Memory dump docker container for memory forensics.


Ori Gil

Jul 21, 2014, 8:48:34 AM
to docke...@googlegroups.com

I'm trying to find a way to perform a memory dump on a docker container in order to perform memory forensics (to detect malware exploits for example). I would like to be able to perform the same methods I use on a virtual machine. The problem is that docker containers (and any kind of linux containers) use memory in a different way - containers share resources, use namespaces and cgroups...

I'd like to program a tool that performs this but am a bit lost as to where to begin.

How would one approach this problem?

Thanks in advance!

Leen Besselink

Jul 21, 2014, 9:18:59 AM
to docke...@googlegroups.com
On Mon, Jul 21, 2014 at 05:48:34AM -0700, Ori Gil wrote:
>
>
> I'm trying to find a way to perform a memory dump on a docker container in
> order to perform memory forensics (to detect malware exploits for example).
> I would like to be able to perform the same methods I use on a virtual
> machine. The problem is that docker containers (and any kind of linux
> containers) use memory in a different way - containers share resources, use
> namespaces and cgroups...
>
> *I'd like to program a tool that performs this but am a bit lost as to
> where to begin.*
>
> How would one approach this problem?
>
> Thanks in advance!
>

Hi,

I'm not (yet?) a Docker developer, but I can answer a few general questions and give some hints.

A container is just a bunch of processes in a separate namespace.

So it sounds to me like you want to get a list of the processes whose memory contents you need to dump.

And you want to snapshot that memory as a whole, at the same time.

So you might want to freeze all the processes in the container before you dump the memory.

If it is specifically for malware, you might want to know a bit more about the kernel structures that are in use for these processes.

Have you looked at http://criu.org/ yet?

Hope this helps.

Have a good day,
Leen.

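The procedure Leen sketches (enumerate the container's processes via their PID namespace, freeze them, dump each one's memory) as an added worked example. This is not code from the thread, from Docker or from CRIU. It assumes Linux with /proc mounted, the cgroup-v2 freezer file `cgroup.freeze` (the caller supplies the container's cgroup directory), and root or CAP_SYS_PTRACE for any process other than our own; the `TARGET_PID` environment variable and the `self_demo` helper are conventions of this example only. A container's init PID can be obtained on the host with `docker inspect --format '{{.State.Pid}}' <container>`. Note that the result is one dump per process plus an address index, not the single physical-memory image of a VM that tools like Volatility expect, which is exactly the gap the original question is about.

```python
#!/usr/bin/env python3
"""Dump the memory of the processes that make up a container (added example)."""
import os
import re
import tempfile

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")
CHUNK = 1 << 20  # copy mappings in 1 MiB pieces


def pid_namespace(pid):
    """Identity of the PID namespace a process lives in, e.g. 'pid:[4026531836]'."""
    return os.readlink(f"/proc/{pid}/ns/pid")


def pids_in_namespace(reference_pid=None):
    """Every PID in /proc sharing reference_pid's PID namespace (default: our own).
    Given one PID inside a container this is the container's process list as seen
    from the host; processes we are not allowed to inspect are skipped."""
    wanted = pid_namespace(reference_pid or os.getpid())
    found = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                if pid_namespace(int(name)) == wanted:
                    found.append(int(name))
            except OSError:
                continue
    return sorted(found)


def freeze_cgroup(cgroup_dir, frozen=True):
    """Freeze (or thaw) every task in a cgroup-v2 cgroup so the dump is a consistent
    snapshot of all processes at once. Needs root; not exercised by the self-test."""
    with open(os.path.join(cgroup_dir, "cgroup.freeze"), "w") as f:
        f.write("1" if frozen else "0")


def parse_maps(pid):
    """Return the process's mappings as dicts with start, end, perms and path."""
    regions = []
    with open(f"/proc/{pid}/maps") as f:
        for line in f:
            m = MAPS_RE.match(line.rstrip("\n"))
            if m:
                start, end, perms, path = m.groups()
                regions.append({"start": int(start, 16), "end": int(end, 16),
                                "perms": perms, "path": path})
    return regions


def dump_process_memory(pid, out_path):
    """Copy every readable mapping of pid into out_path. Returns an index (region
    plus file_offset/length) so offsets in the dump map back to virtual addresses."""
    index = []
    mem_fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        with open(out_path, "wb") as out:
            for r in parse_maps(pid):
                # [vvar]/[vsyscall] cannot be read through /proc/<pid>/mem
                if r["perms"][0] != "r" or r["path"] in ("[vvar]", "[vsyscall]"):
                    continue
                file_offset, pos, length = out.tell(), r["start"], 0
                try:
                    while pos < r["end"]:
                        chunk = os.pread(mem_fd, min(CHUNK, r["end"] - pos), pos)
                        if not chunk:
                            break
                        out.write(chunk)
                        pos += len(chunk)
                        length += len(chunk)
                except (OSError, OverflowError):
                    pass  # unreadable page (guard page, past EOF of a file mapping): keep what we got
                if length:
                    index.append({**r, "file_offset": file_offset, "length": length})
    finally:
        os.close(mem_fd)
    return index


def find_in_dump(out_path, index, needle):
    """Virtual addresses of every occurrence of needle in the dump file."""
    with open(out_path, "rb") as f:
        data = f.read()
    addrs, off = [], data.find(needle)
    while off != -1:
        for r in index:
            if r["file_offset"] <= off < r["file_offset"] + r["length"]:
                addrs.append(r["start"] + off - r["file_offset"])
                break
        off = data.find(needle, off + 1)
    return addrs


def read_virtual(pid, addr, length):
    """Read bytes at a virtual address of the live process (b'' if unreadable)."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        return os.pread(fd, length, addr)
    except OSError:
        return b""
    finally:
        os.close(fd)


def self_demo(marker):
    """Dump our own process, find a constructed marker in the dump and confirm the
    recovered address reads back the same bytes from the live process.
    Returns (regions_dumped, addresses_found, round_trip_ok)."""
    pid = os.getpid()
    fd, path = tempfile.mkstemp(prefix="memdump-")
    os.close(fd)
    try:
        index = dump_process_memory(pid, path)
        addrs = find_in_dump(path, index, marker)
        ok = any(read_virtual(pid, a, len(marker)) == marker for a in addrs)
    finally:
        os.unlink(path)
    return len(index), addrs, ok


if __name__ == "__main__":
    target = int(os.environ.get("TARGET_PID", os.getpid()))  # e.g. a container's init PID
    for p in pids_in_namespace(target):
        print(p, len(dump_process_memory(p, f"/tmp/memdump-{p}.bin")), "regions dumped")
```

Run as root with `TARGET_PID` set to the container's init PID (after `freeze_cgroup` on the container's cgroup directory) to get one dump file per container process; each index entry records which virtual address range a stretch of the file came from, which is what any later analysis of the dump needs in order to follow pointers.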

Ori Gil

Jul 22, 2014, 10:42:13 AM
to docke...@googlegroups.com, le...@consolejunkie.net
Hey,
Thanks for the quick reply.

As you said regarding the malware, I do know how to do these forensics, but on a memory dump from a linux virtual machine.
I was hoping to solve this using reduction:
Somehow get a memory dump of the container and concatenate it to the memory dumps of the other segments that the processes in the container use -> And feed this to volatility.

Time to test this...

Good day,
Ori