Memory Dump Analysis - Linux -

Introduction

Why you would take a memory dump and what you can do with one is explained at the linked pages, so I'll skip that here.

Tools

  • LiME (Linux Memory Extractor)
  • volatility

Usage

Prerequisites

# kernel headers and a toolchain are needed to build the LiME module and the volatility profile module
sudo apt install -y linux-headers-$(uname -r)
sudo apt install -y build-essential
# volatility 2.x runs on Python 2; dwarfdump is used to extract the kernel's type information
sudo apt install -y dwarfdump pcregrep libpcre++-dev python-dev python-pip
pip install pycrypto distorm3 openpyxl ujson

Downloads & Build

LiME

git clone https://github.com/504ensicsLabs/LiME
cd LiME/src/
make   # produces lime-$(uname -r).ko for the running kernel

volatility

git clone https://github.com/volatilityfoundation/volatility
cd volatility/tools/linux
# build the dummy module against the running kernel with debug info, then extract its DWARF data
sudo make -C /lib/modules/$(uname -r)/build CONFIG_DEBUG_INFO=y M=$PWD modules
dwarfdump -di ./module.o > module.dwarf
# the zip file name determines the profile name: Debian4908.zip -> LinuxDebian4908x64
sudo zip Debian4908.zip module.dwarf /boot/System.map-$(uname -r)
cd ../../ # move to project root
cp tools/linux/Debian4908.zip volatility/plugins/overlays/linux/

dump

# on the target: write the dump to a local file
sudo insmod lime-$(uname -r).ko "path=dump.mem format=lime timeout=0"
# OR stream it over the network: LiME listens on TCP port 4444 on the target ...
sudo insmod lime-$(uname -r).ko "path=tcp:4444 format=lime timeout=0"
# ... and the analysis host connects to the target (10.10.1.10) to receive the dump
nc 10.10.1.10 4444 > dump.mem

# cleanup
sudo rmmod lime
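Before handing a dump to volatility it is worth checking that it is well-formed, especially after a transfer over nc, where a dropped connection leaves a silently truncated file. The following Python 3 script is an added example (not part of the original post, and not code from the LiME or volatility projects): it parses the container that format=lime writes, where every physical-memory range is preceded by a 32-byte little-endian header (magic 0x4C694D45, version 1, start address, inclusive end address, 8 reserved bytes), and reports the ranges it finds together with the first inconsistency it hits. The sample dumps are constructed inside the script and the function names are my own.

```python
import mmap
import struct
import sys

# LiME on-disk header (format=lime): magic, version, s_addr, e_addr, reserved[8]
LIME_MAGIC = 0x4C694D45            # appears as the bytes "EMiL" on disk
LIME_VERSION = 1
LIME_HEADER = struct.Struct("<IIQQ8s")   # 32 bytes, little-endian


def parse_lime(data):
    """Walk a LiME dump without copying the payloads.

    Returns (segments, status). Each segment is a tuple
    (start_addr, end_addr, payload_offset, bytes_present); status is "ok"
    or a description of the first problem found, so the caller can decide
    whether the dump is usable before spending time on analysis.
    """
    segments = []
    off = 0
    size = len(data)
    while off < size:
        if off + LIME_HEADER.size > size:
            return segments, "truncated header at offset %d" % off
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            return segments, "bad magic 0x%08x at offset %d" % (magic, off)
        if version != LIME_VERSION:
            return segments, "unsupported LiME version %d" % version
        if e_addr < s_addr:
            return segments, "invalid range 0x%x-0x%x at offset %d" % (s_addr, e_addr, off)
        length = e_addr - s_addr + 1          # e_addr is inclusive
        payload_off = off + LIME_HEADER.size
        present = min(length, size - payload_off)
        segments.append((s_addr, e_addr, payload_off, present))
        if present < length:
            return segments, ("truncated payload: range 0x%x-0x%x has %d of %d bytes"
                              % (s_addr, e_addr, present, length))
        off = payload_off + length
    return segments, "ok"


def physical_bytes(segments):
    """Total physical memory covered by the ranges (what volatility will see)."""
    return sum(e - s + 1 for s, e, _off, _present in segments)


def build_lime(ranges):
    """Constructed test data: serialise (start_addr, payload) pairs in LiME format."""
    out = b""
    for s_addr, payload in ranges:
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr,
                                s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return out


# Constructed sample: two RAM ranges as a real dump would have them, plus a
# copy with the last 8 bytes missing, as a broken nc transfer would leave it.
SAMPLE_DUMP = build_lime([(0x1000, b"A" * 16), (0x100000, b"B" * 32)])
TRUNCATED_DUMP = SAMPLE_DUMP[:-8]


def check_file(path):
    """Map a real dump read-only and report its ranges; returns the status string."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            segments, status = parse_lime(mm)
    for s_addr, e_addr, _off, present in segments:
        print("range 0x%012x-0x%012x  %d bytes present" % (s_addr, e_addr, present))
    print("physical memory described: %d bytes, status: %s"
          % (physical_bytes(segments), status))
    return status


if __name__ == "__main__":
    if len(sys.argv) == 2:
        sys.exit(0 if check_file(sys.argv[1]) == "ok" else 1)
    # no file given: demonstrate on the constructed samples
    print("intact sample:   ", parse_lime(SAMPLE_DUMP)[1])
    print("truncated sample:", parse_lime(TRUNCATED_DUMP)[1])
```

Run it as `python3 lime_check.py dump.mem` after the transfer; a non-zero exit means the file should be re-acquired rather than analysed. The headers are read with `unpack_from` over an mmap so multi-gigabyte dumps are not loaded into memory.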

analysis

# list plugins and profiles; the new profile should appear as LinuxDebian4908x64
python vol.py --info 
# sanity check: print the kernel banner from the dump (the profile must match the dumped kernel)
python vol.py --plugins=contrib/plugins -f debian-latest.lime --profile=LinuxDebian4908x64 linux_banner

Links