This semester I took a computer forensics course (not that it teaches much). One of the group assignments was a lab report on Linux forensics. It is not hard, but I still hit a pile of pitfalls while building the profile, and thinking back, I rarely got it right on the first try in earlier competitions either. The write-ups I had been following never quite fit my own situation, so writing it up myself should also help it stick.
Building a profile for volatility2 has far too many problems, so I will polish that later; today only the volatility3 version.
Dump
Environment:
Linux 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Tools used
https://github.com/504ensicsLabs/LiME
https://github.com/microsoft/avml
- To build the memory image, avml is the better choice: it is more actively maintained than LiME, and in a recent test volatility3 could not read the Linux version from an image produced by LiME.
$ cat /proc/version
Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024
# Running the following command against the image produced no output:
# vol -f linux.mem banners.Banners
# The relevant implementation is below. The image really contains no "Linux version" string; I did not dig into why, so just use avml.

# Excerpt from the banners.Banners plugin in volatility3 (framework/plugins/banners.py);
# imports added, base class and plugin requirements omitted.
from volatility3.framework import interfaces
from volatility3.framework.layers import scanners
from volatility3.framework.renderers import format_hints


class Banners:
    @classmethod
    def locate_banners(
        cls, context: interfaces.context.ContextInterface, layer_name: str
    ):
        """Identifies banners from a memory image"""
        layer = context.layers[layer_name]
        # Scan the whole layer for the start of a kernel version banner
        for offset in layer.scan(
            context=context,
            scanner=scanners.RegExScanner(
                rb"(Linux version|Darwin Kernel Version) [0-9]+\.[0-9]+\.[0-9]+"
            ),
        ):
            data = layer.read(offset, 0xFFF)
            data_index = data.find(b"\x00")
            if data_index > 0:
                data = data[:data_index].strip()
            # Drop hits that contain anything outside the printable banner alphabet
            failed = [
                char
                for char in data
                if char
                not in b" #()+,;/-.0123456789:@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~"
            ]
            if not failed:
                yield format_hints.Hex(offset), str(
                    data, encoding="latin-1", errors="?"
                )
- Acquire an uncompressed image
$ ./avml linux.lime
Analyse
Environment:
Linux test-virtual-machine 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Tools used
https://github.com/volatilityfoundation/dwarf2json
https://github.com/volatilityfoundation/volatility3
- Install volatility3
$ sudo apt install unzip zip python3-pip -y
$ git clone https://github.com/volatilityfoundation/volatility3.git
$ cd volatility3
$ pip3 install -r requirements.txt
$ python3 setup.py build
$ sudo python3 setup.py install
// volatility3 is now installed under /usr/local/lib/python3.10/dist-packages/volatility3-2.7.0-py3.10.egg/volatility3 (the install path is printed at the end of setup.py install; check it yourself)
// Sample output
......
Best match: pefile 2023.2.7
Processing pefile-2023.2.7-py3-none-any.whl
Installing pefile-2023.2.7-py3-none-any.whl to /usr/local/lib/python3.10/dist-packages
Adding pefile 2023.2.7 to easy-install.pth file
Installed /usr/local/lib/python3.10/dist-packages/pefile-2023.2.7-py3.10.egg
Finished processing dependencies for volatility3==2.7.0
- Build dwarf2json
$ go build
- Check the kernel version of the image
$ vol -f linux.lime banners.Banners
Volatility 3 Framework 2.7.0
Progress: 100.00 PDB scanning finished
Offset Banner
0x1f2c4b60 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x27dbac98 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x28561098 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x2c36cee8 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x403a0cd8 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x50200200 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x52235778 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x620cbba0 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x6ae7d0d8 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
0x6ec88f28 Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 (Ubuntu 5.15.0-94.104-generic 5.15.136)
- Download the .ddeb matching that version from http://ddebs.ubuntu.com/pool/main/l/linux/
- Install it
$ wget http://ddebs.ubuntu.com/pool/main/l/linux/linux-image-unsigned-5.15.0-94-generic-dbgsym_5.15.0-94.104_amd64.ddeb
$ dpkg -i ./linux-image-unsigned-5.15.0-94-generic-dbgsym_5.15.0-94.104_amd64.ddeb
- Generate the profile; run this on a machine with plenty of memory, otherwise it easily hangs
$ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-5.15.0-94-generic > linux-image-5.15.0-94.104-generic.json
- Put the .json into symbols/linux under the install directory, or into framework/symbols/linux
$ cp linux-image-5.15.0-94.104-generic.json /usr/local/lib/python3.10/dist-packages/volatility3-2.7.0-py3.10.egg/volatility3/framework/symbols/linux/
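Two of the pitfalls above come down to the same check: the dump in which banners.Banners found no "Linux version" string, and a generated .json that volatility3 will not pair with the dump unless the banner embedded in it is found in the image. The example below is added here and is not volatility3's or dwarf2json's own code: it re-implements the plugin's banner scan from the Dump section (same regex, same character whitelist) over a raw image and compares the hit with the linux_banner constant_data that dwarf2json writes into the ISF JSON. The file paths in check_files are placeholders, and the sample image and ISF are constructed.

```python
import base64
import json
import mmap
import re
from typing import Iterator, Tuple

# Same regex and printable-character whitelist as the banners.Banners plugin.
BANNER_RE = re.compile(rb"(Linux version|Darwin Kernel Version) [0-9]+\.[0-9]+\.[0-9]+")
ALLOWED = set(b" #()+,;/-.0123456789:@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~")

def scan_banners(data, window: int = 0xFFF) -> Iterator[Tuple[int, str]]:
    """Yield (offset, banner) for each hit that survives the plugin's filter."""
    for match in BANNER_RE.finditer(data):
        offset = match.start()
        chunk = bytes(data[offset:offset + window])
        end = chunk.find(b"\x00")
        if end > 0:  # truncate at the first NUL, exactly as the plugin does
            chunk = chunk[:end].strip()
        if all(c in ALLOWED for c in chunk):
            yield offset, chunk.decode("latin-1")

def isf_banner(isf: dict) -> str:
    """Kernel banner that dwarf2json stores as base64 constant_data of linux_banner."""
    raw = base64.b64decode(isf["symbols"]["linux_banner"]["constant_data"])
    return raw.rstrip(b"\x00").strip().decode("latin-1")

def isf_matches_image(isf: dict, image) -> bool:
    """True when the ISF banner occurs in the image; volatility3 only uses a
    Linux symbol file whose banner it can find in the dump."""
    wanted = isf_banner(isf)
    return any(found == wanted for _, found in scan_banners(image))

def check_files(isf_path: str, image_path: str) -> bool:
    """Same check on files (paths are placeholders); the image is mmap'd, not read whole."""
    with open(isf_path) as fh:
        isf = json.load(fh)
    with open(image_path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return isf_matches_image(isf, mm)

# Constructed sample data, not a real dump: one valid banner plus a second hit
# that the whitelist must reject because it contains a tab.
SAMPLE_BANNER = (b"Linux version 5.15.0-94-generic (buildd@lcy02-amd64-096) "
                 b"(gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0) #104-Ubuntu SMP")
SAMPLE_IMAGE = (b"\x00" * 64 + SAMPLE_BANNER + b"\x00" * 32
                + b"Linux version 6.1.0\tjunk\x00" + b"\xff" * 16)
SAMPLE_ISF = {"symbols": {"linux_banner": {
    "constant_data": base64.b64encode(SAMPLE_BANNER + b"\n\x00").decode()}}}
```

If check_files returns False for a real dump and .json, either the dump carries no intact banner (the LiME case above) or the .ddeb does not match the running kernel, and copying the .json into symbols/linux will not help.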
- Analysis
$ chmod 755 linux.lime && vol -f linux.lime linux.bash
test@test-virtual-machine:~$ sudo vol -f linux.lime linux.bash
Volatility 3 Framework 2.7.0
Progress: 100.00 Stacking attempts finished
PID Process CommandTime Command
1453 bash 2024-04-15 12:30:24.000000 sudo -i
1453 bash 2024-04-15 12:30:24.000000 sudo -i
1453 bash 2024-04-15 12:30:24.000000 ls
1453 bash 2024-04-15 12:30:26.000000 ls
1453 bash 2024-04-15 12:30:28.000000 whoami
1453 bash 2024-04-15 12:30:29.000000 pwd
1453 bash 2024-04-15 12:30:30.000000 id
1453 bash 2024-04-15 12:30:50.000000 echo "flag{volatility3_and_avml}"
1453 bash 2024-04-15 12:30:54.000000 ls
1453 bash 2024-04-15 12:31:03.000000 wget https://github.com/microsoft/avml/releases/download/v0.13.0/avml
1453 bash 2024-04-15 12:31:07.000000 ls
1453 bash 2024-04-15 12:31:11.000000 chmod +x avml
1453 bash 2024-04-15 12:31:15.000000 ./avml linux.mem
1453 bash 2024-04-15 12:31:21.000000 sudo ./avml linux.mem
$ sudo vol -f linux.lime linux
test@test-virtual-machine:~$ sudo vol -f linux.lime linux
Volatility 3 Framework 2.7.0
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config] [--save-config SAVE_CONFIG]
[--clear-cache] [--cache-path CACHE_PATH] [--offline] [--filters FILTERS] [--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...
volatility: error: argument plugin: plugin linux matches multiple plugins (linux.bash.Bash, linux.capabilities.Capabilities, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.envars.Envars, linux.iomem.IOMem, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.library_list.LibraryList, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.mountinfo.MountInfo, linux.proc.Maps, linux.psaux.PsAux, linux.pslist.PsList, linux.psscan.PsScan, linux.pstree.PsTree, linux.sockstat.Sockstat, linux.tty_check.tty_check)