commits into from

Conversation

patriknisen
Copy link

Adds support for FreeBSD 8.4.0 and probably some other older FreeBSD versions. In addition, implements an initial version of a command for listing TCP connections.

@patriknisen
Adds support for FreeBSD 8.4.0
7b29350 
This change adds support for at least FreeBSD 8.4.0, but other old
versions might work as well.

Included changes:

- support for pmap structure without pm_cr3 member (before 9.3)
- support for filedesc structure with fd_ofiles member of type
  `struct file **` (before 9.2)
- support for cdev structure with si_name member of type `char *`
  (before 9.1)
@patriknisen
Adds freebsd_tcpconns command
24031f6 
Adds an inital version of freebsd_tcpconns command, which allows to list
active TCP connections.

This plugin is based on the following publication:

Bond, Elyse, "Creating Volatility Support for FreeBSD" (2015).
University of New Orleans Theses and Dissertations. 2033.
@patriknisen
Fixes bugs in freebsd_lsof command for modern versions
3896787 
Also includes a check for missing tcbinfo symbol in tcpconns command.
@iMHLv2
Copy link
Contributor

iMHLv2 commented Jan 29, 2020

@patriknisen Thanks for your patches. We were hoping to confirm the functionality before merging, but we don't have a profile or 8.4 memory dump handy. Would you be able to share the profile you've been testing with?

@patriknisen
FreeBSD version info for struct inclusion
33c15ae 
Define which FreeBSD versions introduced 2 structures that are not
available in 8.4.
@mturkia
Copy link
Contributor

mturkia commented Jan 30, 2020

FreeBSD-8.4 profile, memory snapshot from vanilla FreeBSD 8.4 is attached.
FreeBSD 8.4 volatility-Snapshot1.vmem.gz

We also improved the module.c so that it can be directly used in older FreeBSD.

@iMHLv2
Copy link
Contributor

iMHLv2 commented Jan 30, 2020

Thank you! Nice work on the blog too, I'm just going to paste it here so we have a set of resources for people to reference in one place.

https://www.nixu.com/blog/memory-forensics-against-citrix-adc

@nikoc03
Copy link

nikoc03 commented Feb 18, 2020

Hey guys! great work, could you make some instruction manual also so that we will use it properly, for now i have created the profile and im trying to load the raw memory but i get multiple "No base address space"

@mturkia
Copy link
Contributor

mturkia commented Feb 19, 2020

Hey guys! great work, could you make some instruction manual also so that we will use it properly, for now i have created the profile and im trying to load the raw memory but i get multiple "No base address space"

We have created the memory dumps by taking a snapshot of the virtual machine running FreeBSD/Netscaler. Are you having trouble acquiring the memory image or analyzing it?

After getting the memory image it is just giving the correct parameters for volatility, i.e.:

python vol.py -f ~/vmware/FreeBSD/FreeBSD-Snapshot1.vmem --profile FreeBSD-8_4-amd64 freebsd_tcpconns

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@patriknisen @iMHLv2 @mturkia @nikoc03