fmem 实时获取Linux内存
2021-08-20 本文已影响0人
偷油考拉
Linux Forensics Series Chapter 1 — Memory Forensics | by Ozan Unal | Medium
fmem
- 下载源码
[root@localhost ~]# git clone https://github.com/NateBrune/fmem.git
Cloning into 'fmem'...
remote: Enumerating objects: 57, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 57 (delta 5), reused 9 (delta 3), pack-reused 40
Unpacking objects: 100% (57/57), done.
[root@localhost ~]# cd fmem
[root@localhost fmem]# ls
AUTHORS ChangeLog COPYING debug.h lkm.c Makefile README run.sh TODO
- 编译
编译执行make即可。
失败案例:
[root@localhost fmem]# make
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions
make -C /lib/modules/`uname -r`/build KBUILD_EXTMOD=`pwd` modules
make: *** /lib/modules/3.10.0-862.el7.x86_64/build: No such file or directory. Stop.
make: *** [fmem] Error 2
需要安装源码 yum install kernel-devel。但是,当前版本与yum内可安装的版本不一致,就需要先yum update升级一下当前系统。然后重启系统,才能保持版本一致。
那我还抓个爪子的实时内存哦?
成功案例:
[root@localhost fmem]# make
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions
make -C /lib/modules/`uname -r`/build KBUILD_EXTMOD=`pwd` modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-1160.36.2.el7.x86_64'
CC [M] /root/fmem/lkm.o
LD [M] /root/fmem/fmem.o
Building modules, stage 2.
MODPOST 1 modules
CC /root/fmem/fmem.mod.o
LD [M] /root/fmem/fmem.ko
make[1]: Leaving directory `/usr/src/kernels/3.10.0-1160.36.2.el7.x86_64'
[root@localhost fmem]# ls
AUTHORS ChangeLog COPYING debug.h fmem.ko fmem.mod.c fmem.mod.o fmem.o lkm.c lkm.o Makefile modules.order Module.symvers README run.sh TODO
- 运行
失败案例:
[root@localhost fmem]# ./run.sh
rmmod: ERROR: Module fmem is not currently loaded
Module: insmod fmem.ko a1=0xffffffff922a64a0 : insmod: ERROR: could not insert module fmem.ko: Unknown symbol in module
[root@localhost fmem]# dmesg -T |tail -n 1
[Thu Aug 19 04:59:31 2021] fmem: Unknown parameter `a1'
牢骚:
该项目早特么没人维护了!转LiME去。
