
I'm familiar with creating Linux memory profiles as stated here. However, this assumes that I have access to the live system, which oftentimes is not the case.

I heard there is a way to build the profile with the compiled linux kernel but I cannot find any documentation on how to do that through googling. Is anyone familiar with building volatility profiles from the compiled kernel and if so willing to provide instructions on how to do so?

Thanks!

user148614

1 Answer


You do not need access to a live system to create a volatility memory profile. What you do need are kernel headers for the running kernel, DWARF debug symbols, or the kernel source code in the exact version of the target kernel and the corresponding .config.

If you have a copy of the kernel with DWARF debug symbols (i.e. CONFIG_DEBUG_INFO=y was set when building the kernel), you can instead run dwarfdump on the kernel.

Assuming the kernel is built with the IKCONFIG option, you can use the extract-ikconfig script to extract the config from the kernel. If the IKCONFIG_PROC option is set, this may also be available on a live system under /proc/config.gz. Using this config, you can build the volatility module against your kernel source checkout.

If none of these options are viable, you are out of luck, and may need to reverse engineer the structure layouts.

plonk
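As an added example (not part of the answer above, nor the Volatility project's own tooling), the following POSIX shell script strings those steps together for an offline profile build: recover the .config with extract-ikconfig, build Volatility 2's module.ko against the kernel source tree with DWARF info, dump it with dwarfdump, and zip the result with System.map, with a second path for the case where a vmlinux built with CONFIG_DEBUG_INFO=y is at hand. Every path and the profile name are assumptions to be adjusted; the source checkout must match the target kernel version exactly.

```shell
#!/bin/sh
# Added example, not code from the answer above or from the Volatility project.
# Builds a Volatility 2 Linux profile offline from: a kernel source checkout of
# the exact target version, the .config recovered with extract-ikconfig from the
# kernel image, and the System.map that shipped with that kernel.
# All paths below are assumptions; override them via the environment.
set -eu

KSRC="${KSRC:-/path/to/linux-src}"                        # kernel source checkout
KIMAGE="${KIMAGE:-/path/to/vmlinuz}"                      # target kernel image
SYSMAP="${SYSMAP:-/path/to/System.map}"                   # matching System.map
VOLTOOLS="${VOLTOOLS:-/path/to/volatility/tools/linux}"   # Volatility 2 module dir
PROFILE="${PROFILE:-Target-kernel.zip}"                   # output profile name

# Print the kernel config embedded by IKCONFIG ($1 = kernel image or vmlinux).
extract_config() {
    "$KSRC/scripts/extract-ikconfig" "$1"
}

# Exit 0 if option $2 (without the CONFIG_ prefix) is =y or =m in config file $1.
config_enabled() {
    grep -Eq "^CONFIG_$2=(y|m)\$" "$1"
}

# Path 1: no debug-info kernel available; build module.ko against the source tree.
build_profile_from_source() {
    cfg="$KSRC/.config"
    extract_config "$KIMAGE" > "$cfg"
    config_enabled "$cfg" IKCONFIG || echo "warning: recovered config lacks IKCONFIG" >&2
    make -C "$KSRC" olddefconfig         # resolve options this tree does not know
    make -C "$KSRC" modules_prepare      # headers and scripts needed for module builds
    make -C "$KSRC" M="$VOLTOOLS" CONFIG_DEBUG_INFO=y modules
    dwarfdump -di "$VOLTOOLS/module.ko" > "$VOLTOOLS/module.dwarf"
    # A profile is just a zip of module.dwarf plus the kernel's System.map.
    zip -j "$PROFILE" "$VOLTOOLS/module.dwarf" "$SYSMAP"
}

# Path 2: a vmlinux built with CONFIG_DEBUG_INFO=y is available ($1 = vmlinux).
build_profile_from_vmlinux() {
    dwarfdump -di "$1" > module.dwarf
    zip -j "$PROFILE" module.dwarf "$SYSMAP"
}

case "${1:-}" in
    source)  build_profile_from_source ;;
    vmlinux) build_profile_from_vmlinux "$2" ;;
esac
```

Run it as `sh build_profile.sh source` or `sh build_profile.sh vmlinux /path/to/vmlinux`, then drop the resulting zip into volatility/plugins/overlays/linux/ so `vol.py --info` lists the new profile.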