龙蜥(Anolis):CentOS 系统迁移前分析工具 ance 的组件功能分析

前言

硬件评估

machinfo.csv

key,value
Manufacturer,"VMware, Inc."
Product Name,"VMware20,1"
Version,None
Serial Number,VMware-56 4d 0c 50 fb 4f d3 7f-99 70 f5 23 20 3b 6d 31
fork 2169:
	execve("/usr/sbin/dmidecode", ["dmidecode"], 0x17ae4e0 /* 25 vars */) = 0
[root@localhost ~]# dmidecode  |grep VMware-56 -C 10
		BIOS is upgradeable
		ACPI is supported
		Targeted content distribution is supported
		UEFI is supported

Handle 0x0001, DMI type 1, 27 bytes
System Information
	Manufacturer: VMware, Inc.
	Product Name: VMware20,1
	Version: None
	Serial Number: VMware-56 4d e1 a3 2b e0 3b 04-ae c7 e9 61 7c d7 16 f0

pci_device_detail.csv

driver,module,name,bdf,vid,did,classcode,svid,sdid,certified,compatible
ata_piix,"ata_piix, ata_generic",IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01),00:07.1,8086,7111,"['01', '01', '8a']",15ad,1976,True,support
vmwgfx,vmwgfx,VGA compatible controller: VMware SVGA II Adapter,00:0f.0,15ad,0405,"['03', '00', '00']",15ad,0405,False,support
mptspi,mptspi,SCSI storage controller: Broadcom / LSI 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 01),00:10.0,1000,0030,"['01', '00', '00']",15ad,1976,True,support
e1000,e1000,Ethernet controller: Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) (rev 01),02:00.0,8086,100f,"['02', '00', '00']",15ad,0750,True,support
fork 2125:
	execve("/usr/sbin/lspci", ["lspci", "-x", "-k"], 0x25b64e0 /* 25 vars */) = 0

pci_devlist.csv

driver,module,name,bdf,vid,did,classcode,svid,sdid,certified,compatible
,,Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 01),00:00.0,8086,7190,"['06', '00', '00']",15ad,1976,False,not support
,,PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 01),00:01.0,8086,7191,"['06', '04', '00']",,,False,not support
,,ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 08),00:07.0,8086,7110,"['06', '01', '00']",15ad,1976,False,not support
ata_piix,"ata_piix, ata_generic",IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01),00:07.1,8086,7111,"['01', '01', '8a']",15ad,1976,False,not support
,i2c_piix4,Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08),00:07.3,8086,7113,"['06', '80', '00']",15ad,1976,False,not support
vmw_vmci,vmw_vmci,System peripheral: VMware Virtual Machine Communication Interface (rev 10),00:07.7,15ad,0740,"['08', '80', '00']",15ad,0740,False,not support
vmwgfx,vmwgfx,VGA compatible controller: VMware SVGA II Adapter,00:0f.0,15ad,0405,"['03', '00', '00']",15ad,0405,False,not support
mptspi,mptspi,SCSI storage controller: Broadcom / LSI 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 01),00:10.0,1000,0030,"['01', '00', '00']",15ad,1976,False,not support
,,PCI bridge: VMware PCI bridge (rev 02),00:11.0,15ad,0790,"['06', '04', '01']",,,False,not support 
fork 2125:
	execve("/usr/sbin/lspci", ["lspci", "-x", "-k"], 0x25b64e0 /* 25 vars */) = 0

系统评估

kconfig

os_service

  • 主要python功能

    #!/bin/python3.9
    # Probe: call ance's ServiceCollector directly and print what it returns.

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    from ance.collector.service import ServiceCollector

    # collect() takes no arguments here; its result is printed as-is.
    service_table = ServiceCollector().collect()
    print(service_table)
    
    ./service.py 
                           name      state  status
    0                   -.mount  generated        
    1            boot-efi.mount  generated        
    2                 tmp.mount   disabled        
    3           session-1.scope  transient        
    4          session-10.scope  transient        
    ..                      ...        ...     ...
    92      fwupd-refresh.timer   disabled        
    93   mdcheck_continue.timer   disabled        
    94      mdcheck_start.timer   disabled        
    95  mdmonitor-oneshot.timer   disabled        
    96     unbound-anchor.timer    enabled  active
    
    [97 rows x 3 columns]
    
  • fork systemctl…

    strace -ff -o ../strace/sys.strace /usr/bin/python3.9 ./service.py
    
    bpftrace -e 'tracepoint:syscalls:sys_enter_execve { join(args->argv) }'
    systemctl list-unit-files | grep -vi "UNIT FILE" | grep -v stat
    
    fork 16561:
    execve("/usr/bin/systemctl", ["systemctl", "is-active", "unbound-anchor.timer"], 0x5580e9110fd0 /* 46 vars */) = 0
    ......
    

os_env

  • ance
    #!/bin/python3.9
    # Probe: call ance's EnvCollector directly and print what it returns.

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    from ance.collector.env import EnvCollector

    # collect() takes no arguments here; its result is printed as-is.
    env_table = EnvCollector().collect()
    print(env_table)
    

metadata 没有用到

  • ance

    #!/bin/python3.9

    """
    Probe for ance's OSCollector metadata step. Cython entry point observed:
    __pyx_pw_4ance_9collector_6distro_11OSCollector_11_collect_metadata
    """

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    from ance.collector.distro import OSCollector

    # collect() is handed an empty tuple; only the .metadata attribute of the
    # returned object is printed.
    os_info = OSCollector().collect(())
    print(os_info.metadata)
    
  • strace

    openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 5
    

syscmd

  • ance

    #!/bin/python3.9
    # Probe: call ance's SyscmdCollector directly and print what it returns.
    # Cython symbol observed for this collector:
    #   __pyx_pw_4ance_9collector_6syscmd_15SyscmdCollector

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    from ance.collector.syscmd import SyscmdCollector

    # collect() takes no arguments here; its result is printed as-is.
    command_table = SyscmdCollector().collect()
    print(command_table)
    
    myance/syscmd.py 
               path                cmd
    0      /usr/bin                  [
    1      /usr/bin               2to3
    2      /usr/bin           2to3-3.6
    3      /usr/bin           2to3-3.9
    4      /usr/bin          abicompat
    ...         ...                ...
    1438  /usr/sbin    xtables-monitor
    1439  /usr/sbin  xtables-nft-multi
    1440  /usr/sbin              zdump
    1441  /usr/sbin                zic
    1442  /usr/sbin            zramctl
    
    [1443 rows x 2 columns]
    

kernel abi

  • ance
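    #!/bin/python3.9
    # Probe: decompress the kernel's symvers.gz and pass it to ance's KabiScanner.
    # Cython entry point observed for the scan step:
    #   __pyx_pw_4ance_7scanner_4kabi_11KabiScanner_3scan

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    # Standard-library imports stay below the sys.path assignment, as in the
    # original script, so they resolve from the same tree as ance.
    import gzip
    import os
    import shutil
    import tempfile

    from ance.scanner.kabi import KabiScanner

    # ance itself unpacks the archive through
    # __pyx_pw_4ance_5utils_7extract_1extract; this probe does that step with gzip.
    #
    # The decompressed copy goes into a fresh private directory (created by
    # tempfile, accessible only to the creating user) instead of the fixed name
    # /tmp/symvers. A predictable file name in a world-writable directory can be
    # pre-created or replaced by a symlink by another local user before a
    # privileged run opens it for writing.
    with tempfile.TemporaryDirectory(prefix='ance-kabi-') as work_dir:
        # Keep the basename "symvers" in case the scanner looks at the file name.
        symvers_path = os.path.join(work_dir, 'symvers')

        with gzip.open('/usr/lib/modules/5.10.134-13.an8.x86_64/symvers.gz', 'rb') as f_in:
            with open(symvers_path, 'wb') as f_out:
                # Stream in chunks rather than holding the whole file in memory.
                shutil.copyfileobj(f_in, f_out)

        oc = KabiScanner()
        arg = oc.scan(symvers_path, '5.10.134-13.an8.x86_64')

        # Print before the directory is removed, in case the result still
        # refers to the file.
        print(arg)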
    

kernel cmdline

  • ance
    #!/bin/python3.9
    # Probe: call ance's KcmdlineCollector for one kernel release and print the result.
    # Cython entry points observed:
    #   __pyx_pw_4ance_9collector_8kcmdline_17KcmdlineCollector_1__init__
    #   __pyx_pw_4ance_9collector_8kcmdline_17KcmdlineCollector_3collect

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    from ance.collector.kcmdline import KcmdlineCollector

    # The kernel release string is the only argument passed to collect().
    kernel_release = '5.10.134-13.an8.x86_64'
    cmdline_info = KcmdlineCollector().collect(kernel_release)
    print(cmdline_info)
    
    
  • strace
    execve("/bin/sh", ["/bin/sh", "-c", "cat /proc/cmdline"], 0x55dd3bc33200 /* 45 vars */) = 0
    

kernel config

  • ance

    #!/bin/python3.9
    # Probe: call ance's KconfigScanner on one kernel config file and print the result.

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    # Debugger trace of the calls this probe reproduces:
    #
    # __pyx_pw_4ance_7scanner_7kconfig_14KconfigScanner_1__init__: __pyx_self = <cython_function_or_method at remote 0x7fffe3b24e10>
    # __pyx_v_self = <KconfigScanner at remote 0x7fffe36f7130>
    #
    # __pyx_pw_4ance_7scanner_7kconfig_14KconfigScanner_3scan: __pyx_self = <cython_function_or_method at remote 0x7fffe3b24ee0>
    # __pyx_args = (<KconfigScanner(result_dir='/tmp/ance/results', mount_dir='/mnt/ance', config=None) at remote 0x7fffe36f7130>, '/usr/lib/modules/5.10.134-13.an8.x86_64/config', '5.10.134-13.an8.x86_64')
    # __pyx_kwds = 0x0
    #
    # NOTE(review): the traced instance carries result_dir='/tmp/ance/results', a
    # fixed path under /tmp; confirm how ance creates that directory before
    # running it with privileges on a multi-user host.

    from ance.scanner.kconfig import KconfigScanner

    # Arguments mirror the trace: the config file path, then the kernel release.
    kconfig_table = KconfigScanner().scan(
        '/usr/lib/modules/5.10.134-13.an8.x86_64/config',
        '5.10.134-13.an8.x86_64',
    )
    print(kconfig_table)
    
    myance/kernel_config.py 
                  kernel_version                       key                                             value
    0     5.10.134-13.an8.x86_64    config_cc_version_text  "gcc (GCC) 8.5.0 20210514 (Anolis 8.5.0-10.0.2)"
    1     5.10.134-13.an8.x86_64          config_cc_is_gcc                                                 y
    2     5.10.134-13.an8.x86_64        config_gcc_version                                             80500
    3     5.10.134-13.an8.x86_64         config_ld_version                                         230000000
    4     5.10.134-13.an8.x86_64      config_clang_version                                                 0
    ...                      ...                       ...                                               ...
    3904  5.10.134-13.an8.x86_64  config_atomic64_selftest                                                 y
    3905  5.10.134-13.an8.x86_64   config_async_raid6_test                                                 m
    3906  5.10.134-13.an8.x86_64       config_test_kstrtox                                                 y
    3907  5.10.134-13.an8.x86_64           config_test_bpf                                                 m
    3908  5.10.134-13.an8.x86_64     config_test_livepatch                                                 m
    
    [3909 rows x 3 columns]
    
  • strace

    openat(AT_FDCWD, "/usr/lib/modules/5.10.134-13.an8.x86_64/config", O_RDONLY|O_CLOEXEC) = 3
    

kernel ko

  • ance
    #!/bin/python3.9
    # Probe: call ance's KolistScanner on the kernel's module lists and print the result.

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    # Debugger trace of the calls this probe reproduces:
    #
    # __pyx_pw_4ance_7scanner_6kolist_13KolistScanner_1__init__: __pyx_self = <cython_function_or_method at remote 0x7fffe3afd040>
    # __pyx_v_self = <KolistScanner at remote 0x7fffe3683bb0>
    #
    # __pyx_pw_4ance_7scanner_6kolist_13KolistScanner_3scan: __pyx_self = <cython_function_or_method at remote 0x7fffe3afd110>
    # __pyx_args = (<KolistScanner(result_dir='/tmp/ance/results', mount_dir='/mnt/ance', config=None) at remote 0x7fffe3683bb0>, ['/usr/lib/modules/5.10.134-13.an8.x86_64/modules.builtin', '/usr/lib/modules/5.10.134-13.an8.x86_64/modules.order'], '5.10.134-13.an8.x86_64')
    # __pyx_kwds = 0x0
    #
    # NOTE(review): the traced instance carries result_dir='/tmp/ance/results', a
    # fixed path under /tmp; confirm how ance creates that directory before
    # running it with privileges on a multi-user host.

    from ance.scanner.kolist import KolistScanner

    # Same order as in the trace: modules.builtin first, then modules.order.
    module_lists = [
        '/usr/lib/modules/5.10.134-13.an8.x86_64/modules.builtin',
        '/usr/lib/modules/5.10.134-13.an8.x86_64/modules.order',
    ]
    ko_table = KolistScanner().scan(module_lists, '5.10.134-13.an8.x86_64')
    print(ko_table)
    
    
    /root/ance/gdb/trace-ance.py 
                  kernel_version            ko_name   source                                   ko_path
    0     5.10.134-13.an8.x86_64      amd-uncore.ko  builtin  kernel/arch/x86/events/amd/amd-uncore.ko
    1     5.10.134-13.an8.x86_64             msr.ko  builtin             kernel/arch/x86/kernel/msr.ko
    2     5.10.134-13.an8.x86_64           cpuid.ko  builtin           kernel/arch/x86/kernel/cpuid.ko
    3     5.10.134-13.an8.x86_64     glue_helper.ko  builtin     kernel/arch/x86/crypto/glue_helper.ko
    4     5.10.134-13.an8.x86_64     aesni-intel.ko  builtin     kernel/arch/x86/crypto/aesni-intel.ko
    ...                      ...                ...      ...                                       ...
    2254  5.10.134-13.an8.x86_64         hv_sock.ko    order           kernel/net/vmw_vsock/hv_sock.ko
    2255  5.10.134-13.an8.x86_64  vsock_loopback.ko    order    kernel/net/vmw_vsock/vsock_loopback.ko
    2256  5.10.134-13.an8.x86_64         hookers.ko    order             kernel/net/hookers/hookers.ko
    2257  5.10.134-13.an8.x86_64       irqbypass.ko    order              kernel/virt/lib/irqbypass.ko
    2258  5.10.134-13.an8.x86_64        oprofile.ko    order      kernel/arch/x86/oprofile/oprofile.ko
    
    [2259 rows x 4 columns]
    
  • strace
    openat(AT_FDCWD, "/usr/lib/modules/5.10.134-13.an8.x86_64/modules.order", O_RDONLY|O_CLOEXEC) = 3
    openat(AT_FDCWD, "/usr/lib/modules/5.10.134-13.an8.x86_64/modules.builtin", O_RDONLY|O_CLOEXEC) = 3
    

kernel params

  • ance
    #!/bin/python3.9
    # Probe: call ance's KparamsCollector for one kernel release and print the result.

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    # Log line and debugger trace of the calls this probe reproduces. In the
    # traced run the collector was built with an exclude_keys config; this probe
    # constructs it with no arguments.
    #
    # 2023-11-01 10:35:59,045 [INFO]: collecting kernel(5.10.134-13.an8.x86_64) kparams
    # __pyx_pw_4ance_9collector_7kparams_16KparamsCollector_1__init__: __pyx_self = <cython_function_or_method at remote 0x7fffe374be10>
    # __pyx_v_self = <KparamsCollector at remote 0x7fffe36f5070>
    #
    # __pyx_pw_4ance_9collector_7kparams_16KparamsCollector_3collect: __pyx_self = <cython_function_or_method at remote 0x7fffe374bee0>
    # __pyx_args = (<KparamsCollector(config={'exclude_keys': ['fs.inode-nr', 'fs.dentry-state', 'fs.file-nr', 'fs.inode-state', 'kernel.sched_domain.cpu', 'kernel.ns_last_pid', 'kernel.random.entropy_avail', 'kernel.random.uuid']}) at remote 0x7fffe36f5070>, '5.10.134-13.an8.x86_64')
    # __pyx_kwds = 0x0

    from ance.collector.kparams import KparamsCollector

    # The kernel release string is the only argument passed to collect().
    kernel_release = '5.10.134-13.an8.x86_64'
    kparams_table = KparamsCollector().collect(kernel_release)
    print(kparams_table)
    
    
    myance/kernel_params.py 
                  kernel_version                          key    value
    0     5.10.134-13.an8.x86_64              abi.vsyscall32         1
    1     5.10.134-13.an8.x86_64         crypto.fips_enabled         0
    2     5.10.134-13.an8.x86_64       debug.exception-trace         1
    3     5.10.134-13.an8.x86_64  debug.kprobes-optimization         1
    4     5.10.134-13.an8.x86_64         dev.cdrom.autoclose         1
    ...                      ...                          ...      ...
    1069  5.10.134-13.an8.x86_64      vm.user_reserve_kbytes    131072
    1070  5.10.134-13.an8.x86_64       vm.vfs_cache_pressure       100
    1071  5.10.134-13.an8.x86_64   vm.watermark_boost_factor     15000
    1072  5.10.134-13.an8.x86_64   vm.watermark_scale_factor        10
    1073  5.10.134-13.an8.x86_64        vm.zone_reclaim_mode         0
    
    [1003 rows x 3 columns]
    
  • strace
    execve("/bin/sh", ["/bin/sh", "-c", "sysctl -a --ignore 2>/dev/null"], 0x55c1db1af2d0 /* 46 vars */) = 0
    

syscall

  • ance
    #!/bin/python3.9
    # Probe: call ance's KsyscallCollector for one kernel release and print the result.

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    # Log line and debugger trace of the calls this probe reproduces:
    #
    # 2023-11-01 10:50:06,068 [INFO]: collecting kernel(5.10.134-13.an8.x86_64) ksyscall
    # __pyx_pw_4ance_9collector_8ksyscall_17KsyscallCollector_1__init__: __pyx_self = <cython_function_or_method at remote 0x7fffe32a1040>
    # __pyx_v_self = <KsyscallCollector at remote 0x7fffe36e4340>
    #
    # __pyx_pw_4ance_9collector_8ksyscall_17KsyscallCollector_3collect: __pyx_self = <cython_function_or_method at remote 0x7fffe32a1110>
    # __pyx_args = (<KsyscallCollector(config=None) at remote 0x7fffe36e4340>, '5.10.134-13.an8.x86_64')
    # __pyx_kwds = 0x0

    from ance.collector.ksyscall import KsyscallCollector

    # The kernel release string is the only argument passed to collect().
    kernel_release = '5.10.134-13.an8.x86_64'
    syscall_table = KsyscallCollector().collect(kernel_release)
    print(syscall_table)
    
    
    myance/kernel_syscall.py 
                 kernel_version number                    name
    0    5.10.134-13.an8.x86_64      0                    read
    1    5.10.134-13.an8.x86_64      1                   write
    2    5.10.134-13.an8.x86_64      2                    open
    3    5.10.134-13.an8.x86_64      3                   close
    4    5.10.134-13.an8.x86_64      4                    stat
    ..                      ...    ...                     ...
    356  5.10.134-13.an8.x86_64    445       landlock_add_rule
    357  5.10.134-13.an8.x86_64    446  landlock_restrict_self
    358  5.10.134-13.an8.x86_64    447            memfd_secret
    359  5.10.134-13.an8.x86_64    448        process_mrelease
    360  5.10.134-13.an8.x86_64    449             futex_waitv
    
    [361 rows x 3 columns]
    
  • strace
    execve("/bin/sh", ["/bin/sh", "-c", "ausyscall --dump | awk 'NR == 1 "...], 0x5559b4c0b2d0 /* 46 vars */) = 0
    

abi

  • ance

    #!/bin/python3.9
    # Probe: run ance's ABIScanner on a single binary and save the result as CSV.

    import sys

    # Replace the interpreter search path with the pyenv 3.9.14 tree
    # (presumably where the ance package is installed; confirm on the host).
    # NOTE(review): '' puts the current working directory first on the import
    # path; start the probe from a directory other users cannot write to.
    sys.path = [
        '',
        '/usr/local/.pyenv/versions/3.9.14/lib/python39.zip',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/lib-dynload',
        '/usr/local/.pyenv/versions/3.9.14/lib/python3.9/site-packages',
    ]

    # Symbol recorded in the original notes:
    #   __pyx_pw_4ance_7scanner_4kabi_11KabiScanner_3scan
    # NOTE(review): that is KabiScanner's entry point, not ABIScanner's; it looks
    # carried over from the kabi probe. Confirm the ABIScanner symbol.

    from ance.scanner.abi import ABIScanner

    # Original note: ance decompresses via __pyx_pw_4ance_5utils_7extract_1extract.
    # No decompression happens in this probe; the binary is scanned in place.

    abi_table = ABIScanner().scan('/usr/bin/ld')

    # The output path is relative, so the file lands in the current working directory.
    abi_table.to_csv('./csv')
    
    
  • strace

    execve("/bin/sh", ["/bin/sh", "-c", "timeout 5s abidw --drop-undefine"...], 0x55e42cf04dc0 /* 45 vars */) = 0
    
https://github.com/iqiyi/xHook/blob/master/docs/overview/android_plt_hook_overview.zh-CN.md

存在的问题

  • env
    • env 的结果来自 fork 后执行 env 命令,子进程的环境变量仍然继承自 ance 的 python 进程,因此和直接读取 os.environ 没什么区别
      • 直接使用python的os.environ更简单
    • env 的输出没有被正确解析:对于取值跨多行的环境变量,处理有误
      • 例:解析结果中出现了一个名为 } 的“环境变量”,其实这个符号只是上一个函数定义的结束花括号
      • 可以使用 env -0,使用\0分割env的返回消息
  • syscmd
    • 貌似扫描的目录是固定的,如 `/usr/bin`、`/usr/sbin/`
      • 应该使用环境变量中PATH提供的路径