

Background

A VMware virtual machine hung. A manual reboot does not trigger a kernel panic, so kdump never produces a vmcore that could be used for root-cause analysis. In this situation you have to take a memory snapshot of the VM by hand and then analyze the cause of the hang with Volatility.

Setup

Use VMware to take a memory snapshot of the VM, and also reboot the VM. Download the Volatility release that matches your Python version (Volatility 2 for Python 2, Volatility3 for Python 3) and install the distorm3 dependency:

```
pip install distorm3
```

Normally, once these steps are complete, Volatility can analyze the memory snapshot.

Usage

1. Identify the system

Use the imageinfo command to inspect the image and find a matching profile:

```
python vol.py -f /root/vm_snapshot/Test.vmem imageinfo
```

If you already know which system the image came from, you can pick one of the built-in profiles directly:

```
$ python vol.py --info
Volatility Foundation Volatility Framework 2.6.1

Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
... ...
```

As the list shows, Volatility only ships with Windows profiles, so imageinfo does not complete properly on a Linux image:

```
$ python vol.py -f /root/vm_snapshot/Test.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
```

When this happens, none of Volatility's bundled profiles can analyze the snapshot, and you need to build your own Linux profile. The build may fail with compilation errors such as a gcc version mismatch or a missing dwarf library; solutions for these are easy to find online and are not repeated here.

```
$ cd tools/linux/
$ pwd
/root/volatility/tools/linux
$ ls
kcore  Makefile  Makefile.enterprise  module.c
$ make
make -C //lib/modules/4.9.0-19-linx-security-amd64/build CONFIG_DEBUG_INFO=y M=/root/volatility/tools/linux modules
make[1]: Entering directory /usr/src/linux-headers-4.9.0-19-linx-security-amd64
  CC [M]  /root/volatility/tools/linux/module.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/volatility/tools/linux/module.mod.o
  LD [M]  /root/volatility/tools/linux/module.ko
make[1]: Leaving directory /usr/src/linux-headers-4.9.0-19-linx-security-amd64
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/4.9.0-19-linx-security-amd64/build M=/root/volatility/tools/linux clean
make[1]: Entering directory /usr/src/linux-headers-4.9.0-19-linx-security-amd64
  CLEAN   /root/volatility/tools/linux/.tmp_versions
  CLEAN   /root/volatility/tools/linux/Module.symvers
make[1]: Leaving directory /usr/src/linux-headers-4.9.0-19-linx-security-amd64
```

Once the build finishes, a module.dwarf file appears in the directory. Package it together with the kernel's System.map into a zip under the Linux overlays directory; that zip is the Volatility profile:

```
$ ls -l module.dwarf
-rw-r--r-- 1 root root 3191958 4月 16 11:23 module.dwarf
$ ls -l /boot/System.map-4.9.0-19-linx-security-amd64
-rw-r--r-- 1 root root 3220023 6月 25 2024 /boot/System.map-4.9.0-19-linx-security-amd64
$ zip volatility/plugins/overlays/linux/Linx_6.0.80.zip tools/linux/module.dwarf /boot/System.map-4.9.0-19-linx-security-amd64
updating: tools/linux/module.dwarf (deflated 91%)
updating: boot/System.map-4.9.0-19-linx-security-amd64 (deflated 79%)
```

After that, use --info to confirm that the profile is registered:

```
$ python vol.py -f /root/vm_snapshot/Test.vmem --info|grep Linx
Volatility Foundation Volatility Framework 2.6.1
LinuxLinx_6_0_80x64 - A Profile for Linux Linx_6.0.80 x64
```

2. Running plugins

Use -h to list the commands the profile supports:

```
$ python vol.py -f /root/vm_snapshot/Test.vmem --profile=LinuxLinx_6_0_80x64 -h
Volatility Foundation Volatility Framework 2.6.1
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=LinuxLinx_6_0_80x64
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l file:///root/vm_snapshot/Test.vmem, --location=file:///root/vm_snapshot/Test.vmem
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  --physical_shift=PHYSICAL_SHIFT
                        Linux kernel physical shift address
  --virtual_shift=VIRTUAL_SHIFT
                        Linux kernel virtual shift address
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

Supported Plugin Commands:

  imagecopy                  Copies a physical address space out as a raw DD image
  limeinfo                   Dump Lime file format information
  linux_apihooks             Checks for userland apihooks
  linux_arp                  Print the ARP table
  linux_aslr_shift           Automatically detect the Linux ASLR shift
  linux_banner               Prints the Linux banner information
  linux_bash                 Recover bash history from bash process memory
  linux_bash_env             Recover a process dynamic environment variables
  linux_bash_hash            Recover bash hash table from bash process memory
  linux_check_afinfo         Verifies the operation function pointers of network protocols
  linux_check_creds          Checks if any processes are sharing credential structures
  linux_check_fop            Check file operation structures for rootkit modifications
  linux_check_idt            Checks if the IDT has been altered
  linux_check_inline_kernel  Check for inline kernel hooks
  linux_check_modules        Compares module list to sysfs info, if available
  linux_check_syscall        Checks if the system call table has been altered
  linux_check_tty            Checks tty devices for hooks
  linux_cpuinfo              Prints info about each active processor
  linux_dentry_cache         Gather files from the dentry cache
  linux_dmesg                Gather dmesg buffer
  linux_dump_map             Writes selected memory mappings to disk
  linux_dynamic_env          Recover a process dynamic environment variables
  linux_elfs                 Find ELF binaries in process mappings
  linux_enumerate_files      Lists files referenced by the filesystem cache
  linux_find_file            Lists and recovers files from memory
  linux_getcwd               Lists current working directory of each process
  linux_hidden_modules       Carves memory to find hidden kernel modules
  linux_ifconfig             Gathers active interfaces
  linux_info_regs            It's like info registers in GDB. It prints out all the
  linux_iomem                Provides output similar to /proc/iomem
  linux_kernel_opened_files  Lists files that are opened from within the kernel
  linux_keyboard_notifiers   Parses the keyboard notifier call chain
  linux_ldrmodules           Compares the output of proc maps with the list of libraries from libdl
  linux_library_list         Lists libraries loaded into a process
  linux_librarydump          Dumps shared libraries in process memory to disk
  linux_list_raw             List applications with promiscuous sockets
  linux_lsmod                Gather loaded kernel modules
  linux_lsof                 Lists file descriptors and their path
  linux_malfind              Looks for suspicious process mappings
  linux_memmap               Dumps the memory map for linux tasks
  linux_moddump              Extract loaded kernel modules
  linux_mount                Gather mounted fs/devices
  linux_mount_cache          Gather mounted fs/devices from kmem_cache
  linux_netfilter            Lists Netfilter hooks
  linux_netscan              Carves for network connection structures
  linux_netstat              Lists open sockets
  linux_pidhashtable         Enumerates processes through the PID hash table
  linux_pkt_queues           Writes per-process packet queues out to disk
  linux_plthook              Scan ELF binaries' PLT for hooks to non-NEEDED images
  linux_proc_maps            Gathers process memory maps
  linux_proc_maps_rb         Gathers process maps for linux through the mappings red-black tree
  linux_procdump             Dumps a process's executable image to disk
  linux_process_hollow       Checks for signs of process hollowing
  linux_psaux                Gathers processes along with full command line and start time
  linux_psenv                Gathers processes along with their static environment variables
  linux_pslist               Gather active tasks by walking the task_struct->task list
  linux_pslist_cache         Gather tasks from the kmem_cache
  linux_psscan               Scan physical memory for processes
  linux_pstree               Shows the parent/child relationship between processes
  linux_psxview              Find hidden processes with various process listings
  linux_recover_filesystem   Recovers the entire cached file system from memory
  linux_route_cache          Recovers the routing cache from memory
  linux_sk_buff_cache        Recovers packets from the sk_buff kmem_cache
  linux_slabinfo             Mimics /proc/slabinfo on a running machine
  linux_strings              Match physical offsets to virtual addresses (may take a while, VERY verbose)
  linux_threads              Prints threads of processes
  linux_tmpfs                Recovers tmpfs filesystems from memory
  linux_truecrypt_passphrase Recovers cached Truecrypt passphrases
  linux_vma_cache            Gather VMAs from the vm_area_struct cache
  linux_volshell             Shell in the memory image
  linux_yarascan             A shell in the Linux memory image
  mbrparser                  Scans for and parses potential Master Boot Records (MBRs)
  patcher                    Patches memory based on page scans
  raw2dmp                    Converts a physical memory sample to a windbg crash dump
  vmwareinfo                 Dump VMware VMSS/VMSN information
```

Volatility3

Volatility3 is used much like Volatility 2, but its option list has changed considerably; use -h to see the supported plugins. The major difference is that Volatility3 dropped the profiles, which are cumbersome to build, in favor of symbol tables. Because Linux kernel versions are so numerous and varied, no comprehensive set of symbol tables is shipped, so to use Volatility3 on a Linux image you must generate your own symbol file with dwarf2json:

```
$ ./dwarf2json linux
No files specified
Usage: dwarf2json linux [OPTIONS]
  --elf PATH          ELF file PATH to extract symbol and type information
  --elf-symbols PATH  ELF file PATH to extract only symbol information
  --elf-types PATH    ELF file PATH to extract only type information
  --system-map PATH   System.Map file PATH to extract symbol information
```

--system-map takes the kernel's System.map file from /boot, and --elf must point to a vmlinux that carries debug symbols. Save dwarf2json's output in the Volatility3 root directory and it is ready to use:

```
$ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-137-generic > output.json
# list processes with Volatility3
$ python3 vol.py -f /vm_snapshot/Test.vmem -s . linux.pslist.PsList
```
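A sanity check for the Volatility 2 profile zip built in the section above, as an added example that is not code from the original post or from Volatility: it verifies that the zip holds one .dwarf and one System.map member, that the System.map carries the symbols the Linux plugins depend on and the dwarf describes task_struct, and it predicts the profile name Volatility will register (Linx_6.0.80.zip became LinuxLinx_6_0_80x64 above). The sample dwarf and System.map contents are constructed, and inferring the architecture from the System.map address width is an assumption of this example.

```python
import io
import os
import zipfile

# Symbols Volatility 2's Linux plugins need before they can walk the task list.
REQUIRED_SYMBOLS = ("init_task", "linux_banner")
# Constructed stand-ins for module.dwarf and System.map (not real kernel data).
SAMPLE_DWARF = b"DW_TAG_structure_type\n  DW_AT_name  task_struct\n"
SAMPLE_SYSMAP = "ffffffff81a00000 D init_task\nffffffff81c00000 R linux_banner\n"


def parse_system_map(text):
    """Parse System.map lines ('address type name') into {name: address}."""
    rows = [line.split() for line in text.splitlines()]
    return {r[2]: int(r[0], 16) for r in rows if len(r) == 3}


def profile_name(zip_name, sysmap_text):
    """Name Volatility registers: 'Linux' + zip stem (dots -> underscores) + arch.
    Inferring the arch from the System.map address width is an assumption."""
    stem = os.path.splitext(os.path.basename(zip_name))[0].replace(".", "_")
    return "Linux" + stem + ("x64" if len(sysmap_text.split()[0]) == 16 else "x86")


def check_profile(zip_file):
    """Return the problems found in a profile zip (path or file object);
    an empty list means it carries what Volatility needs to load it."""
    problems = []
    with zipfile.ZipFile(zip_file) as zf:
        dwarfs = [n for n in zf.namelist() if n.endswith(".dwarf")]
        sysmaps = [n for n in zf.namelist() if "System.map" in n]
        if len(dwarfs) != 1:
            problems.append("expected one .dwarf member, found %d" % len(dwarfs))
        if len(sysmaps) != 1:
            problems.append("expected one System.map member, found %d" % len(sysmaps))
        if dwarfs and b"task_struct" not in zf.read(dwarfs[0]):
            problems.append("dwarf lacks task_struct: built against the wrong headers?")
        if sysmaps:
            symbols = parse_system_map(zf.read(sysmaps[0]).decode())
            problems += ["System.map lacks %s" % s
                         for s in REQUIRED_SYMBOLS if s not in symbols]
    return problems


def build_sample_profile(include_sysmap=True):
    """In-memory zip laid out like the one the `zip` command above produces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/linux/module.dwarf", SAMPLE_DWARF)
        if include_sysmap:
            zf.writestr("boot/System.map-4.9.0-19-linx-security-amd64", SAMPLE_SYSMAP)
    buf.seek(0)
    return buf
```

Run check_profile against the real zip path under volatility/plugins/overlays/linux/ before spending time on a profile that --info refuses to list.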
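To show why the `-s .` lookup in the Volatility3 section only succeeds when the symbol file was generated from the exact kernel that was captured, this added example (not code from the original post or from the Volatility3 project) scans a raw image for the kernel banner and compares it with the banner that dwarf2json stores as constant_data on the linux_banner symbol, which is the identifier Volatility3 uses to match an ISF file to an image. The image slice and the ISF fragment are constructed samples, and the banner regex is this example's own rather than Volatility3's.

```python
import base64
import json
import re

# Kernel banner as it sits in memory: "Linux version ..." up to the terminating NUL.
BANNER_RE = re.compile(rb"Linux version [0-9][^\x00]{0,255}")

# Constructed sample data (not a real capture): a slice of a .vmem and an ISF
# fragment shaped like dwarf2json output, whose linux_banner carries constant_data.
BANNER = b"Linux version 4.4.0-137-generic (buildd@lgw01-amd64-001) #163-Ubuntu SMP\n"
SAMPLE_IMAGE = b"\x00" * 32 + BANNER + b"\x00" * 32
SAMPLE_ISF = {
    "metadata": {"format": "6.2.0", "producer": {"name": "dwarf2json"}},
    "symbols": {"linux_banner": {"address": 0xFFFFFFFF81E00020,
                                 "constant_data": base64.b64encode(BANNER).decode()}},
}


def _clean(raw):
    return raw.rstrip(b"\x00\n").decode(errors="replace")


def image_banners(image):
    """Every distinct Linux banner string found in a raw memory image."""
    return sorted({_clean(m.group(0)) for m in BANNER_RE.finditer(image)})


def isf_banner(isf):
    """Banner dwarf2json stored alongside the linux_banner symbol; None when the
    ISF has none (e.g. generated from System.map alone, without --elf)."""
    sym = isf.get("symbols", {}).get("linux_banner", {})
    data = sym.get("constant_data")
    return _clean(base64.b64decode(data)) if data else None


def isf_matches_image(isf, image):
    """True when the ISF was built for the exact kernel whose banner is in the
    image; a mismatch here is why Volatility3 reports no suitable symbol table."""
    banner = isf_banner(isf)
    return banner is not None and banner in image_banners(image)


def load_isf(path):
    """Read an ISF JSON file as written by dwarf2json (e.g. output.json)."""
    with open(path) as fh:
        return json.load(fh)
```

For a real case, read Test.vmem into bytes and pass `load_isf("output.json")` together with it; the banner strings from both sides tell you which kernel package the debug vmlinux must come from.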
