Installing GCC on CentOS 5.5 to Compile LiME

1 Overview

Recently I ran into a system running CentOS 5.5 whose production environment has neither GCC nor GDB. I needed to capture the key memory of this machine and take it back for analysis with volatility.

Approach 1: use a tool to dump the memory of a single process, reading cat /proc/[PID]/maps to locate and extract the process's key memory regions.

There is a similar project on GitHub that can be used as a reference: https://github.com/WangYinuo/MemDump

But because there were too many processes, this approach was rejected.

Approach 2: compile LiME on a CentOS system of the same version as the victim system, then load the .ko module to capture memory.

Because the yum repositories for this version are no longer updated, the only option is to install GCC manually from the RPM packages shipped on the installation disc, compile LiME, and then build the metadata (profile) for analysis with volatility.

Installation disc: http://vault.centos.org/5.5/isos/x86_64/CentOS-5.5-x86_64-bin-DVD.torrent

1.1 Installing GCC

  • Open the VMware interface, choose VM--Settings from the menu, select CDROM in the dialog, set it to Use ISO image, and choose the CentOS installation image;
  • Start the CentOS system in the virtual machine, log in as root, and right-click on the desktop to open a new terminal window;
  • In the terminal enter cd /media/CentOS_5.5_Final/CentOS and press Enter
[root@localhost malware]# cd /media/CentOS_5.5_Final/CentOS
[root@localhost CentOS]# rpm -ivh cpp-4.1.2-48.el5.x86_64.rpm
[root@localhost CentOS]# rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
[root@localhost CentOS]# rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
[root@localhost CentOS]# rpm -ivh glibc-headers-2.5-49.x86_64.rpm
[root@localhost CentOS]# rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
[root@localhost CentOS]# rpm -ivh kernel-devel-2.6.18-194.el5.x86_64.rpm
[root@localhost CentOS]# rpm -ivh glibc-devel-2.5-49.x86_64.rpm
[root@localhost CentOS]# rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm

1.2 Compiling LiME

[root@localhost CentOS]# tar -zxvf LiME.tar.gz
[root@localhost CentOS]# cd /home/yunwei/Desktop/malware/LiME/src/
[root@localhost src]# make
make -C /lib/modules/2.6.18-194.el5/build M="/home/yunwei/Desktop/malware/LiME/src" modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
  Building modules, stage 2.
  MODPOST
  LD [M]  /home/yunwei/Desktop/malware/LiME/src/lime.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
strip --strip-unneeded lime.ko
mv lime.ko lime-2.6.18-194.el5.ko
[root@localhost src]# ll
total 1176
-rw-r--r-- 1 root root   2557 Sep 28  2017 disk.c
-rw-r--r-- 1 root root 168240 May 20 10:44 disk.o
-rw-r--r-- 1 root root  41984 May 20 11:46 lime-2.6.18-194.el5.ko
-rw-r--r-- 1 root root   1920 Sep 28  2017 lime.h
-rw-r--r-- 1 root root   1151 May 20 10:44 lime.mod.c
-rw-r--r-- 1 root root  81632 May 20 10:44 lime.mod.o
-rw-r--r-- 1 root root 505173 May 20 10:44 lime.o
-rw-r--r-- 1 root root   6614 Sep 28  2017 main.c
-rw-r--r-- 1 root root 175408 May 20 10:44 main.o
-rw-r--r-- 1 root root   1661 Sep 28  2017 Makefile
-rw-r--r-- 1 root root   1722 Sep 28  2017 Makefile.sample
-rw-r--r-- 1 root root      0 May 20 10:44 Module.markers
-rw-r--r-- 1 root root      0 May 20 10:44 Module.symvers
-rw-r--r-- 1 root root   3889 Sep 28  2017 tcp.c
-rw-r--r-- 1 root root 166152 May 20 10:44 tcp.o

1.3 Capturing Memory

/home/yunwei/Desktop/malware/centos5.lime is a custom output path (choose your own)

## Enter kernel mode (load the module) to capture memory
[root@localhost src]# insmod lime-`uname -r`.ko path=/home/yunwei/Desktop/malware/centos5.lime format=lime
## Before capturing memory again, run the following command to leave kernel mode (unload the module)
[root@localhost src]# rmmod lime

1.4 Building the Metadata (Profile)

1.4.1 Using dwarfdump

Install dwarfdump, the tool used to export the debug information:

    1. Download and build libdwarf
## Extract libdwarf
[root@localhost src]# git clone https://github.com/tomhughes/libdwarf.git
[root@localhost src]# tar -zxvf libdwarf.tar.gz

## Install dependency packages from the disc
[root@localhost src]# cd /media/CentOS_5.5_Final/CentOS/
[root@localhost src]# rpm -ivh /media/CentOS_5.5_Final/CentOS/elfutils-libelf-0.137-3.el5.x86_64.rpm 
[root@localhost libdwarf]# rpm -ivh elfutils-libelf-devel-static-0.137-3.el5.x86_64.rpm elfutils-libelf-devel-0.137-3.el5.x86_64.rpm elfutils-libelf-0.137-3.el5.x86_64.rpm

## Build and install libdwarf
[root@localhost CentOS]# cd /home/yunwei/Desktop/malware/libdwarf
[root@localhost CentOS]# ./configure
[root@localhost libdwarf]# make

### If no error is reported, the build is correct.
[root@localhost libdwarf]# cd dwarfdump/
[root@localhost dwarfdump]# make install
cp dwarfdump /usr/local/bin/dwarfdump
cp ./dwarfdump.conf /usr/local/lib/dwarfdump.conf
cp ./dwarfdump.1 /usr/local/share/man/man1/dwarfdump.1
[root@localhost dwarfdump]# dwarfdump -h
### If dwarfdump -h runs without error, the installation is correct.
    2. Generate module.dwarf (the profile data)
[root@localhost malware]# tar -zxvf volatility.tar.gz
[root@localhost malware]# cd volatility/tools/linux/
## Error
[root@localhost linux]# make
make -C //lib/modules/2.6.18-194.el5/build CONFIG_DEBUG_INFO=y M="/home/yunwei/Desktop/malware/volatility/tools/linux" modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
  CC [M]  /home/yunwei/Desktop/malware/volatility/tools/linux/module.o
/home/yunwei/Desktop/malware/volatility/tools/linux/module.c:214: error: redefinition of ‘struct module_sect_attr’
/home/yunwei/Desktop/malware/volatility/tools/linux/module.c:221: error: redefinition of ‘struct module_sect_attrs’
/home/yunwei/Desktop/malware/volatility/tools/linux/module.c:375:5: warning: "STATS" is not defined
/home/yunwei/Desktop/malware/volatility/tools/linux/module.c:391:5: warning: "DEBUG" is not defined
make[2]: *** [/home/yunwei/Desktop/malware/volatility/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/yunwei/Desktop/malware/volatility/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
make: *** [dwarf] Error 2

### Comment out lines 198,7 ~ 221,7 (vim line,column positions) and the build problem is solved
/*
#if LINUX_VERSION_CODE == KERNEL_VERSION(2,6,18)
....
struct module_sections module_sect_attrs;

#endif
*/

## Build output after commenting out that code

[root@localhost linux]# make
make -C //lib/modules/2.6.18-194.el5/build CONFIG_DEBUG_INFO=y M="/home/yunwei/Desktop/malware/volatility-2.6/tools/linux" modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
  CC [M]  /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.o
/home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.c:354:5: warning: "STATS" is not defined
/home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.c:370:5: warning: "DEBUG" is not defined
  Building modules, stage 2.
  MODPOST
  CC      /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.mod.o
  LD [M]  /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-194.el5/build M="/home/yunwei/Desktop/malware/volatility-2.6/tools/linux" clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
  CLEAN   /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64'

1.5 Analyzing the Memory Image with volatility

Package the module.dwarf file together with the System.map file from /boot that matches the target system's kernel version into a .zip file, and place it in the /volatility/volatility/plugins/overlays/linux/ directory

## Package the metadata as CentOS5.5_2.6.18-194.el5-x86_64.zip

[root@localhost linux]# zip CentOS5.5_2.6.18-194.el5-x86_64.zip module.dwarf /boot/System.map-`uname -r`

## Place CentOS5.5_2.6.18-194.el5-x86_64.zip under the volatility-master\volatility\plugins\overlays\linux directory

## Test command: list processes

D:\malware\volatility-master>vol.py -f "D:\malware\CentOS5.5_2.6.18-194.el5_test.lime" --profile=LinuxCentOS5_5_2_6_18-194_el5-x86_64x64 linux_pslist
Volatility Foundation Volatility Framework 2.6
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff81003fe3a7a0 init                 1               0               0               0      0x0000000013332000 2018-05-20 11:33:20 UTC+0000
0xffff81003fe3a040 migration/0          2               1               0               0      ------------------ 2018-05-20 11:33:20 UTC+0000
0xffff81003fe3e7e0 ksoftirqd/0          3               1               0               0      ------------------ 2018-05-20 11:33:20 UTC+0000
0xffff81003fe3e080 events/0             4               1               0               0      ------------------ 2018-05-20 11:33:20 UTC+0000
0xffff810037fe7820 khelper              5               1               0               0      ------------------ 2018-05-20 11:33:20 UTC+0000
0xffff810037fd90c0 kthread              14              1               0               0      ------------------ 2018-05-20 11:33:20 UTC+0000
0xffff810037cdc040 kblockd/0            18              14              0               0      ------------------ 2018-05-20 11:33:20 UTC+0000
0xffff81003f4ea7e0 kacpid               19              14              0               0      ------------------ 2018-05-20 11:33:20 UTC+0000
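As an added example (not part of the original post, nor code from the LiME or Volatility projects), the following Python pre-flight checks cover the steps above before an image is shipped off: it walks the segment headers of a format=lime capture so a truncated or corrupt image is caught early, checks that the profile zip holds module.dwarf and the System.map of the captured kernel, and derives the --profile name Volatility 2 gives the zip. The LiME header layout (magic "EMiL", version 1, start/end address, 8 reserved bytes) and the naming rule are assumed from the projects' sources; the sample image is constructed.

```python
import io
import os
import struct
import zipfile

LIME_MAGIC = 0x4C694D45              # "EMiL", the first 4 bytes of a .lime file
LIME_HDR = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved

def lime_segments(f):
    """Walk a LiME image (format=lime) and return [(s_addr, e_addr, length)].
    Raises ValueError for a corrupt header or a segment cut off by the file end."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    segs = []
    while f.tell() < size:
        off = f.tell()
        hdr = f.read(LIME_HDR.size)
        if len(hdr) < LIME_HDR.size:
            raise ValueError("truncated LiME header at offset %d" % off)
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack(hdr)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("bad LiME header at offset %d: magic=%#x version=%d" % (off, magic, version))
        length = e_addr - s_addr + 1
        if f.tell() + length > size:
            raise ValueError("segment %#x-%#x runs past end of file" % (s_addr, e_addr))
        segs.append((s_addr, e_addr, length))
        f.seek(length, os.SEEK_CUR)   # skip the segment payload, header only is checked
    return segs

def profile_name(zip_path, arch="x64"):
    """The --profile name Volatility 2 derives from a Linux profile zip (assumed
    from its linux overlay code): 'Linux' + zip basename with '.' -> '_' + arch."""
    base = os.path.splitext(os.path.basename(zip_path))[0]
    return "Linux" + base.replace(".", "_") + arch

def check_profile_zip(zip_file, kernel_release):
    """Return (ok, problems): the zip must hold module.dwarf and the System.map of
    the captured kernel (uname -r). basename() ignores any stored 'boot/' prefix."""
    with zipfile.ZipFile(zip_file) as z:
        names = [os.path.basename(n) for n in z.namelist()]
    problems = [n + " missing from zip" for n in ("module.dwarf", "System.map-" + kernel_release)
                if n not in names]
    return (not problems, problems)

def sample_lime(ranges):
    """Constructed test image: one zero-filled segment per (s_addr, e_addr) pair."""
    data = b"".join(LIME_HDR.pack(LIME_MAGIC, 1, s, e, b"\0" * 8) + b"\0" * (e - s + 1) for s, e in ranges)
    return io.BytesIO(data)
```

Run lime_segments() over the real capture file opened in "rb" mode; a ValueError means the image should be re-acquired rather than handed to volatility.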

1.6 References

Solving a series of problems when installing GCC on Linux

https://blog.csdn.net/yvanboyang/article/details/73274004

Steps to install GCC and g++ on CentOS 5.5

https://www.linuxidc.com/Linux/2011-07/38657.htm

Manually installing gcc on CentOS 6.5 from the RPM packages on the installation disc

https://blog.csdn.net/testcs_dn/article/details/41727767

Volatility study notes 2: building a profile for SLES11SP2

https://www.jianshu.com/p/28848d3d9c1b

Build Volatility profile on Centos 5

http://vdchuyen.com/blog/2016/01/01/build-volatility-centos-profile.html
