{"id":553,"date":"2016-01-16T23:11:54","date_gmt":"2016-01-16T15:11:54","guid":{"rendered":"http:\/\/blog.md5.red\/?p=553"},"modified":"2016-01-19T14:29:22","modified_gmt":"2016-01-19T06:29:22","slug":"linux%e4%b8%8b%e5%86%85%e5%ad%98%e5%8f%96%e8%af%81%e5%b7%a5%e5%85%b7volatility%e7%9a%84%e4%bd%bf%e7%94%a8","status":"publish","type":"post","link":"https:\/\/blog.md5.red\/?p=553","title":{"rendered":"Linux\u4e0b\u5185\u5b58\u53d6\u8bc1\u5de5\u5177Volatility\u7684\u4f7f\u7528"},"content":{"rendered":"

#01\u7b80\u4ecb<\/strong><\/p>\n

Volatility\u662f\u5f00\u6e90\u7684Windows\uff0cLinux\uff0cMaC\uff0cAndroid\u7684\u5185\u5b58\u53d6\u8bc1\u5206\u6790\u5de5\u5177\uff0c\u7531python\u7f16\u5199\u6210\uff0c\u547d\u4ee4\u884c\u64cd\u4f5c\uff0c\u652f\u6301\u5404\u79cd\u64cd\u4f5c\u7cfb\u7edf\u3002<\/strong>
\n\u9879\u76ee\u5730\u5740\uff1ahttps:\/\/code.google.com\/p\/volatility\/<\/a>
\n\u53ea\u4ecb\u7ecd\u7b80\u5355\u7684\u4f7f\u7528\uff0c\u8be6\u7ec6\u4f7f\u7528\u65b9\u6cd5\u53ef\u4ee5\u770bCheatSheet\u3002\u5728\u5b98\u65b9\u7f51\u7ad9\u5305\u542bLinux\u7684\u76f8\u5173\u547d\u4ee4\u53c2\u8003\uff1a<\/p>\n

https:\/\/code.google.com\/p\/volatility\/wiki\/LinuxCommandReference23#linux_pidhashtable\uff0c\u542b\u4ee5\u4e0b\u5185\u5bb9<\/p>\n

Processes\r\nlinux_pslist\r\nlinux_psaux\r\nlinux_pstree\r\nlinux_pslist_cache\r\nlinux_pidhashtable\r\nlinux_psxview\r\nlinux_lsof\r\nProcess\u00a0Memory\r\nlinux_memmap\r\nlinux_proc_maps\r\nlinux_dump_map\r\nlinux_bash\r\nKernel\u00a0Memory\u00a0and\u00a0Objects\r\nlinux_lsmod\r\nlinux_moddump\r\nlinux_tmpfs\r\nRootkit\u00a0Detection\r\nlinux_check_afinfo\r\nlinux_check_tty\r\nlinux_keyboard_notifier\r\nlinux_check_creds\r\nlinux_check_fop\r\nlinux_check_idt\r\nlinux_check_syscall\r\nlinux_check_modules\r\nlinux_check_creds\r\nNetworking\r\nlinux_arp\r\nlinux_ifconfig\r\nlinux_route_cache\r\nlinux_netstat\r\nlinux_pkt_queues\r\nlinux_sk_buff_cache\r\nSystem\u00a0Information\r\nlinux_cpuinfo\r\nlinux_dmesg\r\nlinux_iomem\r\nlinux_slabinfo\r\nlinux_mount\r\nlinux_mount_cache\r\nlinux_dentry_cache\r\nlinux_find_file\r\nlinux_vma_cache\r\nMiscellaneous\r\nlinux_volshell\r\nlinux_yarascan<\/span><\/pre>\n
#02\u5b89\u88c5<\/strong>
\n\u6e90\u4ee3\u7801\u5b89\u88c5\u65b9\u6cd5\uff1a
\napt-get install subversion-tools
\nsvn checkout http:\/\/volatility.googlecode.com\/svn\/trunk\/ \/usr\/local\/src\/volatility\/<\/code>
\n\u53c2\u8003\uff1ahttps:\/\/code.google.com\/p\/volatility\/wiki\/VolatilityInstallation<\/a><\/p>\n
Back Track\u548cKali Linux\u4e2d\u81ea\u5e26\u6b64\u7a0b\u5e8f\u3002
\n\u4ee5Kali-Linux\u4e3a\u4f8b\uff0cvolatility\u5728\u201c\u5e94\u7528\u7a0b\u5e8f\u201d-\u201cKali Linux\u201d-\u201c\u6570\u5b57\u53d6\u8bc1\u201d-\u201c\u5185\u5b58\u53d6\u8bc1\u5de5\u5177\u96c6\u201d\u4e2d\u3002<\/p>\n
#03\u57fa\u672c\u4f7f\u7528\u547d\u4ee4<\/strong>
\n<\/code><\/p>\n
.\/vol.py\u00a0\u2010f\u00a0[image]\u00a0\u00ad\u2010profile=[profile]\u00a0[plugin]<\/span><\/pre>\n
\u5e94\u8be5\u662f\u4e00\u4e2aBug\uff0c-f\u540e\u9762\u9700\u8981\u8ddf\u7edd\u5bf9\u8def\u5f84\uff08Kali\uff09\u3002<\/p>\n
    \n
      \n
    1. \u67e5\u770b\u626b\u63cf\u68c0\u67e5\u3001\u63d2\u4ef6\u3001\u5730\u5740\u7a7a\u95f4\u7b49\u4fe1\u606f<\/li>\n<\/ol>\n<\/ol>\n
      .\/vol.py\u00a0--info<\/span><\/pre>\n
        \n
          \n
        1. \u67e5\u770b\u5e2e\u52a9\u4fe1\u606f<\/li>\n<\/ol>\n<\/ol>\n
          .\/vol.py\u00a0-h\/--help<\/span><\/pre>\n
            \n
              \n
            1. \u67e5\u770b\u6307\u5b9a\u63d2\u4ef6\u7684\u8bf4\u660e<\/li>\n<\/ol>\n<\/ol>\n
              .\/vol.py\u00a0[plugin]\u00a0--help<\/span><\/pre>\n
                \n
                  \n
                1. \u4ece\u6269\u5c55\u76ee\u5f55\u52a0\u8f7d\u63d2\u4ef6<\/li>\n<\/ol>\n<\/ol>\n
                  .\/vol.py\u00a0--plugins=[path][plugin]<\/span><\/pre>\n
                    \n
                      \n
                    1. \u68c0\u67e5\u7ed3\u679c\u8f93\u51fa<\/li>\n<\/ol>\n<\/ol>\n
                      .\/vol.py\u00a0--output-file=[file]<\/span><\/pre>\n
                      #04\u5236\u4f5cLinux\u7cfb\u7edf\u7684Profile<\/strong>
                      \nVolatility\u81ea\u5e26\u4e00\u4e9bwindows\u7cfb\u7edf\u7684profile\uff0cLinux\u7cfb\u7edf\u7684Profile\u9700\u8981\u81ea\u5df1\u5236\u4f5c\uff0c\u5236\u4f5c\u7684\u65b9\u6cd5\u5982\u4e0b\uff1a
                      \n\uff08\u5b9e\u9645\u662f\u5c06module.dwarf\u548csystem.map\u6253\u5305\u6210\u4e00\u4e2azip\u6587\u4ef6\uff0c\u63a5\u7740\u5c06zip\u6587\u4ef6\u79fb\u52a8\u5230 volatility\/plugins\/overlays\/linux\/ \u4e2d\u3002\uff09
                      \nLinux\u7684Profile\u6587\u4ef6\u662f\u4e00\u4e2azip\u7684\u538b\u7f29\u5305\u3002
                      \n\u51c6\u5907\u00a0https:\/\/code.google.com\/p\/volatility\/wiki\/LinuxMemoryForensics<\/a><\/p>\n
                      $\u00a0sudo\u00a0zip\u00a0volatility\/volatility\/plugins\/overlays\/linux\/Ubuntu1204.zip\u00a0volatility\/tools\/linux\/module.dwarf\u00a0\/boot\/System.map-3.2.0-23-generic<\/span><\/p>\n
                      \u5b9e\u9645\u4e5f\u53ef\u4ee5\u5728 https:\/\/github.com\/KDPryor\/LinuxVolProfiles<\/a> \u5904\u76f4\u63a5\u4e0b\u8f7d\u5df2\u7ecf\u505a\u597d\u7684profile\u3002
                      \n\u5728kali\u4e0b\u4f4d\u7f6e\u653e\u5728\/usr\/share\/volatility\/volatility\/plugins\/overlays\/<\/p>\n
                      \u5982\u679c\u77e5\u9053dump\u7684\u5185\u5b58\u662f\u90a3\u79cd\u64cd\u4f5c\u7cfb\u7edf\u548c\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u7684\uff0c\u53ef\u4ee5\u76f4\u63a5\u6307\u5b9aprofile;\u5982\u679c\u4e0d\u77e5\u9053\u662f\u90a3\u79cd\u7cfb\u7edf\u7684\u5185\u5b58\uff0c\u53ef\u4ee5\u4f7f\u7528imageinfo\u9009\u9879\uff0cvolatility\u4f1a\u5c1d\u8bd5\u81ea\u52a8\u5224\u65ad\u5185\u5b58\u7684\u7c7b\u578b<\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0imageinfo<\/span><\/pre>\n
                      #05\u83b7\u53d6\u5185\u5b58\u955c\u50cf<\/strong>
                      \n\u53c2\u8003\u00a0                      http:\/\/www.forensicswiki.org\/wiki\/Tools%3aMemory_Imaging<\/a><\/span><\/p>\n
                      \u6216\u8005 \u5185\u5b58\u955c\u50cf\u83b7\u53d6<\/a><\/p>\n
                      #06\u4f7f\u7528\u793a\u4f8b<\/strong>
                      \n\u68c0\u67e5\u5185\u5b58\u8fdb\u7a0b<\/p>\n
                      \"13931612006331\"<\/a><\/p>\n
                      - \u4e86\u89e3Linux\u7cfb\u7edf\u5e38\u89c1\u7cfb\u7edf\u8fdb\u7a0b\uff1b<\/p>\n
                      - \u67e5\u770b\u81ea\u52a8\u4efb\u52a1\u8fdb\u7a0b\uff1b<\/p>\n
                      - \u5982\u679c\u7cfb\u7edf\u6ca1\u6709\u91cd\u542f\u8fc7\uff0c\u4f46\u90e8\u5206\u8fdb\u7a0b\u90fd\u662f\u5f00\u673a\u542f\u52a8\uff0c\u67e5\u770b\u8fdb\u7a0b\u8fd0\u884c\u65f6\u95f4\uff1b<\/p>\n
                      \u4e0a\u9762\u6709\u8fdb\u7a0b\u53f71517\u300127157\u30017334\u521b\u5efa\u7684\u65f6\u95f4\u660e\u663e\u4e0e\u5176\u4ed6\u8fdb\u7a0b\u7684\u521b\u5efa\u65f6\u95f4\u4e0d\u540c\uff0c\u4e3a\u53ef\u7591\u8fdb\u7a0b<\/p>\n
                      \u68c0\u67e5\u8fdb\u7a0b\u8be6\u7ec6\u4fe1\u606f<\/strong>
                      \n<\/code><\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0--profile=LinuxUbuntu1004_pae32-33x86\u00a0linux_psaux<\/span><\/pre>\n
                      \"\"<\/a><\/p>\n
                      1517\u8fdb\u7a0b\uff0c\u4f4d\u7f6e\u5728\/usr\/bin\/httpd\uff0c\u53e6\u591627157\u8fdb\u7a0b\u7684\u53c2\u6570\u662f -B -c\uff0c\u901a\u8fc7\u67e5\u627ersyslogd\u7684\u5e2e\u52a9\u6587\u4ef6\u53d1\u73b0rsyslogd\u5e76\u6ca1\u6709-B\u7684\u53c2\u6570\u3002
                      \n\u901a\u8fc7linux_pidhashtable\u53c2\u6570\u53ef\u4ee5\u67e5\u627e\u5230\u9690\u85cf\u7684\u8fdb\u7a0b<\/p>\n
                      \u53ef\u4ee5\u770b\u5230\u67094\u4e2arsyslogd\u8fdb\u7a0b\u4e0e27157\u7684\u8fdb\u7a0b\u540c\u65f6\u5efa\u7acb\u3002
                      \n\u4f7f\u7528linux_netstat\u67e5\u770b\u7f51\u7edc\u94fe\u63a5\u60c5\u51b5\u3002<\/strong>
                      \n<\/code><\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0--profile=LinuxUbuntu1004_pae32-33x86\u00a0linux_netstat<\/span><\/pre>\n
                      \"\"<\/a><\/p>\n
                      \u5f02\u5e38\u94fe\u63a5\u7684\u5730\u5740\u4e3a210.177.175.82
                      \n\u53ef\u4ee5\u901a\u8fc7linux_route_cache\u53c2\u6570\u67e5\u770b\u8def\u7531\u8868\u60c5\u51b5\u3002<\/strong><\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0--profile=LinuxUbuntu1004_pae32-33x86\u00a0linux_route_cache<\/span><\/pre>\n
                      \"\"<\/a><\/p>\n
                      \u4f7f\u7528linux_lsof\u547d\u4ee4\u67e5\u770b1517\u548c27157\u8fdb\u7a0b\u76f8\u5173\u7684\u6587\u4ef6<\/strong><\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0--profile=LinuxUbuntu1004_pae32-33x86\u00a0linux_lsof<\/span><\/pre>\n
                      \"\"<\/a><\/p>\n
                      \u6ce8\u610f\u201c\/tmp\/.ICE-unix\/-log\/\u201d\u6587\u4ef6
                      \n\u4f7f\u7528linux_proc_maps\u53c2\u6570\uff0c\u53ef\u4ee5\u67e5\u770b\u8fdb\u7a0b\u7ec6\u8282\u5305\u62ec\u5171\u4eab\u5e93\u3001\u5f00\u59cb\u548c\u7ed3\u675f\u7684\u4f4d\u7f6e\u7b49\u4fe1\u606f<\/strong><\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0--profile=LinuxUbuntu1004_pae32-33x86\u00a0linux_proc_maps\u00a0|\u00a0grep\u00a01517<\/span><\/pre>\n
                      \u67e5\u770b\u53ef\u7591\u6587\u4ef6\u7684\u4f4d\u7f6e<\/strong><\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0--profile=LinuxUbuntu1004_pae32-33x86\u00a0linux_find_file\u00a0-F\u00a0\"\/tmp\/.ICE-unix\/-log\/httpds\"<\/span><\/pre>\n
                      \"\"<\/a><\/p>\n
                      vol\u00a0-f\u00a0\/root\/Downloads\/pexit.vmem\u00a0--profile=LinuxUbuntu1004_pae32-33x86\u00a0linux_find_file\u00a0-i\u00a00xf5a4e568\u00a0-O\u00a0\/root\/dump<\/span><\/pre>\n
                      \"\"<\/a><\/p>\n
                      strings\u00a0\/root\/dump\r\n\r\n<\/span><\/pre>\n
                      \u53c2\u8003\uff1a<\/strong><\/p>\n
                      http:\/\/sempersecurus.blogspot.com\/2013\/12\/a-forensic-overview-of-linux-perlbot.html\r\nhttps:\/\/code.google.com\/p\/volatility\/wiki\/LinuxCommandReference23#linux_pidhashtable\r\n\r\n\u8f6c\u81ea\uff1ahttp:\/\/www.freebuf.com\/articles\/system\/26763.html\r\n<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"
                      #01\u7b80\u4ecb Volatility\u662f\u5f00\u6e90\u7684Windows\uff0cLinux\uff0cMaC\uff0cAndroid\u7684\u5185\u5b58\u53d6\u8bc1\u5206\u6790\u5de5\u5177\uff0c ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[77,78,79],"class_list":["post-553","post","type-post","status-publish","format-standard","hentry","category-48","tag-volatility","tag-78","tag-79"],"_links":{"self":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts\/553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=553"}],"version-history":[{"count":5,"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts\/553\/revisions"}],"predecessor-version":[{"id":593,"href":"https:\/\/blog.md5.red\/index.php?rest_route=\/wp\/v2\/posts\/553\/revisions\/593"}],"wp:attachment":[{"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.md5.red\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}