Skip to content
This repository was archived by the owner on May 16, 2025. It is now read-only.

Freebsd 8.4 support #678

Open
wants to merge 4 commits into
base: freebsd_support
Choose a base branch
from
Open

Freebsd 8.4 support #678

wants to merge 4 commits into from

Conversation

@patriknisen
Copy link

@patriknisen patriknisen commented Jan 28, 2020

Adds support for FreeBSD 8.4.0 and probably some other older FreeBSD versions. In addition, implements an initial version of a command for listing TCP connections.

@patriknisen
Adds support for FreeBSD 8.4.0
7b29350 
This change adds support for at least FreeBSD 8.4.0, but other old
versions might work as well.

Included changes:

- support for pmap structure without pm_cr3 member (before 9.3)
- support for filedesc structure with fd_ofiles member of type
  `struct file **` (before 9.2)
- support for cdev structure with si_name member of type `char *`
  (before 9.1)
@patriknisen
Adds freebsd_tcpconns command
24031f6 
Adds an inital version of freebsd_tcpconns command, which allows to list
active TCP connections.

This plugin is based on the following publication:

Bond, Elyse, "Creating Volatility Support for FreeBSD" (2015).
University of New Orleans Theses and Dissertations. 2033.
@patriknisen
Fixes bugs in freebsd_lsof command for modern versions
3896787 
Also includes a check for missing tcbinfo symbol in tcpconns command.
@iMHLv2
Copy link
Contributor

iMHLv2 commented Jan 29, 2020

@patriknisen Thanks for your patches. We were hoping to confirm the functionality before merging, but we don't have a profile or 8.4 memory dump handy. Would you be able to share the profile you've been testing with?

@patriknisen
FreeBSD version info for struct inclusion
33c15ae 
Define which FreeBSD versions introduced 2 structures that are not
available in 8.4.
@mturkia
Copy link
Contributor

mturkia commented Jan 30, 2020

FreeBSD-8.4 profile, memory snapshot from vanilla FreeBSD 8.4 is attached.
FreeBSD 8.4 volatility-Snapshot1.vmem.gz

We also improved the module.c so that it can be directly used in older FreeBSD.

@iMHLv2
Copy link
Contributor

iMHLv2 commented Jan 30, 2020

Thank you! Nice work on the blog too, I'm just going to paste it here so we have a set of resources for people to reference in one place.

https://www.nixu.com/blog/memory-forensics-against-citrix-adc

@nikoc03
Copy link

nikoc03 commented Feb 18, 2020

Hey guys! great work, could you make some instruction manual also so that we will use it properly, for now i have created the profile and im trying to load the raw memory but i get multiple "No base address space"

@mturkia
Copy link
Contributor

mturkia commented Feb 19, 2020

Hey guys! great work, could you make some instruction manual also so that we will use it properly, for now i have created the profile and im trying to load the raw memory but i get multiple "No base address space"

We have created the memory dumps by taking a snapshot of the virtual machine running FreeBSD/Netscaler. Are you having trouble acquiring the memory image or analyzing it?

After getting the memory image it is just giving the correct parameters for volatility, i.e.:

python vol.py -f ~/vmware/FreeBSD/FreeBSD-Snapshot1.vmem --profile FreeBSD-8_4-amd64 freebsd_tcpconns

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@patriknisen @iMHLv2 @mturkia @nikoc03