CentOS 5.5环境下安装GCC并编译LiME进行内存取证分析<\/h1>

1. 背景与需求分析<\/h2>

在CentOS 5.5系统中进行内存取证分析时，面临以下挑战：<\/p>

生产环境缺少GCC和GDB等基本开发工具<\/li>
系统版本较老，yum源已停止更新<\/li>

需要获取完整内存镜像用于volatility分析<\/li> <\/ul>

2. 解决方案选择<\/h2>

考虑两种方案后选择第二种：<\/p>

进程内存转储方案<\/strong>：使用\/proc\/[PID]\/maps<\/code>抓取单个进程内存（被否决，因进程过多）<\/li>

LiME内核模块方案<\/strong>：编译LiME模块直接获取完整内存镜像<\/li> <\/ol> 3. 环境准备<\/h2> 3.1 获取CentOS 5.5安装镜像<\/h3> 下载地址：http:\/\/vault.centos.org\/5.5\/isos\/x86_64\/CentOS-5.5-x86_64-bin-DVD.torrent<\/p> 3.2 挂载ISO镜像<\/h3> 在VMWare中：<\/p> 选择菜单VM > Settings<\/code><\/li> 选择CDROM<\/code><\/li> 设置参数为Use ISO image<\/code><\/li> 选择下载的CentOS镜像文件<\/li> <\/ol> 4. GCC安装步骤<\/h2> 以root身份执行以下命令安装GCC及相关依赖：<\/p> cd \/media\/CentOS_5.5_Final\/CentOS <\/span><\/span>rpm -ivh cpp-4.1.2-48.el5.x86_64.rpm <\/span><\/span>rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm <\/span><\/span>rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm <\/span><\/span>rpm -ivh glibc-headers-2.5-49.x86_64.rpm <\/span><\/span>rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm # 重复安装确认依赖<\/span> <\/span><\/span>rpm -ivh kernel-devel-2.6.18-194.el5.x86_64.rpm <\/span><\/span>rpm -ivh glibc-devel-2.5-49.x86_64.rpm <\/span><\/span>rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm <\/span><\/span><\/code><\/pre>5. LiME编译与使用<\/h2> 5.1 解压与编译<\/h3> tar -zxvf LiME.tar.gz <\/span><\/span>cd \/home\/yunwei\/Desktop\/malware\/LiME\/src\/ <\/span><\/span>make <\/span><\/span><\/code><\/pre>编译成功后会在src目录下生成lime-2.6.18-194.el5.ko<\/code>内核模块<\/p> 5.2 内存抓取<\/h3> # 抓取内存到指定路径<\/span> <\/span><\/span>insmod lime-`<\/span>uname -r`<\/span>.ko path=<\/span>\/home\/yunwei\/Desktop\/malware\/centos5.lime format=<\/span>lime <\/span><\/span> <\/span><\/span># 完成抓取后卸载模块<\/span> <\/span><\/span>rmmod lime <\/span><\/span><\/code><\/pre>6. 元数据制作（Volatility Profile）<\/h2> 6.1 安装dwarfdump工具<\/h3> 6.1.1 安装依赖<\/h4> cd \/media\/CentOS_5.5_Final\/CentOS\/ <\/span><\/span>rpm -ivh elfutils-libelf-0.137-3.el5.x86_64.rpm <\/span><\/span>rpm -ivh elfutils-libelf-devel-static-0.137-3.el5.x86_64.rpm <\/span><\/span>rpm -ivh elfutils-libelf-devel-0.137-3.el5.x86_64.rpm <\/span><\/span><\/code><\/pre>6.1.2 编译libdwarf<\/h4> git clone https:\/\/github.com\/tomhughes\/libdwarf.git <\/span><\/span>cd libdwarf <\/span><\/span>.\/configure <\/span><\/span>make <\/span><\/span>cd dwarfdump\/ <\/span><\/span>make install <\/span><\/span><\/code><\/pre>6.2 编译volatility工具模块<\/h3> tar -zxvf volatility.tar.gz <\/span><\/span>cd volatility\/tools\/linux\/ <\/span><\/span>make <\/span><\/span><\/code><\/pre>编译问题解决<\/strong>：需要注释掉module.c<\/code>文件中198-221行的代码段：<\/p> \/*#if LINUX_VERSION_CODE == KERNEL_VERSION(2,6,18) <\/span><\/span><\/span>.... <\/span><\/span><\/span>struct module_sections module_sect_attrs; <\/span><\/span><\/span>#endif*\/<\/span> <\/span><\/span><\/code><\/pre>6.3 打包元数据<\/h3> zip CentOS5.5_2.6.18-194.el5-x86_64.zip module.dwarf \/boot\/System.map-`<\/span>uname -r`<\/span> <\/span><\/span><\/code><\/pre>将生成的zip文件放入volatility的插件目录： volatility-master\volatility\plugins\overlays\linux<\/code><\/p> 7. 使用Volatility分析内存镜像<\/h2> 示例命令：<\/p> vol.py -f "D:\malware\CentOS5.5_2.6.18-194.el5_test.lime"<\/span> --profile=<\/span>LinuxCentOS5_5_2_6_18-194_el5-x86_64x64 linux_pslist <\/span><\/span><\/code><\/pre>8. 参考资源<\/h2> Linux安装GCC问题解决：https:\/\/blog.csdn.net\/yvanboyang\/article\/details\/73274004<\/li> CentOS 5.5安装GCC与g++：https:\/\/www.linuxidc.com\/Linux\/2011-07\/38657.htm<\/li> CentOS 6.5手动安装gcc：https:\/\/blog.csdn.net\/testcs_dn\/article\/details\/41727767<\/li> Volatility学习笔记：http:\/\/vdchuyen.com\/blog\/2016\/01\/01\/build-volatility-centos-profile.html<\/li> <\/ol> 9. 关键注意事项<\/h2> 必须使用与目标系统完全匹配的内核版本进行编译<\/li> 内存抓取前确保有足够的磁盘空间<\/li> 每次抓取后必须rmmod lime<\/code>才能进行下一次抓取<\/li> Volatility profile必须与系统内核版本严格匹配<\/li> 老版本系统可能需要手动解决依赖问题<\/li> <\/ol>