Chapter 20 Linux Operating System
The Linux support in Volatility was first officially included with the 2.2 release (October 2012). Unless otherwise specified, Volatility’s Linux plugins support kernel versions 2.6.11 through 3.14. The ability to support deep analysis across such a wide range of kernels is dependent on a thorough understanding of the design decisions made by the Linux kernel developers and the technologies they use throughout the operating system. In this chapter, you learn about the Executable and Linking Format (ELF) file and how to locate specific sections in memory for analysis. You’ll also examine the global offset table (GOT), which adversaries can use to alter system behaviors. Finally, we describe an interesting aspect of Linux virtual address translation and a groundbreaking new technology that involves compressing swapped pages.
ELF Files
ELF is the main executable file format used on Linux systems. User applications, shared libraries, kernel modules, and the kernel itself are all stored in the ELF format. To fully understand how you can perform memory forensics and malware analysis of Linux systems, you must first become familiar with the ELF format. To explore the ELF format, we will discuss its data structures and on-disk layout with the help of the readelf
command. readelf
is distributed with binutils
and should be installed by default on all Linux distributions. Complete documentation of the ELF format can be found at http://www.skyfree.org/linux/references/ELF_Format.pdf ...
Get The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.