Linux Memory Forensics
This post was last updated 270 days ago; the information in it may since have developed or changed.

This semester I took a computer forensics course (not that one learns much from it). One of the group assignments was a Linux forensics lab report. It is not hard, but I still hit a pile of pitfalls while building the profile, and thinking back, I rarely got it right on the first try in earlier CTFs either. I have always relied on other people's write-ups, which never quite fit my own situation, so I am writing it up myself once; it also helps it stick.

Building profiles for volatility2 has far too many problems; I will grind through that later. Today only the volatility3 version.

Dump

Environment:

Linux 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Tools involved

https://github.com/504ensicsLabs/LiME
https://github.com/microsoft/avml
  • Creating the memory image: avml is the better choice. It is maintained more actively than LiME, and in recent testing an image produced by LiME gave volatility3 nothing when it tried to read the Linux version from it.
$ cat /proc/version
Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024
# Inspecting the image's kernel with the following command produced no output:
# vol -f linux.mem banners.Banners
# The relevant implementation is below (a classmethod of the Banners plugin,
# volatility3/framework/plugins/banners.py, shown with the imports that file uses).
# The image really contains nothing that looks like "Linux version"; I was too lazy
# to dig into the cause, so just use avml instead.
from volatility3.framework import interfaces
from volatility3.framework.layers import scanners
from volatility3.framework.renderers import format_hints

@classmethod
def locate_banners(
    cls, context: interfaces.context.ContextInterface, layer_name: str
):
    """Identifies banners from a memory image"""
    layer = context.layers[layer_name]
    # Every regex hit for "Linux version X.Y.Z" / "Darwin Kernel Version X.Y.Z"
    # is only a candidate; the checks below decide whether it is a real banner.
    for offset in layer.scan(
        context=context,
        scanner=scanners.RegExScanner(
            rb"(Linux version|Darwin Kernel Version) [0-9]+\.[0-9]+\.[0-9]+"
        ),
    ):
        # Read up to 0xFFF bytes after the hit and cut at the first NUL terminator;
        # a candidate without a terminator in that window is dropped.
        data = layer.read(offset, 0xFFF)
        data_index = data.find(b"\x00")
        if data_index > 0:
            data = data[:data_index].strip()
            # Reject the candidate if any byte falls outside this printable whitelist.
            failed = [
                char
                for char in data
                if char
                not in b" #()+,;/-.0123456789:@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~"
            ]
            if not failed:
                yield format_hints.Hex(offset), str(
                    data, encoding="latin-1", errors="?"
                )
  • Acquire an uncompressed image
$ ./avml linux.lime
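To make the banner check above concrete, here is a stand-alone scanner I added for this write-up; it is not code from the original post or from volatility3. It mirrors the plugin's logic (regex hit, read up to 0xFFF bytes, cut at the first NUL, reject anything outside the printable whitelist) and runs it over a constructed in-memory "image", so you can see exactly what is accepted, what is rejected, and why a dump that lacks the string produces no rows. The sample image bytes and the 64 MiB chunk size are my own constructions; the chunked reader is an addition for scanning real dump files and reports file offsets, not physical addresses.

```python
"""Added example, not code from the original post or from volatility3.

Re-implements the scan that banners.Banners performs and runs it over a
constructed in-memory "image" so the accept/reject behaviour can be seen
without volatility3 installed.
"""
import io
import re
from typing import BinaryIO, List, Tuple

# Same pattern and whitelist volatility3 uses; a hit that contains any other
# byte before its NUL terminator is treated as a false positive.
BANNER_RE = re.compile(rb"(Linux version|Darwin Kernel Version) [0-9]+\.[0-9]+\.[0-9]+")
ALLOWED = frozenset(b" #()+,;/-.0123456789:@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~")
READ_LEN = 0xFFF  # bytes examined after each regex hit


def locate_banners(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, banner) for every well-formed banner in `image`."""
    hits: List[Tuple[int, str]] = []
    for m in BANNER_RE.finditer(image):
        offset = m.start()
        data = image[offset:offset + READ_LEN]
        end = data.find(b"\x00")
        if end <= 0:  # no terminator inside the window: not a banner
            continue
        data = data[:end].strip()
        if all(c in ALLOWED for c in data):
            hits.append((offset, data.decode("latin-1")))
    return hits


def scan_stream(fh: BinaryIO, chunk_size: int = 64 * 1024 * 1024) -> List[Tuple[int, str]]:
    """Scan a dump chunk by chunk.

    READ_LEN bytes of the previous chunk are kept as overlap so a banner that
    straddles a chunk boundary is still found; hits are deduplicated by their
    absolute offset because the overlap makes the same banner visible twice.
    """
    hits: List[Tuple[int, str]] = []
    seen = set()
    base, tail = 0, b""
    while True:
        block = fh.read(chunk_size)
        if not block:
            break
        buf = tail + block
        buf_base = base - len(tail)  # absolute offset of buf[0]
        for off, banner in locate_banners(buf):
            if buf_base + off not in seen:
                seen.add(buf_base + off)
                hits.append((buf_base + off, banner))
        tail = buf[-READ_LEN:]
        base += len(block)
    return hits


def scan_bytes(data: bytes, chunk_size: int) -> List[Tuple[int, str]]:
    """Chunked scan over an in-memory buffer (used to exercise scan_stream)."""
    return scan_stream(io.BytesIO(data), chunk_size)


def scan_image_file(path: str) -> List[Tuple[int, str]]:
    """Scan a LiME/avml dump on disk. Offsets are file offsets: the dump format
    carries range headers, so they are not physical addresses."""
    with open(path, "rb") as fh:
        return scan_stream(fh)


# Constructed sample image: 64 zero bytes, the banner from this post with the
# kernel's "\n" and NUL terminator, a banner-like string poisoned with a
# non-printable byte, and a banner with no terminator at all.
GOOD_BANNER = (
    b"Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) "
    b"(gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) "
    b"#104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)"
)
POISONED = b"Linux version 5.15.0 \xff garbage\x00"
UNTERMINATED = b"Linux version 6.1.0 no terminator"
SAMPLE_IMAGE = (
    b"\x00" * 64 + GOOD_BANNER + b"\n\x00" + b"\x00" * 32 + POISONED + b"\x00" * 16 + UNTERMINATED
)

if __name__ == "__main__":
    import sys
    # python3 banner_scan.py linux.lime   (falls back to the constructed sample)
    results = scan_image_file(sys.argv[1]) if len(sys.argv) > 1 else locate_banners(SAMPLE_IMAGE)
    for off, banner in results:
        print(f"0x{off:x}\t{banner}")
```

Only the first candidate survives: the poisoned one fails the whitelist and the unterminated one has no NUL within the window, which is the same behaviour that made banners.Banners print nothing for the LiME image.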

Analyse

Environment:

Linux test-virtual-machine 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Tools involved

https://github.com/volatilityfoundation/dwarf2json
https://github.com/volatilityfoundation/volatility3
  • Install volatility3
$ sudo apt install unzip zip python3-pip -y
$ git clone https://github.com/volatilityfoundation/volatility3.git
$ cd volatility3
$ pip3 install -r requirements.txt
$ python3 setup.py build
$ sudo python3 setup.py install

// volatility3 is now installed at /usr/local/lib/python3.10/dist-packages/volatility3-2.7.0-py3.10.egg/volatility3 (the install path is printed at the end of the install; check it there)
// Output looks like:
......
Best match: pefile 2023.2.7
Processing pefile-2023.2.7-py3-none-any.whl
Installing pefile-2023.2.7-py3-none-any.whl to /usr/local/lib/python3.10/dist-packages
Adding pefile 2023.2.7 to easy-install.pth file

Installed /usr/local/lib/python3.10/dist-packages/pefile-2023.2.7-py3.10.egg
Finished processing dependencies for volatility3==2.7.0
  • Build dwarf2json
$ go build
  • Check the image's kernel version
$ vol -f linux.lime banners.Banners
Volatility 3 Framework 2.7.0
Progress:  100.00		PDB scanning finished                  
Offset	Banner

0x1f2c4b60	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x27dbac98	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x28561098	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x2c36cee8	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x403a0cd8	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x50200200	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x52235778	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x620cbba0	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x6ae7d0d8	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x6ec88f28	Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
  • Download the .ddeb for the matching kernel version
http://ddebs.ubuntu.com/pool/main/l/linux/
  • Install it
$ wget http://ddebs.ubuntu.com/pool/main/l/linux/linux-image-unsigned-5.15.0-94-generic-dbgsym_5.15.0-94.104_amd64.ddeb
$ dpkg -i ./linux-image-unsigned-5.15.0-94-generic-dbgsym_5.15.0-94.104_amd64.ddeb
  • Generate the profile; the machine running this should have plenty of RAM, otherwise it tends to get stuck
$ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-5.15.0-94-generic > linux-image-5.15.0-94.104-generic.json
  • Put the .json into symbols/linux or framework/symbols/linux under the install directory
$ cp linux-image-5.15.0-94.104-generic.json /usr/local/lib/python3.10/dist-packages/volatility3-2.7.0-py3.10.egg/volatility3/framework/symbols/linux/
  • Forensics
$ chmod 755 linux.lime && vol -f linux.lime linux.bash
test@test-virtual-machine:~$ sudo vol -f linux.lime linux.bash
Volatility 3 Framework 2.7.0
Progress:  100.00		Stacking attempts finished                 
PID	Process	CommandTime	Command

1453	bash	2024-04-15 12:30:24.000000 	sudo -i
1453	bash	2024-04-15 12:30:24.000000 	sudo -i
1453	bash	2024-04-15 12:30:24.000000 	ls
1453	bash	2024-04-15 12:30:26.000000 	ls
1453	bash	2024-04-15 12:30:28.000000 	whoami
1453	bash	2024-04-15 12:30:29.000000 	pwd
1453	bash	2024-04-15 12:30:30.000000 	id
1453	bash	2024-04-15 12:30:50.000000 	echo "flag{volatility3_and_avml}"
1453	bash	2024-04-15 12:30:54.000000 	ls
1453	bash	2024-04-15 12:31:03.000000 	wget https://github.com/microsoft/avml/releases/download/v0.13.0/avml
1453	bash	2024-04-15 12:31:07.000000 	ls
1453	bash	2024-04-15 12:31:11.000000 	chmod +x avml 
1453	bash	2024-04-15 12:31:15.000000 	./avml linux.mem
1453	bash	2024-04-15 12:31:21.000000 	sudo ./avml linux.mem

$ sudo vol -f linux.lime linux
test@test-virtual-machine:~$ sudo vol -f linux.lime linux
Volatility 3 Framework 2.7.0
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config] [--save-config SAVE_CONFIG]
                  [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--filters FILTERS] [--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...
volatility: error: argument plugin: plugin linux matches multiple plugins (linux.bash.Bash, linux.capabilities.Capabilities, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.envars.Envars, linux.iomem.IOMem, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.library_list.LibraryList, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.mountinfo.MountInfo, linux.proc.Maps, linux.psaux.PsAux, linux.pslist.PsList, linux.psscan.PsScan, linux.pstree.PsTree, linux.sockstat.Sockstat, linux.tty_check.tty_check)
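The steps above (read the banner, fetch the matching dbgsym .ddeb, run dwarf2json, drop the JSON into the symbols directory) fail silently at the end when the symbol file does not match the image: volatility3 picks the Linux symbol table by comparing the `linux_banner` constant stored in the ISF JSON with the banner scanned from the dump, and on a mismatch every linux.* plugin stops with unsatisfied kernel requirements. The script below is an added example, not code from the original post, volatility3 or dwarf2json: it derives the Ubuntu .ddeb file name from the banners.Banners output and checks that a dwarf2json ISF file carries the same banner as the image. It assumes the ISF layout dwarf2json emits (a `symbols` map whose `linux_banner` entry holds base64 `constant_data`); the banners.Banners excerpt and the sample ISF document are constructed, and the `python3 check_isf.py` file name is hypothetical.

```python
"""Added example, not code from the original post, volatility3 or dwarf2json.

Two checks for the profile-building steps above:
  1. derive the Ubuntu dbgsym .ddeb file name from the banner reported by
     banners.Banners, so the right debug package is fetched;
  2. confirm that the ISF JSON produced by dwarf2json carries the same
     linux_banner as the image, since volatility3 selects the symbol table by
     that banner and a mismatch leaves every linux.* plugin unsatisfied.
"""
import base64
import json
import re
from typing import Dict, List

# Banner of the image in this post, as printed by banners.Banners.
IMAGE_BANNER = (
    "Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) "
    "(gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) "
    "#104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 "
    "(Ubuntu 5.15.0-94.104-generic 5.15.136)"
)

# Constructed excerpt of `vol -f linux.lime banners.Banners` output: the same
# banner shows up at several physical offsets.
VOL_BANNERS_OUTPUT = (
    "Volatility 3 Framework 2.7.0\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    "Offset\tBanner\n"
    "\n"
    f"0x1f2c4b60\t{IMAGE_BANNER}\n"
    f"0x27dbac98\t{IMAGE_BANNER}\n"
)

# "Linux version <release> ... (Ubuntu <pkgver>-<flavour> <upstream>)"
_UBUNTU_RE = re.compile(r"^Linux version (?P<release>\S+) .*\(Ubuntu (?P<abi>\S+) \S+\)$")


def parse_banners_output(text: str) -> List[str]:
    """Distinct banners from banners.Banners output, in order of first appearance."""
    banners: List[str] = []
    for line in text.splitlines():
        offset, sep, banner = line.partition("\t")
        banner = banner.strip()
        if sep and offset.startswith("0x") and banner not in banners:
            banners.append(banner)
    return banners


def ddeb_name_from_banner(banner: str, arch: str = "amd64") -> str:
    """Build the dbgsym .ddeb file name Ubuntu publishes for the kernel in `banner`.

    The release ("5.15.0-94-generic") is the first field; the package version
    ("5.15.0-94.104") is the trailing "(Ubuntu ...)" field minus the flavour.
    """
    m = _UBUNTU_RE.match(banner)
    if not m:
        raise ValueError("not an Ubuntu kernel banner")
    release = m.group("release")
    flavour = release.split("-", 2)[2]  # "generic", "lowlatency", ...
    abi = m.group("abi")  # "5.15.0-94.104-generic"
    if not abi.endswith("-" + flavour):
        raise ValueError("flavour in package field does not match release")
    pkgver = abi[: -len(flavour) - 1]  # "5.15.0-94.104"
    return f"linux-image-unsigned-{release}-dbgsym_{pkgver}_{arch}.ddeb"


def isf_banner(isf: Dict) -> str:
    """Decode the linux_banner constant stored (base64) in an ISF JSON document.

    The kernel string ends with "\\n" followed by a NUL; both are dropped so it
    compares equal to what banners.Banners prints.
    """
    raw = base64.b64decode(isf["symbols"]["linux_banner"]["constant_data"])
    return raw.split(b"\x00", 1)[0].decode("latin-1").strip()


def isf_matches_image(isf: Dict, image_banner: str) -> bool:
    """True when the symbol file's banner equals the one scanned from the image."""
    return isf_banner(isf) == image_banner.strip()


def load_isf(path: str) -> Dict:
    with open(path, "rb") as fh:
        return json.load(fh)


def make_sample_isf(banner: str) -> Dict:
    """Constructed stand-in for a dwarf2json ISF file, reduced to the parts used here."""
    constant = (banner + "\n\x00").encode("latin-1")
    return {
        "metadata": {"producer": {"name": "constructed sample"}},
        "base_types": {}, "user_types": {}, "enums": {},
        "symbols": {
            "linux_banner": {
                "address": 0xFFFFFFFF82200000,  # constructed address
                "constant_data": base64.b64encode(constant).decode("ascii"),
            }
        },
    }


if __name__ == "__main__":
    import sys
    # python3 check_isf.py linux-image-5.15.0-94.104-generic.json < banners.txt
    isf = load_isf(sys.argv[1])
    for b in parse_banners_output(sys.stdin.read()):
        print("match" if isf_matches_image(isf, b) else "MISMATCH", b)
        try:
            print("  ddeb:", ddeb_name_from_banner(b))
        except ValueError as exc:
            print("  ddeb: n/a,", exc)
```

Feed it the saved banners.Banners output and the JSON from dwarf2json before copying the file into symbols/linux; a "MISMATCH" line means the dbgsym package (or the vmlinux passed to dwarf2json) is for a different build than the one in the dump.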