文章目录
前言
硬件评估
machinfo.csv
key,value
Manufacturer,"VMware, Inc."
Product Name,"VMware20,1"
Version,None
Serial Number,VMware-56 4d 0c 50 fb 4f d3 7f-99 70 f5 23 20 3b 6d 31
fork 2169:
execve("/usr/sbin/dmidecode", ["dmidecode"], 0x17ae4e0 /* 25 vars */) = 0
[root@localhost ~]# dmidecode |grep VMware-56 -C 10
BIOS is upgradeable
ACPI is supported
Targeted content distribution is supported
UEFI is supported
Handle 0x0001, DMI type 1, 27 bytes
System Information
Manufacturer: VMware, Inc.
Product Name: VMware20,1
Version: None
Serial Number: VMware-56 4d e1 a3 2b e0 3b 04-ae c7 e9 61 7c d7 16 f0
pci_device_detail.csv
driver,module,name,bdf,vid,did,classcode,svid,sdid,certified,compatible
ata_piix,"ata_piix, ata_generic",IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01),00:07.1,8086,7111,"['01', '01', '8a']",15ad,1976,True,support
vmwgfx,vmwgfx,VGA compatible controller: VMware SVGA II Adapter,00:0f.0,15ad,0405,"['03', '00', '00']",15ad,0405,False,support
mptspi,mptspi,SCSI storage controller: Broadcom / LSI 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 01),00:10.0,1000,0030,"['01', '00', '00']",15ad,1976,True,support
e1000,e1000,Ethernet controller: Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) (rev 01),02:00.0,8086,100f,"['02', '00', '00']",15ad,0750,True,support
fork 2125:
execve("/usr/sbin/lspci", ["lspci", "-x", "-k"], 0x25b64e0 /* 25 vars */) = 0
pci_devlist.csv
driver,module,name,bdf,vid,did,classcode,svid,sdid,certified,compatible
,,Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 01),00:00.0,8086,7190,"['06', '00', '00']",15ad,1976,False,not support
,,PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 01),00:01.0,8086,7191,"['06', '04', '00']",,,False,not support
,,ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 08),00:07.0,8086,7110,"['06', '01', '00']",15ad,1976,False,not support
ata_piix,"ata_piix, ata_generic",IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01),00:07.1,8086,7111,"['01', '01', '8a']",15ad,1976,False,not support
,i2c_piix4,Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08),00:07.3,8086,7113,"['06', '80', '00']",15ad,1976,False,not support
vmw_vmci,vmw_vmci,System peripheral: VMware Virtual Machine Communication Interface (rev 10),00:07.7,15ad,0740,"['08', '80', '00']",15ad,0740,False,not support
vmwgfx,vmwgfx,VGA compatible controller: VMware SVGA II Adapter,00:0f.0,15ad,0405,"['03', '00', '00']",15ad,0405,False,not support
mptspi,mptspi,SCSI storage controller: Broadcom / LSI 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 01),00:10.0,1000,0030,"['01', '00', '00']",15ad,1976,False,not support
,,PCI bridge: VMware PCI bridge (rev 02),00:11.0,15ad,0790,"['06', '04', '01']",,,False,not support
fork 2125:
execve("/usr/sbin/lspci", ["lspci", "-x", "-k"], 0x25b64e0 /* 25 vars */) = 0
系统评估
kconfig
os_service
-
主要python功能
#!/bin/python3.9
"""Drive ance's ServiceCollector directly and print what it collects.

Reproduces the service-collection step of ance outside the packaged tool so the
commands it forks (see the strace / bpftrace output that follows) can be observed.
"""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.collector.service import ServiceCollector  # noqa: E402

collector = ServiceCollector()
# The trace below shows collect() running `systemctl is-active <unit>` per unit.
result = collector.collect()
print(result)
./service.py name state status 0 -.mount generated 1 boot-efi.mount generated 2 tmp.mount disabled 3 session-1.scope transient 4 session-10.scope transient .. ... ... ... 92 fwupd-refresh.timer disabled 93 mdcheck_continue.timer disabled 94 mdcheck_start.timer disabled 95 mdmonitor-oneshot.timer disabled 96 unbound-anchor.timer enabled active [97 rows x 3 columns]
-
fork systemctl…
# Trace every execve() in the collector's process tree, one output file per PID
# (-ff), so the commands ance forks can be inspected afterwards.
strace -ff -o ../strace/sys.strace /usr/bin/python3.9 ./service.py
# System-wide execve trace with bpftrace; lines containing "UNIT FILE" (the
# systemctl column header) and "stat" are filtered out of the output.
# NOTE(review): bpftrace treats trailing positional words as $1/$2 script
# parameters rather than as a command to run; if the intent was to launch
# `systemctl list-unit-files` under the tracer, `-c` is the option for that — confirm.
bpftrace -e 'tracepoint:syscalls:sys_enter_execve { join(args->argv) }' systemctl list-unit-files | grep -vi "UNIT FILE" | grep -v stat
fork 16561: execve("/usr/bin/systemctl", ["systemctl", "is-active", "unbound-anchor.timer"], 0x5580e9110fd0 /* 46 vars */) = 0 ......
os_env
- ance
#!/bin/python3.9
"""Drive ance's EnvCollector directly and print the collected environment."""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.collector.env import EnvCollector  # noqa: E402

collector = EnvCollector()
# NOTE(review): the page's own notes say this collector forks `env`, so the
# result is just this process's environment (same as os.environ) — confirm.
result = collector.collect()
print(result)
metadata 没有用到
-
ance
#!/bin/python3.9
"""Drive ance's OSCollector and print the distro metadata it collects.

Cython symbol of interest:
__pyx_pw_4ance_9collector_6distro_11OSCollector_11_collect_metadata
"""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.collector.distro import OSCollector  # noqa: E402

collector = OSCollector()
# collect() was observed being called with an empty tuple as its argument;
# strace shows it reading /etc/os-release.
result = collector.collect(())
print(result.metadata)
-
strace
openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 5
syscmd
-
ance
#!/bin/python3.9
"""Drive ance's SyscmdCollector and print the command inventory it builds.

Cython symbol of interest: __pyx_pw_4ance_9collector_6syscmd_15SyscmdCollector
"""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.collector.syscmd import SyscmdCollector  # noqa: E402

collector = SyscmdCollector()
# NOTE(review): the output only lists /usr/bin and /usr/sbin, which suggests the
# scanned directories are fixed rather than taken from PATH — confirm.
result = collector.collect()
print(result)
myance/syscmd.py path cmd 0 /usr/bin [ 1 /usr/bin 2to3 2 /usr/bin 2to3-3.6 3 /usr/bin 2to3-3.9 4 /usr/bin abicompat ... ... ... 1438 /usr/sbin xtables-monitor 1439 /usr/sbin xtables-nft-multi 1440 /usr/sbin zdump 1441 /usr/sbin zic 1442 /usr/sbin zramctl [1443 rows x 2 columns]
kernel abi
- ance
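#!/bin/python3.9
"""Drive ance's KabiScanner on the running kernel's symvers table and print it.

ance decompresses symvers.gz itself (via __pyx_pw_4ance_5utils_7extract_1extract);
this script performs that step with gzip so KabiScanner.scan() can be called
directly on the plain-text file.

Cython symbol of interest: __pyx_pw_4ance_7scanner_4kabi_11KabiScanner_3scan
"""
import gzip
import os
import shutil
import sys
import tempfile

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.scanner.kabi import KabiScanner  # noqa: E402

KERNEL = '5.10.134-13.an8.x86_64'
SYMVERS_GZ = f'/usr/lib/modules/{KERNEL}/symvers.gz'

# Decompress into a private, unpredictable temporary directory instead of the
# fixed /tmp/symvers: a fixed name in a world-writable directory can be
# pre-created or symlinked by another local user, and it leaks across runs.
# The directory and its contents are removed when the block exits.
with tempfile.TemporaryDirectory(prefix='symvers-') as tmpdir:
    symvers = os.path.join(tmpdir, 'symvers')
    with gzip.open(SYMVERS_GZ, 'rb') as f_in, open(symvers, 'wb') as f_out:
        # Stream the data rather than reading the whole table into memory.
        shutil.copyfileobj(f_in, f_out)
    scanner = KabiScanner()
    result = scanner.scan(symvers, KERNEL)
    print(result)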
kernel cmdline
- ance
#!/bin/python3.9
"""Drive ance's KcmdlineCollector for the running kernel and print the result.

Cython symbols of interest:
__pyx_pw_4ance_9collector_8kcmdline_17KcmdlineCollector_1__init__
__pyx_pw_4ance_9collector_8kcmdline_17KcmdlineCollector_3collect
"""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.collector.kcmdline import KcmdlineCollector  # noqa: E402

KERNEL = '5.10.134-13.an8.x86_64'

collector = KcmdlineCollector()
# strace shows collect() running `/bin/sh -c "cat /proc/cmdline"`; reading
# /proc/cmdline directly would give the same data without a shell.
result = collector.collect(KERNEL)
print(result)
- strace
execve("/bin/sh", ["/bin/sh", "-c", "cat /proc/cmdline"], 0x55dd3bc33200 /* 45 vars */) = 0
kernel config
-
ance
#!/bin/python3.9
"""Drive ance's KconfigScanner on the running kernel's config and print the result."""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.scanner.kconfig import KconfigScanner  # noqa: E402

# Call arguments recovered from a gdb session on the packaged tool:
#   __pyx_pw_4ance_7scanner_7kconfig_14KconfigScanner_1__init__ ->
#       KconfigScanner(result_dir='/tmp/ance/results', mount_dir='/mnt/ance', config=None)
#   __pyx_pw_4ance_7scanner_7kconfig_14KconfigScanner_3scan ->
#       scan(self, '/usr/lib/modules/5.10.134-13.an8.x86_64/config',
#            '5.10.134-13.an8.x86_64'), no keyword arguments
# NOTE(review): result_dir is a fixed path under the shared /tmp — how the tool
# creates it (permissions, pre-existing directory) is not visible here.
KERNEL = '5.10.134-13.an8.x86_64'

scanner = KconfigScanner()
result = scanner.scan(f'/usr/lib/modules/{KERNEL}/config', KERNEL)
print(result)
myance/kernel_config.py kernel_version key value 0 5.10.134-13.an8.x86_64 config_cc_version_text "gcc (GCC) 8.5.0 20210514 (Anolis 8.5.0-10.0.2)" 1 5.10.134-13.an8.x86_64 config_cc_is_gcc y 2 5.10.134-13.an8.x86_64 config_gcc_version 80500 3 5.10.134-13.an8.x86_64 config_ld_version 230000000 4 5.10.134-13.an8.x86_64 config_clang_version 0 ... ... ... ... 3904 5.10.134-13.an8.x86_64 config_atomic64_selftest y 3905 5.10.134-13.an8.x86_64 config_async_raid6_test m 3906 5.10.134-13.an8.x86_64 config_test_kstrtox y 3907 5.10.134-13.an8.x86_64 config_test_bpf m 3908 5.10.134-13.an8.x86_64 config_test_livepatch m [3909 rows x 3 columns]
-
strace
openat(AT_FDCWD, "/usr/lib/modules/5.10.134-13.an8.x86_64/config", O_RDONLY|O_CLOEXEC) = 3
kernel ko
- ance
#!/bin/python3.9
"""Drive ance's KolistScanner over modules.builtin / modules.order and print the result."""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.scanner.kolist import KolistScanner  # noqa: E402

# Call arguments recovered from a gdb session on the packaged tool:
#   __pyx_pw_4ance_7scanner_6kolist_13KolistScanner_1__init__ ->
#       KolistScanner(result_dir='/tmp/ance/results', mount_dir='/mnt/ance', config=None)
#   __pyx_pw_4ance_7scanner_6kolist_13KolistScanner_3scan ->
#       scan(self, [modules.builtin, modules.order], '5.10.134-13.an8.x86_64'),
#       no keyword arguments
KERNEL = '5.10.134-13.an8.x86_64'
MODULES_DIR = f'/usr/lib/modules/{KERNEL}'
module_lists = [
    f'{MODULES_DIR}/modules.builtin',
    f'{MODULES_DIR}/modules.order',
]

scanner = KolistScanner()
# strace confirms both list files are opened read-only.
result = scanner.scan(module_lists, KERNEL)
print(result)
/root/ance/gdb/trace-ance.py kernel_version ko_name source ko_path 0 5.10.134-13.an8.x86_64 amd-uncore.ko builtin kernel/arch/x86/events/amd/amd-uncore.ko 1 5.10.134-13.an8.x86_64 msr.ko builtin kernel/arch/x86/kernel/msr.ko 2 5.10.134-13.an8.x86_64 cpuid.ko builtin kernel/arch/x86/kernel/cpuid.ko 3 5.10.134-13.an8.x86_64 glue_helper.ko builtin kernel/arch/x86/crypto/glue_helper.ko 4 5.10.134-13.an8.x86_64 aesni-intel.ko builtin kernel/arch/x86/crypto/aesni-intel.ko ... ... ... ... ... 2254 5.10.134-13.an8.x86_64 hv_sock.ko order kernel/net/vmw_vsock/hv_sock.ko 2255 5.10.134-13.an8.x86_64 vsock_loopback.ko order kernel/net/vmw_vsock/vsock_loopback.ko 2256 5.10.134-13.an8.x86_64 hookers.ko order kernel/net/hookers/hookers.ko 2257 5.10.134-13.an8.x86_64 irqbypass.ko order kernel/virt/lib/irqbypass.ko 2258 5.10.134-13.an8.x86_64 oprofile.ko order kernel/arch/x86/oprofile/oprofile.ko [2259 rows x 4 columns]
- strace
openat(AT_FDCWD, "/usr/lib/modules/5.10.134-13.an8.x86_64/modules.order", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/modules/5.10.134-13.an8.x86_64/modules.builtin", O_RDONLY|O_CLOEXEC) = 3
kernel params
- ance
#!/bin/python3.9
"""Drive ance's KparamsCollector (sysctl values) for the running kernel and print the result."""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.collector.kparams import KparamsCollector  # noqa: E402

# Call arguments recovered from a gdb session on the packaged tool
# (log line: "collecting kernel(5.10.134-13.an8.x86_64) kparams"):
#   __pyx_pw_4ance_9collector_7kparams_16KparamsCollector_1__init__ ->
#       KparamsCollector(config={'exclude_keys': ['fs.inode-nr', 'fs.dentry-state',
#           'fs.file-nr', 'fs.inode-state', 'kernel.sched_domain.cpu',
#           'kernel.ns_last_pid', 'kernel.random.entropy_avail', 'kernel.random.uuid']})
#   __pyx_pw_4ance_9collector_7kparams_16KparamsCollector_3collect ->
#       collect(self, '5.10.134-13.an8.x86_64'), no keyword arguments
# The excluded keys are the volatile counters, so two runs compare cleanly.
KERNEL = '5.10.134-13.an8.x86_64'

collector = KparamsCollector()
# strace shows collect() running `/bin/sh -c "sysctl -a --ignore 2>/dev/null"`.
result = collector.collect(KERNEL)
print(result)
myance/kernel_params.py kernel_version key value 0 5.10.134-13.an8.x86_64 abi.vsyscall32 1 1 5.10.134-13.an8.x86_64 crypto.fips_enabled 0 2 5.10.134-13.an8.x86_64 debug.exception-trace 1 3 5.10.134-13.an8.x86_64 debug.kprobes-optimization 1 4 5.10.134-13.an8.x86_64 dev.cdrom.autoclose 1 ... ... ... ... 1069 5.10.134-13.an8.x86_64 vm.user_reserve_kbytes 131072 1070 5.10.134-13.an8.x86_64 vm.vfs_cache_pressure 100 1071 5.10.134-13.an8.x86_64 vm.watermark_boost_factor 15000 1072 5.10.134-13.an8.x86_64 vm.watermark_scale_factor 10 1073 5.10.134-13.an8.x86_64 vm.zone_reclaim_mode 0 [1003 rows x 3 columns]
- strace
execve("/bin/sh", ["/bin/sh", "-c", "sysctl -a --ignore 2>/dev/null"], 0x55c1db1af2d0 /* 46 vars */) = 0
syscall
- ance
#!/bin/python3.9
"""Drive ance's KsyscallCollector (syscall number/name table) and print the result."""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.collector.ksyscall import KsyscallCollector  # noqa: E402

# Call arguments recovered from a gdb session on the packaged tool
# (log line: "collecting kernel(5.10.134-13.an8.x86_64) ksyscall"):
#   __pyx_pw_4ance_9collector_8ksyscall_17KsyscallCollector_1__init__ ->
#       KsyscallCollector(config=None)
#   __pyx_pw_4ance_9collector_8ksyscall_17KsyscallCollector_3collect ->
#       collect(self, '5.10.134-13.an8.x86_64'), no keyword arguments
KERNEL = '5.10.134-13.an8.x86_64'

collector = KsyscallCollector()
# strace shows collect() running `/bin/sh -c "ausyscall --dump | awk ..."`.
result = collector.collect(KERNEL)
print(result)
myance/kernel_syscall.py kernel_version number name 0 5.10.134-13.an8.x86_64 0 read 1 5.10.134-13.an8.x86_64 1 write 2 5.10.134-13.an8.x86_64 2 open 3 5.10.134-13.an8.x86_64 3 close 4 5.10.134-13.an8.x86_64 4 stat .. ... ... ... 356 5.10.134-13.an8.x86_64 445 landlock_add_rule 357 5.10.134-13.an8.x86_64 446 landlock_restrict_self 358 5.10.134-13.an8.x86_64 447 memfd_secret 359 5.10.134-13.an8.x86_64 448 process_mrelease 360 5.10.134-13.an8.x86_64 449 futex_waitv [361 rows x 3 columns]
- strace
execve("/bin/sh", ["/bin/sh", "-c", "ausyscall --dump | awk 'NR == 1 "...], 0x5559b4c0b2d0 /* 46 vars */) = 0
abi
-
ance
#!/bin/python3.9
"""Run ance's ABIScanner on /usr/bin/ld and save the result as CSV."""
import sys

# Replace the module search path with the pyenv 3.9.14 tree that ance is
# installed into, so its compiled package resolves from that site-packages.
sys.path = [
    '',
    '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
    '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
]

from ance.scanner.abi import ABIScanner  # noqa: E402

# The Cython symbol noted alongside this script,
# __pyx_pw_4ance_7scanner_4kabi_11KabiScanner_3scan, belongs to the kabi scanner
# and appears copied from the kabi script; the ABI scanner's own symbol is not
# recorded here. ance uses __pyx_pw_4ance_5utils_7extract_1extract to decompress.
# strace shows scan() running `/bin/sh -c "timeout 5s abidw --drop-undefine..."`.
scanner = ABIScanner()
result = scanner.scan('/usr/bin/ld')
# Relative path: the CSV lands in the current working directory.
result.to_csv('./csv')
-
strace
execve("/bin/sh", ["/bin/sh", "-c", "timeout 5s abidw --drop-undefine"...], 0x55e42cf04dc0 /* 45 vars */) = 0
https://github.com/iqiyi/xHook/blob/master/docs/overview/android_plt_hook_overview.zh-CN.md
存在的问题
- env
- env 的结果来自于 fork 执行 `env`，这样得到的环境变量依然继承自 ance 的 python 进程环境，和直接获取 `os.environ` 没什么区别
- 直接使用 python 的 `os.environ` 更简单
- env 的结果没有正确处理：对于 env 输出中的多行信息（值跨越多行的变量），处理错误
- 例：env 处理结果中出现了一个名为 `}` 的环境变量，其实这个符号只是上一个函数定义的结束花括号罢了
- 可以使用 `env -0`，以 `\0` 分割 env 的返回消息，这样变量的边界就不会被值中的换行干扰
- 例:env处理结果中出现了一个
- env 来自于fork执行env,这样会导致env的环境变量依然继承于ance的python环境,和直接获取os.environ没什么区别
- syscmd
- 貌似扫描的目录是固定的，如 `/usr/bin`、`/usr/sbin/`
- 应该使用环境变量 `PATH` 提供的路径
- 应该使用环境变量中
- 貌似扫描的目录是固定的,如