背景
VMware虚拟机系统hang死,手动重启无法触发系统panic,从而不能触发kdump产生vmcore文件进行原因分析;此种情况下需要手动生成虚拟机内存快照,进而利用Volatility工具分析系统hang死的具体原因。
配置
- 使用VMware创建虚拟机内存快照,同时重启虚拟机。
- 下载对应python版本的Volatility 。(python3 Volatility3)
- 安装依赖distorm3
bash
pip install distorm3正常情况下,完成以上步骤后,就可以使用Volatility工具分析内存快照了。
使用
1、分析系统架构
使用imageinfo参数查看设备信息,找到适配的配置文件。
bash
python vol.py -f /root/vm_snapshot/Test.vmem imageinfo当然,如果系统信息确定的情况下,也可以直接使用内置的配置文件。
bash
$ python vol.py --info
Volatility Foundation Volatility Framework 2.6.1
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
... ...可以看到Volatility 仅内置Windows系统的配置文件,因此在Linux 系统上imageinfo时,会出现无法正常执行的情形。
bash
$ python vol.py -f /root/vm_snapshot/Test.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...若出现这种情况,则说明Volatility 的配置文件无法分析该系统的内存快照,需要手动构建你自己的 Linux 配置文件。
构建过程中,可能会出现一下编译错误,如gcc版本错误,dwarf库未找到等等,解决方案都可以在网上找到,这里就不一一赘述了。
bash
$ cd tools/linux/
$ pwd
/root/volatility/tools/linux
$ ls
kcore Makefile Makefile.enterprise module.c
$ make
make -C //lib/modules/4.9.0-19-linx-security-amd64/build CONFIG_DEBUG_INFO=y M="/root/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
CC [M] /root/volatility/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
CC /root/volatility/tools/linux/module.mod.o
LD [M] /root/volatility/tools/linux/module.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/4.9.0-19-linx-security-amd64/build M="/root/volatility/tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
CLEAN /root/volatility/tools/linux/.tmp_versions
CLEAN /root/volatility/tools/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'编译完成之后,目录下会出现一个module.dwarf文件,我们需要将该文件与系统符号表一起打包,创建Volatility插件。
bash
$ ls -l module.dwarf
-rw-r--r-- 1 root root 3191958 4月 16 11:23 module.dwarf
$ ls -l /boot/System.map-4.9.0-19-linx-security-amd64
-rw-r--r-- 1 root root 3220023 6月 25 2024 /boot/System.map-4.9.0-19-linx-security-amd64
$ zip volatility/plugins/overlays/linux/Linx_6.0.80.zip tools/linux/module.dwarf /boot/System.map-4.9.0-19-linx-security-amd64
updating: tools/linux/module.dwarf (deflated 91%)
updating: boot/System.map-4.9.0-19-linx-security-amd64 (deflated 79%)上述操作完成后,可以使用--info查询插件是否正常安装。
bash
$ python vol.py -f /root/vm_snapshot/Test.vmem --info|grep Linx
Volatility Foundation Volatility Framework 2.6.1
LinuxLinx_6_0_80x64 - A Profile for Linux Linx_6.0.80 x642、使用
使用-h参数查看配置文件支持的命令。
bash
$ python vol.py -f /root/vm_snapshot/Test.vmem --profile=LinuxLinx_6_0_80x64 -h
Volatility Foundation Volatility Framework 2.6.1
Usage: Volatility - A memory forensics analysis platform.
Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/root/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/root/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the (Olson) timezone for displaying timestamps
using pytz (if installed) or tzset
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=LinuxLinx_6_0_80x64
Name of the profile to load (use --info to see a list
of supported profiles)
-l file:///root/vm_snapshot/Test.vmem, --location=file:///root/vm_snapshot/Test.vmem
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--shift=SHIFT Mac KASLR shift address
--output=text Output in this format (support is module specific, see
the Module Output Options below)
--output-file=OUTPUT_FILE
Write output in this file
-v, --verbose Verbose information
--physical_shift=PHYSICAL_SHIFT
Linux kernel physical shift address
--virtual_shift=VIRTUAL_SHIFT
Linux kernel virtual shift address
-g KDBG, --kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit
Windows 8 and above this is the address of
KdCopyDataBlock)
--force Force utilization of suspect profile
--cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for
Windows 10 only)
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
Supported Plugin Commands:
imagecopy Copies a physical address space out as a raw DD image
limeinfo Dump Lime file format information
linux_apihooks Checks for userland apihooks
linux_arp Print the ARP table
linux_aslr_shift Automatically detect the Linux ASLR shift
linux_banner Prints the Linux banner information
linux_bash Recover bash history from bash process memory
linux_bash_env Recover a process' dynamic environment variables
linux_bash_hash Recover bash hash table from bash process memory
linux_check_afinfo Verifies the operation function pointers of network protocols
linux_check_creds Checks if any processes are sharing credential structures
linux_check_fop Check file operation structures for rootkit modifications
linux_check_idt Checks if the IDT has been altered
linux_check_inline_kernel Check for inline kernel hooks
linux_check_modules Compares module list to sysfs info, if available
linux_check_syscall Checks if the system call table has been altered
linux_check_tty Checks tty devices for hooks
linux_cpuinfo Prints info about each active processor
linux_dentry_cache Gather files from the dentry cache
linux_dmesg Gather dmesg buffer
linux_dump_map Writes selected memory mappings to disk
linux_dynamic_env Recover a process' dynamic environment variables
linux_elfs Find ELF binaries in process mappings
linux_enumerate_files Lists files referenced by the filesystem cache
linux_find_file Lists and recovers files from memory
linux_getcwd Lists current working directory of each process
linux_hidden_modules Carves memory to find hidden kernel modules
linux_ifconfig Gathers active interfaces
linux_info_regs It's like 'info registers' in GDB. It prints out all the
linux_iomem Provides output similar to /proc/iomem
linux_kernel_opened_files Lists files that are opened from within the kernel
linux_keyboard_notifiers Parses the keyboard notifier call chain
linux_ldrmodules Compares the output of proc maps with the list of libraries from libdl
linux_library_list Lists libraries loaded into a process
linux_librarydump Dumps shared libraries in process memory to disk
linux_list_raw List applications with promiscuous sockets
linux_lsmod Gather loaded kernel modules
linux_lsof Lists file descriptors and their path
linux_malfind Looks for suspicious process mappings
linux_memmap Dumps the memory map for linux tasks
linux_moddump Extract loaded kernel modules
linux_mount Gather mounted fs/devices
linux_mount_cache Gather mounted fs/devices from kmem_cache
linux_netfilter Lists Netfilter hooks
linux_netscan Carves for network connection structures
linux_netstat Lists open sockets
linux_pidhashtable Enumerates processes through the PID hash table
linux_pkt_queues Writes per-process packet queues out to disk
linux_plthook Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps Gathers process memory maps
linux_proc_maps_rb Gathers process maps for linux through the mappings red-black tree
linux_procdump Dumps a process's executable image to disk
linux_process_hollow Checks for signs of process hollowing
linux_psaux Gathers processes along with full command line and start time
linux_psenv Gathers processes along with their static environment variables
linux_pslist Gather active tasks by walking the task_struct->task list
linux_pslist_cache Gather tasks from the kmem_cache
linux_psscan Scan physical memory for processes
linux_pstree Shows the parent/child relationship between processes
linux_psxview Find hidden processes with various process listings
linux_recover_filesystem Recovers the entire cached file system from memory
linux_route_cache Recovers the routing cache from memory
linux_sk_buff_cache Recovers packets from the sk_buff kmem_cache
linux_slabinfo Mimics /proc/slabinfo on a running machine
linux_strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads Prints threads of processes
linux_tmpfs Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase Recovers cached Truecrypt passphrases
linux_vma_cache Gather VMAs from the vm_area_struct cache
linux_volshell Shell in the memory image
linux_yarascan A shell in the Linux memory image
mbrparser Scans for and parses potential Master Boot Records (MBRs)
patcher Patches memory based on page scans
raw2dmp Converts a physical memory sample to a windbg crash dump
vmwareinfo Dump VMware VMSS/VMSN informationVolatility3 使用
Volatility3在用法上与Volatility差异不大,只是支持的参数列表发生了较大变化,可以使用-h查看支持的插件列表。其中较大的差别在于Volatility3抛弃了构建起来较为复杂的 profile,转而使用符号表。而由于Linux 版本很多很杂,并没有提供非常全面的符号表,想要使用的话必须使用 dwarf2json生成自己的符号文件。
bash
$ ./dwarf2json linux
No files specified
Usage: dwarf2json linux [OPTIONS]
--elf PATH ELF file PATH to extract symbol and type information
--elf-symbols PATH ELF file PATH to extract only symbol information
--elf-types PATH ELF file PATH to extract only type information
--system-map PATH System.Map file PATH to extract symbol information--system-map参数指定/boot目录下的系统符号表文件,--elf文件必须指定带调试符号的vmlinuz文件。将dwarf2json的输出结果保存到Volatility3根目录,就可以正常使用了。
bash
$ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-137-generic > output.json
# Volatility3分析进程
$ python3 vol.py -f /vm_snapshot/Test.vmem -s . linux.pslist.PsList