Background
A VMware virtual machine hung. Rebooting it by hand does not trigger a kernel panic, so kdump never produces a vmcore for root-cause analysis. In that situation you have to take a memory snapshot of the VM manually and then analyze the cause of the hang with Volatility.
Setup
- Take a memory snapshot of the virtual machine with VMware, then reboot the VM.
- Download the Volatility release that matches your Python version (Volatility3 for Python 3).
- Install the distorm3 dependency:
pip install distorm3
Normally, once these steps are done, Volatility can analyze the memory snapshot.
Usage
1. Identify the system architecture
Use the imageinfo command to inspect the image and find a matching profile.
python vol.py -f /root/vm_snapshot/Test.vmem imageinfo
If the system version is already known, you can also use one of the built-in profiles directly.
$ python vol.py --info
Volatility Foundation Volatility Framework 2.6.1

Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
... ...
As you can see, Volatility only ships with Windows profiles, so on a Linux image imageinfo cannot complete.
$ python vol.py -f /root/vm_snapshot/Test.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
When this happens, none of Volatility's bundled profiles can parse the memory snapshot, and you need to build your own Linux profile by hand.
The build may fail with compilation errors such as a wrong gcc version or a missing dwarf library; the fixes are easy to find online and are not repeated here.
$ cd tools/linux/
$ pwd
/root/volatility/tools/linux
$ ls
kcore Makefile Makefile.enterprise module.c
$ make
make -C //lib/modules/4.9.0-19-linx-security-amd64/build CONFIG_DEBUG_INFO=y M="/root/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
  CC [M]  /root/volatility/tools/linux/module.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/volatility/tools/linux/module.mod.o
  LD [M]  /root/volatility/tools/linux/module.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/4.9.0-19-linx-security-amd64/build M="/root/volatility/tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
  CLEAN   /root/volatility/tools/linux/.tmp_versions
  CLEAN   /root/volatility/tools/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
Once the build finishes, a module.dwarf file appears in the directory. Pack it together with the kernel's System.map into a zip to create the Volatility profile.
$ ls -l module.dwarf
-rw-r--r-- 1 root root 3191958 4月 16 11:23 module.dwarf
$ ls -l /boot/System.map-4.9.0-19-linx-security-amd64
-rw-r--r-- 1 root root 3220023 6月 25 2024 /boot/System.map-4.9.0-19-linx-security-amd64
$ zip volatility/plugins/overlays/linux/Linx_6.0.80.zip tools/linux/module.dwarf /boot/System.map-4.9.0-19-linx-security-amd64
updating: tools/linux/module.dwarf (deflated 91%)
updating: boot/System.map-4.9.0-19-linx-security-amd64 (deflated 79%)
After that, use --info to check that the profile was installed correctly.
$ python vol.py -f /root/vm_snapshot/Test.vmem --info|grep Linx
Volatility Foundation Volatility Framework 2.6.1
LinuxLinx_6_0_80x64 - A Profile for Linux Linx_6.0.80 x64
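The --info | grep step above checks the profile by eye. As an added example (not part of the original post or of Volatility itself), the script below does the same pre-flight check offline: it derives the name Volatility 2 will register from the zip's base name (the rule that turns Linx_6.0.80.zip into LinuxLinx_6_0_80x64; the x64 suffix is passed in as an assumption rather than detected) and confirms the zip holds one module.dwarf and one System.map for the kernel the snapshot came from. The zip contents are a constructed stand-in.

```python
import io
import os
import re
import zipfile

# Constructed stand-in for the zip built above; a real profile carries the
# full module.dwarf and System.map, here each member is a single line.
SAMPLE_ZIP = io.BytesIO()
with zipfile.ZipFile(SAMPLE_ZIP, "w") as _zf:
    _zf.writestr("tools/linux/module.dwarf", "<1><0x0>  DW_TAG_compile_unit\n")
    _zf.writestr("boot/System.map-4.9.0-19-linx-security-amd64",
                 "ffffffff81000000 T _text\n")


def expected_profile_name(zip_path, arch="x64"):
    """Volatility 2 names a Linux profile 'Linux' + zip base name with dots
    replaced by underscores + architecture suffix (arch is assumed here)."""
    base = os.path.splitext(os.path.basename(zip_path))[0]
    return "Linux" + base.replace(".", "_") + arch


def check_profile_zip(zip_bytes, running_kernel):
    """Return a list of problems; an empty list means the zip looks usable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    dwarfs = [n for n in names if n.endswith("module.dwarf")]
    sysmaps = [n for n in names if os.path.basename(n).startswith("System.map")]
    if len(dwarfs) != 1:
        problems.append("expected exactly one module.dwarf, found %d" % len(dwarfs))
    if len(sysmaps) != 1:
        problems.append("expected exactly one System.map, found %d" % len(sysmaps))
    else:
        # The System.map must belong to the kernel the snapshot was taken
        # from, otherwise symbol addresses will not line up with the image.
        m = re.match(r"System\.map-(.+)$", os.path.basename(sysmaps[0]))
        version = m.group(1) if m else ""
        if version != running_kernel:
            problems.append("System.map is for %s, snapshot kernel is %s"
                            % (version, running_kernel))
    return problems
```

Run it against the real zip with the snapshot VM's `uname -r` before copying the file into volatility/plugins/overlays/linux/.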
2. Usage
Use the -h option to list the commands supported by the profile.
$ python vol.py -f /root/vm_snapshot/Test.vmem --profile=LinuxLinx_6_0_80x64 -h
Volatility Foundation Volatility Framework 2.6.1
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=LinuxLinx_6_0_80x64
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l file:///root/vm_snapshot/Test.vmem, --location=file:///root/vm_snapshot/Test.vmem
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  --physical_shift=PHYSICAL_SHIFT
                        Linux kernel physical shift address
  --virtual_shift=VIRTUAL_SHIFT
                        Linux kernel virtual shift address
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

	Supported Plugin Commands:

		imagecopy                  Copies a physical address space out as a raw DD image
		limeinfo                   Dump Lime file format information
		linux_apihooks             Checks for userland apihooks
		linux_arp                  Print the ARP table
		linux_aslr_shift           Automatically detect the Linux ASLR shift
		linux_banner               Prints the Linux banner information
		linux_bash                 Recover bash history from bash process memory
		linux_bash_env             Recover a process' dynamic environment variables
		linux_bash_hash            Recover bash hash table from bash process memory
		linux_check_afinfo         Verifies the operation function pointers of network protocols
		linux_check_creds          Checks if any processes are sharing credential structures
		linux_check_fop            Check file operation structures for rootkit modifications
		linux_check_idt            Checks if the IDT has been altered
		linux_check_inline_kernel  Check for inline kernel hooks
		linux_check_modules        Compares module list to sysfs info, if available
		linux_check_syscall        Checks if the system call table has been altered
		linux_check_tty            Checks tty devices for hooks
		linux_cpuinfo              Prints info about each active processor
		linux_dentry_cache         Gather files from the dentry cache
		linux_dmesg                Gather dmesg buffer
		linux_dump_map             Writes selected memory mappings to disk
		linux_dynamic_env          Recover a process' dynamic environment variables
		linux_elfs                 Find ELF binaries in process mappings
		linux_enumerate_files      Lists files referenced by the filesystem cache
		linux_find_file            Lists and recovers files from memory
		linux_getcwd               Lists current working directory of each process
		linux_hidden_modules       Carves memory to find hidden kernel modules
		linux_ifconfig             Gathers active interfaces
		linux_info_regs            It's like 'info registers' in GDB. It prints out all the
		linux_iomem                Provides output similar to /proc/iomem
		linux_kernel_opened_files  Lists files that are opened from within the kernel
		linux_keyboard_notifiers   Parses the keyboard notifier call chain
		linux_ldrmodules           Compares the output of proc maps with the list of libraries from libdl
		linux_library_list         Lists libraries loaded into a process
		linux_librarydump          Dumps shared libraries in process memory to disk
		linux_list_raw             List applications with promiscuous sockets
		linux_lsmod                Gather loaded kernel modules
		linux_lsof                 Lists file descriptors and their path
		linux_malfind              Looks for suspicious process mappings
		linux_memmap               Dumps the memory map for linux tasks
		linux_moddump              Extract loaded kernel modules
		linux_mount                Gather mounted fs/devices
		linux_mount_cache          Gather mounted fs/devices from kmem_cache
		linux_netfilter            Lists Netfilter hooks
		linux_netscan              Carves for network connection structures
		linux_netstat              Lists open sockets
		linux_pidhashtable         Enumerates processes through the PID hash table
		linux_pkt_queues           Writes per-process packet queues out to disk
		linux_plthook              Scan ELF binaries' PLT for hooks to non-NEEDED images
		linux_proc_maps            Gathers process memory maps
		linux_proc_maps_rb         Gathers process maps for linux through the mappings red-black tree
		linux_procdump             Dumps a process's executable image to disk
		linux_process_hollow       Checks for signs of process hollowing
		linux_psaux                Gathers processes along with full command line and start time
		linux_psenv                Gathers processes along with their static environment variables
		linux_pslist               Gather active tasks by walking the task_struct->task list
		linux_pslist_cache         Gather tasks from the kmem_cache
		linux_psscan               Scan physical memory for processes
		linux_pstree               Shows the parent/child relationship between processes
		linux_psxview              Find hidden processes with various process listings
		linux_recover_filesystem   Recovers the entire cached file system from memory
		linux_route_cache          Recovers the routing cache from memory
		linux_sk_buff_cache        Recovers packets from the sk_buff kmem_cache
		linux_slabinfo             Mimics /proc/slabinfo on a running machine
		linux_strings              Match physical offsets to virtual addresses (may take a while, VERY verbose)
		linux_threads              Prints threads of processes
		linux_tmpfs                Recovers tmpfs filesystems from memory
		linux_truecrypt_passphrase Recovers cached Truecrypt passphrases
		linux_vma_cache            Gather VMAs from the vm_area_struct cache
		linux_volshell             Shell in the memory image
		linux_yarascan             A shell in the Linux memory image
		mbrparser                  Scans for and parses potential Master Boot Records (MBRs)
		patcher                    Patches memory based on page scans
		raw2dmp                    Converts a physical memory sample to a windbg crash dump
		vmwareinfo                 Dump VMware VMSS/VMSN information
Using Volatility3
Volatility3 is used much like Volatility 2, but its option and plugin list has changed considerably; use -h to see the supported plugins. The biggest difference is that Volatility3 drops the profiles, which are cumbersome to build, in favour of symbol tables. Because Linux kernels come in so many versions, no complete set of symbol tables is provided, so to use it you must generate your own symbol file with dwarf2json.
$ ./dwarf2json linux
No files specified
Usage: dwarf2json linux [OPTIONS]
  --elf PATH            ELF file PATH to extract symbol and type information
  --elf-symbols PATH    ELF file PATH to extract only symbol information
  --elf-types PATH      ELF file PATH to extract only type information
  --system-map PATH     System.Map file PATH to extract symbol information
The --system-map option takes the kernel symbol table from the /boot directory; the --elf option must point at a vmlinux that contains debug symbols. Save the dwarf2json output in the Volatility3 root directory and it is ready to use.
$ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-137-generic > output.json
# analyze processes with Volatility3
$ python3 vol.py -f /vm_snapshot/Test.vmem -s . linux.pslist.PsList
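Volatility3 selects a symbol file by comparing the kernel banner stored in it with the banner found in the image, so a symbol file generated from the wrong vmlinux is silently never used. The check below is an added example (not code from the original post, dwarf2json or Volatility3); it assumes, as current dwarf2json output does, that the banner bytes sit base64-encoded in the constant_data field of the linux_banner symbol. The ISF document is a constructed miniature.

```python
import base64
import json

# Constructed miniature of a dwarf2json ISF file; a real output.json also
# carries the kernel's base_types, user_types and enums.
SAMPLE_ISF = json.dumps({
    "metadata": {"format": "6.2.0", "producer": {"name": "dwarf2json"}},
    "symbols": {
        "linux_banner": {
            "address": 0xffffffff81e00000,
            # constructed banner; dwarf2json copies the real bytes from .rodata
            "constant_data": base64.b64encode(
                b"Linux version 4.4.0-137-generic (constructed build string) "
                b"#1 SMP\n\x00").decode(),
        },
        "init_task": {"address": 0xffffffff81e11500},
    },
    "base_types": {}, "user_types": {}, "enums": {},
})


def isf_banner(isf_text):
    """Return the kernel banner stored in an ISF file, or None if absent."""
    isf = json.loads(isf_text)
    sym = isf.get("symbols", {}).get("linux_banner")
    if sym is None or "constant_data" not in sym:
        return None
    raw = base64.b64decode(sym["constant_data"])
    # The symbol is a NUL-terminated C string with a trailing newline.
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace").rstrip("\n")


def banner_matches_image(isf_text, image_banner):
    """True when the symbol file will be accepted for an image whose
    'Linux version ...' banner is image_banner (e.g. from strings(1))."""
    banner = isf_banner(isf_text)
    return banner is not None and banner == image_banner.rstrip("\n")
```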