libvmi 和volatility

本文介绍了如何配置libvmi和Volatility工具。首先解释了两者的工作模式,然后详细步骤包括从GitHub下载Volatility,安装,生成profile文件,以及使用libvmi接口解析进程列表。最后通过对比虚拟机内的进程查看验证配置成功。

首先,为什么之前配过了 libvmi 还要做 volatility :

#include <libvmi/libvmi.h>

#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

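/*
 * Upper bound on task-list entries walked in one run.
 *
 * The list is read out of guest memory, which an introspection tool has to
 * treat as untrusted: a next pointer that is corrupted, or deliberately
 * rewired so the list never returns to its head, would otherwise keep the
 * do/while in main() spinning while the VM stays paused. The value is a
 * generous tunable, not a property of any guest.
 */
enum { MAX_TASKS = 100000 };

/*
 * Look up the struct offsets needed to walk the guest's task list.
 *
 * @param vmi           initialised libvmi instance
 * @param tasks_offset  out: offset of the list-entry field in the task struct
 * @param name_offset   out: offset of the process-name field
 * @param pid_offset    out: offset of the PID field
 * @return 0 on success, -1 when the guest OS is neither Linux nor Windows or
 *         an offset is missing. An offset of 0 is treated as "not found",
 *         which is how the original Windows branch of this example read it;
 *         the Linux offsets are now checked the same way so that the walk
 *         never starts from unset values.
 */
static int load_offsets(vmi_instance_t vmi, unsigned long *tasks_offset,
                        unsigned long *name_offset, unsigned long *pid_offset)
{
    const char *tasks_key;
    const char *name_key;
    const char *pid_key;

    if (VMI_OS_LINUX == vmi_get_ostype(vmi)) {
        tasks_key = "linux_tasks";
        name_key = "linux_name";
        pid_key = "linux_pid";
    } else if (VMI_OS_WINDOWS == vmi_get_ostype(vmi)) {
        tasks_key = "win_tasks";
        name_key = "win_pname";
        pid_key = "win_pid";
    } else {
        printf("Unsupported guest OS type\n");
        return -1;
    }

    *tasks_offset = vmi_get_offset(vmi, tasks_key);
    if (0 == *tasks_offset) {
        printf("Failed to find %s\n", tasks_key);
        return -1;
    }
    *name_offset = vmi_get_offset(vmi, name_key);
    if (0 == *name_offset) {
        printf("Failed to find %s\n", name_key);
        return -1;
    }
    *pid_offset = vmi_get_offset(vmi, pid_key);
    if (0 == *pid_offset) {
        printf("Failed to find %s\n", pid_key);
        return -1;
    }
    return 0;
}

/*
 * List the processes of a VM (or memory file) by walking the kernel task
 * list through libvmi.
 *
 * argv[1] is the VM name or file that libvmi should open. The VM is paused
 * for the whole walk so that the list is read consistently, and resumed
 * before exit. Exit status is 0 when the full list was printed and 1 on any
 * failure (the original example returned 0 from the error path too, which
 * hid failures from scripts calling it).
 */
int main (int argc, char **argv)
{
    vmi_instance_t vmi;
    addr_t list_head = 0, current_list_entry = 0, next_list_entry = 0;
    addr_t current_process = 0;
    char *procname = NULL;
    uint32_t pid = 0;
    /* zeroed so a failed lookup can never leave them indeterminate */
    unsigned long tasks_offset = 0, pid_offset = 0, name_offset = 0;
    status_t status;
    int rc = 1;          /* becomes 0 only after the walk completes */
    int paused = 0;      /* resume only a VM this program actually paused */
    size_t walked = 0;   /* entries visited, bounded by MAX_TASKS */

    /* this is the VM or file that we are looking at */
    if (argc != 2) {
        printf("Usage: %s <vmname>\n", argv[0]);
        return 1;
    }

    char *name = argv[1];

    /* initialize the libvmi library; nothing to tear down if this fails */
    if (vmi_init(&vmi, VMI_AUTO | VMI_INIT_COMPLETE, name) == VMI_FAILURE) {
        printf("Failed to init LibVMI library.\n");
        return 1;
    }

    /* per-OS struct offsets; also rejects OS types we cannot walk */
    if (load_offsets(vmi, &tasks_offset, &name_offset, &pid_offset) != 0) {
        goto error_exit;
    }

    /* pause the vm for consistent memory access */
    if (vmi_pause_vm(vmi) != VMI_SUCCESS) {
        printf("Failed to pause VM\n");
        goto error_exit;
    }
    paused = 1;

    /* demonstrate name and id accessors; vmi_get_name() may hand back NULL */
    char *name2 = vmi_get_name(vmi);
    const char *shown_name = name2 ? name2 : "(unknown)";

    if (VMI_FILE != vmi_get_access_mode(vmi)) {
        unsigned long id = vmi_get_vmid(vmi);

        printf("Process listing for VM %s (id=%lu)\n", shown_name, id);
    } else {
        printf("Process listing for file %s\n", shown_name);
    }
    free(name2);

    /* get the head of the list */
    if (VMI_OS_LINUX == vmi_get_ostype(vmi)) {
        /* Begin at PID 0, the 'swapper' task. It's not typically shown by OS
         * utilities, but it is indeed part of the task list and useful to
         * display as such.
         */
        current_process = vmi_translate_ksym2v(vmi, "init_task");
    } else {
        /* Windows (load_offsets() already rejected anything else):
         * find PEPROCESS PsInitialSystemProcess */
        if (vmi_read_addr_ksym(vmi, "PsInitialSystemProcess",
                               &current_process) == VMI_FAILURE) {
            printf("Failed to read PsInitialSystemProcess\n");
            goto error_exit;
        }
    }
    /* a zero here would make the walk dereference offsets from address 0 */
    if (0 == current_process) {
        printf("Failed to locate the first process\n");
        goto error_exit;
    }

    /* walk the task list */
    list_head = current_process + tasks_offset;
    current_list_entry = list_head;

    status = vmi_read_addr_va(vmi, current_list_entry, 0, &next_list_entry);
    if (status == VMI_FAILURE) {
        printf("Failed to read next pointer at 0x%" PRIx64 " before entering loop\n",
               current_list_entry);
        goto error_exit;
    }

    printf("Next list entry is at: %" PRIx64 "\n", next_list_entry);

    do {
        /* an unreadable pid used to be printed silently as the previous value */
        if (vmi_read_32_va(vmi, current_process + pid_offset, 0, &pid) == VMI_FAILURE) {
            printf("Failed to read pid at 0x%" PRIx64 "\n",
                   current_process + pid_offset);
            goto error_exit;
        }

        procname = vmi_read_str_va(vmi, current_process + name_offset, 0);
        if (!procname) {
            printf("Failed to find procname\n");
            goto error_exit;
        }

        /* print out the process name */
        printf("[%5" PRIu32 "] %s (struct addr:%" PRIx64 ")\n",
               pid, procname, current_process);
        free(procname);
        procname = NULL;

        /* guest memory decides where the list goes next; bound the walk so a
         * corrupted or looping list cannot keep the VM paused forever */
        if (++walked >= MAX_TASKS) {
            printf("Task list exceeded %d entries; stopping (list may be corrupted)\n",
                   (int)MAX_TASKS);
            goto error_exit;
        }

        current_list_entry = next_list_entry;
        current_process = current_list_entry - tasks_offset;

        /* follow the next pointer */
        status = vmi_read_addr_va(vmi, current_list_entry, 0, &next_list_entry);
        if (status == VMI_FAILURE) {
            printf("Failed to read next pointer in loop at %" PRIx64 "\n",
                   current_list_entry);
            goto error_exit;
        }

    } while (next_list_entry != list_head);

    rc = 0;

error_exit:
    free(procname);          /* free(NULL) is a no-op */

    if (paused) {
        vmi_resume_vm(vmi);  /* resume the VM we paused above */
    }
    vmi_destroy(vmi);        /* tear down the libvmi instance */

    return rc;
}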

顺序是:挂起虚拟机 -> 获取内存镜像 -> 根据sysmap的系统偏移获取需要的信息 -> 重启虚拟机 -> 销毁vmi创建的实例。因此在整个解析过程中,虚拟机都处于暂停状态。volatility的工作模式:挂起虚拟机 -> 获取内存镜像 -> 重启虚拟机 -> 解析。节约了解析期间的挂起时间,因此虚拟机用户不会有被挂起的感觉。

#下面开始配环境
1. 直接从 github 下载就可以:
mkdir vol
cd vol
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
unzip volatility-2.6.zip
cd volatility-2.6
python setup.py build
python setup.py install
2. 测试安装是否成功
python vol.py --info
3. 然后根据报错添加没有安装的包
4. 进入虚拟机,同样的方式,安装volatility,然后进入
cd volatility-master/tools/linux
make
获取到module.dwarf文件
5.然后加上/boot路径下的系统System.map-3.2.0-23-generic文件,生成对应系统的profile文件
6.zip ubuntu1204.zip volatility-master/tools/linux/module.dwarf /boot/System.map-3.2.0-23-generic
7.然后把这个ubuntu1204.zip文件拷贝到:
vol/volatility-master/volatility/plugins/overlays/linux
8.运行volatility,看能否获得进程列表
9.可以使用libvmi提供的python接口解析
10.初始化pyvmi接口
cd libvmi-master/tools/pyvmi
python setup.py install
然后将libvmi-0.10.1/tools/pyvmi/下的pyvmiaddressspace.py拷贝到:volatility-master/volatility/plugins/addrspaces/下即可。
11.查看profile名称
python vol.py --info
查看对应版本对应的profile文件
13.python vol.py linux_pslist -l vmi://ubuntu12 --profile=LinuxUbuntu1204x64
得到进程列表

 Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- -------