LiME: Live Acquisition of Linux Memory

2021-08-20  偷油考拉

Memory Forensics
GitHub - LiME
Live Memory Acquisition on Linux Systems

LiME ~ Linux Memory Extractor

LiME is a Loadable Kernel Module (LKM) that allows volatile memory to be acquired from Linux and Linux-based devices such as Android.
This makes LiME unique, as it was the first tool to allow full memory captures on Android devices.
It minimizes interaction between user-space and kernel-space processes during acquisition, which makes its memory captures more reliable than those of other tools designed specifically for acquiring Linux memory.

Getting the source

git clone https://github.com/504ensicsLabs/LiME.git

Building

[root@localhost ~]# cd LiME/src/

[root@localhost src]# make
make -C /lib/modules/3.10.0-1160.36.2.el7.x86_64/build M="/root/LiME/src" modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-1160.36.2.el7.x86_64'
  CC [M]  /root/LiME/src/tcp.o
/root/LiME/src/tcp.c: In function ‘setup_tcp’:
/root/LiME/src/tcp.c:75:5: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
     int opt = 1;
     ^
  CC [M]  /root/LiME/src/disk.o
/root/LiME/src/disk.c: In function ‘write_vaddr_disk’:
/root/LiME/src/disk.c:99:5: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
     mm_segment_t fs;
     ^
  CC [M]  /root/LiME/src/main.o
  CC [M]  /root/LiME/src/hash.o
  CC [M]  /root/LiME/src/deflate.o
  LD [M]  /root/LiME/src/lime.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/LiME/src/lime.mod.o
  LD [M]  /root/LiME/src/lime.ko
make[1]: Leaving directory `/usr/src/kernels/3.10.0-1160.36.2.el7.x86_64'
strip --strip-unneeded lime.ko
mv lime.ko lime-3.10.0-1160.36.2.el7.x86_64.ko

[root@localhost src]# ls
deflate.c  deflate.o  disk.c  disk.o  hash.c  hash.o  lime-3.10.0-1160.36.2.el7.x86_64.ko  lime.h  lime.mod.c  lime.mod.o  lime.o  main.c  main.o  Makefile  Makefile.sample  modules.order  Module.symvers  tcp.c  tcp.o

Loading the LiME kernel module

path specifies where the dump file is written on disk
format specifies the output format
timeout=0 disables the timeout so that the slow region is still acquired

[root@localhost src]# insmod lime-3.10.0-1160.36.2.el7.x86_64.ko "path=/root/ram.lime format=lime timeout=0"
[root@localhost src]# 
[root@localhost src]# lsmod |grep lime
lime                   17425  0 

Checking the dump file

After a short while the dump file appears; its size should match the total physical RAM reported by free -h.

[root@localhost ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           2.0G        194M         69M        8.8M        1.7G        1.6G
Swap:          1.6G        264K        1.6G

[root@localhost ~]# ll -h /root/ram.lime 
-r--r--r--. 1 root root 2.0G Aug 19 05:30 /root/ram.lime
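Before handing an image acquired with format=lime to an analysis tool, it is worth checking that every range header is intact. The following Python parser is an added example, not part of the original post or the LiME project; it follows the per-range header layout documented in the LiME README (magic, version, start address, inclusive end address, 8 reserved bytes, little-endian) and parses a sample dump constructed inside the script.

```python
import struct
from typing import List, Tuple

# Header layout from the LiME README: magic (u32), version (u32), s_addr (u64),
# e_addr (u64, inclusive), reserved (8 bytes). Packed, little-endian, 32 bytes.
LIME_MAGIC = 0x4C694D45          # appears on disk as the bytes "EMiL"
HEADER = struct.Struct("<IIQQ8s")
HEADER_SIZE = HEADER.size        # 32


def parse_lime(data: bytes) -> List[Tuple[int, int, int]]:
    """Walk a LiME dump and return (s_addr, e_addr, payload_offset) per range.

    Raises ValueError on a bad magic, an unsupported version or a truncated
    range, so a damaged image is caught before analysis starts.
    """
    ranges = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_SIZE:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        if version != 1:
            raise ValueError(f"unsupported header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end 0x{e_addr:x} precedes start 0x{s_addr:x}")
        size = e_addr - s_addr + 1          # e_addr is inclusive
        off += HEADER_SIZE
        if len(data) - off < size:
            raise ValueError(f"range 0x{s_addr:x}-0x{e_addr:x} truncated: "
                             f"need {size} bytes, have {len(data) - off}")
        ranges.append((s_addr, e_addr, off))
        off += size
    return ranges


def make_range(s_addr: int, payload: bytes) -> bytes:
    """Build one LiME range (header + payload). Used only to construct sample input."""
    return HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, b"\0" * 8) + payload


# Constructed sample dump: two physical ranges, as System RAM entries would appear.
SAMPLE_DUMP = make_range(0x1000, b"\xAA" * 4096) + make_range(0x100000, b"\xBB" * 8192)

if __name__ == "__main__":
    for s, e, o in parse_lime(SAMPLE_DUMP):
        print(f"range 0x{s:012x}-0x{e:012x} ({e - s + 1} bytes) at file offset {o}")
```

To check a real image, replace SAMPLE_DUMP with the contents of /root/ram.lime; the sum of the range sizes should come close to the RAM total shown by free -h.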

Unloading LiME

[root@localhost ~]# rmmod lime
[root@localhost ~]# lsmod |grep lime
[root@localhost ~]# ll -h /root/ram.lime 
-r--r--r--. 1 root root 2.0G Aug 19 05:30 /root/ram.lime
