Setting up a Drakvuf environment on Ubuntu 16.04 LTS with Xen 4.7

    xiaoxiao, 2021-03-26


    Introduction

    This post is a summary of the setup process. Given my limited ability, my group members and I worked on it on and off for half a semester, and in the end reproduced several of the features shown in the demo video on the drakvuf website. Some problems came up along the way; most were solved, but the VM's network configuration still has issues and needs more work.

    Environment

    Ubuntu 16.04 LTS, Xen 4.7, one server (as a poor student I couldn't afford a machine that meets the hardware requirements, so I borrowed one from a teacher at the institute, thanks T^T)

    Setup process and steps

    OK, on to the main part~~~

    1. First install the necessary dependencies

    sudo apt-get install wget git bcc bin86 gawk bridge-utils iproute libcurl3 \
        libcurl4-openssl-dev bzip2 module-init-tools pciutils-dev build-essential \
        make gcc clang libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev python \
        python-dev python-twisted python-gevent python-setuptools libncurses5-dev \
        patch libvncserver-dev libssl-dev libsdl-dev iasl libbz2-dev e2fslibs-dev \
        git-core uuid-dev ocaml libx11-dev bison flex ocaml-findlib xz-utils gettext \
        libyajl-dev libpixman-1-dev libaio-dev libfdt-dev cabextract libglib2.0-dev \
        autoconf automake libtool check libjson-c-dev libfuse-dev libsystemd-daemon-dev

    This errors out; change libsystemd-daemon-dev to libsystemd-dev.

    2. Installing the submodules

    Download the drakvuf source from GitHub:

    cd ~
    git clone https://github.com/tklengyel/drakvuf
    cd drakvuf
    git submodule init
    git submodule update
    cd xen
    ./configure --enable-githttp
    make -j4 dist-xen
    make -j4 dist-tools

    The "git submodule init" / "git submodule update" step pulls in the submodules that drakvuf depends on (xen, rekall, libvmi, etc.).

    3. Allocate memory and CPUs to Domain-0

    sudo su
    make -j4 install-xen
    make -j4 install-tools
    echo "GRUB_CMDLINE_XEN_DEFAULT=\"dom0_mem=4096M,max:4096M dom0_max_vcpus=4 dom0_vcpus_pin=true hap_1gb=false hap_2mb=false altp2m=1 flask_enforcing=1\"" >> /etc/default/grub
    echo "/usr/local/lib" > /etc/ld.so.conf.d/xen.conf
    ldconfig
    echo "none /proc/xen xenfs defaults,nofail 0 0" >> /etc/fstab
    echo "xen-evtchn" >> /etc/modules
    echo "xen-privcmd" >> /etc/modules
    update-rc.d xencommons defaults 19 18
    update-rc.d xendomains defaults 21 20
    update-rc.d xen-watchdog defaults 22 23

    3. Reboot into Xen 4.7. After the reboot, hold Shift to bring up the GRUB menu.

    update-grub
    reboot

    4. Checks

    Check the kernel version; anything newer than 3.8 is fine~~

    uname -r

    Check whether we are running on Xen; the output should be: Running in PV context on Xen v4.7

    sudo xen-detect

    Check the running domains; at this point there should be only one, Domain-0 (that is Ubuntu itself~)

    xl list

    The output looks like this~~

    Name                                        ID   Mem VCPUs      State   Time(s)
    Domain-0                                     0  4096     2     r-----     614.0

    5. Allocate disk space for the VM

    lvcreate -L20G -n windows7-sp1 vg

    The official site has just this one line, but I spent several days working out from scratch how to partition the disk on Ubuntu. It worked in the end; the exact process is as follows (using fdisk).

    Use fdisk to create a partition of the LVM type. Ubuntu presents a list of type codes, one of which corresponds to LVM; a quick look at fdisk's usage is enough to find it. Then:

    pvcreate /dev/sdb3
    vgcreate vgpool /dev/sdb3      # vgpool is the name of the new volume group
    lvcreate -L 20G -n win7 vgpool

    6. Generate the cfg configuration file

    arch = 'x86_64'
    name = "win7"
    seclabel='drakvuf:vm_r:drakvuf_domU_t'
    maxmem = 3000
    memory = 3000
    vcpus = 1
    maxcpus = 1
    builder = "hvm"
    boot = "cd"
    hap = 1
    acpi = 1
    on_poweroff = "destroy"
    on_reboot = "destroy"
    on_crash = "destroy"
    vnc=1
    vnclisten="0.0.0.0"
    usb = 1
    usbdevice = "tablet"
    altp2mhvm = 1
    shadow_memory = 16
    audio=1
    soundhw='hda'
    vif = [ 'type=ioemu,model=e1000,bridge=xenbr0,mac=00:06:5B:BA:7C:01' ]
    disk = [ 'phy:/dev/vg/windows7-sp1,hda,w', 'file:/path/to/your/windows7.iso,hdc:cdrom,r' ]

    Fill in the path of the logical volume you just created correctly, and the ISO path must be right too; CPU and memory can be allocated as needed. Running xl create straight away at this point fails, so a bridge has to be added first:

    sudo brctl addbr xenbr0
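    The two things that make xl create fail on this file are a wrong disk path and the missing bridge. As an added example (not code from the original post or from Xen), the following shell script writes the step-6 config from parameters and refuses to emit it unless the backing logical volume and the install ISO actually exist; the bridge check only looks for the interface under /sys/class/net. Names, paths and the memory size are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate the xl config shown in step 6, validating the
# disk paths first. Not the post's or Xen's own code.

# $1 domain name, $2 LV block device, $3 install ISO, $4 memory in MB (default 3000)
gen_win7_cfg() {
    name="$1"; lv="$2"; iso="$3"; mem="${4:-3000}"
    # 'phy:' needs an existing block device; 'file:' needs a regular file.
    [ -e "$lv" ]  || { echo "LV not found: $lv (run lvcreate first)" >&2; return 1; }
    [ -f "$iso" ] || { echo "ISO not found: $iso" >&2; return 1; }
    cat <<EOF
arch = 'x86_64'
name = "$name"
seclabel = 'drakvuf:vm_r:drakvuf_domU_t'
maxmem = $mem
memory = $mem
vcpus = 1
maxcpus = 1
builder = "hvm"
boot = "cd"
hap = 1
acpi = 1
on_poweroff = "destroy"
on_reboot = "destroy"
on_crash = "destroy"
vnc = 1
vnclisten = "0.0.0.0"
usb = 1
usbdevice = "tablet"
altp2mhvm = 1
shadow_memory = 16
audio = 1
soundhw = 'hda'
vif = [ 'type=ioemu,model=e1000,bridge=xenbr0,mac=00:06:5B:BA:7C:01' ]
disk = [ 'phy:$lv,hda,w', 'file:$iso,hdc:cdrom,r' ]
EOF
}

# xl create needs the bridge named in vif= to exist on Domain-0.
bridge_exists() { [ -d "/sys/class/net/$1" ]; }

# Demo with constructed stand-ins for the LV and ISO, so it runs anywhere.
tmp=$(mktemp -d)
: > "$tmp/win7-lv"
: > "$tmp/windows7.iso"
gen_win7_cfg win7 "$tmp/win7-lv" "$tmp/windows7.iso" > "$tmp/win7.cfg" && cat "$tmp/win7.cfg"
bridge_exists xenbr0 || echo "xenbr0 missing: run 'sudo brctl addbr xenbr0' before xl create" >&2
```

    In real use the LV argument is the /dev/vg/... device from step 5 and the output is redirected to win7.cfg; the generated file is identical in content to the hand-written one above.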

    7. Build LibVMI

    cd ~/drakvuf/libvmi
    ./autogen.sh
    ./configure

    The output should be:

    Feature      | Option                    | Reason
    -------------|---------------------------|----------------------------
    Xen Support  | --enable-xen=yes          | yes
    KVM Support  | --enable-kvm=no           | libvirt missing
    File Support | --enable-file=yes         | yes
    Shm-snapshot | --enable-shm-snapshot=no  | no
    -------------|---------------------------|----------------------------

    OS           | Option
    -------------|--------------------------------------------------------
    Windows      | --enable-windows=yes
    Linux        | --enable-linux=yes

    Tools        | Option                    | Reason
    -------------|---------------------------|----------------------------
    Examples     | --enable-examples=yes     | yes
    VMIFS        | --enable-vmifs=yes        | yes

    Extra features
    ----------------------------------------------------------------------
    Support of Rekall profiles: yes

    Then build and install LibVMI:

    make
    sudo make install
    sudo echo "export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:/usr/local/lib" >> ~/.bashrc
    cd tools/pyvmi
    python setup.py build
    sudo python setup.py install

    8. Download Volatility:

    cd ~
    git clone https://github.com/volatilityfoundation/volatility
    cd volatility
    cp ~/drakvuf/libvmi/tools/pyvmi/pyvmiaddressspace.py volatility/plugins/addrspaces
    python setup.py build
    sudo python setup.py install

    9. Build and install Rekall

    cd ~/drakvuf/rekall/rekall-core
    sudo pip install setuptools
    python setup.py build
    sudo python setup.py install

    10. Create the Rekall profile for the Windows domain

    $ sudo xl list
    Name                                        ID   Mem VCPUs      State   Time(s)
    Domain-0                                     0  4024     4     r-----     848.8
    win7                                         7  3000     1     -b----      94.7
    $ sudo win-guid name win7
    Windows Kernel found @ 0x2604000
    Version: 32-bit Windows 7
    PE GUID: 4ce78a09412000
    PDB GUID: 684da42a30cc450f81c535b4d18944b12
    Kernel filename: ntkrpamp.pdb
    Multi-processor with PAE (version 5.0 and higher)
    Signature: 17744.
    Machine: 332.
    # of sections: 22.
    # of symbols: 0.
    Timestamp: 1290242569.
    Characteristics: 290.
    Optional header size: 224.
    Optional header type: 0x10b
    Section 1: .text
    Section 2: _PAGELK
    Section 3: POOLMI
    Section 4: POOLCODE
    Section 5: .data
    Section 6: ALMOSTRO
    Section 7: SPINLOCK
    Section 8: PAGE
    Section 9: PAGELK
    Section 10: PAGEKD
    Section 11: PAGEVRFY
    Section 12: PAGEHDLS
    Section 13: PAGEBGFX
    Section 14: PAGEVRFB
    Section 15: .edata
    Section 16: PAGEDATA
    Section 17: PAGEKDD
    Section 18: PAGEVRFC
    Section 19: PAGEVRFD
    Section 20: INIT
    Section 21: .rsrc
    Section 22: .reloc

    The two values that matter are these:

    PDB GUID: 684da42a30cc450f81c535b4d18944b12
    Kernel filename: ntkrpamp.pdb

    11. Generate the Rekall profile file

    cd /tmp
    rekall fetch_pdb ntkrpamp.pdb 684da42a30cc450f81c535b4d18944b12
    rekall parse_pdb ntkrpamp.pdb > win7.rekall.json
    sudo mv win7.rekall.json /root
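    Copying the GUID by hand from the win-guid output is where typos creep in, so as an added example (not code from the original post, Drakvuf or Rekall) the shell script below extracts the PDB GUID and kernel filename from win-guid's output, sanity-checks the GUID (hex digits, 32-character GUID plus the age suffix), and prints the two rekall commands of step 11 for them. The sample output is constructed from the listing above; the function names are assumptions.

```shell
#!/bin/sh
# Added example: turn win-guid output into the rekall fetch_pdb/parse_pdb
# commands from step 11. Not the post's or the project's own code.

# Constructed sample, abbreviated from the win-guid output shown above.
SAMPLE_WIN_GUID='Windows Kernel found @ 0x2604000
Version: 32-bit Windows 7
PE GUID: 4ce78a09412000
PDB GUID: 684da42a30cc450f81c535b4d18944b12
Kernel filename: ntkrpamp.pdb
Multi-processor with PAE (version 5.0 and higher)'

# Print the value after "<label>:" on the first matching line of $2.
guid_field() {
    label="$1"
    printf '%s\n' "$2" | sed -n "s/^${label}: *//p" | head -n 1
}

pdb_guid()        { guid_field 'PDB GUID' "$1"; }
kernel_filename() { guid_field 'Kernel filename' "$1"; }

# rekall wants <32 hex chars of GUID><age>; reject anything else so a
# mangled copy-paste fails here rather than inside fetch_pdb.
valid_pdb_guid() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#1}" -ge 33 ]
}

# Emit (do not run) the two rekall commands for the values found.
# $1 = win-guid output, $2 = profile base name (default win7)
rekall_commands() {
    guid=$(pdb_guid "$1")
    pdb=$(kernel_filename "$1")
    valid_pdb_guid "$guid" || { echo "no usable PDB GUID in win-guid output" >&2; return 1; }
    [ -n "$pdb" ] || { echo "no kernel filename in win-guid output" >&2; return 1; }
    printf 'rekall fetch_pdb %s %s\n' "$pdb" "$guid"
    printf 'rekall parse_pdb %s > %s.rekall.json\n' "$pdb" "${2:-win7}"
}

# Live use: rekall_commands "$(sudo win-guid name win7)" win7 | sh
rekall_commands "$SAMPLE_WIN_GUID" win7
```

    Piping the printed commands into sh runs them in the current directory (cd /tmp first, as in the step above); the profile then still has to be moved to /root as the step does.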

    12. Generate the LibVMI configuration file

    sudo su
    printf "windows7-sp1 { \n\
        ostype = \"Windows\"; \n\
        rekall_profile = \"/root/windows7-sp1.rekall.json\"; \n\
    }" >> /etc/libvmi.conf
    exit

    or

    sudo gedit /etc/libvmi.conf
    # write the following into libvmi.conf and save
    win7 {
        ostype = "Windows";
        rekall_profile = "/root/win7.rekall.json";
    }
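    A stanza whose rekall_profile path is relative, misspelled or points at a file that does not exist is accepted silently at write time and only fails later when process-list or drakvuf tries to open the profile. As an added example (not code from the original post or from LibVMI), the shell function below appends a stanza to libvmi.conf only after checking that the profile path is absolute, ends in .json and names a non-empty file, and it does not add a duplicate stanza on a second run. The function names and the scratch profile are assumptions.

```shell
#!/bin/sh
# Added example: validated, idempotent append of a domain stanza to
# libvmi.conf. Not the post's or LibVMI's own code.

# $1 = Xen domain name (must match what `xl list` shows)
# $2 = absolute path to the Rekall profile
# $3 = libvmi.conf to append to (defaults to /etc/libvmi.conf)
add_libvmi_domain() {
    name="$1"; profile="$2"; conf="${3:-/etc/libvmi.conf}"
    case "$profile" in
        /*) ;;
        *)  echo "profile path must be absolute: $profile" >&2; return 1 ;;
    esac
    case "$profile" in
        *.json) ;;
        *)      echo "profile should be a .json file: $profile" >&2; return 1 ;;
    esac
    [ -s "$profile" ] || { echo "profile missing or empty: $profile" >&2; return 1; }
    # Idempotent: do not add a second stanza for the same domain.
    if [ -f "$conf" ] && grep -q "^${name} *{" "$conf"; then
        echo "stanza for $name already present in $conf" >&2
        return 0
    fi
    printf '%s {\n    ostype = "Windows";\n    rekall_profile = "%s";\n}\n' \
        "$name" "$profile" >> "$conf"
}

# Number of stanzas for domain $1 in file $2 (0 when none).
libvmi_stanza_count() { grep -c "^$1 *{" "$2" 2>/dev/null || true; }

# Demo on a scratch directory so /etc/libvmi.conf is untouched; the
# profile here is a constructed stand-in for the output of rekall parse_pdb.
tmp=$(mktemp -d)
printf '{}\n' > "$tmp/win7.rekall.json"
add_libvmi_domain win7 "$tmp/win7.rekall.json" "$tmp/libvmi.conf"
add_libvmi_domain win7 "$tmp/win7.rekall.json" "$tmp/libvmi.conf"   # no-op
cat "$tmp/libvmi.conf"
```

    Run it as root (or through sudo) with the real /etc/libvmi.conf as the third argument once the profile from step 11 is in /root.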

    13. Check that libvmi works

    sudo process-list windows7-sp1

    The output should look like this:

    Process listing for VM windows7-sp1-x86 (id=7)
    [    4] System (struct addr:84aba980)
    [  220] smss.exe (struct addr:85a44020)
    [  300] csrss.exe (struct addr:85f67a68)
    [  336] wininit.exe (struct addr:8601e030)
    [  348] csrss.exe (struct addr:84ba4030)
    [  384] winlogon.exe (struct addr:85966d40)
    [  444] services.exe (struct addr:8614c030)
    [  460] lsass.exe (struct addr:86171030)
    [  468] lsm.exe (struct addr:8617b4f8)
    [  564] svchost.exe (struct addr:861d9bc8)
    [  628] svchost.exe (struct addr:863fb8a8)
    [  816] sppsvc.exe (struct addr:86426838)
    [  856] svchost.exe (struct addr:854abd40)
    [  880] svchost.exe (struct addr:854c5030)
    [  916] svchost.exe (struct addr:854d7a70)
    [ 1240] svchost.exe (struct addr:8614cb80)
    [ 1280] svchost.exe (struct addr:854f7d40)
    [ 1608] spoolsv.exe (struct addr:85578660)
    [ 1636] svchost.exe (struct addr:85554af0)
    [  792] SearchIndexer. (struct addr:8562ac08)
    [ 1128] taskhost.exe (struct addr:858d9d40)
    [ 1524] dwm.exe (struct addr:857f3a60)
    [ 1728] explorer.exe (struct addr:858d9180)
    [ 1720] regsvr32.exe (struct addr:8605f398)
    [  248] svchost.exe (struct addr:863ed030)
    [ 1024] svchost.exe (struct addr:86420390)
    [  256] WmiPrvSE.exe (struct addr:854014a0)

    14. Build and install drakvuf

    cd ~/drakvuf
    autoreconf -vi
    ./configure
    make

    15. A quick check of drakvuf's functionality

    # -d is the domain id
    sudo ./src/drakvuf -r /root/win7.rekall.json -d 7

    If it produces output while running, the setup succeeded!! Confetti!!

    If you want to set this up yourself, it's best to follow the steps on the official site! The official steps had changed by the time I finished compared with when I started, so copying this verbatim is not guaranteed to work -_-

    Once the setup is complete, get into the guest system.

    16. Connect to the VM with VNC

    vncviewer ip:port     # ip is Domain-0's IP address; port is 5900 + domid
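    Because the port follows the domain id, which changes every time the domain is recreated, it is easier to read it off xl list than to remember it. The shell script below is an added example (not code from the original post or from Xen): it looks a domain up by name in xl list output and derives the VNC port as 5900 + domid, failing clearly when the domain is not running. The xl output is constructed to match the table shown earlier; the function names are assumptions.

```shell
#!/bin/sh
# Added example: VNC port for a domain from `xl list` output.
# Not the post's or Xen's own code.

# Constructed sample of `sudo xl list` output, matching the table above.
SAMPLE_XL_LIST='Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  4024     4     r-----     848.8
win7                                         7  3000     1     -b----      94.7'

# Print the domid of domain $1 found in xl list text $2; fail if absent.
domid_of() {
    id=$(printf '%s\n' "$2" | awk -v n="$1" 'NR > 1 && $1 == n { print $2; exit }')
    [ -n "$id" ] || { echo "domain $1 is not running" >&2; return 1; }
    printf '%s\n' "$id"
}

# VNC port = 5900 + domid, as the comment on the vncviewer line says.
vnc_port_of() {
    id=$(domid_of "$1" "$2") || return 1
    echo $((5900 + $id))
}

# Full vncviewer command line for domain $1 reachable via Domain-0 at $2.
vncviewer_cmd() {
    port=$(vnc_port_of "$1" "$3") || return 1
    printf 'vncviewer %s:%s\n' "$2" "$port"
}

# Live use: vncviewer_cmd win7 <dom0-ip> "$(sudo xl list)"
vncviewer_cmd win7 192.0.2.10 "$SAMPLE_XL_LIST"     # 192.0.2.10 is a placeholder address
```

    The port is only reachable from other hosts because the cfg sets vnclisten to 0.0.0.0; with the default of listening on localhost the viewer would have to run on Domain-0 itself.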

    After connecting to the VM, the OS installation proceeds. When it finishes, the VM reboots. At that point an img file has been generated, and from then on you no longer need to boot from the ISO to enter the system, so modify the cfg file as follows:

    arch = 'x86_64'
    name = "win7"
    seclabel='drakvuf:vm_r:drakvuf_domU_t'
    maxmem = 3000
    memory = 3000
    vcpus = 1
    maxcpus = 1
    builder = "hvm"
    boot = "cd"
    hap = 1
    acpi = 1
    on_poweroff = "destroy"
    on_reboot = "destroy"
    on_crash = "destroy"
    vnc=1
    vnclisten="0.0.0.0"
    # it seems a password also has to be set
    vncpasswd = "111"
    usb = 1
    usbdevice = "tablet"
    altp2mhvm = 1
    shadow_memory = 16
    audio=1
    soundhw='hda'
    vif = [ 'type=ioemu,model=e1000,bridge=xenbr0,mac=00:06:5B:BA:7C:01' ]
    disk = [ 'phy:/dev/vg/win7,hda,w', 'file:/path/to/your/win7.img,hda,w' ]

    Finally:

    xl create win7.cfg
    vncviewer ip:port

    All done~

    Reference: https://drakvuf.com/

    Please credit the original source when reposting: https://ju.6miu.com/read-450265.html
