https://github.com/vobst/bpfvol3
Linux BPF plugins for Volatility3
- Host: GitHub
- URL: https://github.com/vobst/bpfvol3
- Owner: vobst
- License: mit
- Created: 2023-03-09T07:26:38.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2024-01-19T18:34:21.000Z (about 2 years ago)
- Last Synced: 2025-04-03T09:03:50.570Z (11 months ago)
- Topics: bpf, ebpf, forensics, forensics-tools, memory-forensics, plugin, volatility, volatility3
- Language: Python
- Size: 17.3 MB
- Stars: 10
- Watchers: 1
- Forks: 1
- Open Issues: 8
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# BPFVol3

## Description
BPFVol3 is a set of [Volatility3](https://github.com/volatilityfoundation/volatility3) plugins for analyzing the [Linux BPF](https://docs.kernel.org/bpf/index.html) subsystem.
Disclaimer: This project is in an __alpha__ state. In particular, it has not been tested in real-world scenarios or reviewed by forensic experts. Do __not__ use it in real-world investigations.
## Requirements
- [Docker](https://docs.docker.com/engine/install/)
## Installation
### Using the plugin with Docker (recommended)
1. Clone this repository
```
git clone https://github.com/vobst/BPFVol3
cd BPFVol3
```
2. Build the analysis container
```
./vol.sh --build
```
2. Alternatively: pull the latest image from the Github Container Registry
```
./vol.sh --pull
```
### Using the plugin with an existing Volatility3 installation
When using this method, it is recommended to stick to the __same__ release of Volatility3 as the Docker container, see `VOL_VER` in `vol.sh` for the currently supported release.
Note: Set `VOLHOME` to the root of your Volatility3 installation
1. Clone this repository
```
git clone https://github.com/vobst/BPFVol3
cd BPFVol3
```
2. Copy the files under `src/plugins` to a place where Volatility can find them, e.g., `${VOLHOME}/volatility3/plugins/linux`, or make use of the `--plugin-dirs` command line option when running `vol.py`
3. Create the directory `${VOLHOME}/volatility3/utility/` and copy the contents of `src/utility` into it
4. `git apply` the patch in `src/patches`
## Getting Started
We assume that you have some memory image that you want to analyze. If not, check out the `docs/examples` folder.
Note: Commands prefixed with `$` or `#` are executed on the host or in the analysis container, respectively.
1. Place the image in `io/dumps`. You can now read the banner using
```
$ ./vol.sh --run
# ./vol.py -f /io/dumps/ banners.Banners
```
2. Obtain the ISF file for the kernel in the dump and place it in `io/symbols`
2. Alternatively: Download the debug package for the kernel in the dump, copy the debug kernel and its `System.map` into the `io/kernels` folder. You can now generate the ISF file yourself
```
$ ./scripts/prepare_kernel.sh --symbols
```
3. Start the container and run a plugin
```
$ ./vol.sh --run
# ./vol.py -f /io/dumps/ linux.bpf_graph
```
## Documentation
- User manuals for the different plugins can be found in the `docs/` folder
- Case studies (including memory dumps and symbol files) can be found in the `docs/examples` folder
- There is a post about this project on [my blog](https://blog.eb9f.de/2023/12/21/bpf_memory_forensics_with_volatility_3.html)
- Below you can get an overview of the project
```
.
├── Dockerfile
├── docs
│   ├── bpf_graph.md
│   ├── bpf_listlinks.md
│   ├── bpf_listmaps.md
│   ├── bpf_listprocs.md
│   ├── bpf_listprogs.md
│   ├── bpf_lsm.md
│   ├── bpf_netdev.md
│   ├── examples
│   │   └── krie
│   │       └── krie.md
│   └── media
│       ├── alpha_logo.jpeg
│       ├── krie-3410c66d-26be0e1ef560.elf.png
│       └── krie-3410c66d-26be0e1ef560_filtered.png
├── io
│   ├── cache
│   ├── dumps
│   ├── kernels
│   ├── output
│   └── symbols
├── LICENSE.md
├── pyproject.toml
├── README.md
├── scripts
│   ├── bashrc
│   ├── container_init
│   ├── fix_symbols.sh
│   ├── gen_symbols.sh
│   └── pack_dump.sh
├── src
│   ├── patches
│   │   ├── v2.4.2.patch
│   │   └── v2.5.0.patch
│   ├── plugins
│   │   ├── bpf_graph.py
│   │   ├── bpf_listlinks.py
│   │   ├── bpf_listmaps.py
│   │   ├── bpf_listprocs.py
│   │   ├── bpf_listprogs.py
│   │   ├── bpf_lsm.py
│   │   ├── bpf_netdev.py
│   │   └── ifconfig.py
│   └── utility
│       ├── btf.py
│       ├── datastructures.py
│       ├── enums.py
│       ├── helpers.py
│       ├── link.py
│       ├── map.py
│       └── prog.py
└── vol.sh
```
## Contributing
Bug reports, feature requests and contributions are all highly welcome :)
Please use the standard GitHub issue/pull request workflow.