Extracting a running ELF from a memory dump

Time: 2018-04-18 22:12:51

Tags: elf dump computer-forensics

Our teacher gave us an assignment with a memory dump from a VBox VM (Ubuntu 16.04.9) and said that the message we need to get is printed by an ELF currently running in the VM.
This is what I got after running pslist on the image.

Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff88007c998000 systemd              1               0               0               0      0x000000003552e000 -
0xffff88007c998e00 kthreadd             2               0               0               0      ------------------ -
0xffff88007c999c00 ksoftirqd/0          3               2               0               0      ------------------ -
0xffff88007c99aa00 kworker/0:0          4               2               0               0      ------------------ -
0xffff88007c99b800 kworker/0:0H         5               2               0               0      ------------------ -
0xffff88007c99c600 kworker/u4:0         6               2               0               0      ------------------ -
0xffff88007c99d400 rcu_sched            7               2               0               0      ------------------ -
0xffff88007c99e200 rcu_bh               8               2               0               0      ------------------ -
0xffff88007c99f000 migration/0          9               2               0               0      ------------------ -
0xffff88007c9f0000 watchdog/0           10              2               0               0      ------------------ -
0xffff88007c9f1c00 watchdog/1           11              2               0               0      ------------------ -
0xffff88007c9f2a00 migration/1          12              2               0               0      ------------------ -
0xffff88007c9f3800 ksoftirqd/1          13              2               0               0      ------------------ -
0xffff88007c9f4600 kworker/1:0          14              2               0               0      ------------------ -
0xffff88007c9f5400 kworker/1:0H         15              2               0               0      ------------------ -
0xffff88007c9f6200 kdevtmpfs            16              2               0               0      ------------------ -
0xffff88007c9f7000 netns                17              2               0               0      ------------------ -
0xffff88007ca90000 perf                 18              2               0               0      ------------------ -
0xffff88007ca90e00 khungtaskd           19              2               0               0      ------------------ -
0xffff88007ca91c00 writeback            20              2               0               0      ------------------ -
0xffff88007ca92a00 ksmd                 21              2               0               0      ------------------ -
0xffff88007ca93800 khugepaged           22              2               0               0      ------------------ -
0xffff88007ca94600 crypto               23              2               0               0      ------------------ -
0xffff88007ca95400 kintegrityd          24              2               0               0      ------------------ -
0xffff88007ca96200 bioset               25              2               0               0      ------------------ -
0xffff88007ca97000 kblockd              26              2               0               0      ------------------ -
0xffff88007cb80000 ata_sff              27              2               0               0      ------------------ -
0xffff88007cb80e00 md                   28              2               0               0      ------------------ -
0xffff88007cb81c00 devfreq_wq           29              2               0               0      ------------------ -
0xffff88007cb82a00 kworker/u4:1         30              2               0               0      ------------------ -
0xffff88007cb83800 kworker/0:1          31              2               0               0      ------------------ -
0xffff88007cb84600 kworker/1:1          32              2               0               0      ------------------ -
0xffff88007cb86200 kswapd0              34              2               0               0      ------------------ -
0xffff88007cb87000 vmstat               35              2               0               0      ------------------ -
0xffff880075ec0000 fsnotify_mark        36              2               0               0      ------------------ -
0xffff880075ec0e00 ecryptfs-kthrea      37              2               0               0      ------------------ -
0xffff880075f27000 kthrotld             53              2               0               0      ------------------ -
0xffff88007cb85400 acpi_thermal_pm      54              2               0               0      ------------------ -
0xffff880075fc8000 bioset               55              2               0               0      ------------------ -
0xffff880075fc8e00 bioset               56              2               0               0      ------------------ -
0xffff880075fc9c00 bioset               57              2               0               0      ------------------ -
0xffff880075fcaa00 bioset               58              2               0               0      ------------------ -
0xffff880075fcb800 bioset               59              2               0               0      ------------------ -
0xffff880075fcc600 bioset               60              2               0               0      ------------------ -
0xffff880075fcd400 bioset               61              2               0               0      ------------------ -
0xffff880075fce200 bioset               62              2               0               0      ------------------ -
0xffff880075fcf000 scsi_eh_0            63              2               0               0      ------------------ -
0xffff880075f26200 scsi_tmf_0           64              2               0               0      ------------------ -
0xffff880075f24600 scsi_eh_1            65              2               0               0      ------------------ -
0xffff880075f22a00 scsi_tmf_1           66              2               0               0      ------------------ -
0xffff880075f20e00 kworker/u4:2         67              2               0               0      ------------------ -
0xffff880075f25400 kworker/u4:3         68              2               0               0      ------------------ -
0xffff880075ec6200 ipv6_addrconf        72              2               0               0      ------------------ -
0xffff880035595400 deferwq              85              2               0               0      ------------------ -
0xffff880035596200 charger_manager      86              2               0               0      ------------------ -
0xffff880035593800 bioset               87              2               0               0      ------------------ -
0xffff880034c49c00 kworker/0:2          126             2               0               0      ------------------ -
0xffff8800355e5400 kpsmoused            139             2               0               0      ------------------ -
0xffff880034ee8e00 kworker/0:3          156             2               0               0      ------------------ -
0xffff880075ec2a00 kworker/1:1H         166             2               0               0      ------------------ -
0xffff880034eef000 scsi_eh_2            167             2               0               0      ------------------ -
0xffff880034eee200 scsi_tmf_2           168             2               0               0      ------------------ -
0xffff880034eed400 bioset               169             2               0               0      ------------------ -
0xffff880075f23800 raid5wq              241             2               0               0      ------------------ -
0xffff880035590000 bioset               272             2               0               0      ------------------ -
0xffff880035594600 kworker/0:1H         295             2               0               0      ------------------ -
0xffff880035597000 jbd2/sda1-8          297             2               0               0      ------------------ -
0xffff880035590e00 ext4-rsv-conver      298             2               0               0      ------------------ -
0xffff880034c4aa00 systemd-journal      354             1               0               0      0x0000000079614000 -
0xffff880035592a00 iscsi_eh             356             2               0               0      ------------------ -
0xffff880079103800 kworker/1:2          370             2               0               0      ------------------ -
0xffff880034eeaa00 kauditd              372             2               0               0      ------------------ -
0xffff88007a478e00 ib_addr              382             2               0               0      ------------------ -
0xffff88007a479c00 ib_mcast             385             2               0               0      ------------------ -
0xffff88007a47aa00 ib_nl_sa_wq          386             2               0               0      ------------------ -
0xffff88007a47b800 ib_cm                387             2               0               0      ------------------ -
0xffff88007a47c600 iw_cm_wq             389             2               0               0      ------------------ -
0xffff88007a47d400 rdma_cm              391             2               0               0      ------------------ -
0xffff880075ec4600 lvmetad              394             1               0               0      0x000000007c36c000 -
0xffff88007a478000 kworker/1:3          399             2               0               0      ------------------ -
0xffff880079100000 systemd-udevd        408             1               0               0      0x000000007c2c8000 -
0xffff880079100e00 iprt-VBoxWQueue      493             2               0               0      ------------------ -
0xffff880034ebf000 ttm_swap             649             2               0               0      ------------------ -
0xffff88007a076200 atd                  730             1               0               0      0x000000007c3f8000 -
0xffff88007a070000 lxcfs                738             1               0               0      0x0000000079fe0000 -
0xffff88007b68b800 accounts-daemon      739             1               0               0      0x0000000079fe2000 -
0xffff880034eb8e00 rsyslogd             745             1               104             108    0x0000000079530000 -
0xffff880034c4e200 cron                 754             1               0               0      0x000000007a08c000 -
0xffff88007942c600 systemd-logind       758             1               0               0      0x000000007a6d6000 -
0xffff880079429c00 acpid                777             1               0               0      0x000000007917c000 -
0xffff880079428000 snapd                783             1               0               0      0x0000000079768000 -
0xffff880079428e00 dbus-daemon          785             1               107             111    0x0000000079470000 -
0xffff88007b17b800 dhclient             846             1               0               0      0x000000007a430000 -
0xffff88007942aa00 polkitd              898             1               0               0      0x0000000079b92000 -
0xffff880034ebd400 mdadm                907             1               0               0      0x000000007c3fc000 -
0xffff88007b17f000 VBoxService          941             1               0               0      0x000000007862e000 -
0xffff880034ebc600 named                1018            1               110             115    0x0000000079aa4000 -
0xffff88007a32c600 sshd                 1023            1               0               0      0x0000000034dbc000 -
0xffff88007b179c00 iscsid               1036            1               0               0      0x000000007afdc000 -
0xffff88007b178e00 iscsid               1037            1               0               0      0x0000000079bd0000 -
0xffff88007b68f000 irqbalance           1079            1               0               0      0x000000007a462000 -
0xffff88007b688000 login                1084            1               0               1000   0x0000000079dc0000 -
0xffff88007a074600 systemd              1157            1               1000            1000   0x0000000034c16000 -
0xffff88007a073800 (sd-pam)             1160            1157            1000            1000   0x0000000079a92000 -
0xffff88007a075400 bash                 1166            1084            1000            1000   0x0000000035720000 -
0xffff8800355e3800 ht0p                 1192            1166            1000            1000   0x000000007b982000 -
0xffff8800355e6200 htop                 1193            1166            1000            1000   0x000000007b9a2000 -

I tried running procdump on a lot of the processes there and then strings on them, but there doesn't seem to be any "message". I really don't know what to do next. Do I need to somehow extract the ELF that is running from memory? Do you have any idea which process it might be, or what I should do?

1 answer:

Answer 0 (score: 1)

If you are sure it is an ELF file and the file extension is .ELF, you can use the Volatility dumpfiles module and search for a regex matching .ELF, e.g. ...

vol.py --profile=$PROFILE -f $MEMPATH dumpfiles -n -i -r \\.elf --dump-dir=$OUTDIR

-n: use the original file name in the output
-r: use a regular expression
-i: case-insensitive
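Added example, not code from the question or the answer above. Volatility 2's `dumpfiles` plugin works on Windows file objects; with a Linux profile the corresponding plugins are `linux_procdump` (write a task's executable image to disk) and `linux_find_file` (recover a file from the page cache). Independently of which plugin produced the bytes, you often end up with a blob that may or may not contain a complete ELF, and `strings` alone will not tell you. The script below carves ELF images out of a byte buffer by parsing the ELF header and program-header table (ELF32/ELF64, either endianness) and computing how far the image extends, so each hit can be written out and fed to `readelf`, `strings` or `objdump`. The sample dump, the ELF embedded in it, and the function names (`elf_image_size`, `carve_elfs`, `build_sample_elf64`, `build_sample_dump`) are all constructed for this example.

```python
"""Carve ELF images out of a memory dump by walking their headers (added example)."""
import struct
from typing import List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
MAX_PHNUM = 64  # loaders accept more, but this cap stops random bytes from passing as a header


def elf_image_size(buf: bytes, off: int) -> Optional[int]:
    """Return the file size implied by the ELF header at buf[off:], or None if the
    bytes there are not a self-consistent ELF32/ELF64 header."""
    if buf[off:off + 4] != ELF_MAGIC or len(buf) < off + 6:
        return None
    ei_class, ei_data = buf[off + 4], buf[off + 5]
    if ei_data not in (1, 2):                      # 1 = little endian, 2 = big endian
        return None
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                              # ELF64: Elf64_Ehdr / Elf64_Phdr layouts
        ehdr_fmt, phdr_fmt = end + "16sHHIQQQIHHHHHH", end + "IIQQQQQQ"
    elif ei_class == 1:                            # ELF32: Elf32_Ehdr / Elf32_Phdr layouts
        ehdr_fmt, phdr_fmt = end + "16sHHIIIIIHHHHHH", end + "IIIIIIII"
    else:
        return None
    ehsize = struct.calcsize(ehdr_fmt)
    if off + ehsize > len(buf):
        return None
    (_ident, _type, _machine, _version, _entry, e_phoff, e_shoff, _flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = \
        struct.unpack_from(ehdr_fmt, buf, off)
    # The header must describe the class we decoded it as; otherwise it is junk
    # that merely starts with the magic.
    if e_ehsize != ehsize or e_phentsize != struct.calcsize(phdr_fmt) or e_phnum > MAX_PHNUM:
        return None
    size = ehsize
    if e_phnum:
        if off + e_phoff + e_phnum * e_phentsize > len(buf):
            return None                            # cannot size the image without its phdrs
        for i in range(e_phnum):
            fields = struct.unpack_from(phdr_fmt, buf, off + e_phoff + i * e_phentsize)
            if ei_class == 2:
                _ptype, _pflags, p_offset, _va, _pa, p_filesz = fields[:6]
            else:
                _ptype, p_offset, _va, _pa, p_filesz = fields[:5]
            size = max(size, p_offset + p_filesz)  # every segment's file bytes must fit
    if e_shoff:                                    # section table, if present, may lie past the segments
        size = max(size, e_shoff + e_shnum * e_shentsize)
    return size


def carve_elfs(buf: bytes) -> List[Tuple[int, bytes, bool]]:
    """Return (offset, image_bytes, truncated) for each plausible ELF in buf.
    truncated=True means the header promises more bytes than follow it in the buffer:
    in a physical-memory dump that usually means the rest of the file sits on
    non-adjacent pages, or was never paged in."""
    hits = []
    pos = buf.find(ELF_MAGIC)
    while pos != -1:
        size = elf_image_size(buf, pos)
        if size is None:
            pos = buf.find(ELF_MAGIC, pos + 1)
            continue
        avail = len(buf) - pos
        taken = min(size, avail)
        hits.append((pos, buf[pos:pos + taken], size > avail))
        pos = buf.find(ELF_MAGIC, pos + taken)     # skip the image body so it is not re-matched
    return hits


def build_sample_elf64() -> bytes:
    """Constructed input: a minimal little-endian x86-64 ELF with two PT_LOAD
    segments and no section table. Fields are filled only as far as the carver checks."""
    ehsize, phentsize, phnum = 64, 56, 2
    phoff = ehsize
    text = b"\x48\x31\xc0\xc3".ljust(0x100, b"\x90")            # xor eax,eax ; ret ; nop padding
    data = b"sample message from the running ELF\x00".ljust(0x80, b"\x00")
    text_off = phoff + phnum * phentsize
    data_off = text_off + len(text)
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9           # class=ELF64, data=LE, version=1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0x400000 + text_off,
                       phoff, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    ph_text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, text_off, 0x400000 + text_off,
                          0x400000 + text_off, len(text), len(text), 0x1000)
    ph_data = struct.pack("<IIQQQQQQ", PT_LOAD, 6, data_off, 0x600000 + data_off,
                          0x600000 + data_off, len(data), len(data), 0x1000)
    return ehdr + ph_text + ph_data + text + data


def build_sample_dump() -> Tuple[bytes, bytes]:
    """Constructed input: the sample ELF wedged between unrelated pages, preceded by a
    decoy that carries the magic but an impossible EI_CLASS so the carver must skip it."""
    elf = build_sample_elf64()
    page = b"\x00" * 4096
    decoy = ELF_MAGIC + bytes([9, 1]) + b"\x00" * 58
    return page + decoy + b"A" * 300 + elf + b"B" * 1000 + page, elf


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()[0]
    for off, img, trunc in carve_elfs(blob):
        print(f"ELF at 0x{off:x}: {len(img)} bytes{' (truncated)' if trunc else ''}")
        with open(f"carved_{off:x}.elf", "wb") as fh:
            fh.write(img)
```

Run it on a `linux_procdump` output or on the raw image (`python3 carve.py dump.raw`). A process dump is laid out the way the loader saw it, so a hit there is normally complete; in a raw physical-memory image consecutive pages of a file are rarely adjacent, so expect truncated hits and treat the first 4 KiB (header plus program headers) as the reliable part. Sizing from `p_offset + p_filesz` rather than trusting `e_shoff` alone matters because stripped or packed binaries frequently have no section table at all.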
