lime-forensics-1.1-r17+dfsg/0000755000000000000000000000000012246243431014317 5ustar rootrootlime-forensics-1.1-r17+dfsg/doc/0000755000000000000000000000000012246244173015070 5ustar rootrootlime-forensics-1.1-r17+dfsg/src/0000755000000000000000000000000012122077367015114 5ustar rootrootlime-forensics-1.1-r17+dfsg/src/disk.c0000644000000000000000000000410512122076054016202 0ustar rootroot/* * LiME - Linux Memory Extractor * Copyright (c) 2011-2013 Joe Sylve - 504ENSICS Labs * * * Author: * Joe Sylve - joe.sylve@gmail.com, @jtsylve * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at * your option) any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "lime.h" int write_vaddr_disk(void *, size_t); int setup_disk(void); void cleanup_disk(void); static void disable_dio(void); static struct file * f = NULL; extern char * path; extern int dio; static void disable_dio() { DBG("Direct IO may not be supported on this file system. Retrying."); dio = 0; cleanup_disk(); setup_disk(); } int setup_disk() { mm_segment_t fs; int err; fs = get_fs(); set_fs(KERNEL_DS); if (dio) f = filp_open(path, O_WRONLY | O_CREAT | O_LARGEFILE | O_SYNC | O_DIRECT, 0444); if(!dio || (f == ERR_PTR(-EINVAL))) { DBG("Direct IO Disabled"); f = filp_open(path, O_WRONLY | O_CREAT | O_LARGEFILE, 0444); dio = 0; } if (!f || IS_ERR(f)) { DBG("Error opening file %ld", PTR_ERR(f)); set_fs(fs); err = (f) ? PTR_ERR(f) : -EIO; f = NULL; return err; } set_fs(fs); return 0; } void cleanup_disk() { mm_segment_t fs; fs = get_fs(); set_fs(KERNEL_DS); if(f) filp_close(f, NULL); set_fs(fs); } int write_vaddr_disk(void * v, size_t is) { mm_segment_t fs; long s; fs = get_fs(); set_fs(KERNEL_DS); s = vfs_write(f, v, is, &f->f_pos); set_fs(fs); if (s != is && dio) { disable_dio(); return write_vaddr_disk(v, is); } return s; } lime-forensics-1.1-r17+dfsg/src/Makefile.sample0000644000000000000000000000327312122076217020032 0ustar rootroot# LiME - Linux Memory Extractor # Copyright (c) 2011-2013 Joe Sylve - 504ENSICS Labs # # # Author: # Joe Sylve - joe.sylve@gmail.com, @jtsylve # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # This is a sample Makefile for cross-compiling the LiME LKM obj-m := lime.o lime-objs := tcp.o disk.o main.o KDIR_GOLD := /usr/local/kernels/goldfish/ KVER := $(shell uname -r) PWD := $(shell pwd) CCPATH := /usr/local/bin/google/android-ndk-r6b/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin default: # cross-compile for Android emulator $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR_GOLD) M=$(PWD) modules $(CCPATH)/arm-linux-androideabi-strip --strip-unneeded lime.ko mv lime.ko lime-goldfish.ko # compile for local system $(MAKE) -C /lib/modules/$(KVER)/build M=$(PWD) modules strip --strip-unneeded lime.ko mv lime.ko lime-$(KVER).ko $(MAKE) tidy tidy: rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d rm -rf \.tmp_versions clean: $(MAKE) tidy rm -f *.ko lime-forensics-1.1-r17+dfsg/src/tcp.c0000644000000000000000000000613012122076112016031 0ustar rootroot/* * LiME - Linux Memory Extractor * Copyright (c) 2011-2013 Joe Sylve - 504ENSICS Labs * * * Author: * Joe Sylve - joe.sylve@gmail.com, @jtsylve * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at * your option) any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include #include #include #include #include #include #include #include "lime.h" int write_vaddr_tcp(void *, size_t); int setup_tcp(void); void cleanup_tcp(void); extern int port; static struct socket *control; static struct socket *accept; int setup_tcp() { struct sockaddr_in saddr; int r; mm_segment_t fs; int buffsize = PAGE_SIZE; #if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,5) r = sock_create_kern(AF_INET, SOCK_STREAM, IPPROTO_TCP, &control); #else r = sock_create(AF_INET, SOCK_STREAM, IPPROTO_TCP, &control); #endif if (r < 0) { DBG("Error creating control socket"); return r; } memset(&saddr, 0, sizeof(saddr)); saddr.sin_family = AF_INET; saddr.sin_port = htons(port); saddr.sin_addr.s_addr = INADDR_ANY; fs = get_fs(); set_fs(KERNEL_DS); sock_setsockopt(control, SOL_SOCKET, SO_SNDBUF, (void *) &buffsize, sizeof (int)); set_fs(fs); if (r < 0) { DBG("Error setting buffsize %d", r); return r; } r = control->ops->bind(control,(struct sockaddr*) &saddr,sizeof(saddr)); if (r < 0) { DBG("Error binding control socket"); return r; } r = control->ops->listen(control,1); if (r) { DBG("Error listening on socket"); return r; } #if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,5) r = sock_create_kern(PF_INET, SOCK_STREAM, IPPROTO_TCP, &accept); #else r = sock_create(PF_INET, SOCK_STREAM, IPPROTO_TCP, &accept); #endif if (r < 0) { DBG("Error creating accept socket"); return r; } r = accept->ops->accept(control,accept,0); if (r < 0) { DBG("Error accepting socket"); return r; } return 0; } void cleanup_tcp() { if (accept && accept->ops) { accept->ops->shutdown(accept, 0); accept->ops->release(accept); } if (control && control->ops) { control->ops->shutdown(control, 0); control->ops->release(control); } } int write_vaddr_tcp(void * v, size_t is) { mm_segment_t fs; long s; struct iovec iov; struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 }; fs = get_fs(); set_fs(KERNEL_DS); iov.iov_base = v; iov.iov_len = is; s = sock_sendmsg(accept, &msg, is); set_fs(fs); return s; } lime-forensics-1.1-r17+dfsg/src/lime.h0000644000000000000000000000350512122076033016203 0ustar rootroot/* * LiME - Linux Memory Extractor * Copyright (c) 2011-2013 Joe Sylve - 504ENSICS Labs * * * Author: * Joe Sylve - joe.sylve@gmail.com, @jtsylve * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at * your option) any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef __LIME_H_ #define __LIME_H_ #include #include #include #include #include #include #include #include #include #include #define LIME_RAMSTR "System RAM" #define LIME_MAX_FILENAME_SIZE 256 #define LIME_MAGIC 0x4C694D45 //LiME #define LIME_MODE_RAW 0 #define LIME_MODE_LIME 1 #define LIME_MODE_PADDED 2 #define LIME_METHOD_UNKNOWN 0 #define LIME_METHOD_TCP 1 #define LIME_METHOD_DISK 2 #undef LIME_DEBUG //#define LIME_DEBUG #ifdef LIME_DEBUG #define DBG(fmt, args...) do { printk("[LiME] "fmt"\n", ## args); } while (0) #else #define DBG(fmt, args...) do {} while(0) #endif //structures typedef struct { unsigned int magic; unsigned int version; unsigned long long s_addr; unsigned long long e_addr; unsigned char reserved[8]; } __attribute__ ((__packed__)) lime_mem_range_header; #endif //__LIME_H_ lime-forensics-1.1-r17+dfsg/src/main.c0000644000000000000000000001164412122076100016172 0ustar rootroot/* * LiME - Linux Memory Extractor * Copyright (c) 2011-2013 Joe Sylve - 504ENSICS Labs * * * Author: * Joe Sylve - joe.sylve@gmail.com, @jtsylve * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at * your option) any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "lime.h" // This file static int write_lime_header(struct resource *); static int write_padding(size_t); static int write_range(struct resource *); static int write_vaddr(void *, size_t); static int setup(void); static void cleanup(void); static int init(void); // External extern int write_vaddr_tcp(void *, size_t); extern int setup_tcp(void); extern void cleanup_tcp(void); extern int write_vaddr_disk(void *, size_t); extern int setup_disk(void); extern void cleanup_disk(void); static char * format = 0; static int mode = 0; static int method = 0; static char zero_page[PAGE_SIZE]; char * path = 0; int dio = 1; int port = 0; extern struct resource iomem_resource; module_param(path, charp, S_IRUGO); module_param(dio, bool, S_IRUGO); module_param(format, charp, S_IRUGO); int init_module (void) { if(!path) { DBG("No path parameter specified"); return -EINVAL; } if(!format) { DBG("No format parameter specified"); return -EINVAL; } DBG("Parameters"); DBG(" PATH: %s", path); DBG(" DIO: %u", dio); DBG(" FORMAT: %s", format); memset(zero_page, 0, sizeof(zero_page)); if (!strcmp(format, "raw")) mode = LIME_MODE_RAW; else if (!strcmp(format, "lime")) mode = LIME_MODE_LIME; else if (!strcmp(format, "padded")) mode = LIME_MODE_PADDED; else { DBG("Invalid format parameter specified."); return -EINVAL; } method = (sscanf(path, "tcp:%d", &port) == 1) ? LIME_METHOD_TCP : LIME_METHOD_DISK; return init(); } static int init() { struct resource *p; int err = 0; #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18) resource_size_t p_last = -1; #else __PTRDIFF_TYPE__ p_last = -1; #endif DBG("Initilizing Dump..."); if((err = setup())) { DBG("Setup Error"); cleanup(); return err; } for (p = iomem_resource.child; p ; p = p->sibling) { if (strncmp(p->name, LIME_RAMSTR, sizeof(LIME_RAMSTR))) continue; if (mode == LIME_MODE_LIME && (err = write_lime_header(p))) { DBG("Error writing header 0x%lx - 0x%lx", (long) p->start, (long) p->end); break; } else if (mode == LIME_MODE_PADDED && (err = write_padding((size_t) ((p->start - 1) - p_last)))) { DBG("Error writing padding 0x%lx - 0x%lx", (long) p_last, (long) p->start - 1); break; } if ((err = write_range(p))) { DBG("Error writing range 0x%lx - 0x%lx", (long) p->start, (long) p->end); break; } p_last = p->end; } cleanup(); return err; } static int write_lime_header(struct resource * res) { long s; lime_mem_range_header header; memset(&header, 0, sizeof(lime_mem_range_header)); header.magic = LIME_MAGIC; header.version = 1; header.s_addr = res->start; header.e_addr = res->end; s = write_vaddr(&header, sizeof(lime_mem_range_header)); if (s != sizeof(lime_mem_range_header)) { DBG("Error sending header %ld", s); return (int) s; } return 0; } static int write_padding(size_t s) { size_t i = 0; int r; while(s -= i) { i = min((size_t) PAGE_SIZE, s); r = write_vaddr(zero_page, i); if (r != i) { DBG("Error sending zero page: %d", r); return r; } } return 0; } static int write_range(struct resource * res) { #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18) resource_size_t i, is; #else __PTRDIFF_TYPE__ i, is; #endif struct page * p; void * v; int s; for (i = res->start; i <= res->end; i += PAGE_SIZE) { p = pfn_to_page((i) >> PAGE_SHIFT); is = min((size_t) PAGE_SIZE, (size_t) (res->end - i + 1)); v = kmap(p); s = write_vaddr(v, is); kunmap(p); if (s != is) { DBG("Error sending page %d", s); return (int) s; } } return 0; } static int write_vaddr(void * v, size_t is) { return (method == LIME_METHOD_TCP) ? write_vaddr_tcp(v, is) : write_vaddr_disk(v, is); } static int setup(void) { return (method == LIME_METHOD_TCP) ? setup_tcp() : setup_disk(); } static void cleanup(void) { return (method == LIME_METHOD_TCP) ? cleanup_tcp() : cleanup_disk(); } void cleanup_module(void) { } //MODULE_AUTHOR ("Joe T. Sylve, joe@digitalforensicssolutions.com"); //MODULE_DESCRIPTION ("Perform physical memory dump on Linux and Android devices."); MODULE_LICENSE("GPL"); lime-forensics-1.1-r17+dfsg/src/Makefile0000644000000000000000000000234012122076172016544 0ustar rootroot# LiME - Linux Memory Extractor # Copyright (c) 2011-2013 Joe Sylve - 504ENSICS Labs # # # Author: # Joe Sylve - joe.sylve@gmail.com, @jtsylve # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA obj-m := lime.o lime-objs := tcp.o disk.o main.o KVER := $(shell uname -r) PWD := $(shell pwd) default: $(MAKE) -C /lib/modules/$(KVER)/build M=$(PWD) modules strip --strip-unneeded lime.ko mv lime.ko lime-$(KVER).ko $(MAKE) tidy tidy: rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d rm -rf \.tmp_versions clean: $(MAKE) tidy rm -f *.ko