I am looking for any possible help regarding memory acquisition from a Linux system.
So far I have not been able to acquire or inspect the memory dump with the usual tools.
The following memory acquisition tools have been used: LiME and linpmem.
While I can recover and analyze a memory capture of the same system when booting into a live Linux environment, I have not been able to perform the same successful analysis from the installed system.
There is a rootkit that uses anti-forensic methods, or that subverts memory acquisition when using LiME, or crashes when using direct memory acquisition from pmem.
Although I have read some of the latest published articles on memory acquisition ("Anti-forensic resilient memory acquisition"), so far I have not been successful.
Perhaps I can ask for help; thanks in advance.
Here are some details about the system, as well as information about the failures encountered during acquisition.
```
$ uname -a
Linux x80h 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
```

Here is the stack error that pops up in 'dmesg':

```
[52849.103024] usercopy: kernel memory exposure attempt detected from ffff95699500c000 (radix_tree_node) (4096 bytes)
[52849.103029] ------------[ cut here ]------------
[52849.103030] kernel BUG at /build/linux-hwe-qx9Tq0/linux-hwe-4.13.0/mm/usercopy.c:72!
[52849.103047] invalid opcode: 0000 [#6] SMP PTI
[52849.104093] Modules linked in: pmem(OE) binfmt_misc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel intel_rapl snd_hda_codec snd_hda_core snd_hwdep x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel arc4 thinkpad_acpi snd_pcm kvm nvram hci_uart snd_seq_midi iwlmvm snd_seq_midi_event mac80211 snd_rawmidi btbcm snd_seq snd_seq_device snd_timer irqbypass rtsx_pci_ms memstick ucsi_acpi serdev snd intel_cstate typec_ucsi iwlwifi intel_rapl_perf cfg80211 wmi_bmof mei_me btqca input_leds joydev serio_raw typec soundcore shpchp idma64 btintel virt_dma intel_pch_thermal mei intel_lpss_pci bluetooth intel_lpss_acpi ecdh_generic intel_lpss tpm_crb ipt_REJECT nf_reject_ipv4 acpi_pad nf_log_ipv4 nf_log_common
[52849.108995]  mac_hid xt_LOG xt_multiport xt_limit xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_addrtype xt_conntrack ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc libcrc32c ppdev iptable_filter lp ip_tables x_tables parport autofs4 algif_skcipher af_alg dm_crypt i915 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc rtsx_pci_sdmmc uas aesni_intel usb_storage aes_x86_64 i2c_algo_bit crypto_simd glue_helper e1000e drm_kms_helper cryptd syscopyarea psmouse ptp sysfillrect sysimgblt ahci pps_core fb_sys_fops rtsx_pci libahci drm wmi i2c_hid pinctrl_sunrisepoint hid pinctrl_intel video [last unloaded: pmem]
[52849.112902] CPU: 2 PID: 13827 Comm: dcfldd Tainted: G      D    OE   4.13.0-37-generic #42~16.04.1-Ubuntu
[52849.114444] Hardware name: LENOVO 20HKCTO1WW/20HKCTO1WW, BIOS N1TET46W (1.20 ) 02/26/2018
[52849.115786] task: ffff9579a3e6df00 task.stack: ffffa416863f8000
[52849.117106] RIP: 0010:__check_object_size+0x6e/0x1a0
[52849.118373] RSP: 0018:ffffa416863fbe28 EFLAGS: 00010282
[52849.119636] RAX: 0000000000000066 RBX: 0000000000001000 RCX: 0000000000000000
[52849.120939] RDX: 0000000000000000 RSI: ffff957a1f496578 RDI: ffff957a1f496578
[52849.122175] RBP: ffffa416863fbe48 R08: 0000000000019270 R09: 0000000000001beb
[52849.123488] R10: 0000000000000248 R11: ffffffffbf9491ed R12: 0000000000000001
[52849.125067] R13: ffff95699500d000 R14: ffff95699500c000 R15: 0000000000004000
[52849.126430] FS:  00007fcd0b9d7700(0000) GS:ffff957a1f480000(0000) knlGS:0000000000000000
[52849.127841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52849.129179] CR2: 00007f4d2a2edaec CR3: 00000010567c2001 CR4: 00000000003606e0
[52849.130452] Call Trace:
[52849.131715]  pmem_read+0x143/0x197 [pmem]
[52849.133027]  __vfs_read+0x1b/0x40
[52849.134195]  vfs_read+0x93/0x130
[52849.135545]  SyS_read+0x55/0xc0
[52849.136883]  do_syscall_64+0x67/0x120
[52849.138134]  entry_SYSCALL64_slow_path+0x25/0x25
[52849.139346] RIP: 0033:0x7fcd0b507260
[52849.140624] RSP: 002b:00007fff87020908 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[52849.141820] RAX: ffffffffffffffda RBX: 000055effb874380 RCX: 00007fcd0b507260
[52849.143085] RDX: 0000000000008000 RSI: 000055effbaf1000 RDI: 0000000000000000
[52849.144216] RBP: 0000000000008000 R08: 00007fcd0b9d7700 R09: 0000000000000000
[52849.145407] R10: 0000000000000000 R11: 0000000000000246 R12: 000055effbaf1000
[52849.146423] R13: 0000000000000000 R14: 0000000000008000 R15: 000055effb8743b0
[52849.147487] Code: 48 0f 45 d1 48 c7 c6 1b 4b 2c bf 48 c7 c1 8e 44 2b bf 48 0f 44 f1 49 89 d9 49 89 c0 4c 89 f1 48 c7 c7 60 4b 2c bf e8 13 63 e9 ff <0f> 0b 48 83 ff 10 0f 86 0c 01 00 00 e8 71 48 e2 ff 84 c0 74 6e
[52849.148642] RIP: __check_object_size+0x6e/0x1a0 RSP: ffffa416863fbe28
```

I ran the memory acquisition through 'strace' and was able to capture the core dump it initiated, if that helps.

```
$ cat /var/crash/_usr_bin_strace.0.crash
ProblemType: Crash
Architecture: amd64
Date: Mon Apr 9 00:21:52 2018
DistroRelease: Ubuntu 16.04
ExecutablePath: /usr/bin/strace
ExecutableTimestamp: 1452699271
ProcCmdline: strace -o out.log -f dcfldd if=/dev/pmem bs=512 of=/mem-20180409-00:21:22.img
ProcCwd: /usr/sbin/volatility
ProcEnviron:
 SHELL=/bin/bash
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LANGUAGE=en_US
ProcMaps:
 55949c7ed000-55949c886000 r-xp 00000000 fd:04 1574278  /usr/bin/strace
 55949ca85000-55949cac0000 r--p 00098000 fd:04 1574278  /usr/bin/strace
 55949cac0000-55949cac1000 rw-p 000d3000 fd:04 1574278  /usr/bin/strace
 55949cac1000-55949cac4000 rw-p 00000000 00:00 0
 55949ea2c000-55949ea4d000 rw-p 00000000 00:00 0        [heap]
 7ff1c9117000-7ff1c92d7000 r-xp 00000000 fd:01 6291697  /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c92d7000-7ff1c94d7000 ---p 001c0000 fd:01 6291697  /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c94d7000-7ff1c94db000 r--p 001c0000 fd:01 6291697  /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c94db000-7ff1c94dd000 rw-p 001c4000 fd:01 6291697  /lib/x86_64-linux-gnu/libc-2.23.so
 7ff1c94dd000-7ff1c94e1000 rw-p 00000000 00:00 0
 7ff1c94e1000-7ff1c9507000 r-xp 00000000 fd:01 6291695  /lib/x86_64-linux-gnu/ld-2.23.so
 7ff1c96dd000-7ff1c96e0000 rw-p 00000000 00:00 0
 7ff1c9706000-7ff1c9707000 r--p 00025000 fd:01 6291695  /lib/x86_64-linux-gnu/ld-2.23.so
 7ff1c9707000-7ff1c9708000 rw-p 00026000 fd:01 6291695  /lib/x86_64-linux-gnu/ld-2.23.so
 7ff1c9708000-7ff1c9709000 rw-p 00000000 00:00 0
 7fff8adb2000-7fff8add3000 rw-p 00000000 00:00 0        [stack]
 7fff8add3000-7fff8add6000 r--p 00000000 00:00 0        [vvar]
 7fff8add6000-7fff8add8000 r-xp 00000000 00:00 0        [vdso]
 ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0  [vsyscall]
ProcStatus:
 Name: strace
 Umask: 0022
 State: S (sleeping)
 Tgid: 13487
 Ngid: 0
 Pid: 13487
 PPid: 7765
 TracerPid: 0
 Uid: 0 0 0 0
 Gid: 0 0 0 0
 FDSize: 256
 Groups: 0
 NStgid: 13487
 NSpid: 13487
 NSpgid: 13487
 NSsid: 5983
 VmPeak: 5224 kB
 VmSize: 5204 kB
 VmLck: 0 kB
 VmPin: 0 kB
 VmHWM: 1268 kB
 VmRSS: 1268 kB
 RssAnon: 292 kB
 RssFile: 976 kB
 RssShmem: 0 kB
 VmData: 192 kB
 VmStk: 132 kB
 VmExe: 612 kB
 VmLib: 1952 kB
 VmPTE: 36 kB
 VmPMD: 12 kB
 VmSwap: 0 kB
 HugetlbPages: 0 kB
 Threads: 1
 SigQ: 0/256640
 SigPnd: 0000000000000000
 ShdPnd: 0000000000000000
 SigBlk: 0000000000000000
 SigIgn: 0000000000305007
 SigCgt: 0000000000000000
 CapInh: 0000000000000000
 CapPrm: 0000003fffffffff
 CapEff: 0000003fffffffff
 CapBnd: 0000003fffffffff
 CapAmb: 0000000000000000
 NoNewPrivs: 0
 Seccomp: 0
 Cpus_allowed: ff
 Cpus_allowed_list: 0-7
 Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
 Mems_allowed_list: 0
 voluntary_ctxt_switches: 2755031
 nonvoluntary_ctxt_switches: 2872
Signal: 11
Uname: Linux 4.13.0-37-generic x86_64
UserGroups:
_LogindSession: c2
CoreDump: base64
 H4sICAAAAAAC/0NvcmVEdW1wAA==
```
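As an added example that is not part of the original post, and not a component of LiME, linpmem, Rekall or Volatility, here is a small Python parser for the oops block quoted above. It pulls out the fields an examiner wants to settle before attributing an acquisition failure to anti-forensic code: the usercopy report (address, slab cache, size), the source location of the BUG(), the taint letters, which loaded modules are out-of-tree or unsigned, the process that issued the read, and the innermost call-trace frame that lives in a module. The `diagnose()` function then flags the signature visible in this dump: a kernel-mode RIP in `__check_object_size` with the BUG() in `mm/usercopy.c` and a preceding "usercopy: kernel memory exposure attempt" line, which is the kernel's CONFIG_HARDENED_USERCOPY bounds check refusing a `copy_to_user` whose range runs past the slab object it was attributed to, rather than a fault on the physical page being read. The sample input is constructed from the quoted dmesg text with the two "Modules linked in:" lines shortened; the taint-letter descriptions are my summary of the kernel's tainted-kernels documentation.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the lines of the dmesg block quoted above that the parser uses,
# with the two "Modules linked in:" lines shortened to a few entries.
SAMPLE_OOPS = """\
[52849.103024] usercopy: kernel memory exposure attempt detected from ffff95699500c000 (radix_tree_node) (4096 bytes)
[52849.103030] kernel BUG at /build/linux-hwe-qx9Tq0/linux-hwe-4.13.0/mm/usercopy.c:72!
[52849.103047] invalid opcode: 0000 [#6] SMP PTI
[52849.104093] Modules linked in: pmem(OE) binfmt_misc pci_stub vboxpci(OE) vboxdrv(OE) nls_iso8859_1
[52849.108995]  mac_hid xt_LOG dm_crypt i915 video [last unloaded: pmem]
[52849.112902] CPU: 2 PID: 13827 Comm: dcfldd Tainted: G      D    OE   4.13.0-37-generic #42~16.04.1-Ubuntu
[52849.117106] RIP: 0010:__check_object_size+0x6e/0x1a0
[52849.130452] Call Trace:
[52849.131715]  pmem_read+0x143/0x197 [pmem]
[52849.133027]  __vfs_read+0x1b/0x40
[52849.135545]  SyS_read+0x55/0xc0
[52849.138134]  entry_SYSCALL64_slow_path+0x25/0x25
[52849.139346] RIP: 0033:0x7fcd0b507260
"""

# Taint letters, summarised from the kernel's tainted-kernels documentation (subset).
TAINT_FLAGS = {"G": "no proprietary modules", "P": "proprietary module", "D": "kernel died before (earlier OOPS/BUG)",
               "W": "warning issued", "O": "out-of-tree module", "E": "unsigned module", "L": "soft lockup"}

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
_USERCOPY = re.compile(r"usercopy: kernel memory exposure attempt detected from ([0-9a-f]+) \((\S+)\) \((\d+) bytes\)")
_BUG = re.compile(r"kernel BUG at (\S+?):(\d+)!")
_TASK = re.compile(r"CPU: (\d+) PID: (\d+) Comm: (\S+) (?:Not tainted|Tainted: ([A-Z ]*?))\s+(\d\S*)")
_RIP = re.compile(r"^RIP: 0010:(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")  # kernel-mode RIP only (CS 0x10)
_FRAME = re.compile(r"^(?:\? )?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\S+)\])?$")  # symbol+off/len [module]
_MODULE = re.compile(r"^(\w+)(?:\(([A-Z]+)\))?$")  # name(taint letters)
_LAST_UNLOADED = re.compile(r"\[last unloaded: (\S+)\]")


@dataclass
class Oops:
    usercopy: tuple[int, str, int] | None = None  # (kernel address, slab cache, bytes)
    bug_site: tuple[str, int] | None = None       # (source file, line) of the BUG()
    pid: int | None = None
    comm: str | None = None
    taint: str = ""                               # taint letters with the spacing removed
    kernel: str | None = None
    modules: dict[str, str] = field(default_factory=dict)  # module name -> its taint letters
    fault_symbol: str | None = None               # symbol at the faulting kernel RIP
    frames: list[tuple[str, str | None]] = field(default_factory=list)  # (symbol, module or None)


def _module_tokens(text: str) -> dict[str, str] | None:
    """name -> taint letters for a 'Modules linked in:' line, or None if it is not one."""
    mods = {}
    for tok in _LAST_UNLOADED.sub("", text).split():
        mm = _MODULE.match(tok)
        if not mm:
            return None
        mods[mm.group(1)] = mm.group(2) or ""
    return mods


def parse_oops(text: str) -> Oops:
    o, in_modules, in_trace = Oops(), False, False
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if in_modules:  # continuation lines of the module list carry no key
            mods = _module_tokens(line)
            if mods is not None:
                o.modules.update(mods)
                continue
            in_modules = False
        if in_trace:
            fr = _FRAME.match(line)
            if fr:
                o.frames.append((fr.group(1), fr.group(2)))
                continue
            in_trace = False  # first non-frame line (here the user-mode RIP) ends the trace
        if line.startswith("Modules linked in:"):
            o.modules.update(_module_tokens(line[18:]) or {})
            in_modules = True
        elif line == "Call Trace:":
            in_trace = True
        elif m := _USERCOPY.search(line):
            o.usercopy = (int(m.group(1), 16), m.group(2), int(m.group(3)))
        elif m := _BUG.search(line):
            o.bug_site = (m.group(1), int(m.group(2)))
        elif m := _TASK.search(line):
            o.pid, o.comm, o.kernel = int(m.group(2)), m.group(3), m.group(5)
            o.taint = "".join((m.group(4) or "").split())
        elif (m := _RIP.match(line)) and o.fault_symbol is None:
            o.fault_symbol = m.group(1)
    return o


def diagnose(o: Oops) -> dict:
    """Reduce the parsed oops to the facts to settle before blaming anti-forensic code."""
    hardened = (o.usercopy is not None and o.bug_site is not None
                and o.bug_site[0].endswith("mm/usercopy.c") and o.fault_symbol == "__check_object_size")
    addr, size = (o.usercopy[0], o.usercopy[2]) if o.usercopy else (0, 0)
    return {
        "hardened_usercopy": hardened,  # BUG() raised by CONFIG_HARDENED_USERCOPY's bounds check
        "whole_page_copy": addr % 4096 == 0 and size == 4096,  # caller handed copy_to_user a full page
        "reader": f"{o.comm} (pid {o.pid})",
        "driver_frame": next(((s, m) for s, m in o.frames if m), None),  # innermost frame inside a module
        "out_of_tree_modules": sorted(n for n, f in o.modules.items() if "O" in f or "E" in f),
        "prior_oops": "D" in o.taint,
        "taint": {c: TAINT_FLAGS.get(c, "?") for c in o.taint},
    }


if __name__ == "__main__":
    print(diagnose(parse_oops(SAMPLE_OOPS)))
```

Run against the quoted oops, the parser reports the read as coming from `dcfldd` (pid 13827), the driver frame as `pmem_read` in the out-of-tree, unsigned `pmem` module, the refused copy as 4096 bytes starting at the page-aligned address `ffff95699500c000` attributed to the `radix_tree_node` slab cache, and the `D` taint letter, meaning the kernel had already oopsed before this one (the `[#6]` counter on the "invalid opcode" line says the same). Checking for that signature first separates "the hardened usercopy check stopped the driver" from "something tampered with the acquisition", which need different next steps.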