loader), along with the output of Adam’s plugin. This C program
mmaps (with the
MAP_FIXEDflag) the memory mappings of Xorg into its own address space. In this way we recereate the address space of Xorg, ensuring that no reference between code and data is broken. The loader then calls a function (
compGetImage) contained in the Xorg code and saves the result to file. We identified this “magic” function by looking at how X serves a request for screenshot during normal usage. Fortunately, this function can always be found accurately since
struct _Screencontains a pointer to it.
gcc -Wall -o loader loader.c
To use the plugins:
vol.py --plugins=$PWD/plugins/ --profile=XXX -f ./vbox.dmp linux_screenshot_xwindows --out-dir /tmp/xwds/
To convert the results from
find /tmp/xwds/ -type f -name "*.xwd" -exec convert .png ;
Tested version of Xorg
We successuly retrived the screenshot from the following setups:
- Ubuntu 14.04 LTS – X.Org X Server 1.15.1 (Release Date: 2014-04-13)
- Ubuntu 16-04 LTS – X.Org X Server 1.18.4 (Release Date: 2016-07-19)
- Debian 9 Testing – X.Org X Server 1.19.6 (Release Date: 2017-12-20)
- Kubuntu 18.04 LTS – X.Org X Server 1.19.6 (Release Date: 2017-12-20)
A few random but important notes:
- In order to limit the process to only “drawable” images we select in the volatility plugin only the images with reasonable size.
- This tools works only if Xorg uses software rendering. This is not usually the case on physical machines but it was used by default on the VirtualBox machines we tested.
- Don’t forget that you are seamlessly running code extracted from a memory dump. It is probably not difficult for an attacker to tamper the dump and gain code execution on your box. So take the necessary precautions.
This project has been completed during a Semester Project in Fall 2017 at Eurecom, and realised by two Eurecom students: Hamdi Ammar and Ahmed Mkadem. It was supervised by Fabio Pagani and Davide Balzarotti