- 了解volatility
1.Linux Memory Extractor 参考此链接
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
调试步骤:
~/Documents/work/code/LiME/src$ make
make -C /lib/modules/4.19.37/build M="/home/Documents/work/code/LiME/src" modules
make[1]: Entering directory `/home/Documents/work/code/linux/linux-4.19.37'
CC [M] /home/Documents/work/code/LiME/src/tcp.o
CC [M] /home/Documents/work/code/LiME/src/disk.o
CC [M] /home/Documents/work/code/LiME/src/main.o
CC [M] /home/Documents/work/code/LiME/src/hash.o
CC [M] /home/Documents/work/code/LiME/src/deflate.o
LD [M] /home/Documents/work/code/LiME/src/lime.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/Documents/work/code/LiME/src/lime.mod.o
LD [M] /home/Documents/work/code/LiME/src/lime.ko
make[1]: Leaving directory `/home/Documents/work/code/linux/linux-4.19.37'
strip --strip-unneeded lime.ko
mv lime.ko lime-4.19.37.ko
~/Documents/work/code/LiME/src$ sudo insmod ./lime-4.19.37.ko "path=dump.mem format=lime timeout=0"
2.volatility
2.1.Install 安装参考此链接
2.1.Building a Profile
A profle is a collection of the VTypes, overlays, and object classes for a specifc operating system version and hardware architecture (x86, x64, ARM). In addition to these components, a profle also includes the following:
- Metadata: Data such as the operating system’s name (i.e., “windows”, “mac”, or “linux”), the kernel version, and build numbers
- System call information: Indexes and names of system calls
- Constant values: Global variables that can be found at hard-coded addresses in some operating systems
- Native types: Low-level types for native languages (usually C), including the sizes for integers, longs, and so on
- System map: Addresses of critical global variables and functions (Linux and
Mac only)
Navigate to volatility/tools/linux and type the following:
1.sudo make -C /lib/modules/$(uname -r)/build CONFIG_DEBUG_INFO=y M=$PWD modules
2.dwarfdump -di ./module.o > module.dwarf
3.sudo zip volatility/plugins/overlays/linux/Ubuntu1404-419.zip tools/linux/module.dwarf /boot/System.map-4.19.37
or sudo zip Debian4908.zip module.dwarf /boot/System.map-$(uname -r)
4.cp Debian4908.zip ../../plugins/overlays/linux/
然后执行:
python vol.py --info
Now when running --info we should see our newly created Linux Profile(s) LinuxDebian4908x64 as available. The archive we created will be prepended with Linux and appended with x64 dependent on the architecture type.
2.2.Memory Analysis with Volatility
Once everything is set up correctly and we’ve acquired a forensic image using LiME. We can start our analysis with Volatility.
An example command using options -f memory file, --profile profile name and linux_banner plugin would look something like this:
python vol.py --file=…/…/LiME/src/dump.mem --profile=LinuxUbuntu1404-419x64 linux_psscan
2.3.Linux Command Reference
1>.linux_pslist
python vol.py --file=…/…/LiME/src/dump.mem --profile=LinuxUbuntu1404-419x64 linux_pslist
- https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference
2.4.Linux Volshell 参考此链接
To get the process started, simply run the “linux_volshell” plugin with no arguments.
$python vol.py --file=../../LiME/src/dump.mem --profile=LinuxUbuntu1404-419x64 linux_volshell
Volatility Foundation Volatility Framework 2.6.1
Current context: process init, pid=1 DTB=0xb4444000
Welcome to volshell! Current memory image is:
file:///home/zhaoxiao/Documents/work/code/LiME/src/dump.mem
To get help, type 'hh()'
>>>
This drops you into a Python shell. At this point you have full access to the Volatility namespace as well as all of Python. If you type hh() you are given a help menu which displays the volshell-specific plugins.
The following output shows select members of the task_struct structure:
>>> dt("task_struct")
refer to
- https://github.com/504ensicsLabs/LiME
- https://markuta.com/live-memory-acquisition-on-linux-systems/
- https://github.com/volatilityfoundation/volatility/wiki/Installation
- https://www.youtube.com/watch?v=qoplmHxmOp4
- The Art of Memory Forensics book
来源:CSDN
作者:Hacker_Albert
链接:https://blog.csdn.net/weixin_41028621/article/details/104884601