The goal of this volatility plugin is to extract a screenshot of all open X windows from a memory dump.
Overview
The plugin first dumps the X server memory mappings. These mappings are then given in input to a C program (loader), along with the output of Adam’s plugin. This C program mmaps (with the MAP_FIXED flag) the memory mappings of Xorg into its own address space. In this way we recereate the address space of Xorg, ensuring that no reference between code and data is broken. The loader then calls a function (compGetImage) contained in the Xorg code and saves the result to file. We identified this “magic” function by looking at how X serves a request for screenshot during normal usage. Fortunately, this function can always be found accurately since struct _Screen contains a pointer to it.
Another good feature of this approach is that it is able to retreive the screenshot even if the screen was locked at the time of dumping, and even of windows hidden behind other windows!


Usage
After cloning this repository, compile the loader:

gcc -Wall -o loader loader.c

To use the plugins:

vol.py --plugins=$PWD/plugins/ --profile=XXX -f ./vbox.dmp linux_screenshot_xwindows --out-dir /tmp/xwds/

To convert the results from xwd to png:

find /tmp/xwds/ -type f -name "*.xwd" -exec convert  .png ;

Tested version of Xorg
We successuly retrived the screenshot from the following setups:

  1. Ubuntu 14.04 LTS – X.Org X Server 1.15.1 (Release Date: 2014-04-13)
  2. Ubuntu 16-04 LTS – X.Org X Server 1.18.4 (Release Date: 2016-07-19)
  3. Debian 9 Testing – X.Org X Server 1.19.6 (Release Date: 2017-12-20)
  4. Kubuntu 18.04 LTS – X.Org X Server 1.19.6 (Release Date: 2017-12-20)

Notes
A few random but important notes:

  1. In order to limit the process to only “drawable” images we select in the volatility plugin only the images with reasonable size.
  2. This tools works only if Xorg uses software rendering. This is not usually the case on physical machines but it was used by default on the VirtualBox machines we tested.
  3. Don’t forget that you are seamlessly running code extracted from a memory dump. It is probably not difficult for an attacker to tamper the dump and gain code execution on your box. So take the necessary precautions.

Authors
This project has been completed during a Semester Project in Fall 2017 at Eurecom, and realised by two Eurecom students: Hamdi Ammar and Ahmed Mkadem. It was supervised by Fabio Pagani and Davide Balzarotti