CN107621971B - A virtual machine memory forensics method for XenServer platforms - Google Patents


Info
Publication number: CN107621971B
Authority: CN (China)
Prior art keywords: address, denoted, physical address, host, virtual machine
Legal status: Active
Application number: CN201710966659.6A
Other languages: Chinese (zh)
Other versions: CN107621971A
Inventors: 张淑慧, 王连海, 刘广起, 杨淑棉, 徐淑奖, 韩晓晖, 邹丰义
Current assignee: Shandong Computer Science Center (National Supercomputing Center in Jinan)
Original assignee: Shandong Computer Science Center
Events: application filed by Shandong Computer Science Center; priority to CN201710966659.6A; publication of CN107621971A; application granted; publication of CN107621971B; legal status active.


Abstract

The invention discloses a virtual machine memory forensics method for XenServer platforms, comprising: acquiring the physical memory of the host and saving it as a memory image file; obtaining the kernel symbol table file of the host; obtaining the physical address of the vmcoreinfo_xen content; reading the vmcoreinfo_xen content at that physical address and parsing from it the virtual addresses of the kernel symbols domain_list and pgd_l4; converting the virtual address of pgd_l4 into a physical address; obtaining structure addresses; obtaining the structures corresponding to the virtual machine by following the relationships between structures; performing address translation of virtual machine physical addresses; once the virtual machine's physical memory content is available, determining the guest operating system version; and, once the guest operating system is determined, analysing the physical memory with the memory analysis method appropriate to that operating system version.

Description

A virtual machine memory forensics method for XenServer platforms
Technical field
The present invention relates to a virtual machine memory forensics method for XenServer platforms.
Background technology
Compared with traditional file-system-based forensics, memory forensics research started late. It is generally dated to the summer of 2005, when DFRWS (the Digital Forensic Research Workshop) launched a memory forensics analysis challenge for Windows systems to encourage research on memory analysis and the development of related forensic tools. In 2008 DFRWS ran a further memory forensics challenge for Linux systems. Since then almost every DFRWS has included a session on memory forensics analysis. Well-known hacker conferences (Black Hat, Def Con, ShmooCon and others) have also held memory forensics symposia since 2006.
Industry and government departments have likewise focused on memory forensics research. The RCFL (Regional Computer Forensics Laboratory) under the FBI has researched memory forensics since 2006. In 2012 the U.S. Defense Advanced Research Projects Agency (DARPA) launched a memory forensics analysis seminar dedicated to hidden malware, and the U.S. Department of Homeland Security (DHS) studied malware memory forensics as a response to cybercrime. At the same time, memory forensics tools appeared one after another, such as WinEn from Guidance, FastDump from HBGary, MDD developed by ManTech, and Nigilant32 developed by Agile Consulting.
It can be seen that considerable research has been done on acquiring and analysing the physical memory of a host, with some results: by acquiring and analysing a host's physical memory, a large amount of its live data can be obtained.
Today virtualization technology is widely integrated into our lives and has huge market prospects. It changes the tightly coupled relationship between system software and the underlying software, allowing computing systems to be configured and managed more flexibly and reducing hardware costs. It also brings opportunities and challenges to forensic investigators. On the one hand, as a new technology, virtualization can bring new changes to computer forensics and drive the development of computer forensics technology itself; on the other hand, virtual machine products may become tools used by criminals or targets of attack, and suspects can carry out their activities inside virtual machines. How to perform forensics on virtual machines is therefore a completely new and important problem.
At present, computer forensics techniques that take a virtual machine as the object of evidence collection mostly analyse in depth the relevant virtual machine files in the host file system (mainly the configuration files and storage files). Taking virtual machines under VMware Workstation as an example, the files on the virtual machine's "virtual disk" are stored in one or more files with the suffix "vmdk", files with the suffix "vmem" hold all the data in the virtual machine's physical memory, and the configuration information is stored in a file with the suffix "vmx". Zhong Lin and Xu Rongsheng, for example, proposed a method for collecting evidence from virtual machine files. In 2013 Mariano Graziano was the first to propose a method for detecting virtual machines in the host's physical memory. The method searches the host physical memory for VMCS structures and then uses the volatility tool to analyse the virtual machine's physical memory. The detailed process is as follows:
1) Memory scanning
The VMCS structure contains more than 140 fields and is about 4 KB in size; its layout and values depend on factors such as the CPU model and the virtualization tool. Its first four bytes are the VMCS version identifier, whose value differs between processor models. This is followed by the VMX exit reason indicator, which is generally 0. The VMCS data area contains a variable, VmcsLinkPointerCheck, whose value is conventionally set to two consecutive 0xffffffff values, but the position of this variable is not fixed. The host state area stores the value of the host's CR4 control register, in which bit 13 indicates whether virtualization extensions are enabled. Based on the above features, the host physical memory is scanned for VMCS structures.
2) VMCS structure confirmation
From each VMCS structure found by scanning, the value of HOST_CR3, i.e. the value of the host's CR3 register, is parsed. The CR3 register holds the page directory information of the system process; when physical address extension is disabled, it holds the base address of the system process's page directory. The page directory is found from the value of CR3, then the lookup proceeds level by level: the page table is found from the page directory, and the physical address is found from the page table.
Following this idea, the address at which a VMCS structure was found by scanning is the physical address of that VMCS, so the pages pointed to by CR3 should contain that VMCS physical address. This is used to verify whether the VMCS structure found is valid.
3) Virtual machine introspection
The base address of the EPT page tables is obtained from the VMCS structure. The EPT page table structure consists of four levels: the PML4 table (page map level 4 table), the PDPT (page-directory-pointer table), the PD (page directory) and the PT (page table). Each page table is 4 KB in size and holds 512 page table entries, each entry occupying 8 bytes. By simulating EPT address translation, the PML4, PDPT, PD and PT tables required for all address translations are traversed.
4) Virtual machine physical memory analysis with the volatility tool
The above technique is implemented as a volatility plugin. During analysis, the analysis functions provided by volatility become available once the virtual machine's operating system version has been specified on the volatility command line.
In actual physical memory analysis of virtual machines, we found that the above analysis method has certain limitations, mainly in the following respects:
(1) It is adapted to hosts with certain CPU models and 32-bit operating systems; the virtualization tools supported include HyperDbg, KVM, Xen, VirtualBox and VMware Workstation. In our tests the method could detect the virtual machines installed on a host with an Intel(R) Core(TM) i5-2500 CPU running 32-bit Fedora 18, but could not detect the virtual machines installed on a host with an Intel(R) Xeon(R) CPU E5-2620 running 64-bit Fedora 16;
(2) after a virtual machine has been detected, combining the method with volatility can only analyse the physical memory of virtual machines whose operating system is 32-bit Windows;
(3) during analysis the operation is rather complicated, and the guest operating system version information must be supplied separately before analysis can proceed.
In addition, when analysing Xen and XenServer, we found that memory mapping in such systems is more complex and that address translation faces the following challenges:
(1) The Xen heap occupies the leading part of the machine physical address space, so there is a fixed difference, DIRECTMAP_VIRT_START, between a linear address of the host and the corresponding machine physical address;
(2) Xen/XenServer has its own page tables, which map Xen/XenServer virtual addresses to physical addresses;
(3) guest virtual machines also have their own page tables, and their address translation is performed through shadow page tables or through the hardware memory virtualization mechanism EPT (for Intel) / NPT (for AMD).
These address translation problems make memory analysis under Xen/XenServer difficult.
Invention content
To overcome the limitations of the above technology, the present invention proposes a virtual machine memory forensics method for XenServer platforms.
The virtual machine memory forensics method for XenServer platforms comprises:
Step (1): acquire the physical memory of the host and save it as a memory image file;
Step (2): obtain the kernel symbol table file of the host; the kernel symbol table file includes the value of vmcoreinfo_data and the value of paddr_vmcoreinfo_xen;
Step (3): search the memory image file for the vmcoreinfo_data content; compare the address of the vmcoreinfo_data content with the value of vmcoreinfo_data obtained in step (2), and take the difference between the two values, which is the value of DIRECTMAP_VIRT_START;
Step (4): look up the value of paddr_vmcoreinfo_xen in the kernel symbol table file, subtract the value of DIRECTMAP_VIRT_START from it to obtain the physical address of paddr_vmcoreinfo_xen, and read the value stored at that physical address in the memory image file to obtain the physical address of the vmcoreinfo_xen content;
Step (5): read the vmcoreinfo_xen content at the physical address of the vmcoreinfo_xen content and parse from it the virtual addresses of the kernel symbols domain_list and pgd_l4, where domain_list points to the domain structure corresponding to a virtual machine and pgd_l4 points to the page directory base address required to translate each virtual address in the domain structures;
Step (6): convert the virtual address of pgd_l4 into a physical address: examine the physical memory layout of the host, find the memory address range in which the Hypervisor code and data reside, compare the virtual address of pgd_l4 with that memory address range, and combine bits 24 and above of the memory address range with bits 0 to 23 of the pgd_l4 virtual address into a new address, which is the physical address of pgd_l4;
Step (7): perform address translation of domain_list using the physical address of pgd_l4 to obtain the content pointed to by domain_list, i.e. the address of the corresponding domain structure;
Step (8): obtain the vmcs_struct structure corresponding to the virtual machine from the relationships between the domain, vcpu, arch_vcpu, hvm_vcpu and arch_vmx_struct structures;
Step (9): obtain the ept pointer and guest cr3 from the vmcs_struct structure and perform the address translation of virtual machine physical addresses;
Step (10): once the virtual machine's physical memory content has been obtained, determine the guest operating system version; once the guest operating system is determined, perform physical memory analysis with the memory analysis method appropriate to that operating system version.
In step (1), a hardware physical memory acquisition tool is used to obtain all of the host's physical memory starting from address 0.
The kernel symbol table file of step (2) is the /proc/kallsyms file or the /boot/System.map file.
Step (3) proceeds as follows:
Step (301): search for "OSRELEASE="; if the content found contains "SYMBOL(_stext)=" or "SYMBOL(swapper_pg_dir)" and the operating system version information contains the string "xen", the content found is the content of vmcoreinfo_data. The address of the vmcoreinfo_data content is compared with the vmcoreinfo_data value obtained in step (2), and the difference between the two values is the value of DIRECTMAP_VIRT_START.
Step (7): in big page mode, bits 0 to 20 of the address to be translated are denoted Offset, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 Sign Extended;
in big page mode, address translation is performed as follows:
take bits 12 to 51 of the pgd_l4 register (the low 12 bits taken as 0), add PML4 multiplied by 8 to obtain the first address, and read the content at the first address in the physical memory image, denoted B1;
take bits 12 to 51 of B1 (the low 12 bits taken as 0), add Directory Ptr multiplied by 8 to obtain the second address, and read the content at the second address in the physical memory image, denoted B2;
take bits 12 to 51 of B2 (the low 12 bits taken as 0), add Directory multiplied by 8 to obtain the third address, and read the content at the third address in the physical memory image, denoted B3;
take bits 21 to 51 of B3 (the low 21 bits taken as 0) and add Offset; the resulting value is the physical address obtained from the virtual address.
Step (7): in small page mode, bits 0 to 11 of the address to be translated are denoted Offset, bits 12 to 20 Table, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 Sign Extended;
in small page mode, address translation is performed as follows:
take bits 12 to 51 of the pgd_l4 register (the low 12 bits taken as 0), add PML4 multiplied by 8 to obtain the fourth address, and read the content at the fourth address in the physical memory image, denoted A1;
take bits 12 to 51 of A1 (the low 12 bits taken as 0), add Directory Ptr multiplied by 8 to obtain the fifth address, and read the content at the fifth address in the physical memory image, denoted A2;
take bits 12 to 51 of A2 (the low 12 bits taken as 0), add Directory multiplied by 8 to obtain the sixth address, and read the content at the sixth address in the physical memory image, denoted A3;
take bits 12 to 51 of A3 (the low 12 bits taken as 0), add Table multiplied by 8 to obtain the seventh address, and read the content at the seventh address in the physical memory image, denoted A4;
take bits 12 to 51 of A4 (the low 12 bits taken as 0) and add Offset; the resulting value is the physical address obtained from the virtual address.
Step (8) comprises:
Step (801): convert the domain structure address into a physical address and obtain from the domain structure the pointer to the vcpu structure;
Step (802): obtain the vcpu structure address from the vcpu structure pointer; the vcpu structure contains the linked-list pointer "struct vcpu *next_in_list", which points to the next vcpu structure, so the vcpu structures corresponding to all running virtual machines are obtained by following the list; each vcpu structure obtained includes the arch_vcpu structure content;
Step (803): obtain the hvm_vcpu structure content included in the arch_vcpu structure;
Step (804): obtain the arch_vmx_struct structure content included in the hvm_vcpu structure;
Step (805): obtain the vmcs pointer included in the arch_vmx_struct structure; this pointer points to the vmcs_struct structure.
The address translation of virtual machine physical addresses in step (9) consists of:
translating virtual machine physical addresses to host physical addresses using the ept pointer, and
translating virtual machine virtual addresses to host physical addresses using the ept pointer and guest cr3.
In step (9), the translation of a virtual machine physical address to a host physical address using the ept pointer is as follows:
in big page mode, bits 0 to 20 of the virtual machine physical address to be translated are denoted Offset, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 Sign Extended;
in big page mode, address translation is performed as follows:
take bits 12 to 51 of the ept pointer (the low 12 bits taken as 0), add PML4 multiplied by 8 to obtain the eighth address, and read the content at the eighth address in the physical memory image, denoted B1';
take bits 12 to 51 of B1' (the low 12 bits taken as 0), add Directory Ptr multiplied by 8 to obtain the ninth address, and read the content at the ninth address in the physical memory image, denoted B2';
take bits 12 to 51 of B2' (the low 12 bits taken as 0), add Directory multiplied by 8 to obtain the tenth address, and read the content at the tenth address in the physical memory image, denoted B3';
take bits 21 to 51 of B3' (the low 21 bits taken as 0) and add Offset; the resulting value is the physical address obtained from the virtual machine physical address;
In step (9), the translation of a virtual machine physical address to a host physical address using the ept pointer in small page mode is as follows:
in small page mode, bits 0 to 11 of the virtual machine physical address to be translated are denoted Offset, bits 12 to 20 Table, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 Sign Extended;
in small page mode, address translation is performed as follows:
take bits 12 to 51 of the ept pointer (the low 12 bits taken as 0), add PML4 multiplied by 8 to obtain the eleventh address, and read the content at the eleventh address in the physical memory image, denoted A1';
take bits 12 to 51 of A1' (the low 12 bits taken as 0), add Directory Ptr multiplied by 8 to obtain the twelfth address, and read the content at the twelfth address in the physical memory image, denoted A2';
take bits 12 to 51 of A2' (the low 12 bits taken as 0), add Directory multiplied by 8 to obtain the thirteenth address, and read the content at the thirteenth address in the physical memory image, denoted A3';
take bits 12 to 51 of A3' (the low 12 bits taken as 0), add Table multiplied by 8 to obtain the fourteenth address, and read the content at the fourteenth address in the physical memory image, denoted A4';
take bits 12 to 51 of A4' (the low 12 bits taken as 0) and add Offset; the resulting value is the physical address obtained from the virtual machine physical address.
In step (9), the translation of a virtual machine virtual address to a host physical address using the ept pointer and guest cr3 is as follows:
in small page mode, bits 0 to 11 of the virtual machine's virtual address to be translated are denoted Offset, bits 12 to 20 Table, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 Sign Extended;
the value of the virtual machine's CR3 register is converted into a host physical address by the method for translating a virtual machine physical address into a host physical address, denoted H1; that method is the same as the ept-pointer translation of a virtual machine physical address to a host physical address, with the ept pointer replaced by the value of the virtual machine's CR3 register;
take bits 12 to 51 of H1 (the low 11 bits taken as 0), add PML4 multiplied by 8 to obtain the fifteenth address, and read the content at the fifteenth address in the physical memory image, denoted H2;
convert the value of H2 into a host physical address by the method for translating a virtual machine physical address into a host physical address, denoted H3; that method is the same as the ept-pointer translation of a virtual machine physical address to a host physical address, with the ept pointer replaced by the value of H2;
take bits 12 to 51 of H3 (the low 11 bits taken as 0), add Directory Ptr multiplied by 8 to obtain the sixteenth address, and read the content at the sixteenth address in the physical memory image, denoted H4;
convert the value of H4 into a host physical address by the same method, denoted H5, with the ept pointer replaced by the value of H4;
take bits 12 to 51 of H5 (the low 11 bits taken as 0), add Directory multiplied by 8 to obtain the seventeenth address, and read the content at the seventeenth address in the physical memory image, denoted H6;
convert the value of H6 into a host physical address by the same method, denoted H7, with the ept pointer replaced by the value of H6;
take bits 12 to 51 of H7 (the low 11 bits taken as 0), add Table multiplied by 8 to obtain the eighteenth address, and read the content at the eighteenth address in the physical memory image, denoted H8;
convert the value of H8 into a host physical address by the same method, denoted H9, with the ept pointer replaced by the value of H8;
take bits 12 to 51 of H9 (the low 12 bits taken as 0) and add Offset; the resulting value is the host physical address obtained from the virtual machine's virtual address.
In step (9), the translation of a virtual machine virtual address to a host physical address using the ept pointer and guest cr3 in big page mode is as follows:
in big page mode, bits 0 to 20 of the virtual machine's virtual address to be translated are denoted Offset; bits 21 to 29 of the virtual machine physical address to be translated are denoted Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 Sign Extended;
the value of the virtual machine's CR3 register is converted into a host physical address by the method for translating a virtual machine physical address into a host physical address, denoted G1; that method is the same as the ept-pointer translation of a virtual machine physical address to a host physical address, with the ept pointer replaced by the value of the virtual machine's CR3 register;
take bits 12 to 51 of G1 (the low 11 bits taken as 0), add PML4 multiplied by 8 to obtain the nineteenth address, and read the content at the nineteenth address in the physical memory image, denoted G2;
convert the value of G2 into a host physical address by the same method, denoted G3, with the ept pointer replaced by the value of G2;
take bits 12 to 51 of G3 (the low 11 bits taken as 0), add Directory Ptr multiplied by 8 to obtain the twentieth address, and read the content at the twentieth address in the physical memory image, denoted G4;
convert the value of G4 into a host physical address by the same method, denoted G5, with the ept pointer replaced by the value of G4;
take bits 12 to 51 of G5 (the low 11 bits taken as 0), add Directory multiplied by 8 to obtain the twenty-first address, and read the content at the twenty-first address in the physical memory image, denoted G6;
convert the value of G6 into a host physical address by the same method, denoted G7, with the ept pointer replaced by the value of G6;
take bits 12 to 51 of G6 (the low 12 bits taken as 0) and add Offset; the resulting value is the host physical address obtained from the virtual machine's virtual address.
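The page-table walks of steps (7) and (9), as an added Python example that is not part of the patent: one 4-level walk serves the Xen host walk from pgd_l4, the EPT walk from the ept pointer, and the nested guest walk, in which the guest CR3 value, every guest table address (H1, H3, ... in the text) and the final guest physical address are put through the EPT walk. It goes slightly beyond the text in selecting the 2 MB "big page" case by bit 7 of the page-directory entry, as the Intel layout defines; the image, tables, addresses and marker bytes are all constructed for the demonstration.

```python
import struct

PAGE = 0x1000
ENTRY_MASK = ((1 << 52) - 1) & ~0xFFF     # bits 12..51 of a table entry (next-table address)
BIG_MASK = ((1 << 52) - 1) & ~0x1FFFFF    # bits 21..51 of a 2 MB page-directory entry
PS_BIT = 1 << 7                           # Intel "page size" bit in PDEs and EPT PDEs


def split_va(addr):
    """Fields named in the text: PML4, Directory Ptr, Directory, Table and the Offset."""
    return {"pml4": (addr >> 39) & 0x1FF, "pdpt": (addr >> 30) & 0x1FF,
            "pd": (addr >> 21) & 0x1FF, "pt": (addr >> 12) & 0x1FF,
            "off4k": addr & 0xFFF, "off2m": addr & 0x1FFFFF}


class Space:
    """Address space over a shared buffer. shift=0 is the host image; a positive shift
    models guest-physical pages that the EPT will map to host pages at gpa + shift."""
    def __init__(self, data, shift=0):
        self.data, self.shift, self.next_page = data, shift, 1   # page 0 left unused

    def alloc(self):                          # fresh zeroed page for a table
        pa, self.next_page = self.next_page * PAGE, self.next_page + 1
        return pa

    def read_u64(self, pa):
        return struct.unpack_from("<Q", self.data, pa + self.shift)[0]

    def write_u64(self, pa, val):
        struct.pack_into("<Q", self.data, pa + self.shift, val)


def map_page(space, root, addr, target, big=False):
    """Install addr -> target in the tables rooted at root, creating tables on demand.
    Flag value 7 is present|RW|user for CPU tables and read|write|exec for EPT tables."""
    idx = split_va(addr)
    table = root
    for name in (["pml4", "pdpt"] if big else ["pml4", "pdpt", "pd"]):
        slot = table + idx[name] * 8
        entry = space.read_u64(slot)
        if (entry & 7) == 0:
            entry = space.alloc() | 7
            space.write_u64(slot, entry)
        table = entry & ENTRY_MASK
    if big:
        space.write_u64(table + idx["pd"] * 8, (target & BIG_MASK) | PS_BIT | 7)
    else:
        space.write_u64(table + idx["pt"] * 8, (target & ENTRY_MASK) | 7)


def walk(img, root, addr, ept=False, translate=lambda pa: pa):
    """Steps (7)/(9): PML4 -> PDPT -> PD (-> PT) from root (pgd_l4 or the ept pointer).
    translate() turns each table address into a host physical address before the read:
    identity for the host and EPT walks, the EPT walk itself for the nested guest walk."""
    idx = split_va(addr)

    def read_entry(table_pa, index):
        entry = img.read_u64(translate(table_pa) + index * 8)
        if not (entry & 7 if ept else entry & 1):
            raise ValueError("non-present entry for 0x%x" % addr)
        return entry

    pml4e = read_entry(root & ENTRY_MASK, idx["pml4"])      # B1 / A1 (first address)
    pdpte = read_entry(pml4e & ENTRY_MASK, idx["pdpt"])     # B2 / A2
    pde = read_entry(pdpte & ENTRY_MASK, idx["pd"])         # B3 / A3
    if pde & PS_BIT:                                        # big page mode: bits 21..51 + Offset
        return (pde & BIG_MASK) | idx["off2m"]
    pte = read_entry(pde & ENTRY_MASK, idx["pt"])           # A4 (small page mode)
    return (pte & ENTRY_MASK) | idx["off4k"]


def guest_va_to_host_pa(img, eptp, guest_cr3, gva):
    """Step (9) nested walk: guest CR3, every guest table address (H1, H3, ..., H9 in the
    text) and the final guest physical address are all put through the EPT walk."""
    ept = lambda gpa: walk(img, eptp, gpa, ept=True)
    return ept(walk(img, guest_cr3, gva, translate=ept))


def build_demo():
    """Constructed 4 MB image: one host 4 KB page, one host 2 MB page, one guest page."""
    host = Space(bytearray(0x400000))
    pgd_l4 = host.alloc()
    map_page(host, pgd_l4, 0x4020300000, 0x30000)           # Xen VA -> host PA, small page
    map_page(host, pgd_l4, 0x80000000, 0x200000, big=True)  # Xen VA -> host PA, big page
    eptp = host.alloc()
    guest = Space(host.data, shift=0x100000)
    guest_cr3 = guest.alloc()
    map_page(guest, guest_cr3, 0x7F0000011000, 0x20000)    # guest VA -> guest PA
    for gpa in range(0, 0x22000, PAGE):                     # EPT: guest PA -> guest PA + shift
        map_page(host, eptp, gpa, gpa + guest.shift)
    host.data[0x120234:0x12023C] = b"GUESTPG!"              # marker inside the guest page
    return host, pgd_l4, eptp, guest_cr3
```

A non-present entry at any level raises, which is the check a real image needs before an entry's bits 12 to 51 are trusted as a table address.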
Step (10) proceeds as follows:
Step (1001): for Windows systems, determine whether a KPCR structure exists in memory, then parse the KPCR obtained to get the detailed system version and the kernel symbols;
Step (1002): for Linux systems, the determination is made by searching for the vmcoreinfo_data content; when the system boots, the kernel function crash_save_vmcoreinfo_init() initialises the content of the vmcoreinfo_data region, and the vmcoreinfo_data region is located by its features.
Compared with the prior art, the beneficial effects of the invention are as follows:
1. The virtual machine memory forensics method for XenServer platforms described by the present invention detects the running virtual machines by analysing the host's physical memory, and obtains and analyses virtual machine memory information from it. This mode of evidence collection loads no software or hardware into the virtual machine, runs no agent, and does not affect the running state of the virtual machine; the memory information obtained is more faithful and cannot be altered by malicious code.
2. By analysing the host's physical memory, the present invention can automatically determine the host version information and, combined with the relevant kernel symbol table and kernel structures, quickly detect the running virtual machines without performing a feature value search over the entire physical memory, which is more reliable and efficient.
3. At present, methods that analyse the running state of virtual machines by analysing host physical memory mostly support virtualized environments such as KVM and Xen; no support has yet been found for forensics on virtual machine physical memory under XenServer platforms.
4. The present invention has a wide range of applicability: it is suitable for virtual machine memory forensics on hosts with mainstream CPU models such as Intel Core and Xeon, and the range of supported guest operating system versions is also broad; memory acquisition and analysis can be carried out for 32-bit and 64-bit Windows XP, Windows Vista, Windows 7 and Windows 8 systems.
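The vmcoreinfo_data search of step (301) and the derivation of steps (3) to (6), as an added Python example that is not from the patent; the same search with the Xen check switched off is the guest-side recognition of a Linux system that step (1002) relies on. The image bytes, kallsyms lines, symbol values and the hypervisor region start (0x7e000000) are constructed; the "SYMBOL(name)=hex" line format is the one step (301) shows.

```python
import re
import struct

VMCOREINFO_MAX = 4096                   # vmcoreinfo buffers are zero-filled char arrays
SYMBOL_RE = re.compile(rb"SYMBOL\(([A-Za-z0-9_]+)\)=([0-9a-fA-F]+)")


def read_text(image, offset, limit=VMCOREINFO_MAX):
    """NUL-terminated text starting at offset in the image."""
    return bytes(image[offset:offset + limit]).split(b"\x00", 1)[0]


def parse_vmcoreinfo(text):
    """'SYMBOL(name)=hex' lines -> {name: address}, plus the OSRELEASE value."""
    syms = {m.group(1).decode(): int(m.group(2), 16) for m in SYMBOL_RE.finditer(text)}
    rel = re.search(rb"OSRELEASE=([^\n]*)", text)
    return syms, (rel.group(1).decode() if rel else "")


def find_vmcoreinfo_data(image, require_xen=True):
    """Step (301): locate vmcoreinfo_data by content. A hit must carry SYMBOL(_stext)=
    or SYMBOL(swapper_pg_dir) and, for the Xen host, 'xen' in the release string.
    With require_xen=False this is the guest-side check of step (1002)."""
    pos = image.find(b"OSRELEASE=")
    while pos != -1:
        syms, release = parse_vmcoreinfo(read_text(image, pos))
        if ("_stext" in syms or "swapper_pg_dir" in syms) and (not require_xen or "xen" in release):
            return pos, release
        pos = image.find(b"OSRELEASE=", pos + 1)
    return None


def load_kallsyms(text):
    """Step (2): /proc/kallsyms or System.map lines 'addr type name' -> {name: addr}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            out[parts[2]] = int(parts[0], 16)
    return out


def locate_xen_symbols(image, kallsyms):
    """Steps (3)-(5): DIRECTMAP_VIRT_START from the vmcoreinfo_data hit, then follow
    paddr_vmcoreinfo_xen into the image and read domain_list / pgd_l4 from vmcoreinfo_xen."""
    hit = find_vmcoreinfo_data(image)
    if hit is None:
        raise ValueError("vmcoreinfo_data not found in image")
    data_pa, _ = hit
    directmap = kallsyms["vmcoreinfo_data"] - data_pa            # step (3): VA minus PA
    var_pa = kallsyms["paddr_vmcoreinfo_xen"] - directmap         # step (4): VA -> PA
    xen_pa = struct.unpack_from("<Q", image, var_pa)[0]           # value stored in the variable
    xen_syms, _ = parse_vmcoreinfo(read_text(image, xen_pa))      # step (5)
    return {"directmap": directmap, "vmcoreinfo_xen": xen_pa,
            "domain_list": xen_syms["domain_list"], "pgd_l4": xen_syms["pgd_l4"]}


def pgd_l4_phys(pgd_l4_va, hypervisor_region_start):
    """Step (6): bits 24 and up from the hypervisor's physical region, bits 0-23 from the VA."""
    return (hypervisor_region_start & ~0xFFFFFF) | (pgd_l4_va & 0xFFFFFF)


def build_demo():
    """Constructed 32 KB image plus kallsyms lines; every address and string is made up."""
    image = bytearray(0x8000)
    image[0x1000:0x1010] = b"OSRELEASE=decoy\n"                  # no SYMBOL lines: rejected
    data_text = (b"OSRELEASE=4.4.0-xen-dom0\nPAGESIZE=4096\n"
                 b"SYMBOL(_stext)=ffffffff81000000\nSYMBOL(swapper_pg_dir)=ffffffff81e06000\n")
    xen_text = b"SYMBOL(domain_list)=ffff82d080312340\nSYMBOL(pgd_l4)=ffff82d080200000\n"
    image[0x3000:0x3000 + len(data_text)] = data_text
    struct.pack_into("<Q", image, 0x4000, 0x5000)                # paddr_vmcoreinfo_xen variable
    image[0x5000:0x5000 + len(xen_text)] = xen_text
    kallsyms = load_kallsyms("ffff880000003000 D vmcoreinfo_data\n"
                             "ffff880000004000 D paddr_vmcoreinfo_xen\n")
    return image, kallsyms
```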
Description of the drawings
The accompanying drawings, which form a part of this application, are provided for further understanding of the application; the illustrative embodiments of the application and their explanation serve to explain the application and do not constitute an improper limitation of it.
Fig. 1 shows the VMX operation modes;
Fig. 2 shows the relationships among the domain, vcpu and related structures;
Fig. 3 shows the content of vmcoreinfo_data;
Fig. 4 shows the content of vmcoreinfo_xen;
Fig. 5 shows the layout of host physical memory;
Fig. 6 shows address translation under big page mode;
Fig. 7 shows address translation under small page mode;
Fig. 8 shows the content of the VCPU structure;
Fig. 9 shows the content of the vmcs_struct structure;
Fig. 10 shows the translation of a virtual machine virtual address into a physical address under small page mode.
Specific implementation mode
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the application. Unless otherwise indicated, all technical and scientific terms used herein have the meaning commonly understood by a person of ordinary skill in the technical field to which the application belongs.
The concepts and technical terms involved are mainly virtual machine, XenServer, VMCS and EPT.
A virtual machine (VM) is one of several independent, fully functional hardware systems simulated on a single hardware platform; each runs in a completely isolated environment, and a different operating system, the guest operating system (Guest OS), can run on each virtual hardware system. These guest operating systems access the real physical resources through the Virtual Machine Monitor (VMM). "Domain" is the Xen term for a virtual machine; "vcpu" denotes a virtual processor.
In the present invention, for convenience of description, the physical host is referred to as the host; the physical address of the host is written HPA (Host Physical Address), the virtual address of the host HVA (Host Virtual Address), the physical address of the virtual machine GPA (Guest Physical Address), and the virtual address of the virtual machine GVA (Guest Virtual Address). A guest physical address is itself still a virtual address; only the host physical address is a real machine address.
XenServer is a server virtualization system released by Citrix. Unlike conventional virtual machine software it needs no underlying host operating system, that is, XenServer itself has the functions of an operating system and can be installed directly on a server, booted and run. The current latest version of XenServer is 7.2; it is stable and supports both Windows and Linux guests well. XenServer itself has no graphical interface; for the convenience of Windows users Citrix provides XenCenter, a graphical management console through which a user can manage and monitor XenServer servers intuitively.
To better support virtualization, VT-x extends the traditional x86 processor architecture with two operation modes, VMX root operation and VMX non-root operation, collectively called the VMX operation modes. To support these two modes VT-x defines the VMCS (Virtual-Machine Control Structure); each VMCS corresponds to one virtual CPU (VCPU), as shown in Fig. 1. A VMCS consists of three parts: the VMCS revision identifier, the VMX-abort indicator and the VMCS data area. The VMCS data area contains six logical regions, among them the Guest-State Area and the Host-State Area, which hold the state of the virtual machine and of the host respectively. On VM entry (the processor passes from VMX root to VMX non-root operation) the processor state is saved into the host-state area of the VMCS and the guest state is loaded from the VMCS; on VM exit (from VMX non-root to VMX root operation) the processor state is saved into the guest-state area and the host state is loaded from the VMCS. In a KVM virtualization environment the VMCS appears in the kernel source as "struct vmcs"; under XenServer it appears in the hypervisor source as "struct vmcs_struct".
EPT (Extended Page Table) is Intel's hardware-assisted memory virtualization technology added on top of VT-x. With shadow page tables, the hypervisor maintains a "shadow page table" for every guest page table, writes the combined mapping into the shadow, leaves the guest page table untouched and hands the shadow page table to the memory management unit for address translation. The EPT mechanism instead supports memory virtualization in hardware: an additional EPT page table is added beneath the guest page tables, and through it the physical address of the virtual machine is translated directly into the physical address of the host, which reduces the cost of memory virtualization. The base address of the EPT page tables is given by the Extended-page-table pointer field in the "VM-Execution" control area of the VMCS.
The analysis procedure is described in detail taking XenServer 4.1.2 as an example:
1. The physical memory of the host is acquired with a hardware tool. Through remote terminal software the command "cat /proc/iomem" is used to view the memory map of the host and obtain the size of physical memory; the whole physical memory of the host is then acquired according to that address range and saved as a memory image file.
2. The kernel symbol table file of the host is obtained, i.e. /proc/kallsyms or /boot/System.map, and the values of the kernel symbols vmcoreinfo_data and paddr_vmcoreinfo_xen are read from it:
3. The content of vmcoreinfo_data is searched for in the memory image file according to the following features:
(1) the content begins with "OSRELEASE=";
(2) the information following OSRELEASE is the operating system version string, and this version string contains "xen";
(3) the content found includes entries such as "SYMBOL(_stext)=" and "SYMBOL(swapper_pg_dir)".
As shown in Fig. 3, this confirms that the content found is vmcoreinfo_data. The physical address at which it is found (0xCE672400) is compared with the value of vmcoreinfo_data in the kernel symbol table from step 2 (0xc0672400); the difference between the two values, 0xE000000, is the value of DIRECTMAP_VIRT_START.
4. From the value of paddr_vmcoreinfo_xen obtained in step 2 (0xc075d4a4) and the value of DIRECTMAP_VIRT_START obtained in step 3 (0xE000000), the machine physical address of paddr_vmcoreinfo_xen is computed as 0xc075d4a4 + 0xE000000 = 0xce75d4a4; the value stored at this address is the physical address of vmcoreinfo_xen.
5. From the address obtained in step 4 the content of vmcoreinfo_xen is read (as shown in Fig. 4), and the virtual addresses of the kernel symbols domain_list, pgd_l4, frame_table, dom_xen and so on are parsed from it:
domain_list points to the domain structures corresponding to the virtual machines, and pgd_l4 points to the page directory base needed to translate every virtual address in the domain.
6. To convert the address of pgd_l4 into a physical address, the physical memory layout of the host is examined and the memory address range holding the Hypervisor code and data (as shown in Fig. 5) is found to be:
cf100000-cf2eb37f : Hypervisor code and data
The Hypervisor code and data therefore all lie above 0xcf100000. The virtual address of pgd_l4 is compared with this range: bits 24 and above of the range start (cf000000) are combined with bits 0-23 of the pgd_l4 virtual address (2a60f0) to form a new address, 0xcf2a60f0, which is the physical address of pgd_l4.
7. Address translation is performed on domain_list using the physical address of pgd_l4. The translation methods are shown in Fig. 6 and Fig. 7: Fig. 6 is the translation under big page mode and Fig. 7 the translation under small page mode. This yields the address of the domain structure that domain_list points to, 0xffff83012b9fe000.
Explanation of the address translation in Fig. 6 and Fig. 7:
As shown in Fig. 6, under big page mode bits 0 to 20 of the address to be translated are denoted Offset; bits 21 to 29 are denoted Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 are the sign extension.
As shown in Fig. 6, under big page mode the address is translated as follows:
Take bits 12 to 51 of the pgd_l4 register, with the low 12 bits set to 0, and add PML4 multiplied by 8 to obtain the first address; the content of the physical memory image at the first address is denoted B1;
Take bits 12 to 51 of B1, with the low 12 bits set to 0, and add Directory Ptr multiplied by 8 to obtain the second address; the content of the physical memory image at the second address is denoted B2;
Take bits 12 to 51 of B2, with the low 12 bits set to 0, and add Directory multiplied by 8 to obtain the third address; the content of the physical memory image at the third address is denoted B3;
Take bits 21 to 51 of B3, with the low 21 bits set to 0, and add Offset; the resulting value is the physical address into which the virtual address has been translated.
As shown in Fig. 7, under small page mode bits 0 to 11 of the address to be translated are denoted Offset, bits 12 to 20 Table, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 are the sign extension.
As shown in Fig. 7, under small page mode the address is translated as follows:
Take bits 12 to 51 of the pgd_l4 register, with the low 12 bits set to 0, and add PML4 multiplied by 8 to obtain the fourth address; the content of the physical memory image at the fourth address is denoted A1;
Take bits 12 to 51 of A1, with the low 12 bits set to 0, and add Directory Ptr multiplied by 8 to obtain the fifth address; the content of the physical memory image at the fifth address is denoted A2;
Take bits 12 to 51 of A2, with the low 12 bits set to 0, and add Directory multiplied by 8 to obtain the sixth address; the content of the physical memory image at the sixth address is denoted A3;
Take bits 12 to 51 of A3, with the low 12 bits set to 0, and add Table multiplied by 8 to obtain the seventh address; the content of the physical memory image at the seventh address is denoted A4;
Take bits 12 to 51 of A4, with the low 12 bits set to 0, and add Offset; the resulting value is the physical address into which the virtual address has been translated.
8. As shown in Fig. 2, the vmcs_struct structure corresponding to the virtual machine is obtained by following the relationships between the structures:
(801): first, the domain structure address is translated into the physical address 0x12b9fe000, and the vcpu structure pointer is read from the domain structure;
(802): secondly, the vcpu structure address 0xffff8300cf770000 is obtained from that pointer and translated into the structure's physical address 0xcf770000 (as shown in Fig. 8). The vcpu structure contains the linked-list pointer "struct vcpu *next_in_list" to the next vcpu structure, so by following this list the vcpu structures of all running virtual machines can be obtained. In addition, the arch_vcpu structure contained in the vcpu structure is read;
(803): the hvm_vcpu structure contained in the arch_vcpu structure is read;
(804): the arch_vmx_struct structure contained in the hvm_vcpu structure is read;
(805): the vmcs pointer to the vmcs_struct structure contained in arch_vmx_struct is read; it points to the vmcs_struct virtual address 0xffff83010134f000, which after address translation gives the vmcs_struct physical address 0x10134f000.
9. From the vmcs_struct structure the ept pointer (0x1013fa01e), the guest cr3 (0x39000), the host cr3 (0x12ef4e000) and similar information are obtained (as shown in Fig. 9).
The translation of a virtual machine physical address into a host physical address is performed according to the ept pointer. The method is the same as the address translation in step 7, with the page directory base pgd_l4 replaced by the value of the ept pointer:
Method for translating a virtual machine physical address into a host physical address according to the ept pointer:
As shown in Fig. 6, under big page mode bits 0 to 20 of the virtual machine physical address to be translated are denoted Offset; bits 21 to 29 are denoted Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 are the sign extension.
Under big page mode the address is translated as follows:
Take bits 12 to 51 of the ept pointer, with the low 12 bits set to 0, and add PML4 multiplied by 8 to obtain the eighth address; the content of the physical memory image at the eighth address is denoted B1';
Take bits 12 to 51 of B1', with the low 12 bits set to 0, and add Directory Ptr multiplied by 8 to obtain the ninth address; the content of the physical memory image at the ninth address is denoted B2';
Take bits 12 to 51 of B2', with the low 12 bits set to 0, and add Directory multiplied by 8 to obtain the tenth address; the content of the physical memory image at the tenth address is denoted B3';
Take bits 21 to 51 of B3', with the low 21 bits set to 0, and add Offset; the resulting value is the host physical address into which the virtual machine physical address has been translated.
As shown in Fig. 7, under small page mode bits 0 to 11 of the virtual machine physical address to be translated are denoted Offset, bits 12 to 20 Table, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 are the sign extension.
Under small page mode the address is translated as follows:
Take bits 12 to 51 of the ept pointer, with the low 12 bits set to 0, and add PML4 multiplied by 8 to obtain the eleventh address; the content of the physical memory image at the eleventh address is denoted A1';
Take bits 12 to 51 of A1', with the low 12 bits set to 0, and add Directory Ptr multiplied by 8 to obtain the twelfth address; the content of the physical memory image at the twelfth address is denoted A2';
Take bits 12 to 51 of A2', with the low 12 bits set to 0, and add Directory multiplied by 8 to obtain the thirteenth address; the content of the physical memory image at the thirteenth address is denoted A3';
Take bits 12 to 51 of A3', with the low 12 bits set to 0, and add Table multiplied by 8 to obtain the fourteenth address; the content of the physical memory image at the fourteenth address is denoted A4';
Take bits 12 to 51 of A4', with the low 12 bits set to 0, and add Offset; the resulting value is the host physical address into which the virtual machine physical address has been translated.
The translation of a virtual machine virtual address into a host physical address is realized according to the ept pointer and the guest cr3; the translation under small page mode is shown in Fig. 10.
Under small page mode, the method (Fig. 10) for translating a virtual machine virtual address into a host physical address is:
Bits 0 to 11 of the virtual machine virtual address to be translated are denoted Offset, bits 12 to 20 Table, bits 21 to 29 Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 are the sign extension;
The value of the virtual machine's CR3 register is translated into a host physical address by the method for translating a virtual machine physical address into a host physical address, and the result is denoted H1; this translation is the same EPT walk as the method for translating a virtual machine physical address into a host physical address according to the ept pointer described above, the only difference being that the address translated is the value of the virtual machine's CR3 register (the ept pointer itself is unchanged);
Take bits 12 to 51 of H1, with the low 12 bits set to 0, and add PML4 multiplied by 8 to obtain the fifteenth address; the content of the physical memory image at the fifteenth address is denoted H2;
The value of H2 is translated into a host physical address by the same method, the address translated being the value of H2 with the ept pointer unchanged, and the result is denoted H3;
Take bits 12 to 51 of H3, with the low 12 bits set to 0, and add Directory Ptr multiplied by 8 to obtain the sixteenth address; the content of the physical memory image at the sixteenth address is denoted H4;
The value of H4 is translated into a host physical address by the same method, the address translated being the value of H4, and the result is denoted H5;
Take bits 12 to 51 of H5, with the low 12 bits set to 0, and add Directory multiplied by 8 to obtain the seventeenth address; the content of the physical memory image at the seventeenth address is denoted H6;
The value of H6 is translated into a host physical address by the same method, the address translated being the value of H6, and the result is denoted H7;
Take bits 12 to 51 of H7, with the low 12 bits set to 0, and add Table multiplied by 8 to obtain the eighteenth address; the content of the physical memory image at the eighteenth address is denoted H8;
The value of H8 is translated into a host physical address by the same method, the address translated being the value of H8, and the result is denoted H9;
Take bits 12 to 51 of H9, with the low 12 bits set to 0, and add Offset; the resulting value is the host physical address into which the virtual machine virtual address has been translated.
Under big page mode, the method for translating a virtual machine virtual address into a host physical address is:
Bits 0 to 20 of the virtual machine virtual address to be translated are denoted Offset; bits 21 to 29 are denoted Directory, bits 30 to 38 Directory Ptr, bits 39 to 47 PML4, and bits 48 to 63 are the sign extension;
The value of the virtual machine's CR3 register is translated into a host physical address by the method for translating a virtual machine physical address into a host physical address, and the result is denoted G1; as above, this is the EPT walk according to the ept pointer with the address translated being the value of the CR3 register (the ept pointer itself is unchanged);
Take bits 12 to 51 of G1, with the low 12 bits set to 0, and add PML4 multiplied by 8 to obtain the nineteenth address; the content of the physical memory image at the nineteenth address is denoted G2;
The value of G2 is translated into a host physical address by the same method, the address translated being the value of G2, and the result is denoted G3;
Take bits 12 to 51 of G3, with the low 12 bits set to 0, and add Directory Ptr multiplied by 8 to obtain the twentieth address; the content of the physical memory image at the twentieth address is denoted G4;
The value of G4 is translated into a host physical address by the same method, the address translated being the value of G4, and the result is denoted G5;
Take bits 12 to 51 of G5, with the low 12 bits set to 0, and add Directory multiplied by 8 to obtain the twenty-first address; the content of the physical memory image at the twenty-first address is denoted G6;
The value of G6 is translated into a host physical address by the same method, the address translated being the value of G6, and the result is denoted G7;
Take bits 21 to 51 of G7, with the low 21 bits set to 0, and add Offset; the resulting value is the host physical address into which the virtual machine virtual address has been translated.
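The walks of step 7 (pgd_l4, Fig. 6 and Fig. 7), step 9 (ept pointer) and the H1..H9 / G1..G7 chain above are one and the same 4-level page-table walk with different roots and, for guest-owned tables, an EPT lookup before every read. The following Python is an added example, not code from the patent or from Xen, that implements that walk once over a memory image and composes it for the guest-virtual case; the names (walk, gpa_to_hpa, gva_to_hpa, build_sample_image) and the image contents are the example's own, constructed for it. Two points the description leaves implicit are made explicit: big versus small page mode is not chosen up front but read per entry, from bit 7 (PS) of the Directory entry, in both the guest tables and EPT, so a 4 KiB guest page can sit inside a 2 MiB EPT mapping and vice versa; and EPT entries have no present bit, an entry is live when any of R/W/X (bits 0-2) is set, whereas ordinary entries use bit 0. The 4-level layout is the IA-32e one of the figures and therefore applies to 64-bit guests; a 32-bit PAE or non-PAE Windows XP guest has a different guest-table layout, and only the EPT half of the walk carries over unchanged.

```python
import struct

ENTRY = 8                                   # one 64-bit table entry
FRAME_4K = 0x000F_FFFF_FFFF_F000            # bits 12..51: next table or 4 KiB frame
FRAME_2M = 0x000F_FFFF_FFE0_0000            # bits 21..51: 2 MiB frame
PS = 1 << 7                                 # page-size bit in a Directory entry


def read_u64(img, hpa):
    """Fetch the little-endian 8-byte entry at host physical address hpa of the image."""
    return struct.unpack_from("<Q", img, hpa)[0]


def is_present(entry, ept):
    # EPT entries carry no present bit; an entry is live when any of R/W/X (bits 0-2) is set.
    return (entry & 0x7) != 0 if ept else (entry & 0x1) != 0


def walk(img, root, addr, ept=False, table_hpa=lambda pa: pa):
    """4-level walk (PML4, Directory Ptr, Directory, Table) from root; returns the address
    that addr maps to in the address space the tables describe, or None if not mapped.
    root      : pgd_l4 / CR3 / EPTP value; its low 12 control bits are masked off.
    ept       : True for EPT tables (present semantics differ, see is_present).
    table_hpa : maps a table or frame address as written in an entry to the HPA where it
                lies in the image: identity for host tables and EPT, an EPT lookup for
                guest-owned tables (the nested H1..H9 / G1..G7 chain of the description).
    """
    table = root & FRAME_4K
    idx = [(addr >> shift) & 0x1FF for shift in (39, 30, 21, 12)]
    for level, i in enumerate(idx):
        hpa = table_hpa(table)
        if hpa is None:
            return None
        entry = read_u64(img, hpa + i * ENTRY)
        if not is_present(entry, ept):
            return None
        if level == 2 and entry & PS:                 # big page mode: Directory entry is a 2 MiB leaf
            return (entry & FRAME_2M) | (addr & 0x1F_FFFF)
        table = entry & FRAME_4K
    return table | (addr & 0xFFF)                     # small page mode: 4 KiB frame + 12-bit offset


def hva_to_hpa(img, pgd_l4_pa, hva):
    """Step 7: hypervisor virtual address through the tables rooted at pgd_l4."""
    return walk(img, pgd_l4_pa, hva)


def gpa_to_hpa(img, eptp, gpa):
    """Step 9: guest physical address through the EPT rooted at the ept pointer."""
    return walk(img, eptp, gpa, ept=True)


def gva_to_hpa(img, eptp, cr3, gva):
    """Guest virtual address: every guest table address is itself a GPA that must go
    through EPT before it can be read from the host image, and so must the final frame."""
    gpa = walk(img, cr3, gva, ept=False, table_hpa=lambda pa: gpa_to_hpa(img, eptp, pa))
    return None if gpa is None else gpa_to_hpa(img, eptp, gpa)


def build_sample_image():
    """Constructed 128 KiB image (not from any real host): one EPT hierarchy at HPA
    0x10000-0x13fff and one guest hierarchy whose GPAs 0x1000-0x5000 the EPT maps to
    HPA 0x14000-0x18000. GPA 2-4 MiB is mapped as a single 2 MiB EPT page onto HPA 0-2 MiB."""
    img = bytearray(0x20000)

    def put(hpa, value):
        struct.pack_into("<Q", img, hpa, value)

    ept_pml4, ept_pdpt, ept_pd, ept_pt = 0x10000, 0x11000, 0x12000, 0x13000
    put(ept_pml4, ept_pdpt | 0x7)                    # RWX, non-leaf
    put(ept_pdpt, ept_pd | 0x7)
    put(ept_pd, ept_pt | 0x7)                        # GPA 0-2 MiB through 4 KiB entries
    put(ept_pd + ENTRY, 0x000000 | 0xB7)             # GPA 2-4 MiB: 2 MiB leaf (PS, WB, RWX) at HPA 0
    for gfn in range(1, 6):                          # GPA 0x1000..0x5000 -> HPA 0x14000..0x18000
        put(ept_pt + gfn * ENTRY, (0x13000 + gfn * 0x1000) | 0x37)

    # Guest tables are written at the HPA the EPT assigns to their GPA.
    put(0x14000, 0x2000 | 0x3)                       # guest PML4 (GPA 0x1000)[0] -> PDPT at GPA 0x2000
    put(0x15000, 0x3000 | 0x3)                       # guest PDPT (GPA 0x2000)[0] -> PD at GPA 0x3000
    put(0x16000, 0x4000 | 0x3)                       # guest PD (GPA 0x3000)[0] -> PT at GPA 0x4000
    put(0x16000 + ENTRY, 0x200000 | 0x83)            # guest PD[1] -> 2 MiB page at GPA 0x200000
    put(0x17000 + 5 * ENTRY, 0x5000 | 0x3)           # guest PT (GPA 0x4000)[5] -> data at GPA 0x5000
    img[0x18ABC:0x18AC0] = b"GVA4"                   # reached by GVA 0x5ABC over the 4 KiB path
    img[0x7FC:0x800] = b"GVA2"                       # reached by GVA 0x2007FC over the 2 MiB path
    eptp = ept_pml4 | 0x1E                           # low bits as in a real EPTP: WB, 4-level walk
    cr3 = 0x1000
    return img, eptp, cr3


if __name__ == "__main__":
    img, eptp, cr3 = build_sample_image()
    for gva in (0x5ABC, 0x2007FC, 0x6000):
        print(hex(gva), "->", gva_to_hpa(img, eptp, cr3, gva))
```

With a real image the roots are the values recovered by the description: walk(img, 0xcf2a60f0, domain_list_va) for step 7, gpa_to_hpa(img, 0x1013fa01e, gpa) for step 9, and gva_to_hpa(img, 0x1013fa01e, 0x39000, gva) for a guest virtual address; every read is bounds-checked by struct.unpack_from, so a table entry pointing outside the image raises instead of silently returning garbage.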
10. After the virtual machine physical memory content has been obtained, the version of the guest operating system is determined:
(1001): for a Windows system, judge whether a KPCR structure exists in memory, then parse the KPCR found to obtain the detailed system version and the kernel symbols.
(1002): for a Linux system, judge by searching for the content of vmcoreinfo_data. At system start-up the kernel function crash_save_vmcoreinfo_init() initializes the content of the vmcoreinfo_data region, so the region can be located from its characteristic content.
11. Once the guest operating system has been determined, physical memory analysis is carried out with the memory analysis method corresponding to that version.
The foregoing is merely the preferred embodiment of the application and is not intended to limit it; for those skilled in the art the application may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the application shall be included in the scope of protection of the application.

Claims (10)

1. A virtual machine memory forensics method for the XenServer platform, characterized in that it comprises:
Step (1): obtaining the physical memory information of the host and saving it as a memory image file;
Step (2): obtaining the kernel symbol table file of the host; the kernel symbol table file includes the value of vmcoreinfo_data and the value of paddr_vmcoreinfo_xen;
Step (3): searching the memory image file for the content of vmcoreinfo_data; comparing the address of the content of vmcoreinfo_data with the value of vmcoreinfo_data obtained in step (2) and taking the difference of the two values as the value of DIRECTMAP_VIRT_START;
Step (4): looking up the value of paddr_vmcoreinfo_xen in the kernel symbol table file, offsetting the value of paddr_vmcoreinfo_xen by the value of DIRECTMAP_VIRT_START to obtain the physical address of paddr_vmcoreinfo_xen, and reading the value that this physical address points to in the memory image file to obtain the physical address of the content of vmcoreinfo_xen;
Step (5): reading the content of vmcoreinfo_xen at the physical address of the vmcoreinfo_xen content and parsing from it the virtual addresses of the kernel symbols domain_list and pgd_l4; wherein domain_list points to the domain structures corresponding to the virtual machines, and pgd_l4 points to the page directory base needed to translate every virtual address in the domain structures;
Step (6): converting the virtual address of pgd_l4 into a physical address: examining the physical memory layout of the host, finding the memory address range holding the Hypervisor code and data, comparing the virtual address of pgd_l4 with that memory address range, and combining bits 24 and above of the memory address range with bits 0-23 of the pgd_l4 virtual address to form a new address, which is the physical address of pgd_l4;
Step (7): performing address translation on domain_list according to the physical address of pgd_l4 to obtain the address of the domain structure corresponding to the content domain_list points to;
Step (8): obtaining the vmcs_struct structure corresponding to the virtual machine according to the relationships between the domain, vcpu, arch_vcpu, hvm_vcpu and arch_vmx_struct structures;
Step (9): obtaining the ept pointer and the guest cr3 from the vmcs_struct structure, and realizing the address translation of virtual machine physical addresses;
Step (10): after the virtual machine physical memory content has been obtained, determining the version of the guest operating system; after the version of the guest operating system has been determined, carrying out physical memory analysis with the memory analysis method corresponding to that guest operating system version.
2. the virutal machine memory evidence collecting method towards XenServer platforms as described in claim 1, characterized in that
The Kernel Symbol Table file of the step (2) includes:/ proc/kallsyms files or/boot/System.map texts Part.
3. the virutal machine memory evidence collecting method towards XenServer platforms as described in claim 1, characterized in that
The step of step (3) is:
Step (301):Search for " OSRELEASE=", if the content searched include " SYMBOL (_ stext)=" or " SYMBOL (swapper_pg_dir) " content, and contain " xen " character string in the version information of operating system, then illustrate to search for The content arrived is the content of vmcoreinfo_data, and the address of the content of vmcoreinfo_data is obtained in step (2) The vmcoreinfo_data values got are compared, and the difference of the two values, as DIRECTMAP_VIRT_START are got Value.
4. The virtual machine memory forensics method for XenServer platforms according to claim 1, characterized in that
in step (7), under big page mode, bits 0 to 20 of the address to be translated are denoted Offset, bits 21 to 29 are denoted Directory, bits 30 to 38 are denoted Directory Ptr, bits 39 to 47 are denoted PML4, and bits 48 to 63 are denoted Sign Extended;
under big page mode, address translation is carried out as follows:
take bits 12 to 51 of the pgd_l4 register with the low 12 bits set to 0, add PML4 multiplied by 8 to obtain the first address, and read the content at the first address in the physical memory image, denoted B1;
take bits 12 to 51 of B1 with the low 12 bits set to 0, add Directory Ptr multiplied by 8 to obtain the second address, and read the content at the second address in the physical memory image, denoted B2;
take bits 12 to 51 of B2 with the low 12 bits set to 0, add Directory multiplied by 8 to obtain the third address, and read the content at the third address in the physical memory image, denoted B3;
take bits 21 to 51 of B3 with the low 21 bits set to 0 and add Offset; the result is the value of the virtual address converted to a physical address.
5. The virtual machine memory forensics method for XenServer platforms according to claim 1, characterized in that
in step (7), under small page mode, bits 0 to 11 of the address to be translated are denoted Offset, bits 12 to 20 are denoted Table, bits 21 to 29 are denoted Directory, bits 30 to 38 are denoted Directory Ptr, bits 39 to 47 are denoted PML4, and bits 48 to 63 are denoted Sign Extended;
under small page mode, address translation is carried out as follows:
take bits 12 to 51 of the pgd_l4 register with the low 12 bits set to 0, add PML4 multiplied by 8 to obtain the fourth address, and read the content at the fourth address in the physical memory image, denoted A1;
take bits 12 to 51 of A1 with the low 12 bits set to 0, add Directory Ptr multiplied by 8 to obtain the fifth address, and read the content at the fifth address in the physical memory image, denoted A2;
take bits 12 to 51 of A2 with the low 12 bits set to 0, add Directory multiplied by 8 to obtain the sixth address, and read the content at the sixth address in the physical memory image, denoted A3;
take bits 12 to 51 of A3 with the low 12 bits set to 0, add Table multiplied by 8 to obtain the seventh address, and read the content at the seventh address in the physical memory image, denoted A4;
take bits 12 to 51 of A4 with the low 12 bits set to 0 and add Offset; the result is the value of the virtual address converted to a physical address.
6. The virtual machine memory forensics method for XenServer platforms according to claim 1, characterized in that
step (8) comprises:
Step (801): Convert the domain structure address to a physical address and obtain the pointer in the domain structure that points to the vcpu structure;
Step (802): Obtain the vcpu structure address from the vcpu structure pointer; the vcpu structure contains the linked-list pointer "struct vcpu *next_in_list", which points to the next vcpu structure, and the vcpu structures corresponding to all currently running virtual machines are obtained by following this list; the vcpu structure obtained contains the arch_vcpu structure content;
Step (803): Obtain the hvm_vcpu structure content contained in the arch_vcpu structure;
Step (804): Obtain the arch_vmx_struct structure content contained in the hvm_vcpu structure;
Step (805): Obtain the vmcs pointer contained in the arch_vmx_struct structure; this pointer points to the vmcs_struct structure.
7. The virtual machine memory forensics method for XenServer platforms according to claim 1, characterized in that
the address conversion of the virtual machine physical address in step (9) consists of:
converting a virtual machine physical address to a host physical address according to the ept pointer, and
converting a virtual machine virtual address to a host physical address according to the ept pointer and the guest cr3;
the conversion of a virtual machine physical address to a host physical address according to the ept pointer in step (9) is:
under big page mode, bits 0 to 20 of the virtual machine physical address to be translated are denoted Offset, bits 21 to 29 are denoted Directory, bits 30 to 38 are denoted Directory Ptr, bits 39 to 47 are denoted PML4, and bits 48 to 63 are denoted Sign Extended;
under big page mode, address translation is carried out as follows:
take bits 12 to 51 of the ept pointer with the low 12 bits set to 0, add PML4 multiplied by 8 to obtain the eighth address, and read the content at the eighth address in the physical memory image, denoted B1';
take bits 12 to 51 of B1' with the low 12 bits set to 0, add Directory Ptr multiplied by 8 to obtain the ninth address, and read the content at the ninth address in the physical memory image, denoted B2';
take bits 12 to 51 of B2' with the low 12 bits set to 0, add Directory multiplied by 8 to obtain the tenth address, and read the content at the tenth address in the physical memory image, denoted B3';
take bits 21 to 51 of B3' with the low 21 bits set to 0 and add Offset; the result is the value of the address converted to a physical address.
8. The virtual machine memory forensics method for XenServer platforms according to claim 1, characterized in that
the conversion of a virtual machine physical address to a host physical address according to the ept pointer in step (9) is:
under small page mode, bits 0 to 11 of the virtual machine physical address to be translated are denoted Offset, bits 12 to 20 are denoted Table, bits 21 to 29 are denoted Directory, bits 30 to 38 are denoted Directory Ptr, bits 39 to 47 are denoted PML4, and bits 48 to 63 are denoted Sign Extended;
under small page mode, address translation is carried out as follows:
take bits 12 to 51 of the ept pointer with the low 12 bits set to 0, add PML4 multiplied by 8 to obtain the eleventh address, and read the content at the eleventh address in the physical memory image, denoted A1';
take bits 12 to 51 of A1' with the low 12 bits set to 0, add Directory Ptr multiplied by 8 to obtain the twelfth address, and read the content at the twelfth address in the physical memory image, denoted A2';
take bits 12 to 51 of A2' with the low 12 bits set to 0, add Directory multiplied by 8 to obtain the thirteenth address, and read the content at the thirteenth address in the physical memory image, denoted A3';
take bits 12 to 51 of A3' with the low 12 bits set to 0, add Table multiplied by 8 to obtain the fourteenth address, and read the content at the fourteenth address in the physical memory image, denoted A4';
take bits 12 to 51 of A4' with the low 12 bits set to 0 and add Offset; the result is the value of the address converted to a physical address.
9. The virtual machine memory forensics method for XenServer platforms according to claim 1, characterized in that
step (9) converts a virtual machine virtual address to a host physical address according to the ept pointer and the guest cr3 as follows:
under small page mode, bits 0 to 11 of the virtual address of the virtual machine to be translated are denoted Offset, bits 12 to 20 are denoted Table, bits 21 to 29 are denoted Directory, bits 30 to 38 are denoted Directory Ptr, bits 39 to 47 are denoted PML4, and bits 48 to 63 are denoted Sign Extended;
the value of the CR3 register of the virtual machine is converted into a host physical address by the method for converting a virtual machine physical address to a host physical address, and the result is denoted H1; this conversion is the same as the conversion of a virtual machine physical address to a host physical address according to the ept pointer, except that the ept pointer is replaced by the value of the CR3 register of the virtual machine;
take bits 12 to 51 of H1 with the low 11 bits set to 0, add PML4 multiplied by 8 to obtain the fifteenth address, and read the content at the fifteenth address in the physical memory image, denoted H2;
convert the value of H2 into a host physical address by the method for converting a virtual machine physical address to a host physical address, denoted H3; this conversion is the same as the conversion of a virtual machine physical address to a host physical address according to the ept pointer, except that the ept pointer is replaced by the value of H2;
take bits 12 to 51 of H3 with the low 11 bits set to 0, add Directory Ptr multiplied by 8 to obtain the sixteenth address, and read the content at the sixteenth address in the physical memory image, denoted H4;
convert the value of H4 into a host physical address by the method for converting a virtual machine physical address to a host physical address, denoted H5; this conversion is the same as the conversion of a virtual machine physical address to a host physical address according to the ept pointer, except that the ept pointer is replaced by the value of H4;
take bits 12 to 51 of H5 with the low 11 bits set to 0, add Directory multiplied by 8 to obtain the seventeenth address, and read the content at the seventeenth address in the physical memory image, denoted H6;
convert the value of H6 into a host physical address by the method for converting a virtual machine physical address to a host physical address, denoted H7; this conversion is the same as the conversion of a virtual machine physical address to a host physical address according to the ept pointer, except that the ept pointer is replaced by the value of H6;
take bits 12 to 51 of H7 with the low 11 bits set to 0, add Table multiplied by 8 to obtain the eighteenth address, and read the content at the eighteenth address in the physical memory image, denoted H8;
convert the value of H8 into a host physical address by the method for converting a virtual machine physical address to a host physical address, denoted H9; this conversion is the same as the conversion of a virtual machine physical address to a host physical address according to the ept pointer, except that the ept pointer is replaced by the value of H8;
take bits 12 to 51 of H9 with the low 12 bits set to 0 and add Offset; the result is the value of the virtual address of the virtual machine converted to a physical address of the host.
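The address conversions of claims 4, 5, 7, 8 and 9, carried through as an added worked example in Python that is not part of the patent: a four-level walk over a constructed memory image for both page sizes, used with either the pgd_l4 register or the ept pointer as root, and the nested walk of claim 9 in which the guest CR3 and every guest table entry are first passed through the EPT. Assumptions of this example: the page-size bit (bit 7) of a directory entry decides big versus small page mode, tables are 4 KB aligned at every level (the 12-bit alignment of claims 4 to 8 is applied where claim 9 says 11 bits), and the image, table contents and addresses are constructed sample data rather than a real XenServer dump.

```python
import struct

PS_BIT = 1 << 7                        # assumption: bit 7 of a directory entry marks a 2 MB (big) page
TABLE_MASK = 0x000F_FFFF_FFFF_F000     # "bits 12 to 51, low 12 bits taken as 0"
BIG_PAGE_MASK = 0x000F_FFFF_FFE0_0000  # "bits 21 to 51, low 21 bits taken as 0"

def bits(value, lo, hi):
    """Bits lo..hi (inclusive) of value: the PML4, Directory Ptr, Directory, Table and Offset fields."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)

def read_u64(image, paddr):
    """The 8-byte little-endian table entry stored at physical address paddr of the image."""
    return struct.unpack_from("<Q", image, paddr)[0]

def walk(image, root, addr):
    """Claims 4/5 (root = pgd_l4) and 7/8 (root = ept pointer): four-level translation of addr
    to a host physical address. Bit 0 (present / EPT read) gates each level; unmapped -> None."""
    table = root & TABLE_MASK
    for lo, hi in ((39, 47), (30, 38), (21, 29)):
        entry = read_u64(image, table + bits(addr, lo, hi) * 8)   # B1/A1, B2/A2, B3/A3
        if not entry & 1:
            return None
        if hi == 29 and entry & PS_BIT:                           # big page mode (claims 4/7)
            return (entry & BIG_PAGE_MASK) + bits(addr, 0, 20)
        table = entry & TABLE_MASK
    entry = read_u64(image, table + bits(addr, 12, 20) * 8)       # A4 (small page mode, claims 5/8)
    return (entry & TABLE_MASK) + bits(addr, 0, 11) if entry & 1 else None

def walk_guest(image, eptp, guest_cr3, gva):
    """Claim 9: guest virtual -> host physical. Guest CR3 and each guest table entry (H2, H4, H6,
    H8) are guest physical addresses, so each goes through the EPT walk (H1, H3, H5, H7, H9)."""
    host_table = walk(image, eptp, guest_cr3 & TABLE_MASK)              # H1
    for lo, hi in ((39, 47), (30, 38), (21, 29), (12, 20)):
        if host_table is None:
            return None
        entry = read_u64(image, host_table + bits(gva, lo, hi) * 8)    # H2, H4, H6, H8
        if not entry & 1:
            return None
        host_table = walk(image, eptp, entry & TABLE_MASK)             # H3, H5, H7, H9
    return None if host_table is None else host_table + bits(gva, 0, 11)

def build_sample_image():
    """Constructed 128 KB image (sample data, not a real XenServer dump) with host page tables,
    EPT tables and guest page tables. Returns (image, pgd_l4, ept pointer, guest CR3)."""
    image = bytearray(0x20000)
    def put(table, index, value):
        struct.pack_into("<Q", image, table + index * 8, value)
    # host tables rooted at pgd_l4 = 0x1000: VA 0x40403abc -> PA 0x9abc (4 KB), VA 0x40a12345 -> PA 0x612345 (2 MB)
    put(0x1000, 0, 0x2000 | 3); put(0x2000, 1, 0x3000 | 3); put(0x3000, 2, 0x4000 | 3)
    put(0x4000, 3, 0x9000 | 3); put(0x3000, 5, 0x600000 | PS_BIT | 3)
    # EPT rooted at 0x10000 (the pointer's low bits carry memory-type/walk-length flags):
    # guest PA g maps to host PA g + 0x10000 for the five guest pages used below
    put(0x10000, 0, 0x11000 | 7); put(0x11000, 0, 0x12000 | 7); put(0x12000, 0, 0x13000 | 7)
    for gfn in (5, 6, 7, 8, 0xC):
        put(0x13000, gfn, (0x10000 + gfn * 0x1000) | 7)
    # guest tables (guest PA 0x5000.., host PA 0x15000..): guest VA 0x202345 -> guest PA 0xc345 -> host PA 0x1c345
    put(0x15000, 0, 0x6000 | 3); put(0x16000, 0, 0x7000 | 3)
    put(0x17000, 1, 0x8000 | 3); put(0x18000, 2, 0xC000 | 3)
    return image, 0x1000, 0x1001E, 0x5000
```

On a real image the same walk is run with the pgd_l4 value parsed from vmcoreinfo_xen and the ept pointer taken from the vmcs_struct found in claim 6; an entry without bit 0 set is reported as unmapped rather than followed.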
10. The virtual machine memory forensics method for XenServer platforms according to claim 1, characterized in that
step (10) consists of:
Step (1001): For Windows systems, determine whether a KPCR structure exists in memory, then parse the KPCR obtained to get the system version details and kernel symbols;
Step (1002): For Linux systems, determine the version by searching for the vmcoreinfo_data content; when the system starts, the kernel function crash_save_vmcoreinfo_init() initializes the content of the vmcoreinfo_data region, and the vmcoreinfo_data region is located according to its features.
CN201710966659.6A 2017-10-17 2017-10-17 A kind of virutal machine memory evidence collecting method towards XenServer platforms Active CN107621971B (en)

Publications (2)

Publication Number Publication Date
CN107621971A CN107621971A (en) 2018-01-23
CN107621971B true CN107621971B (en) 2018-08-21

Family

ID=61092573
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20210716
Address after: 250000 1701, 17th floor, First Avenue, 15982 Jingshi Road, Lixia District, Jinan City, Shandong Province
Patentee after: Shandong Zhuozheng Information Technology Co.,Ltd.
Address before: 250014 No. 19, East shouxueyuan Road, Jingshi Road, Lixia District, Jinan City, Shandong Province
Patentee before: SHANDONG COMPUTER SCIENCE CENTER(NATIONAL SUPERCOMPUTER CENTER IN JINAN)
TR01 Transfer of patent right
Effective date of registration: 20230904
Address after: 250014 Ji'nan, Shandong Province, No. 19, Xueyuan Road ten East Road.
Patentee after: SHANDONG COMPUTER SCIENCE CENTER(NATIONAL SUPERCOMPUTER CENTER IN JINAN)
Address before: 250000 1701, 17th floor, First Avenue, 15982 Jingshi Road, Lixia District, Jinan City, Shandong Province
Patentee before: Shandong Zhuozheng Information Technology Co.,Ltd.