Problemi di acquisizione della memoria di Linux

Question

Problemi di acquisizione della memoria di Linux

2

Sto cercando assistenza per l'acquisizione della memoria di un sistema Linux.

Fino ad ora non sono stato in grado di acquisire o ispezionare il dump della memoria con strumenti noti.

Sono stati utilizzati i seguenti strumenti di acquisizione della memoria; LiME & linpmem .

Mentre riesco a recuperare e analizzare una presa di memoria dallo stesso sistema mentre si avviava su un live linux env. Non sono stato in grado di eseguire la stessa analisi con esito positivo dal sistema installato.

C'è un rootkit che fa uso di metodi anti-forensi, o sovverta l'acquisizione di memoria quando si usa lime, o si blocca quando si usa l'acquisizione di memoria diretta di pmem.

Mentre ho letto alcuni degli ultimi articoli pubblicati sull'acquisizione della memoria; acquisizione della memoria resiliente anti-forense , sono riuscito fino a questo punto a non essere riuscito.

Forse potrei richiedere assistenza, grazie in anticipo.

Ecco alcuni dettagli sul sistema e informazioni riguardanti i segfault che si verificano durante l'acquisizione.

$ uname -a
Linux x80h 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
'''

Here is the stack error that pops up in 'dmesg'
'''
[52849.103024] usercopy: kernel memory exposure attempt detected from ffff95699500c000 (radix_tree_node) (4096 bytes)
[52849.103029] ------------[ cut here ]------------
[52849.103030] kernel BUG at /build/linux-hwe-qx9Tq0/linux-hwe-4.13.0/mm/usercopy.c:72!
[52849.103047] invalid opcode: 0000 [#6] SMP PTI
[52849.104093] Modules linked in: pmem(OE) binfmt_misc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel intel_rapl snd_hda_codec snd_hda_core snd_hwdep x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel arc4 thinkpad_acpi snd_pcm kvm nvram hci_uart snd_seq_midi iwlmvm snd_seq_midi_event mac80211 snd_rawmidi btbcm snd_seq snd_seq_device snd_timer irqbypass rtsx_pci_ms memstick ucsi_acpi serdev snd intel_cstate typec_ucsi iwlwifi intel_rapl_perf cfg80211 wmi_bmof mei_me btqca input_leds joydev serio_raw typec soundcore shpchp idma64 btintel virt_dma intel_pch_thermal mei intel_lpss_pci bluetooth intel_lpss_acpi ecdh_generic intel_lpss tpm_crb ipt_REJECT nf_reject_ipv4 acpi_pad nf_log_ipv4 nf_log_common
[52849.108995]  mac_hid xt_LOG xt_multiport xt_limit xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_addrtype xt_conntrack ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc libcrc32c ppdev iptable_filter lp ip_tables x_tables parport autofs4 algif_skcipher af_alg dm_crypt i915 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc rtsx_pci_sdmmc uas aesni_intel usb_storage aes_x86_64 i2c_algo_bit crypto_simd glue_helper e1000e drm_kms_helper cryptd syscopyarea psmouse ptp sysfillrect sysimgblt ahci pps_core fb_sys_fops rtsx_pci libahci drm wmi i2c_hid pinctrl_sunrisepoint hid pinctrl_intel video [last unloaded: pmem]
[52849.112902] CPU: 2 PID: 13827 Comm: dcfldd Tainted: G      D    OE   4.13.0-37-generic #42~16.04.1-Ubuntu
[52849.114444] Hardware name: LENOVO 20HKCTO1WW/20HKCTO1WW, BIOS N1TET46W (1.20 ) 02/26/2018
[52849.115786] task: ffff9579a3e6df00 task.stack: ffffa416863f8000
[52849.117106] RIP: 0010:__check_object_size+0x6e/0x1a0
[52849.118373] RSP: 0018:ffffa416863fbe28 EFLAGS: 00010282
[52849.119636] RAX: 0000000000000066 RBX: 0000000000001000 RCX: 0000000000000000
[52849.120939] RDX: 0000000000000000 RSI: ffff957a1f496578 RDI: ffff957a1f496578
[52849.122175] RBP: ffffa416863fbe48 R08: 0000000000019270 R09: 0000000000001beb
[52849.123488] R10: 0000000000000248 R11: ffffffffbf9491ed R12: 0000000000000001
[52849.125067] R13: ffff95699500d000 R14: ffff95699500c000 R15: 0000000000004000
[52849.126430] FS:  00007fcd0b9d7700(0000) GS:ffff957a1f480000(0000) knlGS:0000000000000000
[52849.127841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52849.129179] CR2: 00007f4d2a2edaec CR3: 00000010567c2001 CR4: 00000000003606e0
[52849.130452] Call Trace:
[52849.131715]  pmem_read+0x143/0x197 [pmem]
[52849.133027]  __vfs_read+0x1b/0x40
[52849.134195]  vfs_read+0x93/0x130
[52849.135545]  SyS_read+0x55/0xc0
[52849.136883]  do_syscall_64+0x67/0x120
[52849.138134]  entry_SYSCALL64_slow_path+0x25/0x25
[52849.139346] RIP: 0033:0x7fcd0b507260
[52849.140624] RSP: 002b:00007fff87020908 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[52849.141820] RAX: ffffffffffffffda RBX: 000055effb874380 RCX: 00007fcd0b507260
[52849.143085] RDX: 0000000000008000 RSI: 000055effbaf1000 RDI: 0000000000000000
[52849.144216] RBP: 0000000000008000 R08: 00007fcd0b9d7700 R09: 0000000000000000
[52849.145407] R10: 0000000000000000 R11: 0000000000000246 R12: 000055effbaf1000
[52849.146423] R13: 0000000000000000 R14: 0000000000008000 R15: 000055effb8743b0
[52849.147487] Code: 48 0f 45 d1 48 c7 c6 1b 4b 2c bf 48 c7 c1 8e 44 2b bf 48 0f 44 f1 49 89 d9 49 89 c0 4c 89 f1 48 c7 c7 60 4b 2c bf e8 13 63 e9 ff  0b 48 83 ff 10 0f 86 0c 01 00 00 e8 71 48 e2 ff 84 c0 74 6e 
[52849.148642] RIP: __check_object_size+0x6e/0x1a0 RSP: ffffa416863fbe28
'''

I ran the memory acquisition through 'strace' and was able to capture the core dump it initiated if that helps.

'''$ cat /var/crash/cat _usr_bin_strace.0.crash 
ProblemType: Crash
Architecture: amd64
Date: Mon Apr  9 00:21:52 2018
DistroRelease: Ubuntu 16.04
ExecutablePath: /usr/bin/strace
ExecutableTimestamp: 1452699271
ProcCmdline: strace -o out.log -f dcfldd if=/dev/pmem bs=512 of=/mem-20180409-00:21:22.img
ProcCwd: /usr/sbin/volatility
ProcEnviron:
 SHELL=/bin/bash
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LANGUAGE=en_US
ProcMaps:
 55949c7ed000-55949c886000 r-xp 00000000 fd:04 1574278                    /usr/bin/strace
 55949ca85000-55949cac0000 r--p 00098000 fd:04 1574278                    /usr/bin/strace
 55949cac0000-55949cac1000 rw-p 000d3000 fd:04 1574278                    /usr/bin/strace
 55949cac1000-55949cac4000 rw-p 00000000 00:00 0 
 55949ea2c000-55949ea4d000 rw-p 00000000 00:00 0                          [heap]
 7ff1c9117000-7ff1c92d7000 r-xp 00000000 fd:01 6291697                    /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c92d7000-7ff1c94d7000 ---p 001c0000 fd:01 6291697                    /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c94d7000-7ff1c94db000 r--p 001c0000 fd:01 6291697                    /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c94db000-7ff1c94dd000 rw-p 001c4000 fd:01 6291697                    /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c94dd000-7ff1c94e1000 rw-p 00000000 00:00 0 
 7ff1c94e1000-7ff1c9507000 r-xp 00000000 fd:01 6291695                    /lib/x86_64-linux-gnu/ld-2.23.so
 7ff1c96dd000-7ff1c96e0000 rw-p 00000000 00:00 0 
 7ff1c9706000-7ff1c9707000 r--p 00025000 fd:01 6291695                    /lib/x86_64-linux-gnu/ld-2.23.so
 7ff1c9707000-7ff1c9708000 rw-p 00026000 fd:01 6291695                    /lib/x86_64-linux-gnu/ld-2.23.so
 7ff1c9708000-7ff1c9709000 rw-p 00000000 00:00 0 
 7fff8adb2000-7fff8add3000 rw-p 00000000 00:00 0                          [stack]
 7fff8add3000-7fff8add6000 r--p 00000000 00:00 0                          [vvar]
 7fff8add6000-7fff8add8000 r-xp 00000000 00:00 0                          [vdso]
 ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
ProcStatus:
 Name:  strace
 Umask: 0022
 State: S (sleeping)
 Tgid:  13487
 Ngid:  0
 Pid:   13487
 PPid:  7765
 TracerPid:     0
 Uid:   0       0       0       0
 Gid:   0       0       0       0
 FDSize:        256
 Groups:        0 
 NStgid:        13487
 NSpid: 13487
 NSpgid:        13487
 NSsid: 5983
 VmPeak:            5224 kB
 VmSize:            5204 kB
 VmLck:        0 kB
 VmPin:        0 kB
 VmHWM:     1268 kB
 VmRSS:     1268 kB
 RssAnon:            292 kB
 RssFile:            976 kB
 RssShmem:             0 kB
 VmData:             192 kB
 VmStk:      132 kB
 VmExe:      612 kB
 VmLib:     1952 kB
 VmPTE:       36 kB
 VmPMD:       12 kB
 VmSwap:               0 kB
 HugetlbPages:         0 kB
 Threads:       1
 SigQ:  0/256640
 SigPnd:        0000000000000000
 ShdPnd:        0000000000000000
 SigBlk:        0000000000000000
 SigIgn:        0000000000305007
 SigCgt:        0000000000000000
 CapInh:        0000000000000000
 CapPrm:        0000003fffffffff
 CapEff:        0000003fffffffff
 CapBnd:        0000003fffffffff
 CapAmb:        0000000000000000
 NoNewPrivs:    0
 Seccomp:       0
 Cpus_allowed:  ff
 Cpus_allowed_list:     0-7
 Mems_allowed:  00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
 Mems_allowed_list:     0
 voluntary_ctxt_switches:       2755031
 nonvoluntary_ctxt_switches:    2872
Signal: 11
Uname: Linux 4.13.0-37-generic x86_64
UserGroups: 
_LogindSession: c2
CoreDump: base64
 H4sICAAAAAAC/0NvcmVEdW1wAA==

linux memory forensics

posta jas- 09.04.2018 - 11:08

fonte

0 risposte

Leggi altre domande sui tag linux memory forensics

calcolo dell'hash di scambio per ecdsa-sha2-nistp256 Perché Blizzard's battle.net.exe e agent.exe inviano sempre i dati sulla rete in background 24 ore al giorno? [chiuso]