Extract a running ELF from a memory dump
Our teacher gave us as homework a memory dump from a VBox (Ubuntu 16.04.9) and said that the message we need to get is printed by an ELF currently running in the VM.
This is what I get after running `pslist` on the image.
Offset Name Pid PPid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff88007c998000 systemd 1 0 0 0 0x000000003552e000 -
0xffff88007c998e00 kthreadd 2 0 0 0 ------------------ -
0xffff88007c999c00 ksoftirqd/0 3 2 0 0 ------------------ -
0xffff88007c99aa00 kworker/0:0 4 2 0 0 ------------------ -
0xffff88007c99b800 kworker/0:0H 5 2 0 0 ------------------ -
0xffff88007c99c600 kworker/u4:0 6 2 0 0 ------------------ -
0xffff88007c99d400 rcu_sched 7 2 0 0 ------------------ -
0xffff88007c99e200 rcu_bh 8 2 0 0 ------------------ -
0xffff88007c99f000 migration/0 9 2 0 0 ------------------ -
0xffff88007c9f0000 watchdog/0 10 2 0 0 ------------------ -
0xffff88007c9f1c00 watchdog/1 11 2 0 0 ------------------ -
0xffff88007c9f2a00 migration/1 12 2 0 0 ------------------ -
0xffff88007c9f3800 ksoftirqd/1 13 2 0 0 ------------------ -
0xffff88007c9f4600 kworker/1:0 14 2 0 0 ------------------ -
0xffff88007c9f5400 kworker/1:0H 15 2 0 0 ------------------ -
0xffff88007c9f6200 kdevtmpfs 16 2 0 0 ------------------ -
0xffff88007c9f7000 netns 17 2 0 0 ------------------ -
0xffff88007ca90000 perf 18 2 0 0 ------------------ -
0xffff88007ca90e00 khungtaskd 19 2 0 0 ------------------ -
0xffff88007ca91c00 writeback 20 2 0 0 ------------------ -
0xffff88007ca92a00 ksmd 21 2 0 0 ------------------ -
0xffff88007ca93800 khugepaged 22 2 0 0 ------------------ -
0xffff88007ca94600 crypto 23 2 0 0 ------------------ -
0xffff88007ca95400 kintegrityd 24 2 0 0 ------------------ -
0xffff88007ca96200 bioset 25 2 0 0 ------------------ -
0xffff88007ca97000 kblockd 26 2 0 0 ------------------ -
0xffff88007cb80000 ata_sff 27 2 0 0 ------------------ -
0xffff88007cb80e00 md 28 2 0 0 ------------------ -
0xffff88007cb81c00 devfreq_wq 29 2 0 0 ------------------ -
0xffff88007cb82a00 kworker/u4:1 30 2 0 0 ------------------ -
0xffff88007cb83800 kworker/0:1 31 2 0 0 ------------------ -
0xffff88007cb84600 kworker/1:1 32 2 0 0 ------------------ -
0xffff88007cb86200 kswapd0 34 2 0 0 ------------------ -
0xffff88007cb87000 vmstat 35 2 0 0 ------------------ -
0xffff880075ec0000 fsnotify_mark 36 2 0 0 ------------------ -
0xffff880075ec0e00 ecryptfs-kthrea 37 2 0 0 ------------------ -
0xffff880075f27000 kthrotld 53 2 0 0 ------------------ -
0xffff88007cb85400 acpi_thermal_pm 54 2 0 0 ------------------ -
0xffff880075fc8000 bioset 55 2 0 0 ------------------ -
0xffff880075fc8e00 bioset 56 2 0 0 ------------------ -
0xffff880075fc9c00 bioset 57 2 0 0 ------------------ -
0xffff880075fcaa00 bioset 58 2 0 0 ------------------ -
0xffff880075fcb800 bioset 59 2 0 0 ------------------ -
0xffff880075fcc600 bioset 60 2 0 0 ------------------ -
0xffff880075fcd400 bioset 61 2 0 0 ------------------ -
0xffff880075fce200 bioset 62 2 0 0 ------------------ -
0xffff880075fcf000 scsi_eh_0 63 2 0 0 ------------------ -
0xffff880075f26200 scsi_tmf_0 64 2 0 0 ------------------ -
0xffff880075f24600 scsi_eh_1 65 2 0 0 ------------------ -
0xffff880075f22a00 scsi_tmf_1 66 2 0 0 ------------------ -
0xffff880075f20e00 kworker/u4:2 67 2 0 0 ------------------ -
0xffff880075f25400 kworker/u4:3 68 2 0 0 ------------------ -
0xffff880075ec6200 ipv6_addrconf 72 2 0 0 ------------------ -
0xffff880035595400 deferwq 85 2 0 0 ------------------ -
0xffff880035596200 charger_manager 86 2 0 0 ------------------ -
0xffff880035593800 bioset 87 2 0 0 ------------------ -
0xffff880034c49c00 kworker/0:2 126 2 0 0 ------------------ -
0xffff8800355e5400 kpsmoused 139 2 0 0 ------------------ -
0xffff880034ee8e00 kworker/0:3 156 2 0 0 ------------------ -
0xffff880075ec2a00 kworker/1:1H 166 2 0 0 ------------------ -
0xffff880034eef000 scsi_eh_2 167 2 0 0 ------------------ -
0xffff880034eee200 scsi_tmf_2 168 2 0 0 ------------------ -
0xffff880034eed400 bioset 169 2 0 0 ------------------ -
0xffff880075f23800 raid5wq 241 2 0 0 ------------------ -
0xffff880035590000 bioset 272 2 0 0 ------------------ -
0xffff880035594600 kworker/0:1H 295 2 0 0 ------------------ -
0xffff880035597000 jbd2/sda1-8 297 2 0 0 ------------------ -
0xffff880035590e00 ext4-rsv-conver 298 2 0 0 ------------------ -
0xffff880034c4aa00 systemd-journal 354 1 0 0 0x0000000079614000 -
0xffff880035592a00 iscsi_eh 356 2 0 0 ------------------ -
0xffff880079103800 kworker/1:2 370 2 0 0 ------------------ -
0xffff880034eeaa00 kauditd 372 2 0 0 ------------------ -
0xffff88007a478e00 ib_addr 382 2 0 0 ------------------ -
0xffff88007a479c00 ib_mcast 385 2 0 0 ------------------ -
0xffff88007a47aa00 ib_nl_sa_wq 386 2 0 0 ------------------ -
0xffff88007a47b800 ib_cm 387 2 0 0 ------------------ -
0xffff88007a47c600 iw_cm_wq 389 2 0 0 ------------------ -
0xffff88007a47d400 rdma_cm 391 2 0 0 ------------------ -
0xffff880075ec4600 lvmetad 394 1 0 0 0x000000007c36c000 -
0xffff88007a478000 kworker/1:3 399 2 0 0 ------------------ -
0xffff880079100000 systemd-udevd 408 1 0 0 0x000000007c2c8000 -
0xffff880079100e00 iprt-VBoxWQueue 493 2 0 0 ------------------ -
0xffff880034ebf000 ttm_swap 649 2 0 0 ------------------ -
0xffff88007a076200 atd 730 1 0 0 0x000000007c3f8000 -
0xffff88007a070000 lxcfs 738 1 0 0 0x0000000079fe0000 -
0xffff88007b68b800 accounts-daemon 739 1 0 0 0x0000000079fe2000 -
0xffff880034eb8e00 rsyslogd 745 1 104 108 0x0000000079530000 -
0xffff880034c4e200 cron 754 1 0 0 0x000000007a08c000 -
0xffff88007942c600 systemd-logind 758 1 0 0 0x000000007a6d6000 -
0xffff880079429c00 acpid 777 1 0 0 0x000000007917c000 -
0xffff880079428000 snapd 783 1 0 0 0x0000000079768000 -
0xffff880079428e00 dbus-daemon 785 1 107 111 0x0000000079470000 -
0xffff88007b17b800 dhclient 846 1 0 0 0x000000007a430000 -
0xffff88007942aa00 polkitd 898 1 0 0 0x0000000079b92000 -
0xffff880034ebd400 mdadm 907 1 0 0 0x000000007c3fc000 -
0xffff88007b17f000 VBoxService 941 1 0 0 0x000000007862e000 -
0xffff880034ebc600 named 1018 1 110 115 0x0000000079aa4000 -
0xffff88007a32c600 sshd 1023 1 0 0 0x0000000034dbc000 -
0xffff88007b179c00 iscsid 1036 1 0 0 0x000000007afdc000 -
0xffff88007b178e00 iscsid 1037 1 0 0 0x0000000079bd0000 -
0xffff88007b68f000 irqbalance 1079 1 0 0 0x000000007a462000 -
0xffff88007b688000 login 1084 1 0 1000 0x0000000079dc0000 -
0xffff88007a074600 systemd 1157 1 1000 1000 0x0000000034c16000 -
0xffff88007a073800 (sd-pam) 1160 1157 1000 1000 0x0000000079a92000 -
0xffff88007a075400 bash 1166 1084 1000 1000 0x0000000035720000 -
0xffff8800355e3800 ht0p 1192 1166 1000 1000 0x000000007b982000 -
0xffff8800355e6200 htop 1193 1166 1000 1000 0x000000007b9a2000 -
I have tried running `procdump` on a lot of processes there and then running `strings` on them, but nothing seemed like the 'message'. I really have no idea what to do next; do I somehow need to extract the ELF that's running from memory? Also, do you have any idea what process it might be, or what else I should do?
linux kali-linux elf forensics dump
Our teacher gave us as homework a memory dump from a VBox (Ubuntu 16.04.9) and said that the message we need to get is printed by an ELF currently running in the VM.
This is what I get after running `pslist` on the image.
Offset Name Pid PPid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff88007c998000 systemd 1 0 0 0 0x000000003552e000 -
0xffff88007c998e00 kthreadd 2 0 0 0 ------------------ -
0xffff88007c999c00 ksoftirqd/0 3 2 0 0 ------------------ -
0xffff88007c99aa00 kworker/0:0 4 2 0 0 ------------------ -
0xffff88007c99b800 kworker/0:0H 5 2 0 0 ------------------ -
0xffff88007c99c600 kworker/u4:0 6 2 0 0 ------------------ -
0xffff88007c99d400 rcu_sched 7 2 0 0 ------------------ -
0xffff88007c99e200 rcu_bh 8 2 0 0 ------------------ -
0xffff88007c99f000 migration/0 9 2 0 0 ------------------ -
0xffff88007c9f0000 watchdog/0 10 2 0 0 ------------------ -
0xffff88007c9f1c00 watchdog/1 11 2 0 0 ------------------ -
0xffff88007c9f2a00 migration/1 12 2 0 0 ------------------ -
0xffff88007c9f3800 ksoftirqd/1 13 2 0 0 ------------------ -
0xffff88007c9f4600 kworker/1:0 14 2 0 0 ------------------ -
0xffff88007c9f5400 kworker/1:0H 15 2 0 0 ------------------ -
0xffff88007c9f6200 kdevtmpfs 16 2 0 0 ------------------ -
0xffff88007c9f7000 netns 17 2 0 0 ------------------ -
0xffff88007ca90000 perf 18 2 0 0 ------------------ -
0xffff88007ca90e00 khungtaskd 19 2 0 0 ------------------ -
0xffff88007ca91c00 writeback 20 2 0 0 ------------------ -
0xffff88007ca92a00 ksmd 21 2 0 0 ------------------ -
0xffff88007ca93800 khugepaged 22 2 0 0 ------------------ -
0xffff88007ca94600 crypto 23 2 0 0 ------------------ -
0xffff88007ca95400 kintegrityd 24 2 0 0 ------------------ -
0xffff88007ca96200 bioset 25 2 0 0 ------------------ -
0xffff88007ca97000 kblockd 26 2 0 0 ------------------ -
0xffff88007cb80000 ata_sff 27 2 0 0 ------------------ -
0xffff88007cb80e00 md 28 2 0 0 ------------------ -
0xffff88007cb81c00 devfreq_wq 29 2 0 0 ------------------ -
0xffff88007cb82a00 kworker/u4:1 30 2 0 0 ------------------ -
0xffff88007cb83800 kworker/0:1 31 2 0 0 ------------------ -
0xffff88007cb84600 kworker/1:1 32 2 0 0 ------------------ -
0xffff88007cb86200 kswapd0 34 2 0 0 ------------------ -
0xffff88007cb87000 vmstat 35 2 0 0 ------------------ -
0xffff880075ec0000 fsnotify_mark 36 2 0 0 ------------------ -
0xffff880075ec0e00 ecryptfs-kthrea 37 2 0 0 ------------------ -
0xffff880075f27000 kthrotld 53 2 0 0 ------------------ -
0xffff88007cb85400 acpi_thermal_pm 54 2 0 0 ------------------ -
0xffff880075fc8000 bioset 55 2 0 0 ------------------ -
0xffff880075fc8e00 bioset 56 2 0 0 ------------------ -
0xffff880075fc9c00 bioset 57 2 0 0 ------------------ -
0xffff880075fcaa00 bioset 58 2 0 0 ------------------ -
0xffff880075fcb800 bioset 59 2 0 0 ------------------ -
0xffff880075fcc600 bioset 60 2 0 0 ------------------ -
0xffff880075fcd400 bioset 61 2 0 0 ------------------ -
0xffff880075fce200 bioset 62 2 0 0 ------------------ -
0xffff880075fcf000 scsi_eh_0 63 2 0 0 ------------------ -
0xffff880075f26200 scsi_tmf_0 64 2 0 0 ------------------ -
0xffff880075f24600 scsi_eh_1 65 2 0 0 ------------------ -
0xffff880075f22a00 scsi_tmf_1 66 2 0 0 ------------------ -
0xffff880075f20e00 kworker/u4:2 67 2 0 0 ------------------ -
0xffff880075f25400 kworker/u4:3 68 2 0 0 ------------------ -
0xffff880075ec6200 ipv6_addrconf 72 2 0 0 ------------------ -
0xffff880035595400 deferwq 85 2 0 0 ------------------ -
0xffff880035596200 charger_manager 86 2 0 0 ------------------ -
0xffff880035593800 bioset 87 2 0 0 ------------------ -
0xffff880034c49c00 kworker/0:2 126 2 0 0 ------------------ -
0xffff8800355e5400 kpsmoused 139 2 0 0 ------------------ -
0xffff880034ee8e00 kworker/0:3 156 2 0 0 ------------------ -
0xffff880075ec2a00 kworker/1:1H 166 2 0 0 ------------------ -
0xffff880034eef000 scsi_eh_2 167 2 0 0 ------------------ -
0xffff880034eee200 scsi_tmf_2 168 2 0 0 ------------------ -
0xffff880034eed400 bioset 169 2 0 0 ------------------ -
0xffff880075f23800 raid5wq 241 2 0 0 ------------------ -
0xffff880035590000 bioset 272 2 0 0 ------------------ -
0xffff880035594600 kworker/0:1H 295 2 0 0 ------------------ -
0xffff880035597000 jbd2/sda1-8 297 2 0 0 ------------------ -
0xffff880035590e00 ext4-rsv-conver 298 2 0 0 ------------------ -
0xffff880034c4aa00 systemd-journal 354 1 0 0 0x0000000079614000 -
0xffff880035592a00 iscsi_eh 356 2 0 0 ------------------ -
0xffff880079103800 kworker/1:2 370 2 0 0 ------------------ -
0xffff880034eeaa00 kauditd 372 2 0 0 ------------------ -
0xffff88007a478e00 ib_addr 382 2 0 0 ------------------ -
0xffff88007a479c00 ib_mcast 385 2 0 0 ------------------ -
0xffff88007a47aa00 ib_nl_sa_wq 386 2 0 0 ------------------ -
0xffff88007a47b800 ib_cm 387 2 0 0 ------------------ -
0xffff88007a47c600 iw_cm_wq 389 2 0 0 ------------------ -
0xffff88007a47d400 rdma_cm 391 2 0 0 ------------------ -
0xffff880075ec4600 lvmetad 394 1 0 0 0x000000007c36c000 -
0xffff88007a478000 kworker/1:3 399 2 0 0 ------------------ -
0xffff880079100000 systemd-udevd 408 1 0 0 0x000000007c2c8000 -
0xffff880079100e00 iprt-VBoxWQueue 493 2 0 0 ------------------ -
0xffff880034ebf000 ttm_swap 649 2 0 0 ------------------ -
0xffff88007a076200 atd 730 1 0 0 0x000000007c3f8000 -
0xffff88007a070000 lxcfs 738 1 0 0 0x0000000079fe0000 -
0xffff88007b68b800 accounts-daemon 739 1 0 0 0x0000000079fe2000 -
0xffff880034eb8e00 rsyslogd 745 1 104 108 0x0000000079530000 -
0xffff880034c4e200 cron 754 1 0 0 0x000000007a08c000 -
0xffff88007942c600 systemd-logind 758 1 0 0 0x000000007a6d6000 -
0xffff880079429c00 acpid 777 1 0 0 0x000000007917c000 -
0xffff880079428000 snapd 783 1 0 0 0x0000000079768000 -
0xffff880079428e00 dbus-daemon 785 1 107 111 0x0000000079470000 -
0xffff88007b17b800 dhclient 846 1 0 0 0x000000007a430000 -
0xffff88007942aa00 polkitd 898 1 0 0 0x0000000079b92000 -
0xffff880034ebd400 mdadm 907 1 0 0 0x000000007c3fc000 -
0xffff88007b17f000 VBoxService 941 1 0 0 0x000000007862e000 -
0xffff880034ebc600 named 1018 1 110 115 0x0000000079aa4000 -
0xffff88007a32c600 sshd 1023 1 0 0 0x0000000034dbc000 -
0xffff88007b179c00 iscsid 1036 1 0 0 0x000000007afdc000 -
0xffff88007b178e00 iscsid 1037 1 0 0 0x0000000079bd0000 -
0xffff88007b68f000 irqbalance 1079 1 0 0 0x000000007a462000 -
0xffff88007b688000 login 1084 1 0 1000 0x0000000079dc0000 -
0xffff88007a074600 systemd 1157 1 1000 1000 0x0000000034c16000 -
0xffff88007a073800 (sd-pam) 1160 1157 1000 1000 0x0000000079a92000 -
0xffff88007a075400 bash 1166 1084 1000 1000 0x0000000035720000 -
0xffff8800355e3800 ht0p 1192 1166 1000 1000 0x000000007b982000 -
0xffff8800355e6200 htop 1193 1166 1000 1000 0x000000007b9a2000 -
I have tried running `procdump` on a lot of processes there and then running `strings` on them, but nothing seemed like the 'message'. I really have no idea what to do next; do I somehow need to extract the ELF that's running from memory? Also, do you have any idea what process it might be, or what else I should do?
linux kali-linux elf forensics dump
Hint: are you not seeing any process with a funny name? It sticks out like a sore thumb...
– Rui F Ribeiro
Apr 18 at 21:50
@RuiFRibeiro I am a beginner when it comes to process names. Is it `(sd-pam)`?
– Teodor Vecerdi
Apr 18 at 21:51
Have a look at the last two ones. Still not seeing anything funny?
– Rui F Ribeiro
Apr 18 at 21:53
@RuiFRibeiro I dumped both processes and didn't see anything funny-looking when using the `strings` command. `ht0p` was the first one that I saw, actually.
– Teodor Vecerdi
Apr 18 at 21:54
The teacher said it was printed by an ELF, not that it was easy to find with `strings`. I bet that either the binary is compressed or the string is hidden with simple tricks like storing it in an encrypted format or building it char-by-char. I would bet my money on `ht0p` too.
– Rui F Ribeiro
Apr 18 at 21:57
Our teacher gave us as homework a memory dump from a VBox (Ubuntu 16.04.9) and said that the message we need to get is printed by an ELF currently running in the VM.
This is what I get after running `pslist` on the image.
Offset Name Pid PPid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff88007c998000 systemd 1 0 0 0 0x000000003552e000 -
0xffff88007c998e00 kthreadd 2 0 0 0 ------------------ -
0xffff88007c999c00 ksoftirqd/0 3 2 0 0 ------------------ -
0xffff88007c99aa00 kworker/0:0 4 2 0 0 ------------------ -
0xffff88007c99b800 kworker/0:0H 5 2 0 0 ------------------ -
0xffff88007c99c600 kworker/u4:0 6 2 0 0 ------------------ -
0xffff88007c99d400 rcu_sched 7 2 0 0 ------------------ -
0xffff88007c99e200 rcu_bh 8 2 0 0 ------------------ -
0xffff88007c99f000 migration/0 9 2 0 0 ------------------ -
0xffff88007c9f0000 watchdog/0 10 2 0 0 ------------------ -
0xffff88007c9f1c00 watchdog/1 11 2 0 0 ------------------ -
0xffff88007c9f2a00 migration/1 12 2 0 0 ------------------ -
0xffff88007c9f3800 ksoftirqd/1 13 2 0 0 ------------------ -
0xffff88007c9f4600 kworker/1:0 14 2 0 0 ------------------ -
0xffff88007c9f5400 kworker/1:0H 15 2 0 0 ------------------ -
0xffff88007c9f6200 kdevtmpfs 16 2 0 0 ------------------ -
0xffff88007c9f7000 netns 17 2 0 0 ------------------ -
0xffff88007ca90000 perf 18 2 0 0 ------------------ -
0xffff88007ca90e00 khungtaskd 19 2 0 0 ------------------ -
0xffff88007ca91c00 writeback 20 2 0 0 ------------------ -
0xffff88007ca92a00 ksmd 21 2 0 0 ------------------ -
0xffff88007ca93800 khugepaged 22 2 0 0 ------------------ -
0xffff88007ca94600 crypto 23 2 0 0 ------------------ -
0xffff88007ca95400 kintegrityd 24 2 0 0 ------------------ -
0xffff88007ca96200 bioset 25 2 0 0 ------------------ -
0xffff88007ca97000 kblockd 26 2 0 0 ------------------ -
0xffff88007cb80000 ata_sff 27 2 0 0 ------------------ -
0xffff88007cb80e00 md 28 2 0 0 ------------------ -
0xffff88007cb81c00 devfreq_wq 29 2 0 0 ------------------ -
0xffff88007cb82a00 kworker/u4:1 30 2 0 0 ------------------ -
0xffff88007cb83800 kworker/0:1 31 2 0 0 ------------------ -
0xffff88007cb84600 kworker/1:1 32 2 0 0 ------------------ -
0xffff88007cb86200 kswapd0 34 2 0 0 ------------------ -
0xffff88007cb87000 vmstat 35 2 0 0 ------------------ -
0xffff880075ec0000 fsnotify_mark 36 2 0 0 ------------------ -
0xffff880075ec0e00 ecryptfs-kthrea 37 2 0 0 ------------------ -
0xffff880075f27000 kthrotld 53 2 0 0 ------------------ -
0xffff88007cb85400 acpi_thermal_pm 54 2 0 0 ------------------ -
0xffff880075fc8000 bioset 55 2 0 0 ------------------ -
0xffff880075fc8e00 bioset 56 2 0 0 ------------------ -
0xffff880075fc9c00 bioset 57 2 0 0 ------------------ -
0xffff880075fcaa00 bioset 58 2 0 0 ------------------ -
0xffff880075fcb800 bioset 59 2 0 0 ------------------ -
0xffff880075fcc600 bioset 60 2 0 0 ------------------ -
0xffff880075fcd400 bioset 61 2 0 0 ------------------ -
0xffff880075fce200 bioset 62 2 0 0 ------------------ -
0xffff880075fcf000 scsi_eh_0 63 2 0 0 ------------------ -
0xffff880075f26200 scsi_tmf_0 64 2 0 0 ------------------ -
0xffff880075f24600 scsi_eh_1 65 2 0 0 ------------------ -
0xffff880075f22a00 scsi_tmf_1 66 2 0 0 ------------------ -
0xffff880075f20e00 kworker/u4:2 67 2 0 0 ------------------ -
0xffff880075f25400 kworker/u4:3 68 2 0 0 ------------------ -
0xffff880075ec6200 ipv6_addrconf 72 2 0 0 ------------------ -
0xffff880035595400 deferwq 85 2 0 0 ------------------ -
0xffff880035596200 charger_manager 86 2 0 0 ------------------ -
0xffff880035593800 bioset 87 2 0 0 ------------------ -
0xffff880034c49c00 kworker/0:2 126 2 0 0 ------------------ -
0xffff8800355e5400 kpsmoused 139 2 0 0 ------------------ -
0xffff880034ee8e00 kworker/0:3 156 2 0 0 ------------------ -
0xffff880075ec2a00 kworker/1:1H 166 2 0 0 ------------------ -
0xffff880034eef000 scsi_eh_2 167 2 0 0 ------------------ -
0xffff880034eee200 scsi_tmf_2 168 2 0 0 ------------------ -
0xffff880034eed400 bioset 169 2 0 0 ------------------ -
0xffff880075f23800 raid5wq 241 2 0 0 ------------------ -
0xffff880035590000 bioset 272 2 0 0 ------------------ -
0xffff880035594600 kworker/0:1H 295 2 0 0 ------------------ -
0xffff880035597000 jbd2/sda1-8 297 2 0 0 ------------------ -
0xffff880035590e00 ext4-rsv-conver 298 2 0 0 ------------------ -
0xffff880034c4aa00 systemd-journal 354 1 0 0 0x0000000079614000 -
0xffff880035592a00 iscsi_eh 356 2 0 0 ------------------ -
0xffff880079103800 kworker/1:2 370 2 0 0 ------------------ -
0xffff880034eeaa00 kauditd 372 2 0 0 ------------------ -
0xffff88007a478e00 ib_addr 382 2 0 0 ------------------ -
0xffff88007a479c00 ib_mcast 385 2 0 0 ------------------ -
0xffff88007a47aa00 ib_nl_sa_wq 386 2 0 0 ------------------ -
0xffff88007a47b800 ib_cm 387 2 0 0 ------------------ -
0xffff88007a47c600 iw_cm_wq 389 2 0 0 ------------------ -
0xffff88007a47d400 rdma_cm 391 2 0 0 ------------------ -
0xffff880075ec4600 lvmetad 394 1 0 0 0x000000007c36c000 -
0xffff88007a478000 kworker/1:3 399 2 0 0 ------------------ -
0xffff880079100000 systemd-udevd 408 1 0 0 0x000000007c2c8000 -
0xffff880079100e00 iprt-VBoxWQueue 493 2 0 0 ------------------ -
0xffff880034ebf000 ttm_swap 649 2 0 0 ------------------ -
0xffff88007a076200 atd 730 1 0 0 0x000000007c3f8000 -
0xffff88007a070000 lxcfs 738 1 0 0 0x0000000079fe0000 -
0xffff88007b68b800 accounts-daemon 739 1 0 0 0x0000000079fe2000 -
0xffff880034eb8e00 rsyslogd 745 1 104 108 0x0000000079530000 -
0xffff880034c4e200 cron 754 1 0 0 0x000000007a08c000 -
0xffff88007942c600 systemd-logind 758 1 0 0 0x000000007a6d6000 -
0xffff880079429c00 acpid 777 1 0 0 0x000000007917c000 -
0xffff880079428000 snapd 783 1 0 0 0x0000000079768000 -
0xffff880079428e00 dbus-daemon 785 1 107 111 0x0000000079470000 -
0xffff88007b17b800 dhclient 846 1 0 0 0x000000007a430000 -
0xffff88007942aa00 polkitd 898 1 0 0 0x0000000079b92000 -
0xffff880034ebd400 mdadm 907 1 0 0 0x000000007c3fc000 -
0xffff88007b17f000 VBoxService 941 1 0 0 0x000000007862e000 -
0xffff880034ebc600 named 1018 1 110 115 0x0000000079aa4000 -
0xffff88007a32c600 sshd 1023 1 0 0 0x0000000034dbc000 -
0xffff88007b179c00 iscsid 1036 1 0 0 0x000000007afdc000 -
0xffff88007b178e00 iscsid 1037 1 0 0 0x0000000079bd0000 -
0xffff88007b68f000 irqbalance 1079 1 0 0 0x000000007a462000 -
0xffff88007b688000 login 1084 1 0 1000 0x0000000079dc0000 -
0xffff88007a074600 systemd 1157 1 1000 1000 0x0000000034c16000 -
0xffff88007a073800 (sd-pam) 1160 1157 1000 1000 0x0000000079a92000 -
0xffff88007a075400 bash 1166 1084 1000 1000 0x0000000035720000 -
0xffff8800355e3800 ht0p 1192 1166 1000 1000 0x000000007b982000 -
0xffff8800355e6200 htop 1193 1166 1000 1000 0x000000007b9a2000 -
I have tried running `procdump` on a lot of processes there and then running `strings` on them, but nothing seemed like the 'message'. I really have no idea what to do next; do I somehow need to extract the ELF that's running from memory? Also, do you have any idea what process it might be, or what else I should do?
linux kali-linux elf forensics dump
Our teacher gave us as homework a memory dump from a VBox (Ubuntu 16.04.9) and said that the message we need to get is printed by an ELF currently running in the VM.
This is what I get after running `pslist` on the image.
Offset Name Pid PPid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff88007c998000 systemd 1 0 0 0 0x000000003552e000 -
0xffff88007c998e00 kthreadd 2 0 0 0 ------------------ -
0xffff88007c999c00 ksoftirqd/0 3 2 0 0 ------------------ -
0xffff88007c99aa00 kworker/0:0 4 2 0 0 ------------------ -
0xffff88007c99b800 kworker/0:0H 5 2 0 0 ------------------ -
0xffff88007c99c600 kworker/u4:0 6 2 0 0 ------------------ -
0xffff88007c99d400 rcu_sched 7 2 0 0 ------------------ -
0xffff88007c99e200 rcu_bh 8 2 0 0 ------------------ -
0xffff88007c99f000 migration/0 9 2 0 0 ------------------ -
0xffff88007c9f0000 watchdog/0 10 2 0 0 ------------------ -
0xffff88007c9f1c00 watchdog/1 11 2 0 0 ------------------ -
0xffff88007c9f2a00 migration/1 12 2 0 0 ------------------ -
0xffff88007c9f3800 ksoftirqd/1 13 2 0 0 ------------------ -
0xffff88007c9f4600 kworker/1:0 14 2 0 0 ------------------ -
0xffff88007c9f5400 kworker/1:0H 15 2 0 0 ------------------ -
0xffff88007c9f6200 kdevtmpfs 16 2 0 0 ------------------ -
0xffff88007c9f7000 netns 17 2 0 0 ------------------ -
0xffff88007ca90000 perf 18 2 0 0 ------------------ -
0xffff88007ca90e00 khungtaskd 19 2 0 0 ------------------ -
0xffff88007ca91c00 writeback 20 2 0 0 ------------------ -
0xffff88007ca92a00 ksmd 21 2 0 0 ------------------ -
0xffff88007ca93800 khugepaged 22 2 0 0 ------------------ -
0xffff88007ca94600 crypto 23 2 0 0 ------------------ -
0xffff88007ca95400 kintegrityd 24 2 0 0 ------------------ -
0xffff88007ca96200 bioset 25 2 0 0 ------------------ -
0xffff88007ca97000 kblockd 26 2 0 0 ------------------ -
0xffff88007cb80000 ata_sff 27 2 0 0 ------------------ -
0xffff88007cb80e00 md 28 2 0 0 ------------------ -
0xffff88007cb81c00 devfreq_wq 29 2 0 0 ------------------ -
0xffff88007cb82a00 kworker/u4:1 30 2 0 0 ------------------ -
0xffff88007cb83800 kworker/0:1 31 2 0 0 ------------------ -
0xffff88007cb84600 kworker/1:1 32 2 0 0 ------------------ -
0xffff88007cb86200 kswapd0 34 2 0 0 ------------------ -
0xffff88007cb87000 vmstat 35 2 0 0 ------------------ -
0xffff880075ec0000 fsnotify_mark 36 2 0 0 ------------------ -
0xffff880075ec0e00 ecryptfs-kthrea 37 2 0 0 ------------------ -
0xffff880075f27000 kthrotld 53 2 0 0 ------------------ -
0xffff88007cb85400 acpi_thermal_pm 54 2 0 0 ------------------ -
0xffff880075fc8000 bioset 55 2 0 0 ------------------ -
0xffff880075fc8e00 bioset 56 2 0 0 ------------------ -
0xffff880075fc9c00 bioset 57 2 0 0 ------------------ -
0xffff880075fcaa00 bioset 58 2 0 0 ------------------ -
0xffff880075fcb800 bioset 59 2 0 0 ------------------ -
0xffff880075fcc600 bioset 60 2 0 0 ------------------ -
0xffff880075fcd400 bioset 61 2 0 0 ------------------ -
0xffff880075fce200 bioset 62 2 0 0 ------------------ -
0xffff880075fcf000 scsi_eh_0 63 2 0 0 ------------------ -
0xffff880075f26200 scsi_tmf_0 64 2 0 0 ------------------ -
0xffff880075f24600 scsi_eh_1 65 2 0 0 ------------------ -
0xffff880075f22a00 scsi_tmf_1 66 2 0 0 ------------------ -
0xffff880075f20e00 kworker/u4:2 67 2 0 0 ------------------ -
0xffff880075f25400 kworker/u4:3 68 2 0 0 ------------------ -
0xffff880075ec6200 ipv6_addrconf 72 2 0 0 ------------------ -
0xffff880035595400 deferwq 85 2 0 0 ------------------ -
0xffff880035596200 charger_manager 86 2 0 0 ------------------ -
0xffff880035593800 bioset 87 2 0 0 ------------------ -
0xffff880034c49c00 kworker/0:2 126 2 0 0 ------------------ -
0xffff8800355e5400 kpsmoused 139 2 0 0 ------------------ -
0xffff880034ee8e00 kworker/0:3 156 2 0 0 ------------------ -
0xffff880075ec2a00 kworker/1:1H 166 2 0 0 ------------------ -
0xffff880034eef000 scsi_eh_2 167 2 0 0 ------------------ -
0xffff880034eee200 scsi_tmf_2 168 2 0 0 ------------------ -
0xffff880034eed400 bioset 169 2 0 0 ------------------ -
0xffff880075f23800 raid5wq 241 2 0 0 ------------------ -
0xffff880035590000 bioset 272 2 0 0 ------------------ -
0xffff880035594600 kworker/0:1H 295 2 0 0 ------------------ -
0xffff880035597000 jbd2/sda1-8 297 2 0 0 ------------------ -
0xffff880035590e00 ext4-rsv-conver 298 2 0 0 ------------------ -
0xffff880034c4aa00 systemd-journal 354 1 0 0 0x0000000079614000 -
0xffff880035592a00 iscsi_eh 356 2 0 0 ------------------ -
0xffff880079103800 kworker/1:2 370 2 0 0 ------------------ -
0xffff880034eeaa00 kauditd 372 2 0 0 ------------------ -
0xffff88007a478e00 ib_addr 382 2 0 0 ------------------ -
0xffff88007a479c00 ib_mcast 385 2 0 0 ------------------ -
0xffff88007a47aa00 ib_nl_sa_wq 386 2 0 0 ------------------ -
0xffff88007a47b800 ib_cm 387 2 0 0 ------------------ -
0xffff88007a47c600 iw_cm_wq 389 2 0 0 ------------------ -
0xffff88007a47d400 rdma_cm 391 2 0 0 ------------------ -
0xffff880075ec4600 lvmetad 394 1 0 0 0x000000007c36c000 -
0xffff88007a478000 kworker/1:3 399 2 0 0 ------------------ -
0xffff880079100000 systemd-udevd 408 1 0 0 0x000000007c2c8000 -
0xffff880079100e00 iprt-VBoxWQueue 493 2 0 0 ------------------ -
0xffff880034ebf000 ttm_swap 649 2 0 0 ------------------ -
0xffff88007a076200 atd 730 1 0 0 0x000000007c3f8000 -
0xffff88007a070000 lxcfs 738 1 0 0 0x0000000079fe0000 -
0xffff88007b68b800 accounts-daemon 739 1 0 0 0x0000000079fe2000 -
0xffff880034eb8e00 rsyslogd 745 1 104 108 0x0000000079530000 -
0xffff880034c4e200 cron 754 1 0 0 0x000000007a08c000 -
0xffff88007942c600 systemd-logind 758 1 0 0 0x000000007a6d6000 -
0xffff880079429c00 acpid 777 1 0 0 0x000000007917c000 -
0xffff880079428000 snapd 783 1 0 0 0x0000000079768000 -
0xffff880079428e00 dbus-daemon 785 1 107 111 0x0000000079470000 -
0xffff88007b17b800 dhclient 846 1 0 0 0x000000007a430000 -
0xffff88007942aa00 polkitd 898 1 0 0 0x0000000079b92000 -
0xffff880034ebd400 mdadm 907 1 0 0 0x000000007c3fc000 -
0xffff88007b17f000 VBoxService 941 1 0 0 0x000000007862e000 -
0xffff880034ebc600 named 1018 1 110 115 0x0000000079aa4000 -
0xffff88007a32c600 sshd 1023 1 0 0 0x0000000034dbc000 -
0xffff88007b179c00 iscsid 1036 1 0 0 0x000000007afdc000 -
0xffff88007b178e00 iscsid 1037 1 0 0 0x0000000079bd0000 -
0xffff88007b68f000 irqbalance 1079 1 0 0 0x000000007a462000 -
0xffff88007b688000 login 1084 1 0 1000 0x0000000079dc0000 -
0xffff88007a074600 systemd 1157 1 1000 1000 0x0000000034c16000 -
0xffff88007a073800 (sd-pam) 1160 1157 1000 1000 0x0000000079a92000 -
0xffff88007a075400 bash 1166 1084 1000 1000 0x0000000035720000 -
0xffff8800355e3800 ht0p 1192 1166 1000 1000 0x000000007b982000 -
0xffff8800355e6200 htop 1193 1166 1000 1000 0x000000007b9a2000 -
I have tried running `procdump` on a lot of processes there and then running `strings` on them, but nothing seemed like the 'message'. I really have no idea what to do next; do I somehow need to extract the ELF that's running from memory? Also, do you have any idea what process it might be, or what else I should do?
linux kali-linux elf forensics dump
edited Apr 18 at 23:05
asked Apr 18 at 21:26
Teodor Vecerdi
Hint: are you not seeing any process with a funny name? It sticks out like a sore thumb...
– Rui F Ribeiro
Apr 18 at 21:50
@RuiFRibeiro I am a beginner when it comes to process names. Is it `(sd-pam)`?
– Teodor Vecerdi
Apr 18 at 21:51
Have a look at the last two ones. Still not seeing anything funny?
– Rui F Ribeiro
Apr 18 at 21:53
@RuiFRibeiro I dumped both processes and didn't see anything funny-looking when using the `strings` command. `ht0p` was the first one that I saw, actually.
– Teodor Vecerdi
Apr 18 at 21:54
The teacher said it was printed by an ELF, not that it was easy to find with `strings`. I bet that either the binary is compressed or the string is hidden with simple tricks like storing it in an encrypted format or building it char-by-char. I would bet my money on `ht0p` too.
– Rui F Ribeiro
Apr 18 at 21:57
Hint: are you not seeing any process with a funny name? It sticks out like a sore thumb...
– Rui F Ribeiro
Apr 18 at 21:50
@RuiFRibeiro I am a beginner when it comes to process names. Is it `(sd-pam)`?
– Teodor Vecerdi
Apr 18 at 21:51
Have a look at the last two ones. Still not seeing anything funny?
– Rui F Ribeiro
Apr 18 at 21:53
@RuiFRibeiro I dumped both processes and didn't see anything funny-looking when using the `strings` command. `ht0p` was the first one that I saw, actually.
– Teodor Vecerdi
Apr 18 at 21:54
The teacher said it was printed by an ELF, not that it was easy to find with `strings`. I bet that either the binary is compressed or the string is hidden with simple tricks like storing it in an encrypted format or building it char-by-char. I would bet my money on `ht0p` too.
– Rui F Ribeiro
Apr 18 at 21:57
Hint: are you not seeing any process with a funny name? It sticks out like a sore thumb...
– Rui F Ribeiro
Apr 18 at 21:50
Hint: are you not seeing any process with a funny name? It sticks out like a sore thumb...
– Rui F Ribeiro
Apr 18 at 21:50
@RuiFRibeiro I am a beginner when it comes to process names. Is it `(sd-pam)`?
– Teodor Vecerdi
Apr 18 at 21:51
@RuiFRibeiro I am a beginner when it comes to process names. Is it `(sd-pam)`?
– Teodor Vecerdi
Apr 18 at 21:51
Have a look at the last two ones. Still not seeing anything funny?
– Rui F Ribeiro
Apr 18 at 21:53
Have a look at the last two ones. Still not seeing anything funny?
– Rui F Ribeiro
Apr 18 at 21:53
@RuiFRibeiro I dumped both processes and didn't see anything funny-looking when using the `strings` command. `ht0p` was the first one that I saw, actually.
– Teodor Vecerdi
Apr 18 at 21:54
@RuiFRibeiro I dumped both processes and didn't see anything funny-looking when using the `strings` command. `ht0p` was the first one that I saw, actually.
– Teodor Vecerdi
Apr 18 at 21:54
The teacher said it was printed by an ELF, not that it was easy to find with `strings`. I bet that either the binary is compressed or the string is hidden with simple tricks like storing it in an encrypted format or building it char-by-char. I would bet my money on `ht0p` too.
– Rui F Ribeiro
Apr 18 at 21:57
The teacher said it was printed by an ELF, not that it was easy to find with `strings`. I bet that either the binary is compressed or the string is hidden with simple tricks like storing it in an encrypted format or building it char-by-char. I would bet my money on `ht0p` too.
– Rui F Ribeiro
Apr 18 at 21:57
Hint: are you not seeing any process with a funny name? It sticks out like a sore thumb...
– Rui F Ribeiro
Apr 18 at 21:50
@RuiFRibeiro I am a beginner when it comes to process names. Is it `(sd-pam)`?
– Teodor Vecerdi
Apr 18 at 21:51
Have a look at the last two ones. Still not seeing anything funny?
– Rui F Ribeiro
Apr 18 at 21:53
@RuiFRibeiro I dumped both processes and didn't see anything funny-looking when using the `strings` command. `ht0p` was the first one that I saw, actually.
– Teodor Vecerdi
Apr 18 at 21:54
The teacher said it was printed by an ELF, not that it was easy to find with `strings`. I bet that either the binary is compressed or the string is hidden with simple tricks like storing it in an encrypted format or building it char-by-char. I would bet my money on `ht0p` too.
– Rui F Ribeiro
Apr 18 at 21:57