Passerby A · 2014/08/22 16:44

0x00 Preface


To detect rootkits on Linux, I tried Volatility, a tool I had long known about but never used. Given the actual situation of domestic servers, CentOS 5.5 was chosen as the experimental platform. I had assumed using the tool would be fairly simple, but reality turned out to be rather convoluted... After plenty of practice and lessons learned, I have sorted my notes into an FAQ, which forms this article, for exchange and discussion with friends.

0x01 Body


Q1: What is Volatility?

A1: Volatility is a cross-platform memory-forensics tool written in Python. Its purpose is to extract volatile data from memory in computer-crime investigations, and it can also be used for the detection and removal of rootkits.


Q2: What’s the general principle?

A2: The Linux System.map file lists the addresses of the kernel's symbols (including the system calls), while the kernel headers/source describe the kernel's data structures; dwarfdump turns the latter into a module.dwarf file. Packaging these two files together gives a profile. Using this profile to parse the dumped physical memory, it is easy to enumerate active processes (linux_psaux), network connections (linux_netstat), open files (linux_lsof), loaded kernel modules (linux_lsmod), and so on, and thereby find a rootkit hiding among them.


Q3: Python 2.6 is installed on CentOS 5.x to run Volatility, but yum, which depends on Python 2.4, no longer runs.

A3: After compiling and installing Python 2.6, do the following:

# mv /usr/bin/python /usr/bin/python2.4
# ln -s /usr/local/bin/python2.6 /usr/bin/python
# vi /usr/bin/yum

Change the first line of the file from #!/usr/bin/python to #!/usr/bin/python2.4


Q4: python vol.py is executed and an error message is displayed:

Volatile Systems Volatility Framework 2.3.1
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)

A4: Volatility requires PyCrypto for its hash operations:

# yum install pycrypto

Q5: After running yum install pycrypto, Python still prompts:

Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)

A5: Print the path of the Crypto library and verify whether Python 2.7 can import it:

# python
import Crypto
import os
print(Crypto.__file__)
print(dir(Crypto))
print(os.listdir(os.path.dirname(Crypto.__file__)))

If Python 2.4 can import the Crypto library but the new Python cannot, yum installed it for Python 2.4 only; copy it into the new Python's site-packages:

# cp -ivR /usr/lib/python2.4/site-packages/Crypto /usr/lib/python2.7/site-packages/

Q6: After python vol.py is executed, it prompts:

RuntimeWarning: Python C API version mismatch for module Crypto.Hash.MD4: This Python has API version 1013, module Crypto.Hash.MD4 has version 1012.
from Crypto.Hash import MD5, MD4

A6: The pycrypto installed by yum or apt was built for another Python version; the warning does not affect the use of pycrypto. To get rid of it, build pycrypto from source against the Python that runs Volatility:

# wget https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz
# tar zxvf pycrypto-2.6.1.tar.gz
# cd pycrypto-2.6.1
# python setup.py install
# ll /usr/local/lib/python2.7/site-packages/Crypto/

Q7: Now that Volatility runs normally, it is time to make a profile. How is a profile created?

A7: A separate profile has to be created for each distribution's kernel; profiles are generally not portable between kernels. For example (Ubuntu 12.04, kernel 3.2.0-23-generic):

# cd volatility/tools/linux
# make
# head module.dwarf
# zip volatility/volatility/plugins/overlays/linux/Ubuntu1204.zip volatility/tools/linux/module.dwarf /boot/System.map-3.2.0-23-generic

Q8: CentOS 5.x does not seem to ship dwarfdump by default.

A8: CentOS does not provide a dwarfdump package, but the Fedora repository does; in principle you just run yum install elfutils-libelf-devel. Unfortunately, even with elfutils-libelf-devel installed, dwarfdump still cannot be found. So build it yourself:

# wget http://www.prevanders.net/libdwarf-20140519.tar.gz    // or download the latest version from the website
# tar zxvf libdwarf-20140519.tar.gz
# cd dwarf-20140519
# ./configure
# make dd
// You may need to be root for the following copy commands
# cp dwarfdump/dwarfdump /usr/local/bin
# cp dwarfdump/dwarfdump.conf /usr/local/lib

Q9: module.dwarf cannot be compiled on CentOS 5.x?

A9: Install the kernel package and the matching kernel headers/sources:

# yum install kernel-$(uname -r) kernel-devel-$(uname -r) -y    // CentOS
# apt-get install linux-headers-`uname -r`                        // Ubuntu

If the repository has no package matching the running kernel, download and install it manually. Packages for supported versions can usually be downloaded from http://pkgs.org/download/kernel-headers; otherwise, search for them with Google.


Q10: The profile is created successfully and it is time to dump memory. But after executing the following command:

# dd if=/dev/mem of=/tmp/ram.dump bs=1MB count=1024

the dump contains only 1MB of memory, not 1GB.

A10: Since a certain Linux kernel version in the 2.6.x series, access to physical memory through /dev/mem is restricted (only the first 1MB is readable), so the complete memory cannot be dumped this way. Use a third-party tool such as LiME or fmem to dump memory.


Q11: Building the LiME source only produces a .ko driver file, not an executable. How is memory dumped?

A11: LiME is a kernel module; loading it with the dump parameters performs the dump:

# insmod lime.ko "path=/tmp/mem.lime format=lime"

Q12: LiME works well on Ubuntu/Debian. Why does it fail on CentOS?

# insmod lime.ko "path=/tmp/mem.lime format=lime"
insmod: error inserting 'lime.ko': -1 Unknown symbol in module

A12: The insmod command on CentOS does not accept the module parameters wrapped in double quotes. Run:

# insmod lime.ko path=/tmp/mem.lime format=lime


Q13: To check the network connections in the dumped memory with Volatility, run the following command on CentOS:

# vol -f /tmp/centos.lime --profile=LinuxCentOS510.zip   linux_netstat

It prompts:

ERROR: volatility.addrspace: Invalid profile LinuxCentOS510.zip selected

A13: Giving the absolute path of the profile zip after --profile does not help either; I tried that too. After re-reading the English documentation: the profile zip is created in the directory volatility/plugins/overlays/linux/. When the main program vol.py starts, it reads the zip files in that directory and automatically assigns each profile a new name, and that name is what makes the profile callable. To query the existing profile names, run:

# vol --info | grep Linux
LinuxCentOS505x64 - A Profile for Linux CentOS510 x64
linux_banner            - Prints the Linux banner information
linux_yarascan          - A shell in the Linux memory image

So the correct command to invoke the Volatility plugin is:

# vol -f /tmp/centos.lime --profile=LinuxCentOS510x64 linux_netstat

Q14: Running the following on CentOS 5.x x86_64:

# vol -f /tmp/centos.lime --profile=LinuxCentOS510x64 linux_netstat

gives the error message:

No suitable address space mapping found

A14: This problem involves the relevant source in ./volatility/plugins/overlays/linux/linux64.py:

# vi linux64.py
class VolatilityDTB(obj.VolatilityMagic):
    """A scanner for DTB values."""
    def generate_suggestions(self):
        """Tries to locate the DTB."""
        profile = self.obj_vm.profile
        yield profile.get_symbol("init_level4_pgt") - 0xffffffff80000000

Possible cause: the 2.6.18.x kernel of CentOS x86_64 is compiled with CONFIG_RELOCATABLE=y, and the first 2MB of physical memory are reserved, so the kernel is loaded starting at physical address 0x200000. When converting the virtual address of init_level4_pgt into its physical address (the DTB), the 2MB offset therefore has to be added: DTB address = get_symbol("init_level4_pgt") - 0xffffffff80000000 (2G) + 0x200000 (2M) = get_symbol("init_level4_pgt") - 0xffffffff7fe00000. So the code needs to be modified as follows:

# cd ../volatility/plugins/overlays/linux
# vi linux.py

On line 1000, change shift = 0xffffffff80000000 to shift = 0xffffffff7fe00000.

# vi linux64.py

Also change line 38 of linux64.py from

yield profile.get_symbol("init_level4_pgt") - 0xffffffff80000000

to

yield profile.get_symbol("init_level4_pgt") - 0xffffffff7fe00000

Execute the command again and everything works. Done.
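The shift arithmetic from A14, as an added example that is not part of the original post or of Volatility's own code: it reads init_level4_pgt from a System.map, computes the DTB candidate with the stock shift and with the 2MB-relocated shift, and picks the one whose page points at something that looks like a PML4 (kernel-space entry 511 present and pointing inside RAM). The System.map lines and the 8MB image are constructed samples, and the PML4 heuristic is this example's own assumption.

```python
"""Choose the DTB (physical address of init_level4_pgt) for a Linux x86_64 dump."""
import struct

DEFAULT_SHIFT = 0xffffffff80000000    # shift Volatility 2.3.1 uses in linux64.py
RELOCATED_SHIFT = 0xffffffff7fe00000  # DEFAULT_SHIFT - 0x200000: kernel loaded at 2MB

# Constructed System.map excerpt (addresses are illustrative, not from a real kernel)
SYSTEM_MAP = """\
ffffffff80200000 T _text
ffffffff80201000 D init_level4_pgt
ffffffff80203000 D level3_kernel_pgt
"""

def find_symbol(system_map_text, name):
    """Return the virtual address of `name` from System.map text ('addr type name')."""
    for line in system_map_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == name:
            return int(parts[0], 16)
    raise KeyError(name)

def looks_like_pml4(dump, phys):
    """Heuristic (assumption): a PML4 is 4KB-aligned and its entry 511, which maps
    0xffffffff80000000, has the present bit set and a frame address inside the image."""
    if phys < 0 or phys % 0x1000 or phys + 0x1000 > len(dump):
        return False
    entries = struct.unpack_from("<512Q", dump, phys)
    kernel_entry = entries[511]
    frame = kernel_entry & 0x000ffffffffff000
    return bool(kernel_entry & 1) and frame < len(dump)

def choose_dtb(system_map_text, dump):
    """Try the stock shift first, then the relocated one; return (dtb, shift) or (None, None)."""
    virt = find_symbol(system_map_text, "init_level4_pgt")
    for shift in (DEFAULT_SHIFT, RELOCATED_SHIFT):
        phys = virt - shift
        if looks_like_pml4(dump, phys):
            return phys, shift
    return None, None

def make_sample_dump(pml4_phys, size=8 * 1024 * 1024):
    """Constructed 8MB image with a fake PML4 at pml4_phys whose entry 511 points
    two pages further on, flags 0x007 (present, writable, user) as in head.S."""
    dump = bytearray(size)
    struct.pack_into("<Q", dump, pml4_phys + 511 * 8, (pml4_phys + 0x2000) | 0x007)
    return bytes(dump)

if __name__ == "__main__":
    dtb, shift = choose_dtb(SYSTEM_MAP, make_sample_dump(0x401000))
    print("DTB 0x%x found with shift 0x%x" % (dtb, shift))
```

On a real image, replace SYSTEM_MAP with the contents of the dump host's /boot/System.map and the sample bytes with the raw dump; a hit with RELOCATED_SHIFT is the case that needs the linux.py/linux64.py change above.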


Q15: Does Volatility have requirements on the Linux kernel version? What is its scope of support?

A15: The current version, Volatility 2.3.1, supports:

32-bit Linux kernels 2.6.11 to 3.5
64-bit Linux kernels 2.6.11 to 3.5
OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc.

Other systems:

Windows:
32-bit Windows XP Service Pack 2 and 3
32-bit Windows 2003 Server Service Pack 0, 1, 2
32-bit Windows Vista Service Pack 0, 1, 2
32-bit Windows 2008 Server Service Pack 1, 2
32-bit Windows 7 Service Pack 0, 1
64-bit Windows XP Service Pack 1 and 2
64-bit Windows 2003 Server Service Pack 1 and 2
64-bit Windows Vista Service Pack 0, 1, 2
64-bit Windows 2008 Server Service Pack 1 and 2
64-bit Windows 2008 R2 Server Service Pack 0 and 1
64-bit Windows 7 Service Pack 0 and 1

Mac OS X (new):
32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
32-bit 10.6.x Snow Leopard
64-bit 10.6.x Snow Leopard
32-bit 10.7.x Lion
64-bit 10.7.x Lion
64-bit 10.8.x Mountain Lion (there is no 32-bit version)

0x03 Addendum


To make Volatility easier to invoke, link the executable into the PATH:

# ln -s /pentoo/volatility-2.3.1/vol.py /usr/bin/vol