Extracting lock-screen hashes from vCenter with Volatility
Word count: 1863 | 2025-08-26 22:12:02
VMware vCenter lock-screen hash extraction in detail
I. Preface
In VMware vCenter/ESXi environments, Windows virtual machines are often sitting at a locked screen. This article describes how to use the memory-forensics tool Volatility to extract the lock-screen hashes from a VM's vmem memory file and thereby obtain access to the server.
II. Approach
1. Environment analysis
- VMware vCenter/ESXi ships with a Python 3.6.8 environment
- The hashes have to be extracted from the VM's memory file (vmem)
- Main tool: the Volatility memory-forensics framework
2. Available options
- Python 3 route:
  - Deploy Volatility3 directly on ESXi
  - Package Volatility3 into an executable with PyInstaller, either
    - on ESXi itself, or
    - in another Linux environment (as close to ESXi as possible)
- Python 2 route:
  - Use the official Volatility2 executable
  - Note: there is no official Volatility3 executable (the packaged file could be flagged as malware)
III. Detailed implementation
1. Deploying Volatility3 directly on ESXi (not recommended)
Problem: it needs a large number of system libraries and pip dependencies, and setting up the environment is complicated.
Required system packages:

```bash
yum install zlib zlib-devel bzip2-devel ncurses-devel sqlite-devel \
    readline-devel gcc libffi libffi-devel gcc-c++ openssl-devel tk-devel \
    xz-devel epel-release python35-devel
```

pip dependencies:

```bash
pip3 install pefile==2018.8.8 backports.lzma pycryptodome importlib-metadata==0.6
```
2. Packaging Volatility3 (recommended)
2.1 Environment preparation
- Recommended system: CentOS 7.9 (same GLIBC version as ESXi, ships with Python 3.6)
- Install the build dependencies:

```bash
yum install zlib zlib-devel bzip2-devel ncurses-devel sqlite-devel \
    readline-devel gcc libffi libffi-devel gcc-c++ openssl-devel tk-devel
```

2.2 Get Volatility3

```bash
git clone https://github.com/volatilityfoundation/volatility3
```

2.3 Install dependencies
- Install the Python development package:

```bash
yum install epel-release -y
yum install python3-devel -y
```

- Install the pip dependencies:

```bash
pip3 install -r requirements.txt
# or use a mirror inside China
pip3 install -r requirements.txt -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
```

Note that `--trusted-host` combined with a plain-http index disables certificate checking for that mirror; prefer an https mirror where one is available.

2.4 Install Volatility3

```bash
pip3 install --upgrade setuptools
python3 setup.py install
```

2.5 Check that it works

```bash
python3 vol.py -vv
python3 vol.py -f xxx.vmem windows.info
python3 vol.py -f xxx.vmem windows.hashdump
```

2.6 Install PyInstaller

```bash
pip3 install pyinstaller==3.6
```
2.7 Package Volatility3
Edit the vol.spec file to add the hashdump and yarascan plugins:

```python
# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0#
import os
import sys

from PyInstaller.building.api import PYZ, EXE, COLLECT
from PyInstaller.building.build_main import Analysis
from PyInstaller.utils.hooks import collect_submodules, collect_data_files, collect_dynamic_libs

block_cipher = None

# Bundle capstone's shared library only if capstone is installed (it is optional for Volatility3)
binaries = []
try:
    import capstone
    binaries = collect_dynamic_libs('capstone')
except ImportError:
    pass

# Volatility must be findable in sys.path in order for collect_submodules to work
# This adds the current working directory, which should usually do the trick
# (SPEC is a global that PyInstaller sets to the path of this spec file)
sys.path.append(os.path.dirname(os.path.abspath(SPEC)))

# hashdump.py and yarascan.py are listed explicitly so the plugins used in this article are always bundled
vol_analysis = Analysis(['vol.py',
                         'volatility3/framework/plugins/windows/hashdump.py',
                         'volatility3/framework/plugins/yarascan.py'],
                        pathex=[],
                        binaries=binaries,
                        datas=collect_data_files('volatility3.framework') +
                              collect_data_files('volatility3.framework.automagic', include_py_files=True) +
                              collect_data_files('volatility3.framework.plugins', include_py_files=True) +
                              collect_data_files('volatility3.framework.layers', include_py_files=True) +
                              collect_data_files('volatility3.schemas') +
                              collect_data_files('volatility3.plugins', include_py_files=True),
                        hiddenimports=collect_submodules('volatility3.framework.automagic') +
                                      collect_submodules('volatility3.framework.plugins') +
                                      collect_submodules('volatility3.framework.symbols'),
                        hookspath=[],
                        runtime_hooks=[],
                        excludes=[],
                        win_no_prefer_redirects=False,
                        win_private_assemblies=False,
                        cipher=block_cipher,
                        noarchive=False)

vol_pyz = PYZ(vol_analysis.pure, vol_analysis.zipped_data, cipher=block_cipher)

vol_exe = EXE(vol_pyz, vol_analysis.scripts, [('u', None, 'OPTION')], exclude_binaries=True,
              name='vol',
              icon=os.path.join('doc', 'source', '_static', 'favicon.ico'),
              debug=False,
              bootloader_ignore_signals=False,
              strip=False,
              upx=True,
              runtime_tmpdir=None,
              console=True)

vol_coll = COLLECT(vol_exe, vol_analysis.binaries, vol_analysis.zipfiles, vol_analysis.datas,
                   strip=False,
                   upx=True,
                   upx_exclude=[],
                   name='vol')
```

Run the build:

```bash
pyinstaller vol-new.spec
```
2.8 Post-processing the build output
- Extract base_library.zip into the current directory
- Compress the built vol folder and transfer it to the ESXi server
2.9 Using the packaged tool
Extract it on ESXi, make it executable and it is ready to use. Notes:
- ESXi needs outbound internet access (Volatility3 downloads symbol tables from Microsoft)
- Without internet access, extracting the hashes takes roughly 3-7 minutes
3. Handling an offline environment
When the target ESXi host cannot reach the internet, the symbol tables (PDB files) have to be downloaded by hand:
- Take the required PDB name and GUID from the debug output:

```text
Symbol file could not be downloaded from remote server
Required symbol library path not found: ntkrnlmp.pdb\118018959D8D7CA5AAB45B75AED5A976-1
The symbols can be downloaded later using pdbconv.py -p ntkrnlmp.pdb -g 118018959D8D7CA5AAB45B75AED5A9761
```

- Download the symbol table with pdbconv.py:

```bash
python3 pdbconv.py -p ntkrnlmp.pdb -g 118018959D8D7CA5AAB45B75AED5A9761
```

- Place the downloaded symbol table in the expected directory:

```text
/tmp/vol/volatility3/framework/symbols/windows/ntkrnlmp.pdb/
```
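As an added example (not code from the original article), the script below turns the debug output above into the pdbconv.py call, the download location and the ISF file path Volatility3 will look for, so an offline host can be pre-staged and then cross-checked instead of guessed at. The symbol-server URL layout and the `.json.xz` file naming are assumptions about how pdbconv fetches and stores converted symbols; the sample output is constructed.

```python
import os
import re

# Constructed sample of the Volatility3 debug output shown above (not captured from a real run).
SAMPLE_DEBUG_OUTPUT = """\
Symbol file could not be downloaded from remote server
Required symbol library path not found: ntkrnlmp.pdb\\118018959D8D7CA5AAB45B75AED5A976-1
The symbols can be downloaded later using pdbconv.py -p ntkrnlmp.pdb -g 118018959D8D7CA5AAB45B75AED5A9761
"""

# Volatility3 names the missing table as "<name>.pdb\<GUID>-<age>"; accept either path separator.
MISSING_RE = re.compile(
    r"Required symbol library path not found:\s*"
    r"(?P<pdb>[\w.-]+\.pdb)[\\/](?P<guid>[0-9A-Fa-f]{32})-(?P<age>\d+)"
)

# Assumption: pdbconv fetches from the public Microsoft symbol server, laid out as <pdb>/<GUID+age>/<pdb>.
SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def parse_missing_symbols(output):
    """Return the unique (pdb_name, GUID, age) triples reported in the debug output."""
    found = []
    for m in MISSING_RE.finditer(output):
        entry = (m.group("pdb"), m.group("guid").upper(), int(m.group("age")))
        if entry not in found:
            found.append(entry)
    return found

def pdbconv_command(pdb, guid, age):
    """The pdbconv.py call in the form Volatility3 suggests: -g is the GUID immediately followed by the age."""
    return f"python3 pdbconv.py -p {pdb} -g {guid}{age}"

def symbol_server_url(pdb, guid, age):
    """Where the PDB is fetched from; useful when the download has to happen on a connected host."""
    return f"{SYMBOL_SERVER}/{pdb}/{guid}{age}/{pdb}"

def isf_path(symbols_root, pdb, guid, age):
    """Converted ISF file Volatility3 expects under <symbols_root>/windows (assumed .json.xz naming)."""
    return os.path.join(symbols_root, "windows", pdb, f"{guid}-{age}.json.xz")

def still_missing(output, symbols_root, exists=os.path.exists):
    """Which tables named in the output are not yet present in the offline symbol directory."""
    paths = [isf_path(symbols_root, *entry) for entry in parse_missing_symbols(output)]
    return [p for p in paths if not exists(p)]
```

Run `still_missing(debug_text, "/tmp/vol/volatility3/framework/symbols")` after copying the files into place; an empty list means nothing is left to fetch before the tool goes to the offline host.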
IV. Common problems
1. GLIBC version mismatch
- Symptom: the packaged program will not run on ESXi
- Cause: the build environment's GLIBC is newer than the target ESXi host's
- Fix:
  - Build on CentOS 7.x (GLIBC 2.17)
  - Avoid systems with a newer GLIBC such as Ubuntu or Kali
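Added example (not part of the article) for catching the GLIBC mismatch before the build is shipped: it reads `objdump -T` output from the packaged binary and lists every imported symbol bound to a GLIBC version newer than the 2.17 of the target. The objdump excerpt is constructed, and the `dist/vol/vol` location mentioned for `check_binary` is an assumption about where PyInstaller writes the result.

```python
import re
import subprocess

# Constructed excerpt of `objdump -T` output for a binary built on a newer distro (not from a real build);
# the fcntl64 line is the kind of import that makes the program fail to load on GLIBC 2.17.
SAMPLE_OBJDUMP = """\
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strlen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.28  fcntl64
"""

# GLIBC shipped by CentOS 7.x, which the article matches to the ESXi target.
TARGET_GLIBC = "2.17"

# "GLIBC_<version> <symbol>" as printed in the dynamic symbol table (a closing paren appears for hidden versions).
SYMVER_RE = re.compile(r"GLIBC_(\d+(?:\.\d+)*)\)?\s+(\S+)")


def version_tuple(version):
    """'2.2.5' -> (2, 2, 5) so versions compare numerically instead of as strings."""
    return tuple(int(part) for part in version.split("."))

def glibc_requirements(objdump_text):
    """Map each imported symbol to the GLIBC version it is bound to."""
    return {symbol: version for version, symbol in SYMVER_RE.findall(objdump_text)}

def max_glibc_required(objdump_text):
    """Highest GLIBC version the binary needs, or None if it imports no versioned GLIBC symbols."""
    versions = [version_tuple(v) for v in glibc_requirements(objdump_text).values()]
    return ".".join(str(n) for n in max(versions)) if versions else None

def symbols_too_new(objdump_text, target=TARGET_GLIBC):
    """(symbol, version) pairs newer than the target GLIBC; an empty list means the loader will be satisfied."""
    limit = version_tuple(target)
    return sorted((s, v) for s, v in glibc_requirements(objdump_text).items() if version_tuple(v) > limit)

def check_binary(path, target=TARGET_GLIBC):
    """Run objdump -T on a built file (assumed location: dist/vol/vol) and report offending symbols.

    Uses stdout=PIPE rather than capture_output so it also works on the Python 3.6 of CentOS 7."""
    result = subprocess.run(["objdump", "-T", path], check=True,
                            stdout=subprocess.PIPE, universal_newlines=True)
    return symbols_too_new(result.stdout, target)
```

Run it over the `vol` executable and over the `.so` files PyInstaller places next to it, since those were also built against the build host's GLIBC.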
2. "No module named 'encodings'" error
- Fix: extract base_library.zip into the current directory
3. Plugins not working
- Cause: the required plugins were not included at build time
- Fix: add the required plugins explicitly in the spec file (hashdump.py and yarascan.py)
4. Environment variable problem
- Symptom: running pdbconv.py from the command line reports "No module named 'volatility3'"
- Fix: add the Volatility3 project path at the top of the script:

```python
import sys
sys.path.append("/path/to/volatility3-develop")
```
V. Version compatibility
| Version | Windows 7 | Windows 10 | Server 2008 | Server 2012 | Server 2016 | Server 2019 |
|---|---|---|---|---|---|---|
| Volatility2 | ✔️ | ❌ | ✔️ | ❌ | ❌ | ❌ |
| Volatility3 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
VI. Summary and next steps
- Current status:
  - The packaged Volatility3 runs on ESXi
  - Extracting hashes in an offline environment takes 3-7 minutes
- Optimisation directions:
  - Further optimise the tool, aiming to finish hash extraction within 3 minutes
  - Work out a complete offline symbol-table solution
  - Explore more efficient memory-analysis methods
- Key points:
  - Choose the right build environment (CentOS 7.x)
  - Make sure all required plugins are included
  - Handle the symbol-table download properly
  - Mind GLIBC version compatibility
With the method described here, lock-screen hashes can be extracted effectively from Windows VMs in VMware vCenter/ESXi environments, supporting system maintenance and incident response.