1 概述
近期遇到个使用CentOS 5.5的系统,生产环境没有GCC、GDB。要对这台机器抓取关键内存回去用volatility分析。html
思路1:使用工具Dump某个进程的内存。使用cat /proc/[进程PID]maps抓出进程关键内存。linux
在github有类似的工程能够参考:https://github.com/WangYinuo/MemDumpgit
但因为进程太多,这个方案被否认了。github
思路2:使用受害系统一样版本的CentOS系统编译好LiME再去加载.ko模块抓取内存。centos
因为这个版本的yum源中止更新,因此只好使用安装盘自带的RPM包手动安装GCC,编译LiME,制做元数据用volatility分析。tcp
光盘地址:http://vault.centos.org/5.5/isos/x86_64/CentOS-5.5-x86_64-bin-DVD.torrent工具
1.1 安装GCC
- 打开VMWare界面,选择菜单VM--Settings,在对话框中选择CDROM,设置参数为Use ISO image,选择CentOS镜像安装文件;
- 启动虚拟机中的CentOS系统,用root登陆,在桌面上用鼠标右键新建一终端窗口;
- 在终端中输入 cd /media/CentOS_5.5_Final/CentOS 回车
[root@localhost malware]# cd /media/CentOS_5.5_Final/CentOS [root@localhost CentOS]# rpm -ivh cpp-4.1.2-48.el5.x86_64.rpm [root@localhost CentOS]# rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm [root@localhost CentOS]# rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm [root@localhost CentOS]# rpm -ivh glibc-headers-2.5-49.x86_64.rpm [root@localhost CentOS]# rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm [root@localhost CentOS]# rpm -ivh kernel-devel-2.6.18-194.el5.x86_64.rpm [root@localhost CentOS]# rpm -ivh glibc-devel-2.5-49.x86_64.rpm [root@localhost CentOS]# rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
1.2 编译LiME
[root@localhost CentOS]# tar -zxvf LiME.tar.gz [root@localhost CentOS]# cd /home/yunwei/Desktop/malware/LiME/src/ [root@localhost src]# make make -C /lib/modules/2.6.18-194.el5/build M="/home/yunwei/Desktop/malware/LiME/src" modules make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64' Building modules, stage 2. MODPOST LD [M] /home/yunwei/Desktop/malware/LiME/src/lime.ko make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64' strip --strip-unneeded lime.ko mv lime.ko lime-2.6.18-194.el5.ko [root@localhost src]# ll total 1176 -rw-r--r-- 1 root root 2557 Sep 28 2017 disk.c -rw-r--r-- 1 root root 168240 May 20 10:44 disk.o -rw-r--r-- 1 root root 41984 May 20 11:46 lime-2.6.18-194.el5.ko -rw-r--r-- 1 root root 1920 Sep 28 2017 lime.h -rw-r--r-- 1 root root 1151 May 20 10:44 lime.mod.c -rw-r--r-- 1 root root 81632 May 20 10:44 lime.mod.o -rw-r--r-- 1 root root 505173 May 20 10:44 lime.o -rw-r--r-- 1 root root 6614 Sep 28 2017 main.c -rw-r--r-- 1 root root 175408 May 20 10:44 main.o -rw-r--r-- 1 root root 1661 Sep 28 2017 Makefile -rw-r--r-- 1 root root 1722 Sep 28 2017 Makefile.sample -rw-r--r-- 1 root root 0 May 20 10:44 Module.markers -rw-r--r-- 1 root root 0 May 20 10:44 Module.symvers -rw-r--r-- 1 root root 3889 Sep 28 2017 tcp.c -rw-r--r-- 1 root root 166152 May 20 10:44 tcp.o
1.3 抓取内存
/home/yunwei/Desktop/malware/centos5.lime为自定义路径学习
## 进入内核模式抓取内存 [root@localhost src]# insmod lime-`uname -r`.ko path=/home/yunwei/Desktop/malware/centos5.lime format=lime ## 再次抓取内存前要先运行如下命令退出内核模式 [root@localhost src]# rmmod lime
1.4 制做元数据
1.4.1 dwarfdump使用
安装调试文件导出工具dwarfdump:测试
-
- 下载与编译libdwarf
## 解压Libdwarf [root@localhost src]# git clone https://github.com/tomhughes/libdwarf.git [root@localhost src]# tar -zxvf libdwarf.tar.gz ## 光盘安装依赖包 [root@localhost src]# cd /media/CentOS_5.5_Final/CentOS/ [root@localhost src]# rpm -ivh /media/CentOS_5.5_Final/CentOS/elfutils-libelf-0.137-3.el5.x86_64.rpm [root@localhost libdwarf]# rpm -ivh elfutils-libelf-devel-static-0.137-3.el5.x86_64.rpm elfutils-libelf-devel-0.137-3.el5.x86_64.rpm elfutils-libelf-0.137-3.el5.x86_64.rpm ## 编译安装 libdwarf [root@localhost CentOS]# cd /home/yunwei/Desktop/malware/libdwarf [root@localhost CentOS]# ./configure [root@localhost libdwarf]# make ### 若没有报错,则表示安装正确。 [root@localhost libdwarf]# cd dwarfdump/ [root@localhost dwarfdump]# make install cp dwarfdump /usr/local/bin/dwarfdump cp ./dwarfdump.conf /usr/local/lib/dwarfdump.conf cp ./dwarfdump.1 /usr/local/share/man/man1/dwarfdump.1 [root@localhost dwarfdump]# dwarfdump -h ### 输入dwarfdump -h若没有报错,则表示安装正确。
-
- 生成内存镜像
[root@localhost malware]# tar -zxvf volatility.tar.gz [root@localhost malware]# cd volatility/tools/linux/ ## 错误 [root@localhost linux]# make make -C //lib/modules/2.6.18-194.el5/build CONFIG_DEBUG_INFO=y M="/home/yunwei/Desktop/malware/volatility/tools/linux" modules make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64' CC [M] /home/yunwei/Desktop/malware/volatility/tools/linux/module.o /home/yunwei/Desktop/malware/volatility/tools/linux/module.c:214: error: redefinition of ‘struct module_sect_attr’ /home/yunwei/Desktop/malware/volatility/tools/linux/module.c:221: error: redefinition of ‘struct module_sect_attrs’ /home/yunwei/Desktop/malware/volatility/tools/linux/module.c:375:5: warning: "STATS" is not defined /home/yunwei/Desktop/malware/volatility/tools/linux/module.c:391:5: warning: "DEBUG" is not defined make[2]: *** [/home/yunwei/Desktop/malware/volatility/tools/linux/module.o] Error 1 make[1]: *** [_module_/home/yunwei/Desktop/malware/volatility/tools/linux] Error 2 make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64' make: *** [dwarf] Error 2 ### 注释掉 198,7 ~ 221,7,编译问题就解决了 /* #if LINUX_VERSION_CODE == KERNEL_VERSION(2,6,18) .... struct module_sections module_sect_attrs; #endif */ ## 注释代码以后,编译输出状态 [root@localhost linux]# make make -C //lib/modules/2.6.18-194.el5/build CONFIG_DEBUG_INFO=y M="/home/yunwei/Desktop/malware/volatility-2.6/tools/linux" modules make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64' CC [M] /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.o /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.c:354:5: warning: "STATS" is not defined /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.c:370:5: warning: "DEBUG" is not defined Building modules, stage 2. MODPOST CC /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.mod.o LD [M] /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/module.ko make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64' dwarfdump -di module.ko > module.dwarf make -C //lib/modules/2.6.18-194.el5/build M="/home/yunwei/Desktop/malware/volatility-2.6/tools/linux" clean make[1]: Entering directory `/usr/src/kernels/2.6.18-194.el5-x86_64' CLEAN /home/yunwei/Desktop/malware/volatility-2.6/tools/linux/.tmp_versions make[1]: Leaving directory `/usr/src/kernels/2.6.18-194.el5-x86_64'
1.5 volatility使用内存镜像分析
将module.dwarf文件和/boot中对应目标系统内核版本的System.map文件打包成.zip文件,放入/volatility/volatility/plugins/overlays/linux/目录中ui
## 打包元数据为CentOS5.5_2.6.18-194.el5-x86_64.zip [root@localhost linux]# zip CentOS5.5_2.6.18-194.el5-x86_64.zip module.dwarf /boot/System.map-`uname -r` ## 将CentOS5.5_2.6.18-194.el5-x86_64.zip放到volatility-master\volatility\plugins\overlays\linux目录下 ## 测试命令-列举进程 D:\malware\volatility-master>vol.py -f "D:\malware\CentOS5.5_2.6.18-194.el5_test.lime" --profile=LinuxCentOS5_5_2_6_18-194_el5-x86_64x64 linux_pslist Volatility Foundation Volatility Framework 2.6 Offset Name Pid PPid Uid Gid DTB Start Time ------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ---------- 0xffff81003fe3a7a0 init 1 0 0 0 0x0000000013332000 2018-05-20 11:33:20 UTC+0000 0xffff81003fe3a040 migration/0 2 1 0 0 ------------------ 2018-05-20 11:33:20 UTC+0000 0xffff81003fe3e7e0 ksoftirqd/0 3 1 0 0 ------------------ 2018-05-20 11:33:20 UTC+0000 0xffff81003fe3e080 events/0 4 1 0 0 ------------------ 2018-05-20 11:33:20 UTC+0000 0xffff810037fe7820 khelper 5 1 0 0 ------------------ 2018-05-20 11:33:20 UTC+0000 0xffff810037fd90c0 kthread 14 1 0 0 ------------------ 2018-05-20 11:33:20 UTC+0000 0xffff810037cdc040 kblockd/0 18 14 0 0 ------------------ 2018-05-20 11:33:20 UTC+0000 0xffff81003f4ea7e0 kacpid 19 14 0 0 ------------------ 2018-05-20 11:33:20 UTC+0000
1.6 参考
Linux安装GCC的一系列问题的解决
https://blog.csdn.net/yvanboyang/article/details/73274004
CentOS 5.5 安装GCC与g++步骤
https://www.linuxidc.com/Linux/2011-07/38657.htm
CentOS 6.5使用安装盘自带的RPM包手动安装gcc
https://blog.csdn.net/testcs_dn/article/details/41727767
Volatility学习笔记二-制做SLES11SP2的profile
https://www.jianshu.com/p/28848d3d9c1b
Build Volatility profile on Centos 5
http://vdchuyen.com/blog/2016/01/01/build-volatility-centos-profile.html