Docker镜像逆向分析教程<\/h1>

环境准备<\/h2>

安装Docker<\/h3>
curl -fsSL https:\/\/get.docker.com | bash -s docker --mirror Aliyun
<\/span><\/span><\/code><\/pre>安装DIVE工具<\/h3>
wget https:\/\/github.com\/wagoodman\/dive\/releases\/download\/v0.9.2\/dive_0.9.2_linux_amd64.deb
<\/span><\/span>sudo apt install .\/dive_0.9.2_linux_amd64.deb
<\/span><\/span><\/code><\/pre>镜像分析流程<\/h2>
1. 拉取并导出镜像<\/h3>
sudo docker pull ubuntu
<\/span><\/span>sudo docker save -o ubuntu.tar ubuntu
<\/span><\/span><\/code><\/pre>2. 解压镜像文件<\/h3>
解压ubuntu.tar<\/code>后会得到以下文件结构：<\/p>

manifest.json<\/code> - 镜像清单文件<\/li>
[hash].json<\/code> - 镜像配置文件<\/li>
[hash]\/layer.tar<\/code> - 镜像层文件<\/li>
VERSION<\/code> - 版本文件<\/li>
<\/ul>
3. 分析manifest.json<\/h3>
示例内容：<\/p>
[{
<\/span><\/span>  "Config"<\/span>: "825d55fb6340083b06e69e02e823a02918f3ffb575ed2a87026d4645a7fd9e1b.json"<\/span>,
<\/span><\/span>  "RepoTags"<\/span>: ["ubuntu:latest"<\/span>],
<\/span><\/span>  "Layers"<\/span>: ["8f7ee37aa1d53dcded9b5c22b0a57d8bb8d35d9f42273651668e7aca23bd7581\/layer.tar"<\/span>]
<\/span><\/span>}]
<\/span><\/span><\/code><\/pre>关键字段：<\/p>

Config<\/code>: 指向镜像配置JSON文件<\/li>
RepoTags<\/code>: 镜像名称和标签<\/li>
Layers<\/code>: 镜像层列表<\/li>
<\/ul>
4. 分析镜像配置文件<\/h3>
配置文件（如825d55fb6340...json<\/code>）包含以下重要信息：<\/p>
{
<\/span><\/span>  "architecture"<\/span>: "amd64"<\/span>,
<\/span><\/span>  "config"<\/span>: {
<\/span><\/span>    "Cmd"<\/span>: ["bash"<\/span>],
<\/span><\/span>    "Env"<\/span>: ["PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin"<\/span>]
<\/span><\/span>  },
<\/span><\/span>  "history"<\/span>: [
<\/span><\/span>    {
<\/span><\/span>      "created"<\/span>: "2022-04-05T22:20:50.696744314Z"<\/span>,
<\/span><\/span>      "created_by"<\/span>: "\/bin\/sh -c #(nop) ADD file:b83df51ab7caf8a4dc35f730f5a18a59403300c59eecae4cf5779cba0f6fda6e in \/ "<\/span>
<\/span><\/span>    },
<\/span><\/span>    {
<\/span><\/span>      "created"<\/span>: "2022-04-05T22:20:51.04675426Z"<\/span>,
<\/span><\/span>      "created_by"<\/span>: "\/bin\/sh -c #(nop) CMD [\"bash\"]"<\/span>,
<\/span><\/span>      "empty_layer"<\/span>: true<\/span>
<\/span><\/span>    }
<\/span><\/span>  ],
<\/span><\/span>  "rootfs"<\/span>: {
<\/span><\/span>    "type"<\/span>: "layers"<\/span>,
<\/span><\/span>    "diff_ids"<\/span>: ["sha256:c5ec52c98b3193052e15d783aca2bef10d8d829fa0d58fedfede511920b8f997"<\/span>]
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

history<\/code>字段记录镜像构建历史，每个Dockerfile命令通常对应一个层<\/li>
empty_layer: true<\/code>表示该操作不改变文件系统<\/li>
rootfs.diff_ids<\/code>列出各层的校验和<\/li>
<\/ul>
5. 分析镜像层<\/h3>
解压layer.tar<\/code>可查看该层对文件系统的修改：<\/p>

包含完整的Linux文件系统结构<\/li>
在ubuntu镜像中，主要命令位于usr\/bin<\/code>目录<\/li>
<\/ul>
使用DIVE工具分析<\/h2>
主要功能<\/h3>

显示镜像层列表及各层大小<\/li>
提供镜像效率统计（浪费空间百分比）<\/li>
可视化各层文件系统变更<\/li>
<\/ol>
常用快捷键<\/h3>

Ctrl+Spacebar<\/code>: 左右面板切换<\/li>
Spacebar<\/code>: 打开\/关闭目录树<\/li>
Ctrl+A<\/code>: 显示\/隐藏添加的文件<\/li>
Ctrl+R<\/code>: 显示\/隐藏移除的文件<\/li>
Ctrl+M<\/code>: 显示\/隐藏修改的文件<\/li>
Ctrl+U<\/code>: 显示\/隐藏未修改的文件<\/li>
Ctrl+L<\/code>: 显示镜像层变动<\/li>
Ctrl+\/<\/code>: 过滤文件<\/li>
Ctrl+C<\/code>: 退出<\/li>
<\/ul>
实际操作示例<\/h3>

运行容器并修改：<\/li>
<\/ol>
docker run -it --name ubuntu_test ubuntu
<\/span><\/span>echo hello > hello.txt
<\/span><\/span>echo world > world.txt
<\/span><\/span>exit
<\/span><\/span><\/code><\/pre>
提交为新镜像并分析：<\/li>
<\/ol>
docker commit ubuntu_test ubuntu_test
<\/span><\/span>docker save -o ubuntu_test.tar ubuntu_test
<\/span><\/span>sudo dive ubuntu_test
<\/span><\/span><\/code><\/pre>其他分析工具<\/h2>

contains<\/strong> - 在线分析容器镜像<\/li>
trivy<\/strong> - 镜像漏洞扫描工具<\/li>
Clair<\/strong> - 静态分析容器漏洞<\/li>
Anchore<\/strong> - 深度分析docker镜像<\/li>
Dagda<\/strong> - 检测木马、恶意软件<\/li>
Aqua Security<\/strong> - 云原生应用保护<\/li>
<\/ol>
参考链接<\/h2>

Docker镜像规范<\/a><\/li>
Docker命令文档<\/a><\/li>
优化镜像大小指南<\/a><\/li>
Docker安全工具<\/a><\/li>
<\/ol>
Docker镜像逆向分析教程<\/h1>

环境准备<\/h2>

镜像分析流程<\/h2>

使用DIVE工具分析<\/h2>

参考链接<\/h2> Docker镜像规范<\/a><\/li> Docker命令文档<\/a><\/li> 优化镜像大小指南<\/a><\/li> Docker安全工具<\/a><\/li> <\/ol>

参考链接<\/h2>

Docker镜像规范<\/a><\/li>
Docker命令文档<\/a><\/li>
优化镜像大小指南<\/a><\/li>
Docker安全工具<\/a><\/li> <\/ol>
