Create a new virtual machine using ubuntu-22.04.2-desktop-amd64.iso as the installation image and complete a normal installation, choosing the minimal install and disabling automatic updates during setup.
Once the installation finishes, take a snapshot of the clean state.
Then install the required packages:
- openssh-server
- make
- gcc
- net-tools
randark@randark-test:~$ sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak
randark@randark-test:~$ sudo nano /etc/apt/sources.list
# replace the apt source repositories with the USTC (中科大) mirror
randark@randark-test:~$ sudo apt update
......
randark@randark-test:~$ sudo apt install openssh-server gcc make net-tools
......
randark@randark-test:~$ sudo systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
randark@randark-test:~$ sudo systemctl start ssh
Next, work on the machine over ssh and sftp: first transfer the AVML binary to the test machine and make it executable, then start acquiring the memory image.
randark@randark-test:~$ chmod +x avml
randark@randark-test:~$ sudo ./avml out.lime
randark@randark-test:~$ ls -lh
total 4.1G
-rwxrwxr-x 1 randark randark 6.4M 10 月 26 00:01 avml
-rw------- 1 root root 4.0G 10 月 26 00:02 out.lime
drwx------ 3 randark randark 4.0K 10 月 25 23:52 snap
The memory image file out.lime has been produced successfully.
Next, build the dwarf kernel debug file and obtain the System.map kernel symbol map file.
First, determine the Linux kernel version:
randark@randark-test:~$ uname -a
Linux randark-test 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Then transfer the sources for building the dwarf kernel debug file, volatility/tools/linux, and try to compile them:
randark@randark-test:~/linux$ ls -lh
total 32K
drwxrwxr-x 2 randark randark 4.0K 10 月 24 23:54 kcore
-rw-rw-r-- 1 randark randark 384 10 月 24 23:54 Makefile
-rw-rw-r-- 1 randark randark 314 10 月 24 23:54 Makefile.enterprise
-rw-rw-r-- 1 randark randark 18K 10 月 24 23:54 module.c
randark@randark-test:~/linux$ make
make -C //lib/modules/6.2.0-35-generic/build CONFIG_DEBUG_INFO=y M="/home/randark/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-6.2.0-35-generic'
warning: the compiler differs from the one used to build the kernel
The kernel was built by: x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
You are using: gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
CC [M] /home/randark/linux/module.o
/home/randark/linux/module.c:136: warning: "__rcu" redefined
136 | #define __rcu
|
In file included from <command-line>:
././include/linux/compiler_types.h:52: note: this is the location of the previous definition
52 | # define __rcu BTF_TYPE_TAG(rcu)
|
MODPOST /home/randark/linux/Module.symvers
ERROR: modpost: missing MODULE_LICENSE() in /home/randark/linux/module.o
make[2]: *** [scripts/Makefile.modpost:138: /home/randark/linux/Module.symvers] Error 1
make[1]: *** [Makefile:1978: modpost] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-6.2.0-35-generic'
make: *** [Makefile:10: dwarf] Error 2
The build fails with a fatal error: modpost: missing MODULE_LICENSE() in /home/randark/linux/module.o
Add the following statement at the end of module.c:
MODULE_LICENSE("GPL");
or run:
echo 'MODULE_LICENSE("GPL");' >> module.c
Try compiling again:
randark@randark-test:~/linux$ make
make -C //lib/modules/6.2.0-35-generic/build CONFIG_DEBUG_INFO=y M="/home/randark/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-6.2.0-35-generic'
warning: the compiler differs from the one used to build the kernel
The kernel was built by: x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
You are using: gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
CC [M] /home/randark/linux/module.o
/home/randark/linux/module.c:136: warning: "__rcu" redefined
136 | #define __rcu
|
In file included from <command-line>:
././include/linux/compiler_types.h:52: note: this is the location of the previous definition
52 | # define __rcu BTF_TYPE_TAG(rcu)
|
MODPOST /home/randark/linux/Module.symvers
CC [M] /home/randark/linux/module.mod.o
LD [M] /home/randark/linux/module.ko
BTF [M] /home/randark/linux/module.ko
Skipping BTF generation for /home/randark/linux/module.ko due to unavailability of vmlinux
make[1]: Leaving directory '/usr/src/linux-headers-6.2.0-35-generic'
dwarfdump -di module.ko > module.dwarf
/bin/sh: 1: dwarfdump: not found
Another fatal error appears: /bin/sh: 1: dwarfdump: not found
After consulting the Creating a new profile documentation, the following tool needs to be installed:
- dwarfdump
Try compiling again:
randark@randark-test:~/linux$ make
make -C //lib/modules/6.2.0-35-generic/build CONFIG_DEBUG_INFO=y M="/home/randark/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-6.2.0-35-generic'
warning: the compiler differs from the one used to build the kernel
The kernel was built by: x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
You are using: gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
CC [M] /home/randark/linux/module.o
/home/randark/linux/module.c:136: warning: "__rcu" redefined
136 | #define __rcu
|
In file included from <command-line>:
././include/linux/compiler_types.h:52: note: this is the location of the previous definition
52 | # define __rcu BTF_TYPE_TAG(rcu)
|
MODPOST /home/randark/linux/Module.symvers
CC [M] /home/randark/linux/module.mod.o
LD [M] /home/randark/linux/module.ko
BTF [M] /home/randark/linux/module.ko
Skipping BTF generation for /home/randark/linux/module.ko due to unavailability of vmlinux
make[1]: Leaving directory '/usr/src/linux-headers-6.2.0-35-generic'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/6.2.0-35-generic/build M="/home/randark/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-6.2.0-35-generic'
CLEAN /home/randark/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-6.2.0-35-generic'
randark@randark-test:~/linux$ ls -lh
total 3.0M
drwxrwxr-x 2 randark randark 4.0K 10 月 24 23:54 kcore
-rw-rw-r-- 1 randark randark 384 10 月 24 23:54 Makefile
-rw-rw-r-- 1 randark randark 314 10 月 24 23:54 Makefile.enterprise
-rw-rw-r-- 1 randark randark 18K 10 月 26 00:14 module.c
-rw-rw-r-- 1 randark randark 2.9M 10 月 26 00:19 module.dwarf
The dwarf kernel debug file has been produced successfully. Next, obtain the System.map kernel symbol map file:
randark@randark-test:~/linux$ ls -lh /boot/System.map-$(uname -r)
-rw------- 1 root root 7.7M 10 月 6 17:29 /boot/System.map-6.2.0-35-generic
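As an added example that is not part of the original post, the following POSIX shell script wraps the steps above (checking for dwarfdump and the kernel headers, adding MODULE_LICENSE only when it is absent so re-runs do not duplicate it, building module.dwarf) and then packs module.dwarf with the System.map of the running kernel into the Volatility 2 profile zip. The source directory $SRC, the profile name $PROFILE and the `build` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): guarded Volatility 2 profile build.
# Assumes volatility/tools/linux is checked out in $SRC and names the profile $PROFILE.
set -u

SRC="${SRC:-$HOME/linux}"          # directory holding Makefile + module.c
PROFILE="${PROFILE:-Ubuntu2204}"    # hypothetical profile name

# Report every missing prerequisite at once instead of failing one make at a time.
check_prereqs() {
    rel=$(uname -r)
    missing=""
    for tool in make gcc dwarfdump zip; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -d "/lib/modules/$rel/build" ] || missing="$missing linux-headers-$rel"
    [ -e "/boot/System.map-$rel" ] || missing="$missing System.map-$rel"
    [ -z "$missing" ] || { echo "missing:$missing" >&2; return 1; }
}

# Append MODULE_LICENSE("GPL") only if module.c has none, so re-running is safe
# (a bare `echo >> module.c` adds another copy on every run).
ensure_module_license() {
    grep -q 'MODULE_LICENSE(' "$1" && return 0
    printf '\nMODULE_LICENSE("GPL");\n' >> "$1"
}

# Extract the kernel release from a System.map path, e.g. 6.2.0-35-generic.
release_from_system_map() {
    basename "$1" | sed 's/^System\.map-//'
}

# Build module.dwarf and pack it with System.map into the profile zip.
build_profile() {
    check_prereqs || return 1
    ensure_module_license "$SRC/module.c"
    rel=$(uname -r)
    sysmap="/boot/System.map-$rel"
    # Refuse to pack a System.map that does not belong to the running kernel.
    [ "$(release_from_system_map "$sysmap")" = "$rel" ] || return 1
    (cd "$SRC" && make) || return 1
    [ -s "$SRC/module.dwarf" ] || { echo "empty module.dwarf" >&2; return 1; }
    sudo cp "$sysmap" "$SRC/System.map-$rel"      # System.map is 0600 root
    sudo chown "$(id -u)" "$SRC/System.map-$rel"
    (cd "$SRC" && zip "$PROFILE.zip" module.dwarf "System.map-$rel")
}

if [ "${1:-}" = "build" ]; then build_profile; fi
```

Run it as `sh build_profile.sh build` on the test machine; the resulting $PROFILE.zip goes into volatility/plugins/overlays/linux/.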