Volatility工具学习

背景

VMware虚拟机系统hang死，手动重启无法触发系统panic，从而不能触发kdump产生vmcore文件进行原因分析；此种情况下需要手动生成虚拟机内存快照，进而利用Volatility工具分析系统hang死的具体原因。

配置

使用VMware创建虚拟机内存快照，同时重启虚拟机。
下载对应python版本的Volatility 。（python3 Volatility3 )
安装依赖distorm3

pip install distorm3

正常情况下，完成以上步骤后，就可以使用Volatility工具分析内存快照了。

使用

1、分析系统架构

使用imageinfo参数查看设备信息，找到适配的配置文件。

python vol.py -f /root/vm_snapshot/Test.vmem imageinfo

当然，如果系统信息确定的情况下，也可以直接使用内置的配置文件。

$ python vol.py --info
Volatility Foundation Volatility Framework 2.6.1Profiles
--------
VistaSP0x64           - A Profile for Windows Vista SP0 x64
VistaSP0x86           - A Profile for Windows Vista SP0 x86
... ...

可以看到Volatility仅内置Windows系统的配置文件，因此在Linux系统上imageinfo时，会出现无法正常执行的情形。

$ python vol.py -f /root/vm_snapshot/Test.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...

若出现这种情况，则说明Volatility的配置文件无法分析该系统的内存快照，需要手动构建你自己的 Linux 配置文件。

构建过程中，可能会出现一下编译错误，如gcc版本错误，dwarf库未找到等等，解决方案都可以在网上找到，这里就不一一赘述了。

$ cd tools/linux/
$ pwd
/root/volatility/tools/linux
$ ls
kcore  Makefile  Makefile.enterprise  module.c
$ make
make -C //lib/modules/4.9.0-19-linx-security-amd64/build CONFIG_DEBUG_INFO=y M="/root/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'CC [M]  /root/volatility/tools/linux/module.oBuilding modules, stage 2.MODPOST 1 modulesCC      /root/volatility/tools/linux/module.mod.oLD [M]  /root/volatility/tools/linux/module.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/4.9.0-19-linx-security-amd64/build M="/root/volatility/tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'CLEAN   /root/volatility/tools/linux/.tmp_versionsCLEAN   /root/volatility/tools/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-19-linx-security-amd64'

编译完成之后，目录下会出现一个module.dwarf文件，我们需要将该文件与系统符号表一起打包，创建Volatility插件。

$ ls -l module.dwarf
-rw-r--r-- 1 root root 3191958 4月  16 11:23 module.dwarf
$ ls -l /boot/System.map-4.9.0-19-linx-security-amd64
-rw-r--r-- 1 root root 3220023 6月  25  2024 /boot/System.map-4.9.0-19-linx-security-amd64
$ zip volatility/plugins/overlays/linux/Linx_6.0.80.zip tools/linux/module.dwarf /boot/System.map-4.9.0-19-linx-security-amd64
updating: tools/linux/module.dwarf (deflated 91%)
updating: boot/System.map-4.9.0-19-linx-security-amd64 (deflated 79%)

上述操作完成后，可以使用--info查询插件是否正常安装。

$ python vol.py -f /root/vm_snapshot/Test.vmem --info|grep Linx
Volatility Foundation Volatility Framework 2.6.1
LinuxLinx_6_0_80x64   - A Profile for Linux Linx_6.0.80 x64

2、使用

使用-h参数查看配置文件支持的命令。

$ python vol.py -f /root/vm_snapshot/Test.vmem --profile=LinuxLinx_6_0_80x64 -h
Volatility Foundation Volatility Framework 2.6.1
Usage: Volatility - A memory forensics analysis platform.Options:-h, --help            list all available options and their default values.Default values may be set in the configuration file(/etc/volatilityrc)--conf-file=/root/.volatilityrcUser based configuration file-d, --debug           Debug volatility--plugins=PLUGINS     Additional plugin directories to use (colon separated)--info                Print information about all registered objects--cache-directory=/root/.cache/volatilityDirectory where cache files are stored--cache               Use caching--tz=TZ               Sets the (Olson) timezone for displaying timestampsusing pytz (if installed) or tzset-f FILENAME, --filename=FILENAMEFilename to use when opening an image--profile=LinuxLinx_6_0_80x64Name of the profile to load (use --info to see a listof supported profiles)-l file:///root/vm_snapshot/Test.vmem, --location=file:///root/vm_snapshot/Test.vmemA URN location from which to load an address space-w, --write           Enable write support--dtb=DTB             DTB Address--shift=SHIFT         Mac KASLR shift address--output=text         Output in this format (support is module specific, seethe Module Output Options below)--output-file=OUTPUT_FILEWrite output in this file-v, --verbose         Verbose information--physical_shift=PHYSICAL_SHIFTLinux kernel physical shift address--virtual_shift=VIRTUAL_SHIFTLinux kernel virtual shift address-g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bitWindows 8 and above this is the address ofKdCopyDataBlock)--force               Force utilization of suspect profile--cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid forWindows 10 only)-k KPCR, --kpcr=KPCR  Specify a specific KPCR addressSupported Plugin Commands:imagecopy       Copies a physical address space out as a raw DD imagelimeinfo        Dump Lime file format informationlinux_apihooks  Checks for userland apihookslinux_arp       Print the ARP tablelinux_aslr_shift        Automatically detect the Linux ASLR shiftlinux_banner    Prints the Linux banner informationlinux_bash      Recover bash history from bash process memorylinux_bash_env  Recover a process' dynamic environment variableslinux_bash_hash Recover bash hash table from bash process memorylinux_check_afinfo      Verifies the operation function pointers of network protocolslinux_check_creds       Checks if any processes are sharing credential structureslinux_check_fop Check file operation structures for rootkit modificationslinux_check_idt Checks if the IDT has been alteredlinux_check_inline_kernel       Check for inline kernel hookslinux_check_modules     Compares module list to sysfs info, if availablelinux_check_syscall     Checks if the system call table has been alteredlinux_check_tty Checks tty devices for hookslinux_cpuinfo   Prints info about each active processorlinux_dentry_cache      Gather files from the dentry cachelinux_dmesg     Gather dmesg bufferlinux_dump_map  Writes selected memory mappings to disklinux_dynamic_env       Recover a process' dynamic environment variableslinux_elfs      Find ELF binaries in process mappingslinux_enumerate_files   Lists files referenced by the filesystem cachelinux_find_file Lists and recovers files from memorylinux_getcwd    Lists current working directory of each processlinux_hidden_modules    Carves memory to find hidden kernel moduleslinux_ifconfig  Gathers active interfaceslinux_info_regs It's like 'info registers' in GDB. It prints out all thelinux_iomem     Provides output similar to /proc/iomemlinux_kernel_opened_files       Lists files that are opened from within the kernellinux_keyboard_notifiers        Parses the keyboard notifier call chainlinux_ldrmodules        Compares the output of proc maps with the list of libraries from libdllinux_library_list      Lists libraries loaded into a processlinux_librarydump       Dumps shared libraries in process memory to disklinux_list_raw  List applications with promiscuous socketslinux_lsmod     Gather loaded kernel moduleslinux_lsof      Lists file descriptors and their pathlinux_malfind   Looks for suspicious process mappingslinux_memmap    Dumps the memory map for linux taskslinux_moddump   Extract loaded kernel moduleslinux_mount     Gather mounted fs/deviceslinux_mount_cache       Gather mounted fs/devices from kmem_cachelinux_netfilter Lists Netfilter hookslinux_netscan   Carves for network connection structureslinux_netstat   Lists open socketslinux_pidhashtable      Enumerates processes through the PID hash tablelinux_pkt_queues        Writes per-process packet queues out to disklinux_plthook   Scan ELF binaries' PLT for hooks to non-NEEDED imageslinux_proc_maps Gathers process memory mapslinux_proc_maps_rb      Gathers process maps for linux through the mappings red-black treelinux_procdump  Dumps a process's executable image to disklinux_process_hollow    Checks for signs of process hollowinglinux_psaux     Gathers processes along with full command line and start timelinux_psenv     Gathers processes along with their static environment variableslinux_pslist    Gather active tasks by walking the task_struct->task listlinux_pslist_cache      Gather tasks from the kmem_cachelinux_psscan    Scan physical memory for processeslinux_pstree    Shows the parent/child relationship between processeslinux_psxview   Find hidden processes with various process listingslinux_recover_filesystem        Recovers the entire cached file system from memorylinux_route_cache       Recovers the routing cache from memorylinux_sk_buff_cache     Recovers packets from the sk_buff kmem_cachelinux_slabinfo  Mimics /proc/slabinfo on a running machinelinux_strings   Match physical offsets to virtual addresses (may take a while, VERY verbose)linux_threads   Prints threads of processeslinux_tmpfs     Recovers tmpfs filesystems from memorylinux_truecrypt_passphrase      Recovers cached Truecrypt passphraseslinux_vma_cache Gather VMAs from the vm_area_struct cachelinux_volshell  Shell in the memory imagelinux_yarascan  A shell in the Linux memory imagembrparser       Scans for and parses potential Master Boot Records (MBRs)patcher         Patches memory based on page scansraw2dmp         Converts a physical memory sample to a windbg crash dumpvmwareinfo      Dump VMware VMSS/VMSN information

Volatility3 使用

Volatility3在用法上与Volatility差异不大，只是支持的参数列表发生了较大变化，可以使用-h查看支持的插件列表。其中较大的差别在于Volatility3抛弃了构建起来较为复杂的 profile，转而使用符号表。而由于Linux 版本很多很杂，并没有提供非常全面的符号表，想要使用的话必须使用 dwarf2json生成自己的符号文件。

$ ./dwarf2json linux
No files specified
Usage: dwarf2json linux [OPTIONS]--elf PATH           ELF file PATH to extract symbol and type information--elf-symbols PATH   ELF file PATH to extract only symbol information--elf-types PATH     ELF file PATH to extract only type information--system-map PATH    System.Map file PATH to extract symbol information

--system-map参数指定/boot目录下的系统符号表文件，--elf文件必须指定带调试符号的vmlinuz文件。将dwarf2json的输出结果保存到Volatility3根目录，就可以正常使用了。

$ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-137-generic > output.json
# Volatility3分析进程
$ python3 vol.py -f /vm_snapshot/Test.vmem -s . linux.pslist.PsList