An automated solution to generate profile for memory forensic and virtual machine introspection
- The current version is an initial prototype with basic functionalities.
- Need to come up with a better name
Linux-amd64 (tested on Ubuntu 16.04). Dependencies:
- SWI-Prolog:
  $ sudo apt-get install swi-prolog
- PySwip:
  $ pip install pyswip
Clone the repository:
$ git clone https://github.com/enlighten5/ProfileGenerator.git
and you are ready to go.
This tool has been tested on several Debian and Ubuntu systems, with Linux kernels from 2.6 to 5.4.
One test image (lede-4.4.50.bin) can be found here:
$ wget https://cluster.hpcc.ucr.edu/~zqi020/image/lede-4.4.50.bin
$ cd prolog_engine
$ python prolog_query.py /PATH/TO/TEST/IMAGE
The output is saved in profile.txt. Run
$ python aggregrate.py
to parse the profile.
To create a Volatility profile, simply replace the generated fields in an existing profile. This step may be automated in a future version.
- Auto-locate kernel page table.
- Resilient against KASLR
- Auto-generate profiles directly from raw memory dumps
This project is under the GPLv3 license. See LICENSE for details.
- Some of the functions are from Volatility: https://github.com/volatilityfoundation/volatility.git
- SWI-prolog: https://www.swi-prolog.org/
- PySwip: https://github.com/yuce/pyswip.git
- Hat tip to anyone whose code was used.