Server hosting, colocation, managed hosting, IDC, domains, web hosting - KOREA IDC
(Linux) Inspecting a memory dump with volatility
2014/04/09 09:23:19
 
 
TEST environment
 
OS : CentOS 5.9 32bit
Kernel : 2.6.18-348.el5
 
 
● Written to find processes that were hidden as a result of a system compromise or hack.
The memory must be dumped while the system is still in its infected state; only then can the lookup and the response be accurate.
 
1. Loading the LiME memory dump module and taking the dump
(The dump is not taken with the standard Linux dd command because dd cannot dump memory on recent kernels.)
[root@localhost html]# svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime-forensics
A    lime-forensics/doc
A    lime-forensics/doc/LiME_Documentation_1.1.pdf
A    lime-forensics/src
A    lime-forensics/src/main.c
A    lime-forensics/src/tcp.c
A    lime-forensics/src/disk.c
A    lime-forensics/src/lime.h
A    lime-forensics/src/Makefile.sample
A    lime-forensics/src/Makefile
체크아웃된 리비전 17.
[root@localhost html]#
[root@localhost html]# cd lime-forensics/src
[root@localhost src]# make
make -C /lib/modules/2.6.18-348.el5/build M=/free/home/sakarago/html/lime-forensics/src modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.el5-i686'
  CC [M]  /free/home/sakarago/html/lime-forensics/src/tcp.o
  CC [M]  /free/home/sakarago/html/lime-forensics/src/disk.o
  CC [M]  /free/home/sakarago/html/lime-forensics/src/main.o
  LD [M]  /free/home/sakarago/html/lime-forensics/src/lime.o
  Building modules, stage 2.
  MODPOST
  CC      /free/home/sakarago/html/lime-forensics/src/lime.mod.o
  LD [M]  /free/home/sakarago/html/lime-forensics/src/lime.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.el5-i686'
strip --strip-unneeded lime.ko
mv lime.ko lime-2.6.18-348.el5.ko
make tidy
make[1]: Entering directory `/free/home/sakarago/html/lime-forensics/src'
rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions
make[1]: Leaving directory `/free/home/sakarago/html/lime-forensics/src'
[root@localhost src]# ll
-rw-r--r-- 1 root root  1248  4월  8 13:41 Makefile
-rw-r--r-- 1 root root  1723  4월  8 13:41 Makefile.sample
-rw-r--r-- 1 root root  2117  4월  8 13:41 disk.c
-rw-r--r-- 1 root root 10164  4월  8 13:43 lime-2.6.18-348.el5.ko
-rw-r--r-- 1 root root  1861  4월  8 13:41 lime.h
-rw-r--r-- 1 root root  5028  4월  8 13:41 main.c
-rw-r--r-- 1 root root  3160  4월  8 13:41 tcp.c
[root@localhost src]#
[root@localhost src]# insmod lime-2.6.18-348.el5.ko path=memory.lime format=lime
[root@localhost src]# ll
합계 1049132
-rw-r--r-- 1 root root       1248  4월  8 13:41 Makefile
-rw-r--r-- 1 root root       1723  4월  8 13:41 Makefile.sample
-rw-r--r-- 1 root root       2117  4월  8 13:41 disk.c
-rw-r--r-- 1 root root      10164  4월  8 13:43 lime-2.6.18-348.el5.ko
-rw-r--r-- 1 root root       1861  4월  8 13:41 lime.h
-rw-r--r-- 1 root root       5028  4월  8 13:41 main.c
-r--r--r-- 1 root root 1073216576  4월  8 13:47 memory.lime   <-- dump file, the same size as physical memory
-rw-r--r-- 1 root root       3160  4월  8 13:41 tcp.c
[root@localhost src]#
[root@localhost src]# free -m
             total       used       free     shared    buffers     cached
Mem:          1010        988         21          0         99        798    <-- memory size
-/+ buffers/cache:         90        920
Swap:         4094          0       4094
[root@localhost src]# 
※ Memory dump complete
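A quick sanity check of the dump before it is moved to the analysis host, added here as an example; it is not part of the original post and not code from the LiME project. It walks the 32-byte LiME segment headers (magic 0x4C694D45, version, inclusive start and end physical address, 8 reserved bytes, as laid out in lime.h) without reading the segment bodies, adds up the physical memory covered so the total can be lined up with what free -m reported, refuses a truncated or non-LiME file, and computes a SHA-256 so the copy analysed later can be matched to the one taken on the compromised host. The two small segments in build_sample_dump() are constructed test data; on a real dump pass the path (for example memory.lime) as the first argument.

```python
import hashlib
import io
import os
import struct
import sys

# LiME segment header as laid out in lime.h (32 bytes, little-endian on x86):
#   u32 magic = 0x4C694D45 ("EMiL"), u32 version = 1,
#   u64 s_addr, u64 e_addr (inclusive physical range), u8 reserved[8]
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime(fobj):
    """Walk every segment header in a LiME-format dump without reading the
    segment bodies and return a list of (start, end, length) tuples.
    Raises ValueError on a missing, truncated or non-LiME header, the usual
    symptom of an incomplete dump or of a dump taken with format=raw or
    format=padded instead of format=lime."""
    fobj.seek(0, os.SEEK_END)
    size = fobj.tell()
    fobj.seek(0)
    segments = []
    while fobj.tell() < size:
        offset = fobj.tell()
        hdr = fobj.read(LIME_HEADER.size)
        if len(hdr) < LIME_HEADER.size:
            raise ValueError("truncated header at offset %d" % offset)
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack(hdr)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, offset))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("inverted range 0x%x-0x%x at offset %d" % (s_addr, e_addr, offset))
        length = e_addr - s_addr + 1
        fobj.seek(length, os.SEEK_CUR)  # skip the body, it is not needed for the check
        if fobj.tell() > size:
            raise ValueError("segment 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        segments.append((s_addr, e_addr, length))
    return segments


def is_valid_lime(fobj):
    """True when every header parses and every segment fits in the file."""
    try:
        parse_lime(fobj)
        return True
    except ValueError:
        return False


def physical_memory_size(segments):
    """Sum of the segment lengths: this is what should line up with the RAM
    free -m reported on the dumped host. The file itself is slightly larger,
    because every segment adds a 32-byte header."""
    return sum(length for _, _, length in segments)


def sha256_file(fobj, chunk=1 << 20):
    """Hash the whole file in chunks so a multi-gigabyte dump is never read into memory at once."""
    fobj.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def build_sample_dump():
    """Constructed test data: two small segments standing in for the physical
    memory ranges a real dump contains (those are gigabytes)."""
    seg1 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x1FFF, b"\0" * 8) + b"A" * 0x1000
    seg2 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x100000, 0x1007FF, b"\0" * 8) + b"B" * 0x800
    return seg1 + seg2


def check_dump(fobj):
    """Return (segments, physical bytes covered, sha256 hex) for a dump file object."""
    segments = parse_lime(fobj)
    return segments, physical_memory_size(segments), sha256_file(fobj)


if __name__ == "__main__":
    f = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_dump())
    segments, total, digest = check_dump(f)
    for s, e, n in segments:
        print("segment 0x%012x-0x%012x  %d bytes" % (s, e, n))
    print("physical memory covered: %d bytes (%.1f MiB)" % (total, total / 1048576.0))
    print("sha256: %s" % digest)
```

Record the printed digest together with the dump; the same script run on the analysis server must produce the same value before any Volatility plugin is trusted.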
 
2. Installing volatility and the required packages
[root@localhost html]# svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
A    volatility-read-only/vol.py
A    volatility-read-only/setup.py
A    volatility-read-only/pyinstaller.spec
A    volatility-read-only/tools
A    volatility-read-only/tools/linux
A    volatility-read-only/tools/linux/module.c
A    volatility-read-only/tools/linux/Makefile
---------------------------------(omitted)---------------------------------------------------------------------------------------------
A    volatility-read-only/PKG-INFO
A    volatility-read-only/MANIFEST.in
A    volatility-read-only/CREDITS.txt
A    volatility-read-only/README.txt
A    volatility-read-only/Makefile
체크아웃된 리비전 3603.
[root@localhost html]#
[root@localhost html]# wget http://siliconslick.com/papitools/centos/5/RPMS/i386/libdwarf-static-0.20110612-1br.el5.ss.i386.rpm
[root@localhost html]#
[root@localhost html]# ll
합계 928
-rw-r--r-- 1 root root 123726  3월  1  2013 libdwarf-0.20110612-1br.el5.ss.i386.rpm
-rw-r--r-- 1 root root 527897  3월  1  2013 libdwarf-devel-0.20110612-1br.el5.ss.i386.rpm
-rw-r--r-- 1 root root 133868  3월  1  2013 libdwarf-static-0.20110612-1br.el5.ss.i386.rpm
-rw-r--r-- 1 root root 134023  3월  1  2013 libdwarf-tools-0.20110612-1br.el5.ss.i386.rpm
drwxr-xr-x 5 root root   4096  4월  8 13:41 lime-forensics
drwxr-xr-x 8 root root   4096  4월  8 14:11 volatility-read-only
[root@localhost html]# rpm -Uvh libdwarf-*
준비 중...                  ########################################### [100%]
   1:libdwarf               ########################################### [ 25%]
   2:libdwarf-tools         ########################################### [ 50%]
   3:libdwarf-devel         ########################################### [ 75%]
   4:libdwarf-static        ########################################### [100%]
[root@localhost html]#
[root@localhost html]# python -V
Python 2.4.3
[root@localhost html]# wget sakarago.kr/Python-2.6.8.tgz
--2014-04-08 16:17:07--  http://sakarago.kr/Python-2.6.8.tgz
Resolving sakarago.kr... 218.145.31.123
Connecting to sakarago.kr|218.145.31.123|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13282574 (13M) [application/x-gzip]
Saving to: `Python-2.6.8.tgz'
100%[==========================================================================>] 13,282,574  4.51M/s   in 2.8s   
2014-04-08 16:17:09 (4.51 MB/s) - `Python-2.6.8.tgz' saved [13282574/13282574]
[root@localhost html]#
[root@localhost html]# tar xvf Python-2.6.8.tgz
[root@localhost html]# cd Python-2.6.8
[root@localhost Python-2.6.8]# ./configure --prefix=/usr/local --with-threads
[root@localhost Python-2.6.8]# make && make install
-----------------------------------------(omitted)-----------------------------------------------------------------------------------------
running install_scripts
copying build/scripts-2.6/2to3 -> /usr/local/bin
copying build/scripts-2.6/smtpd.py -> /usr/local/bin
copying build/scripts-2.6/idle -> /usr/local/bin
copying build/scripts-2.6/pydoc -> /usr/local/bin
changing mode of /usr/local/bin/2to3 to 755
changing mode of /usr/local/bin/smtpd.py to 755
changing mode of /usr/local/bin/idle to 755
changing mode of /usr/local/bin/pydoc to 755
running install_egg_info
Writing /usr/local/lib/python2.6/lib-dynload/Python-2.6.8-py2.6.egg-info
if test -f /usr/local/bin/python -o -h /usr/local/bin/python; \
        then rm -f /usr/local/bin/python; \
        else true; \
        fi
(cd /usr/local/bin; ln python2.6 python)
rm -f /usr/local/bin/python-config
(cd /usr/local/bin; ln -s python2.6-config python-config)
/usr/bin/install -c -m 644 ./Misc/python.man \
                /usr/local/share/man/man1/python.1
[root@localhost Python-2.6.8]#
[root@localhost Python-2.6.8]# python -V
Python 2.6.8
[root@localhost Python-2.6.8]#
 
 
 
 
※ The packages needed to run volatility have now been installed.
volatility is a Python tool; from volatility 2.x onward it requires Python 2.6.x or later.
 
3. Generating the vtypes and building the kernel profile
[root@localhost html]# cd volatility-read-only/tools/linux/
[root@localhost linux]# ll
합계 24
-rw-r--r-- 1 root root   378  4월  8 14:11 Makefile
-rw-r--r-- 1 root root 13831  4월  8 14:11 module.c
drwxr-xr-x 3 root root  4096  4월  8 14:11 pmem
[root@localhost linux]#
[root@localhost linux]# make
make -C //lib/modules/2.6.18-348.el5/build CONFIG_DEBUG_INFO=y M=/free/home/sakarago/html/volatility-read-only/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.el5-i686'
  CC [M]  /free/home/sakarago/html/volatility-read-only/tools/linux/module.o
/free/home/sakarago/html/volatility-read-only/tools/linux/module.c:303:5: warning: "STATS" is not defined
/free/home/sakarago/html/volatility-read-only/tools/linux/module.c:319:5: warning: "DEBUG" is not defined
  Building modules, stage 2.
  MODPOST
  CC      /free/home/sakarago/html/volatility-read-only/tools/linux/module.mod.o
  LD [M]  /free/home/sakarago/html/volatility-read-only/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.el5-i686'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-348.el5/build M=/free/home/sakarago/html/volatility-read-only/tools/linux clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.el5-i686'
  CLEAN   /free/home/sakarago/html/volatility-read-only/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.el5-i686'
[root@localhost linux]# head module.dwarf
.debug_info
<0><0+11><DW_TAG_compile_unit> DW_AT_stmt_list<0> DW_AT_high_pc<0x0> DW_AT_low_pc<0x0> DW_AT_producer<GNU C 4.1.2 20080704 (Red Hat 4.1.2-54)> DW_AT_language<DW_LANG_C89> DW_AT_name</free/home/sakarago/html/volatility-read-only/tools/linux/module.c> DW_AT_comp_dir</usr/src/kernels/2.6.18-348.el5-i686>
<1><37><DW_TAG_structure_type> DW_AT_sibling<<64>> DW_AT_name<sched_param> DW_AT_byte_size<4> DW_AT_decl_file<44 include/linux/sched.h> DW_AT_decl_line<38>
<2><49><DW_TAG_member> DW_AT_name<sched_priority> DW_AT_decl_file<44 include/linux/sched.h> DW_AT_decl_line<39> DW_AT_type<<64>> DW_AT_data_member_location<DW_OP_plus_uconst 0>
<1><64><DW_TAG_base_type> DW_AT_name<int> DW_AT_byte_size<4> DW_AT_encoding<DW_ATE_signed>
[root@localhost linux]#
[root@localhost linux]# ll
합계 1116
-rw-r--r-- 1 root root     378  4월  8 14:11 Makefile
-rw-r--r-- 1 root root       0  4월  8 16:33 Module.markers
-rw-r--r-- 1 root root       0  4월  8 16:33 Module.symvers
-rw-r--r-- 1 root root   13831  4월  8 14:11 module.c
-rw-r--r-- 1 root root 1111651  4월  8 16:33 module.dwarf
drwxr-xr-x 3 root root    4096  4월  8 14:11 pmem
[root@localhost linux]#
[root@localhost linux]# cd ../../
[root@localhost volatility-read-only]#
[root@localhost volatility-read-only]# zip volatility/plugins/overlays/linux/test.zip tools/linux/module.dwarf /boot/System.map-2.6.18-348.el5
  adding: tools/linux/module.dwarf (deflated 89%)
  adding: boot/System.map-2.6.18-348.el5 (deflated 73%)
[root@localhost volatility-read-only]# ll volatility/plugins/overlays/linux/test.zip
-rw-r--r-- 1 root root 390024  4월  8 16:39 volatility/plugins/overlays/linux/test.zip
[root@localhost volatility-read-only]#
[root@localhost volatility-read-only]# python vol.py --info | grep Profile
Volatility Foundation Volatility Framework 2.3.1
Profiles
Linuxtestx86    - A Profile for Linux test x86
VistaSP0x64     - A Profile for Windows Vista SP0 x64
VistaSP0x86     - A Profile for Windows Vista SP0 x86
VistaSP1x64     - A Profile for Windows Vista SP1 x64
VistaSP1x86     - A Profile for Windows Vista SP1 x86
VistaSP2x64     - A Profile for Windows Vista SP2 x64
VistaSP2x86     - A Profile for Windows Vista SP2 x86
Win2003SP0x86   - A Profile for Windows 2003 SP0 x86
Win2003SP1x64   - A Profile for Windows 2003 SP1 x64
Win2003SP1x86   - A Profile for Windows 2003 SP1 x86
Win2003SP2x64   - A Profile for Windows 2003 SP2 x64
Win2003SP2x86   - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64   - A Profile for Windows 2008 SP1 x64
Win2008SP1x86   - A Profile for Windows 2008 SP1 x86
Win2008SP2x64   - A Profile for Windows 2008 SP2 x64
Win2008SP2x86   - A Profile for Windows 2008 SP2 x86
Win7SP0x64      - A Profile for Windows 7 SP0 x64
Win7SP0x86      - A Profile for Windows 7 SP0 x86
Win7SP1x64      - A Profile for Windows 7 SP1 x64
Win7SP1x86      - A Profile for Windows 7 SP1 x86
WinXPSP1x64     - A Profile for Windows XP SP1 x64
WinXPSP2x64     - A Profile for Windows XP SP2 x64
WinXPSP2x86     - A Profile for Windows XP SP2 x86
WinXPSP3x86     - A Profile for Windows XP SP3 x86
[root@localhost volatility-read-only]#
※ After generating the vtypes, a profile matching this OS was created.
 
4. Using volatility
[root@localhost volatility-read-only]# python vol.py --info | grep Plugins
Plugins
-------
apihooks                - Detect API hooks in process and kernel memory
atoms                   - Print session and window station atom tables
atomscan                - Pool scanner for _RTL_ATOM_TABLE
bioskbd                 - Reads the keyboard buffer from Real Mode memory
callbacks               - Print system-wide notification routines
clipboard               - Extract the contents of the windows clipboard
cmdscan                 - Extract command history by scanning for _COMMAND_HISTORY
--------------------------(omitted)---------------------------------------------------------------------------------------------------
linux_pstree            - Shows the parent/child relationship between processes
linux_psxview           - Find hidden processes with various process listings
linux_route_cache       - Recovers the routing cache from memory
linux_sk_buff_cache     - Recovers packets from the sk_buff kmem_cache
linux_slabinfo          - Mimics /proc/slabinfo on a running machine
linux_tmpfs             - Recovers tmpfs filesystems from memory
linux_vma_cache         - Gather VMAs from the vm_area_struct cache
linux_volshell          - Shell in the memory image
linux_yarascan          - A shell in the Linux memory image
---------------(omitted)-------------------------------------------------------------------------------------------------------------
[root@localhost volatility-read-only]#
[root@localhost volatility-read-only]# python vol.py -f ../lime-forensics/src/memory.lime --profile=Linuxtestx86 linux_pslist
Volatility Foundation Volatility Framework 2.3.1
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
0xf7d4caa0 init                 1               0               0      0x01a8e000 2014-03-18 11:51:17 UTC+0000
0xf7d4c000 migration/0          2               0               0      ---------- 2014-03-18 11:51:17 UTC+0000
0xf7d54aa0 ksoftirqd/0          3               0               0      ---------- 2014-03-18 11:51:17 UTC+0000
0xf7d54550 watchdog/0           4               0               0      ---------- 2014-03-18 11:51:17 UTC+0000
0xf798e550 kjournald            1298            0               0      ---------- 2014-03-18 11:52:06 UTC+0000
0xf7905aa0 kjournald            1300            0               0      ---------- 2014-03-18 11:52:06 UTC+0000
0xf7c4d550 iscsi_eh             1440            0               0      ---------- 2014-03-18 11:52:09 UTC+0000
0xf78edaa0 cnic_wq              1483            0               0      ---------- 2014-03-18 11:52:10 UTC+0000
0xc1b1d550 bnx2i_thread/0       1487            0               0      ---------- 2014-03-18 11:52:10 UTC+0000
0xf78f5aa0 bnx2i_thread/1       1488            0               0      ---------- 2014-03-18 11:52:10 UTC+0000
    1892        4 /eventpoll:/[4905]
    1892        5 /var/log/audit/audit.log
    1892        6 pipe:[4906]
    1892        7 socket:[4891]
    1892        8 pipe:[4906]
    1892        9 socket:[159454]
------------------(omitted)-------------------------------------------------------------------------------------------------------------
[root@localhost volatility-read-only]#
※ This method exists to find processes that cannot be found with ps -ef, pstree and similar commands on the live Linux system,
so compare the output of ps -ef against the linux_pslist output for the dump file and check the differences.
--info shows that many plugins exist; the author only checked pslist, pstree and lsof.
Pick the plugins you need and check the details with them.
 
[root@localhost volatility-read-only]# python vol.py -f <memory-dump-file> --profile=Linuxtestx86 linux_<plugin>
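One way to do the ps -ef versus linux_pslist comparison the note above asks for, added here as an example; it is not code from the original post or from the volatility project. It parses a ps -ef listing saved on the live host right before the dump and the linux_pslist output for that dump, then reports PIDs present only in memory (hidden from the live tools), PIDs present only in ps -ef (usually processes that exited between the two snapshots, so take ps -ef as close to the dump as possible), PID-to-name mismatches, and entries that carry a kernel-thread name but have a page table base (DTB), which linux_pslist prints as dashes for real kernel threads, as in the output above. Both listings embedded below are constructed sample data; the column layout follows ps -ef and the linux_pslist output of volatility 2.3.1 shown on this page.

```python
import os
import re

# Constructed sample: `ps -ef` captured on the live host just before the dump.
PS_EF_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 11:51 ?        00:00:00 init [3]
root         2     1  0 11:51 ?        00:00:00 [migration/0]
root         3     1  0 11:51 ?        00:00:00 [ksoftirqd/0]
root       941     1  0 11:51 ?        00:00:00 [events/0]
root      1892     1  0 11:52 ?        00:00:00 auditd
root      2244     1  0 11:53 ?        00:00:00 /usr/sbin/sshd
root      2731     1  0 11:53 ?        00:00:00 crond
"""

# Constructed sample: `vol.py -f memory.lime --profile=Linuxtestx86 linux_pslist`
# for the same host, in the layout volatility 2.3.1 prints.
PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.3.1
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
0xf7d4caa0 init                 1               0               0      0x01a8e000 2014-03-18 11:51:17 UTC+0000
0xf7d4c000 migration/0          2               0               0      ---------- 2014-03-18 11:51:17 UTC+0000
0xf7d54aa0 ksoftirqd/0          3               0               0      ---------- 2014-03-18 11:51:17 UTC+0000
0xf79b0550 events/0             941             0               0      ---------- 2014-03-18 11:51:20 UTC+0000
0xf78a1aa0 auditd               1892            0               0      0x1c2a3000 2014-03-18 11:52:40 UTC+0000
0xf7812550 sshd                 2244            0               0      0x1b9e7000 2014-03-18 11:53:02 UTC+0000
0xf7740aa0 events/0             3117            0               0      0x1d441000 2014-03-18 12:10:55 UTC+0000
"""

PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s")
NO_DTB = "----------"  # what linux_pslist prints for kernel threads (they have no mm_struct)


def parse_ps_ef(text):
    """Map PID -> (name, is_kernel_thread) from ps -ef output. The name is the
    basename of the first CMD token, or the bracketed name for kernel threads."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue  # header line or something that is not a process row
        cmd = fields[7].split()[0]
        if cmd.startswith("["):
            procs[int(fields[1])] = (cmd.strip("[]"), True)
        else:
            procs[int(fields[1])] = (os.path.basename(cmd), False)
    return procs


def parse_pslist(text):
    """Map PID -> {name, uid, dtb} from linux_pslist output, skipping the banner
    and header lines."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            name, pid, uid, _gid, dtb = m.groups()
            procs[int(pid)] = {"name": name, "uid": int(uid), "dtb": dtb}
    return procs


def compare(live, mem):
    """Return a list of (kind, pid, detail) findings; an empty list means the
    live view and the memory view agree."""
    findings = []
    for pid in sorted(set(mem) - set(live)):
        findings.append(("hidden_from_ps", pid, mem[pid]["name"]))
    for pid in sorted(set(live) - set(mem)):
        findings.append(("missing_from_dump", pid, live[pid][0]))
    for pid in sorted(set(live) & set(mem)):
        # task->comm holds at most 15 characters, so compare the truncated name
        if live[pid][0][:15] != mem[pid]["name"]:
            findings.append(("name_mismatch", pid,
                             "%s (ps) vs %s (memory)" % (live[pid][0], mem[pid]["name"])))
    # A user-space process can call itself events/0; a real kernel thread has no DTB.
    kthread_names = {name for name, is_kt in live.values() if is_kt}
    for pid, p in sorted(mem.items()):
        if p["name"] in kthread_names and p["dtb"] != NO_DTB:
            findings.append(("kthread_name_with_dtb", pid, "%s has DTB %s" % (p["name"], p["dtb"])))
    return findings


def run(ps_text=PS_EF_OUTPUT, pslist_text=PSLIST_OUTPUT):
    return compare(parse_ps_ef(ps_text), parse_pslist(pslist_text))


if __name__ == "__main__":
    for kind, pid, detail in run():
        print("%-22s pid %-6d %s" % (kind, pid, detail))
```

Run it on real output by reading the two saved listings into ps_text and pslist_text; every hidden_from_ps finding is a candidate for a closer look with linux_pstree and linux_lsof on the same dump.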
 
Notes
Skilled attackers hide or tamper with their rootkits and hacking tools, and sometimes compile them so that accessing or modifying
the file brings the server down.
The recommended and most reliable approach is therefore to take only the memory dump and the profile on the infected server, and to do the actual checking on a separate server that runs volatility.
 
http://iso.linuxquestions.org/backtrack/backtrack-5-r3    <-- BackTrack 5 R3 image with volatility preinstalled
Content last modified 2014-04-09 09:35:03.
  