Introduction
This post is a write-up of the setup. My abilities being limited, my group members and I spent half a semester on and off building it, and in the end we reproduced several of the features shown in the demo video on the DRAKVUF site (https://drakvuf.com/). We hit a number of problems along the way and solved most of them; the virtual machine's network configuration still has some issues and needs more work.
Environment
Ubuntu 16.04 LTS, Xen 4.7, one server (as a poor student I could not afford a machine that meets the hardware requirements, so I borrowed one from a teacher at the institute). The hardware requirement that matters is an Intel CPU with VT-x and EPT: on Xen 4.7 the altp2m feature DRAKVUF is built on is only implemented on top of EPT.
Setup process and steps
OK, on to the main part.
1. Install the required dependencies
sudo apt-get install wget git bcc bin86 gawk bridge-utils iproute libcurl3 libcurl4-openssl-dev bzip2 module-init-tools pciutils-dev build-essential make gcc clang libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev python python-dev python-twisted python-gevent python-setuptools libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev bison flex ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake libtool check libjson-c-dev libfuse-dev libsystemd-daemon-dev
apt reports an error for libsystemd-daemon-dev (on 16.04 that package has been folded into libsystemd-dev); change it to libsystemd-dev.
2. Install the submodules
Fetch the DRAKVUF source from GitHub:
cd ~
git clone https://github.com/tklengyel/drakvuf
cd drakvuf
git submodule init
git submodule update
cd xen
./configure --enable-githttp
make -j4 dist-xen
make -j4 dist-tools
git submodule init / git submodule update pull in the submodules DRAKVUF depends on (xen, rekall, libvmi and so on); the two make targets then build Xen and its tools from the bundled source.
3. Install Xen and set dom0 memory and CPUs
sudo su
make -j4 install-xen
make -j4 install-tools
echo "GRUB_CMDLINE_XEN_DEFAULT=\"dom0_mem=4096M,max:4096M dom0_max_vcpus=4 dom0_vcpus_pin=true hap_1gb=false hap_2mb=false altp2m=1 flask_enforcing=1\"" >> /etc/default/grub
echo "/usr/local/lib" > /etc/ld.so.conf.d/xen.conf
ldconfig
echo "none /proc/xen xenfs defaults,nofail 0 0" >> /etc/fstab
echo "xen-evtchn" >> /etc/modules
echo "xen-privcmd" >> /etc/modules
update-rc.d xencommons defaults 19 18
update-rc.d xendomains defaults 21 20
update-rc.d xen-watchdog defaults 22 23
4. Regenerate GRUB and reboot into Xen 4.7. Hold Shift during boot to get the GRUB menu and pick the Xen entry. The Xen command line from step 3 pins dom0 to 4 GB and 4 vCPUs (adjust dom0_mem to your host; what is left is what the guests get), disables 1 GB and 2 MB HAP superpages so that altp2m views can remap individual 4 KB pages, turns altp2m on, and runs the XSM/FLASK policy in enforcing mode, which is why the domain config below carries a seclabel.
update-grub
reboot
5. Checks
Check the kernel version; anything above 3.8 is fine.
uname -r
Check that you are running on Xen; the output should be: Running in PV context on Xen v4.7
sudo xen-detect
List the running domains; at this point there should be only Domain-0 (that is, the Ubuntu host).
xl list
6. Allocate disk space for the VM
lvcreate -L20G -n windows7-sp1 vg
That one line is all the official site gives, but I spent several days working out from scratch how to partition the disk on Ubuntu; what finally worked is below (using fdisk).
Use fdisk to create a partition of type Linux LVM (type code 8e on an MBR disk).
fdisk lists the type codes and what they mean; a quick look at its usage is enough to find the right one.
pvcreate /dev/sdb3
vgcreate vgpool /dev/sdb3    (vgpool is the name of the new volume group)
lvcreate -L 20G -n win7 vgpool
7. Write the domain cfg file
arch = 'x86_64'
name = "win7"
seclabel='drakvuf:vm_r:drakvuf_domU_t'
maxmem = 3000
memory = 3000
vcpus = 1
maxcpus = 1
builder = "hvm"
boot = "cd"
hap = 1
acpi = 1
on_poweroff = "destroy"
on_reboot = "destroy"
on_crash = "destroy"
vnc=1
vnclisten="0.0.0.0"
usb = 1
usbdevice = "tablet"
altp2mhvm = 1
shadow_memory = 16
audio=1
soundhw='hda'
vif = [ 'type=ioemu,model=e1000,bridge=xenbr0,mac=00:06:5B:BA:7C:01' ]
disk = [ 'phy:/dev/vg/windows7-sp1,hda,w', 'file:/path/to/your/windows7.iso,hdc:cdrom,r' ]
Fill in the path of the logical volume you actually created (the device is /dev/<vg>/<lv>, so /dev/vgpool/win7 if you followed step 6; the official example above uses /dev/vg/windows7-sp1) and the real path of the ISO; CPU and memory can be sized as needed. hap = 1 and altp2mhvm = 1 are required by DRAKVUF, and the seclabel is the label the FLASK policy enabled in step 3 expects. Be aware that vnclisten="0.0.0.0" exposes the guest console on every interface of the host; without a vncpasswd anyone who can reach port 5900+domid gets the console, so either bind it to 127.0.0.1 and tunnel over SSH or at least set a password.
Running xl create at this point fails because the bridge named in the vif line does not exist yet; create it:
sudo brctl addbr xenbr0
brctl addbr only creates the bridge: bring it up with ip link set xenbr0 up. It is not persistent across reboots and has no uplink, so the guest has no outside connectivity until you attach one (for malware analysis an isolated bridge is often exactly what you want).
8. Build LibVMI
cd ~/drakvuf/libvmi
./autogen.sh
./configure
Then build and install LibVMI:
make
sudo make install
echo "export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:/usr/local/lib" >> ~/.bashrc
(No sudo on the echo: sudo would apply to echo only, the >> redirection runs in your own shell anyway, and ~/.bashrc is your own file. The ld.so.conf.d entry from step 3 already covers /usr/local/lib for root.)
cd tools/pyvmi
python setup.py build
sudo python setup.py install
9. Download Volatility:
cd ~
git clone https://github.com/volatilityfoundation/volatility
cd volatility
cp ~/drakvuf/libvmi/tools/pyvmi/pyvmiaddressspace.py volatility/plugins/addrspaces
python setup.py build
sudo python setup.py install
10.Build and install Rekall
cd ~/drakvuf/rekall/rekall-core
sudo pip install setuptools
python setup.py build
sudo python setup.py install
11.Create the Rekall profile for the Windows domain.
$ sudo xl list
Name ID Mem VCPUs State Time(s)
Domain-0 0 4024 4 r----- 848.8
win7 7 3000 1 -b---- 94.7
$ sudo win-guid name win7
Windows Kernel found @ 0x2604000
Version: 32-bit Windows 7
PE GUID: 4ce78a09412000
PDB GUID: 684da42a30cc450f81c535b4d18944b12
Kernel filename: ntkrpamp.pdb
Multi-processor with PAE (version 5.0 and higher)
Signature: 17744.
Machine: 332.
# of sections: 22.
# of symbols: 0.
Timestamp: 1290242569.
Characteristics: 290.
Optional header size: 224.
Optional header type: 0x10b
Section 1: .text
Section 2: _PAGELK
Section 3: POOLMI
Section 4: POOLCODE
Section 5: .data
Section 6: ALMOSTRO
Section 7: SPINLOCK
Section 8: PAGE
Section 9: PAGELK
Section 10: PAGEKD
Section 11: PAGEVRFY
Section 12: PAGEHDLS
Section 13: PAGEBGFX
Section 14: PAGEVRFB
Section 15: .edata
Section 16: PAGEDATA
Section 17: PAGEKDD
Section 18: PAGEVRFC
Section 19: PAGEVRFD
Section 20: INIT
Section 21: .rsrc
Section 22: .reloc
The two values that matter are:
PDB GUID: 684da42a30cc450f81c535b4d18944b12
Kernel filename: ntkrpamp.pdb
The profile built from them has to match the exact kernel build running in the guest; after a Windows update that replaces the kernel, rerun win-guid and rebuild the profile, otherwise LibVMI will read kernel structures at the wrong offsets.
12. Generate the Rekall profile
cd /tmp
rekall fetch_pdb ntkrpamp.pdb 684da42a30cc450f81c535b4d18944b12
rekall parse_pdb ntkrpamp.pdb > win7.rekall.json
sudo mv win7.rekall.json /root
fetch_pdb downloads the PDB from Microsoft's symbol server, so dom0 needs outbound network access for this step only.
13. Generate the LibVMI configuration file
sudo su
printf "windows7-sp1 { \n\
ostype = \"Windows\"; \n\
rekall_profile = \"/root/windows7-sp1.rekall.json\"; \n\
}" >> /etc/libvmi.conf
exit
or
sudo gedit /etc/libvmi.conf
# write the following into libvmi.conf and save
win7 {
    ostype = "Windows";
    rekall_profile = "/root/win7.rekall.json";
}
The name in front of the braces must be the Xen domain name (name = "win7" in the cfg above), and rekall_profile must be the absolute path of the file written in step 12 (/root/win7.rekall.json here). Note that >> appends: running the printf twice leaves two entries for the same domain.
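As an added example (not code from this post or from the DRAKVUF, LibVMI or Rekall projects), the following Python pulls the two values out of win-guid's output, builds the rekall commands of step 12 and the libvmi.conf stanza of step 13 from them, and checks whether /etc/libvmi.conf already carries an entry for the domain before you append another one. The sample output text is constructed from the lines shown in step 11; the domain name win7 and the profile path /root/win7.rekall.json are the ones this post uses.

```python
import re

# Constructed sample: the head of the `win-guid name win7` output shown in
# step 11 (not a fresh capture from this host).
SAMPLE_WIN_GUID_OUTPUT = """\
Windows Kernel found @ 0x2604000
Version: 32-bit Windows 7
PE GUID: 4ce78a09412000
PDB GUID: 684da42a30cc450f81c535b4d18944b12
Kernel filename: ntkrpamp.pdb
Multi-processor with PAE (version 5.0 and higher)
"""

# As printed by win-guid: the 32 hex digits of the PDB GUID followed by the
# PDB age in decimal. Anything else means the output is garbled or is not
# from win-guid, so refuse to build a profile from it.
PDB_GUID_RE = re.compile(r"^[0-9a-fA-F]{32}[0-9]+$")


def parse_win_guid(output):
    """Return (pdb_guid, kernel_filename) from win-guid output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    try:
        guid = fields["PDB GUID"]
        kernel = fields["Kernel filename"]
    except KeyError as missing:
        raise ValueError("win-guid output has no %s line" % missing)
    if not PDB_GUID_RE.match(guid):
        raise ValueError("unexpected PDB GUID format: %r" % guid)
    if not kernel.lower().endswith(".pdb"):
        raise ValueError("unexpected kernel filename: %r" % kernel)
    return guid, kernel


def rekall_commands(guid, kernel, profile_path):
    """The two rekall invocations of step 12, built from the parsed values."""
    return [
        "rekall fetch_pdb %s %s" % (kernel, guid),
        "rekall parse_pdb %s > %s" % (kernel, profile_path),
    ]


def libvmi_stanza(domain, profile_path):
    """libvmi.conf block for `domain`. The key must equal the Xen domain's
    `name =`; use an absolute profile path, since relative paths are resolved
    against whatever directory the introspecting tool happens to run from."""
    return ('%s {\n    ostype = "Windows";\n    rekall_profile = "%s";\n}\n'
            % (domain, profile_path))


def has_stanza(conf_text, domain):
    """True if libvmi.conf already carries a block for `domain`, so that a
    second `>>` append would leave two competing entries."""
    pattern = r"^\s*%s\s*\{" % re.escape(domain)
    return re.search(pattern, conf_text, re.M) is not None


if __name__ == "__main__":
    guid, kernel = parse_win_guid(SAMPLE_WIN_GUID_OUTPUT)
    for cmd in rekall_commands(guid, kernel, "/root/win7.rekall.json"):
        print(cmd)
    print(libvmi_stanza("win7", "/root/win7.rekall.json"))
```

Run it after `win-guid name win7 > guid.txt` by feeding the file to parse_win_guid; before appending the stanza, read /etc/libvmi.conf and call has_stanza on it.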
14. Check that LibVMI works
sudo process-list windows7-sp1
(use the domain name you put in libvmi.conf, i.e. win7 if you used the second variant above)
The output should look like this:
Process listing for VM windows7-sp1-x86 (id=7)
[ 4] System (struct addr:84aba980)
[ 220] smss.exe (struct addr:85a44020)
[ 300] csrss.exe (struct addr:85f67a68)
[ 336] wininit.exe (struct addr:8601e030)
[ 348] csrss.exe (struct addr:84ba4030)
[ 384] winlogon.exe (struct addr:85966d40)
[ 444] services.exe (struct addr:8614c030)
[ 460] lsass.exe (struct addr:86171030)
[ 468] lsm.exe (struct addr:8617b4f8)
[ 564] svchost.exe (struct addr:861d9bc8)
[ 628] svchost.exe (struct addr:863fb8a8)
[ 816] sppsvc.exe (struct addr:86426838)
[ 856] svchost.exe (struct addr:854abd40)
[ 880] svchost.exe (struct addr:854c5030)
[ 916] svchost.exe (struct addr:854d7a70)
[ 1240] svchost.exe (struct addr:8614cb80)
[ 1280] svchost.exe (struct addr:854f7d40)
[ 1608] spoolsv.exe (struct addr:85578660)
[ 1636] svchost.exe (struct addr:85554af0)
[ 792] SearchIndexer. (struct addr:8562ac08)
[ 1128] taskhost.exe (struct addr:858d9d40)
[ 1524] dwm.exe (struct addr:857f3a60)
[ 1728] explorer.exe (struct addr:858d9180)
[ 1720] regsvr32.exe (struct addr:8605f398)
[ 248] svchost.exe (struct addr:863ed030)
[ 1024] svchost.exe (struct addr:86420390)
[ 256] WmiPrvSE.exe (struct addr:854014a0)
15. Build and install DRAKVUF
cd ~/drakvuf
autoreconf -vi
./configure
make
16. A quick check of DRAKVUF
# -d is the domain id, as shown by xl list (it changes every time the domain is created, so check it before each run)
sudo ./src/drakvuf -r /root/win7.rekall.json -d 7
If it runs and prints events, the setup works.
If you want to build this yourself, follow the steps on the official site! The official instructions changed between when I started and when I finished, so copying these steps verbatim is not guaranteed to work.
With the build done, the next step is getting into the guest.
17. Connect to the VM over VNC
vncviewer ip:port
# ip is Domain-0's address
# port is 5900 + the domid from xl list
Once connected you go through the Windows installer. When installation finishes the VM reboots. The installed system now lives on the logical volume, so later boots no longer need the ISO; change the cfg as follows:
arch = 'x86_64'
name = "win7"
seclabel='drakvuf:vm_r:drakvuf_domU_t'
maxmem = 3000
memory = 3000
vcpus = 1
maxcpus = 1
builder = "hvm"
boot = "cd"
hap = 1
acpi = 1
on_poweroff = "destroy"
on_reboot = "destroy"
on_crash = "destroy"
vnc=1
vnclisten="0.0.0.0"
# it seems a VNC password is also needed: vncpasswd = "111"
usb = 1
usbdevice = "tablet"
altp2mhvm = 1
shadow_memory = 16
audio=1
soundhw='hda'
vif = [ 'type=ioemu,model=e1000,bridge=xenbr0,mac=00:06:5B:BA:7C:01' ]
disk = [ 'phy:/dev/vg/win7,hda,w' ]
(Only the cdrom entry goes away. Windows was installed onto the logical volume, so there is no separate image file to add; and two disk entries must never share one vdev such as hda, or xl will not create the domain. Use the same /dev/<vg>/<lv> path as in step 7.)
Finally
xl create win7.cfg
vncviewer ip:port
Done.
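As a closing check on the two cfg files in steps 7 and 17, here is an added example (not code from this post or from Xen/DRAKVUF) that parses an xl config, verifies the settings DRAKVUF depends on (HVM builder, hap, altp2mhvm, seclabel, name), flags two disk entries sharing a vdev and a read/write cdrom, warns when the VNC console listens on all interfaces without a password, and derives the post-install config from the install-time one by dropping the cdrom and booting from disk. The sample config is constructed from the post's win7.cfg with the /dev/vgpool/win7 volume of step 6; the ISO path is the same placeholder the post uses.

```python
import ast
import re

# Constructed sample modelled on the install-time win7.cfg of step 7, using
# the logical volume created in step 6; the ISO path is a placeholder.
INSTALL_CFG = """\
name = "win7"
seclabel='drakvuf:vm_r:drakvuf_domU_t'
maxmem = 3000
memory = 3000
vcpus = 1
builder = "hvm"
boot = "cd"
hap = 1
acpi = 1
on_crash = "destroy"
vnc=1
vnclisten="0.0.0.0"
altp2mhvm = 1
vif = [ 'type=ioemu,model=e1000,bridge=xenbr0,mac=00:06:5B:BA:7C:01' ]
disk = [ 'phy:/dev/vgpool/win7,hda,w', 'file:/path/to/your/windows7.iso,hdc:cdrom,r' ]
"""

# A variant with a second device on the same vdev (hda) as the logical
# volume, the mistake that is easy to make when editing the disk line.
DUPLICATE_VDEV_CFG = INSTALL_CFG.replace(
    "'file:/path/to/your/windows7.iso,hdc:cdrom,r'",
    "'file:/path/to/your/win7.img,hda,w'")

LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")


def parse_xl_cfg(text):
    """Parse `key = value` lines of an xl config into a dict. The values in
    these files are Python-style literals (quoted strings, ints, lists of
    strings), so ast.literal_eval handles them without executing anything."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0])
        if m:
            cfg[m.group(1)] = ast.literal_eval(m.group(2))
    return cfg


def disk_entries(cfg):
    """Split each disk spec into (target, vdev, is_cdrom, mode)."""
    entries = []
    for spec in cfg.get("disk", []):
        parts = [p.strip() for p in spec.split(",")]
        target, vdev = parts[0], parts[1]
        mode = parts[2] if len(parts) > 2 else ""
        entries.append((target, vdev.split(":")[0], vdev.endswith(":cdrom"), mode))
    return entries


def check_drakvuf_cfg(cfg):
    """Return the problems found; an empty list means the config passes."""
    problems = []
    for key, want in (("builder", "hvm"), ("hap", 1), ("altp2mhvm", 1)):
        if cfg.get(key) != want:
            problems.append("%s must be %r: DRAKVUF needs an HVM guest with HAP and altp2m" % (key, want))
    if not cfg.get("name"):
        problems.append("name is missing; libvmi.conf is keyed by it")
    if not cfg.get("seclabel"):
        problems.append("seclabel is missing; the Xen command line in step 3 runs FLASK in enforcing mode")
    seen = {}
    for target, vdev, is_cdrom, mode in disk_entries(cfg):
        if vdev in seen:
            problems.append("vdev %s is used twice (%s and %s)" % (vdev, seen[vdev], target))
        seen[vdev] = target
        if is_cdrom and mode != "r":
            problems.append("cdrom %s should be attached read-only" % target)
    # xl's default for vnclisten is 127.0.0.1; 0.0.0.0 without a password hands
    # the guest console to anyone who can reach the host.
    if cfg.get("vnc") == 1 and cfg.get("vnclisten", "127.0.0.1") == "0.0.0.0" and not cfg.get("vncpasswd"):
        problems.append("VNC console is reachable on every interface and has no vncpasswd")
    return problems


def post_install_cfg(text):
    """Rewrite the install-time config for normal boots: drop the cdrom entry
    and boot from the hard disk only. The installed Windows lives on the
    logical volume, so nothing else changes."""
    disks = [s for s in parse_xl_cfg(text).get("disk", []) if ":cdrom" not in s]
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0])
        key = m.group(1) if m else None
        if key == "disk":
            out.append("disk = %r" % (disks,))
        elif key == "boot":
            out.append('boot = "c"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, text in (("install", INSTALL_CFG),
                        ("duplicate vdev", DUPLICATE_VDEV_CFG),
                        ("post-install", post_install_cfg(INSTALL_CFG))):
        print(label, check_drakvuf_cfg(parse_xl_cfg(text)))
```

Point parse_xl_cfg at your real win7.cfg before each xl create; the VNC warning is the one you will see on the post's config as written, and it goes away once vnclisten is 127.0.0.1 or vncpasswd is set.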