Zj_W1nd's BLOG

基于qemu和ubuntu-base的kdump分析环境

linux kernel kdump
2025/03/21

OS比赛的环境搭建折磨了我两天,因此有必要在这里记录下全过程,以后自己想用什么系统也会方便一点。而且网上的blog对于坑是只字不提啊我日。

目前能够完美运行kdump的环境,基于:

1
2
3
4
5
QEMU emulator version 9.2.2
Kernel: 6.13.7-arch1-1
虚拟机主内核: linux-6.13.7(compiled from src)
虚拟机副内核: linux-5.4.10
根文件系统: UbuntuBase20.04

1. Kernel

主内核,即启动加载的内核

要想运行qemu-system, 首先当然需要一个自定义的内核。对于需要调试的内核,我们待会要用到核心转储文件和带有调试信息的无压缩内核,因此,从官网下载源码后,要打开这些编译选项。

1
2
3
4
5
6
7
8
9
10
11
CONFIG_KEXEC=y
CONFIG_SYSFS=y

CONFIG_CRASH_DUMP=y
CONFIG_PROC_VMCORE=y
CONFIG_RELOCATABLE=y

CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_REDUCED=n
CONFIG_DEBUG_INFO_DWARF4=y
CONFIG_DEBUG_FS=y # idk这个随便开的

这些选项是从各种网站博客之类收集来的,我使用的build脚本是在pwncollege提供的脚本基础上做的修改,我也同样建议你在各种地方使用这个脚本来构建和启动内核。最终的build脚本在这里

需要注意的是…

首先,crash工具的本质是一个gdb的套壳。我的arch pacman安装的最新crash里面的gdb版本也才到7.4,所以它不支持dwarf5格式的调试信息,需要改成dwarf4,否则会报错。

其次,对于宿主机来说,如果你想编译一个比较低版本的内核,需要注意自己的gcc版本。我开始在试图编译一个ubuntu20.04的5.4.1内核的时候,会一直报错说UAF的检查不过。这种情况,你有两种选择,一是用docker(也可以试试包管理器但是有点搞)安装一个低版本的gcc环境,推荐gcc8。docker pull就可以。这之后在docker里面去编译内核。(我忘记是-v映射还是docker内clone的源码了)

二是抛弃低版本的内核,使用高版本内核,使用和你的宿主机一致的内核版本最好。当然,可能会有的问题我们后面再说。

2. 文件镜像

参考 https://www.cnblogs.com/wsg1100/p/13127636.html#23

由于kdump相关的工具链在ubuntu的仓库中很全而且可以apt一键安装,因此我建议基于ubuntu-base去构建rootfs。

这里我用的是ubuntu20.04的ubuntu-base。首先从官网或者镜像站下载ubuntu-base的tar包,接着首先创建一个空的镜像,我使用的是qemu-img:

1
qemu-img create -f raw rootfs.img 4G

当然也可以用dd

1
2
# 这是10G!
dd if=/dev/zero of=ubuntu_base.img bs=1G count=10

写好后用mkfs.ext4对它进行初始化。

⚠️注意!mkfs工具和内核的版本是相关的。对于新的内核其能够支持更新的ext4特性,但是这样创建的镜像会导致低版本的内核无法挂载rootfs,只能在initramfs里。这一问题我排查了很长时间才发现。如果你的宿主机内核比较新,为了避免相关情况,可以使用低版本ubuntu的docker内提供的mkfs
可以尝试使用tune2fs -l your.img | grep Features来查看相关的特性。如果你在切换内核时无法进入根文件系统并且日志中提到ext4的问题,试着用低版本的mkfs重新创建镜像。

对于报错不支持特性的代码,可以在这里查看。按理说,tune2fs -O 参数可以用^feature关闭特性,但是我自己尝试的时候并不能生效。

然后,mount上这个文件(我的系统不需要额外参数,直接sudo mount img dir就可以),将ubuntubase解压进文件夹。

接着,如果你是ubuntu系统,就可以将你自己的镜像源,dns等拷进去。但是从0开始总是好的。

相关的配置

apt source位于/etc/apt/sources.list. 在你的宿主机上改掉它,换源就不赘述了。接着是dns,这个文件则是/etc/resolv.conf,可以拷贝你主机的文件过去,也可以直接写入nameserver 8.8.8.8或114。

然后chroot进去用apt开始装东西,虚拟文件系统包括/dev, /proc这些可以不挂载,用处不大。apt warning不用管,都是日志没位置输出之类的。目前,我们的base里没有公钥,所以换源后执行update如果说没有gpg什么的,这样跑:

1
apt-get udpate --allow-insecure-repositories

然后直接aptinstall相应的东西,提示无认证的时候选y不要默认N直接装就行了。

下面apt要装的东西很重要,少了的话后面会很痛苦。

首先配置这些:

1
2
3
4
apt install locales language-pack-en-base
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "test" > /etc/hostname
apt-get install bash-completion

/etc/hosts:

1
2
3
127.0.0.1 localhost
127.0.0.1 test
127.0.1.1 test.localdomain test

然后是

1
apt install init vim -y

一定要安装init包!一定要安装init包!一定要安装init包!不然你的电脑会没有reboot和shutdown命令,只能qemu关闭,kdump无法自动触发重启。

在这里可选安装/boot下的内核和initrd,如果你有自己的第二内核可以自己copy进去提供给kexec,我是使用的现成的内核和initrd。

1
2
apt install linux-image-kvm
# (不一定是这个,可以搜索安装当前base版本或更低版本的内核和header)

最后安装kdump,可以参考更详细的doc

1
2
3
apt install linux-crashdump kexec-tools crash
# linux-crashdump: 全套,按理说装这一个就可以,包含kdump-tools,kexec-tools
# crash: 分析工具,我建议宿主机装

安装过程中会问配置,自己选即可。

这是我的base系统最终apt list --installed的结果,供参考:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
adduser/focal,now 3.118ubuntu2 all [installed]
alsa-topology-conf/focal,now 1.2.2-1 all [installed,automatic]
alsa-ucm-conf/focal-updates,now 1.2.2-1ubuntu0.13 all [installed,automatic]
apport-symptoms/focal,now 0.23 all [installed,automatic]
apport/focal-updates,now 2.20.11-0ubuntu27.27 all [installed,automatic]
apt/focal-updates,now 2.0.10 amd64 [installed]
base-files/focal-updates,now 11ubuntu5.8 amd64 [installed]
base-passwd/focal,now 3.5.47 amd64 [installed]
bash-completion/focal,now 1:2.10-1ubuntu1 all [installed]
bash/focal-updates,focal-security,now 5.0-6ubuntu1.2 amd64 [installed]
binutils-common/focal-updates,focal-security,now 2.34-6ubuntu1.10 amd64 [installed,automatic]
binutils-x86-64-linux-gnu/focal-updates,focal-security,now 2.34-6ubuntu1.10 amd64 [installed,automatic]
binutils/focal-updates,focal-security,now 2.34-6ubuntu1.10 amd64 [installed,automatic]
bsdmainutils/focal,now 11.1.2ubuntu3 amd64 [installed,automatic]
bsdutils/focal-updates,focal-security,now 1:2.34-0.1ubuntu9.6 amd64 [installed]
busybox-initramfs/focal-updates,focal-security,now 1:1.30.1-4ubuntu6.5 amd64 [installed,automatic]
bzip2/focal,now 1.0.8-2 amd64 [installed]
ca-certificates/focal-updates,focal-security,now 20240203~20.04.1 all [installed,automatic]
coreutils/focal,now 8.30-3ubuntu2 amd64 [installed]
cpio/focal-updates,focal-security,now 2.13+dfsg-2ubuntu0.4 amd64 [installed,automatic]
crash/focal-updates,now 7.2.8-1ubuntu1.20.04.1 amd64 [installed,automatic]
dash/focal,now 0.5.10.2-6 amd64 [installed]
dbus/focal-updates,focal-security,now 1.12.16-2ubuntu2.3 amd64 [installed,automatic]
debconf/focal,now 1.5.73 all [installed]
debianutils/focal,now 4.9.1 amd64 [installed]
diffutils/focal,now 1:3.7-3 amd64 [installed]
distro-info-data/focal-updates,now 0.43ubuntu1.17 all [installed,automatic]
dmsetup/focal,now 2:1.02.167-1ubuntu1 amd64 [installed,automatic]
dpkg/focal-updates,focal-security,now 1.19.7ubuntu3.2 amd64 [installed]
e2fsprogs/focal-updates,now 1.45.5-2ubuntu1.2 amd64 [installed]
fdisk/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
file/focal,now 1:5.38-4 amd64 [installed,automatic]
findutils/focal,now 4.7.0-1ubuntu1 amd64 [installed]
gcc-10-base/focal-updates,focal-security,now 10.5.0-1ubuntu1~20.04 amd64 [installed]
gettext-base/focal,now 0.19.8.1-10build1 amd64 [installed,automatic]
gir1.2-glib-2.0/focal-updates,now 1.64.1-1~ubuntu20.04.1 amd64 [installed,automatic]
gpgv/focal-updates,focal-security,now 2.2.19-3ubuntu2.2 amd64 [installed]
grep/focal,now 3.4-1 amd64 [installed]
grub-common/focal-updates,now 2.04-1ubuntu26.17 amd64 [installed,automatic]
grub-gfxpayload-lists/focal,now 0.7 amd64 [installed,automatic]
grub-pc-bin/focal-updates,now 2.04-1ubuntu26.17 amd64 [installed,automatic]
grub-pc/focal-updates,now 2.04-1ubuntu26.17 amd64 [installed,automatic]
grub2-common/focal-updates,now 2.04-1ubuntu26.17 amd64 [installed,automatic]
gzip/focal-updates,focal-security,now 1.10-0ubuntu4.1 amd64 [installed]
hostname/focal,now 3.23 amd64 [installed]
init-system-helpers/focal,now 1.57 all [installed]
init/focal,now 1.57 amd64 [installed]
initramfs-tools-bin/focal-updates,now 0.136ubuntu6.7 amd64 [installed,automatic]
initramfs-tools-core/focal-updates,now 0.136ubuntu6.7 all [installed,automatic]
initramfs-tools/focal-updates,now 0.136ubuntu6.7 all [installed,automatic]
iputils-ping/focal-updates,now 3:20190709-3ubuntu1 amd64 [installed]
iso-codes/focal,now 4.4-1 all [installed,automatic]
kdump-tools/focal-updates,now 1:1.6.7-1ubuntu2.5 amd64 [installed]
kexec-tools/focal-updates,now 1:2.0.18-1ubuntu1.1 amd64 [installed]
klibc-utils/focal-updates,focal-security,now 2.0.7-1ubuntu5.2 amd64 [installed,automatic]
kmod/focal-updates,now 27-1ubuntu2.1 amd64 [installed,automatic]
libacl1/focal,now 2.2.53-6 amd64 [installed]
libapparmor1/focal-updates,focal-security,now 2.13.3-7ubuntu5.4 amd64 [installed,automatic]
libapt-pkg6.0/focal-updates,now 2.0.10 amd64 [installed]
libargon2-1/focal,now 0~20171227-0.2 amd64 [installed,automatic]
libasound2-data/focal-updates,now 1.2.2-2.1ubuntu2.5 all [installed,automatic]
libasound2/focal-updates,now 1.2.2-2.1ubuntu2.5 amd64 [installed,automatic]
libattr1/focal,now 1:2.4.48-5 amd64 [installed]
libaudit-common/focal,now 1:2.8.5-2ubuntu6 all [installed]
libaudit1/focal,now 1:2.8.5-2ubuntu6 amd64 [installed]
libbinutils/focal-updates,focal-security,now 2.34-6ubuntu1.10 amd64 [installed,automatic]
libblkid1/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
libbsd0/focal,now 0.10.0-1 amd64 [installed,automatic]
libbz2-1.0/focal,now 1.0.8-2 amd64 [installed]
libc-bin/focal-updates,focal-security,now 2.31-0ubuntu9.17 amd64 [installed]
libc6/focal-updates,focal-security,now 2.31-0ubuntu9.17 amd64 [installed]
libcanberra0/focal,now 0.30-7ubuntu1 amd64 [installed,automatic]
libcap-ng0/focal,now 0.7.9-2.1build1 amd64 [installed]
libcap2-bin/focal-updates,focal-security,now 1:2.32-1ubuntu0.2 amd64 [installed,automatic]
libcap2/focal-updates,focal-security,now 1:2.32-1ubuntu0.2 amd64 [installed,automatic]
libcom-err2/focal-updates,now 1.45.5-2ubuntu1.2 amd64 [installed]
libcrypt1/focal,now 1:4.4.10-10ubuntu4 amd64 [installed]
libcryptsetup12/focal-updates,focal-security,now 2:2.2.2-3ubuntu2.4 amd64 [installed,automatic]
libctf-nobfd0/focal-updates,focal-security,now 2.34-6ubuntu1.10 amd64 [installed,automatic]
libctf0/focal-updates,focal-security,now 2.34-6ubuntu1.10 amd64 [installed,automatic]
libdb5.3/focal,now 5.3.28+dfsg1-0.6ubuntu2 amd64 [installed]
libdbus-1-3/focal-updates,focal-security,now 1.12.16-2ubuntu2.3 amd64 [installed,automatic]
libdebconfclient0/focal,now 0.251ubuntu1 amd64 [installed]
libdevmapper1.02.1/focal,now 2:1.02.167-1ubuntu1 amd64 [installed,automatic]
libdw1/focal-updates,focal-security,now 0.176-1.1ubuntu0.1 amd64 [installed,automatic]
libefiboot1/focal-updates,now 37-2ubuntu2.2 amd64 [installed,automatic]
libefivar1/focal-updates,now 37-2ubuntu2.2 amd64 [installed,automatic]
libelf1/focal-updates,focal-security,now 0.176-1.1ubuntu0.1 amd64 [installed,automatic]
libexpat1/focal-updates,focal-security,now 2.2.9-1ubuntu0.8 amd64 [installed,automatic]
libext2fs2/focal-updates,now 1.45.5-2ubuntu1.2 amd64 [installed]
libfdisk1/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
libffi7/focal,now 3.3-4 amd64 [installed]
libfreetype6/focal-updates,focal-security,now 2.10.1-2ubuntu0.4 amd64 [installed,automatic]
libfuse2/focal,now 2.9.9-3 amd64 [installed,automatic]
libgcc-s1/focal-updates,focal-security,now 10.5.0-1ubuntu1~20.04 amd64 [installed]
libgcrypt20/focal-updates,focal-security,now 1.8.5-5ubuntu1.1 amd64 [installed]
libgdbm-compat4/focal,now 1.18.1-5 amd64 [installed,automatic]
libgdbm6/focal,now 1.18.1-5 amd64 [installed,automatic]
libgirepository-1.0-1/focal-updates,now 1.64.1-1~ubuntu20.04.1 amd64 [installed,automatic]
libglib2.0-0/focal-updates,focal-security,now 2.64.6-1~ubuntu20.04.8 amd64 [installed,automatic]
libglib2.0-data/focal-updates,focal-security,now 2.64.6-1~ubuntu20.04.8 all [installed,automatic]
libgmp10/focal-updates,focal-security,now 2:6.2.0+dfsg-4ubuntu0.1 amd64 [installed]
libgnutls30/focal-updates,focal-security,now 3.6.13-2ubuntu1.12 amd64 [installed]
libgpg-error0/focal,now 1.37-1 amd64 [installed]
libgpm2/focal,now 1.20.7-5 amd64 [installed,automatic]
libhogweed5/focal-updates,focal-security,now 3.5.1+really3.5.1-2ubuntu0.2 amd64 [installed]
libicu66/focal-updates,focal-security,now 66.1-2ubuntu2.1 amd64 [installed,automatic]
libidn2-0/focal,now 2.2.0-2 amd64 [installed]
libip4tc2/focal-updates,now 1.8.4-3ubuntu2.1 amd64 [installed,automatic]
libjson-c4/focal-updates,focal-security,now 0.13.1+dfsg-7ubuntu0.3 amd64 [installed,automatic]
libklibc/focal-updates,focal-security,now 2.0.7-1ubuntu5.2 amd64 [installed,automatic]
libkmod2/focal-updates,now 27-1ubuntu2.1 amd64 [installed,automatic]
libltdl7/focal,now 2.4.6-14 amd64 [installed,automatic]
liblz4-1/focal-updates,focal-security,now 1.9.2-2ubuntu0.20.04.1 amd64 [installed]
liblzma5/focal-updates,focal-security,now 5.2.4-1ubuntu1.1 amd64 [installed]
liblzo2-2/focal,now 2.10-2 amd64 [installed,automatic]
libmagic-mgc/focal,now 1:5.38-4 amd64 [installed,automatic]
libmagic1/focal,now 1:5.38-4 amd64 [installed,automatic]
libmount1/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
libmpdec2/focal,now 2.4.2-3 amd64 [installed,automatic]
libncurses6/focal-updates,focal-security,now 6.2-0ubuntu2.1 amd64 [installed]
libncursesw6/focal-updates,focal-security,now 6.2-0ubuntu2.1 amd64 [installed]
libnettle7/focal-updates,focal-security,now 3.5.1+really3.5.1-2ubuntu0.2 amd64 [installed]
libnss-systemd/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed,automatic]
libogg0/focal,now 1.3.4-0ubuntu1 amd64 [installed,automatic]
libp11-kit0/focal-updates,focal-security,now 0.23.20-1ubuntu0.1 amd64 [installed]
libpam-cap/focal-updates,focal-security,now 1:2.32-1ubuntu0.2 amd64 [installed,automatic]
libpam-modules-bin/focal-updates,focal-security,now 1.3.1-5ubuntu4.7 amd64 [installed]
libpam-modules/focal-updates,focal-security,now 1.3.1-5ubuntu4.7 amd64 [installed]
libpam-runtime/focal-updates,focal-security,now 1.3.1-5ubuntu4.7 all [installed]
libpam-systemd/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed,automatic]
libpam0g/focal-updates,focal-security,now 1.3.1-5ubuntu4.7 amd64 [installed]
libpcre2-8-0/focal-updates,focal-security,now 10.34-7ubuntu0.1 amd64 [installed]
libpcre3/focal-updates,focal-security,now 2:8.39-12ubuntu0.1 amd64 [installed]
libperl5.30/focal-updates,focal-security,now 5.30.0-9ubuntu0.5 amd64 [installed,automatic]
libpng16-16/focal,now 1.6.37-2 amd64 [installed,automatic]
libprocps8/focal-updates,focal-security,now 2:3.3.16-1ubuntu2.4 amd64 [installed]
libpython3-stdlib/focal,now 3.8.2-0ubuntu2 amd64 [installed,automatic]
libpython3.8-minimal/focal-updates,focal-security,now 3.8.10-0ubuntu1~20.04.17 amd64 [installed,automatic]
libpython3.8-stdlib/focal-updates,focal-security,now 3.8.10-0ubuntu1~20.04.17 amd64 [installed,automatic]
libpython3.8/focal-updates,focal-security,now 3.8.10-0ubuntu1~20.04.17 amd64 [installed,automatic]
libreadline8/focal,now 8.0-4 amd64 [installed,automatic]
libseccomp2/focal-updates,focal-security,now 2.5.1-1ubuntu1~20.04.2 amd64 [installed]
libselinux1/focal,now 3.0-1build2 amd64 [installed]
libsemanage-common/focal,now 3.0-1build2 all [installed]
libsemanage1/focal,now 3.0-1build2 amd64 [installed]
libsepol1/focal-updates,focal-security,now 3.0-1ubuntu0.1 amd64 [installed]
libsmartcols1/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
libsnappy1v5/focal,now 1.1.8-1build1 amd64 [installed,automatic]
libsqlite3-0/focal-updates,focal-security,now 3.31.1-4ubuntu0.6 amd64 [installed,automatic]
libss2/focal-updates,now 1.45.5-2ubuntu1.2 amd64 [installed]
libssl1.1/focal-updates,focal-security,now 1.1.1f-1ubuntu2.24 amd64 [installed,automatic]
libstdc++6/focal-updates,focal-security,now 10.5.0-1ubuntu1~20.04 amd64 [installed]
libsystemd0/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed]
libtasn1-6/focal-updates,focal-security,now 4.16.0-2ubuntu0.1 amd64 [installed]
libtdb1/focal-updates,focal-security,now 1.4.5-0ubuntu0.20.04.1 amd64 [installed,automatic]
libtinfo6/focal-updates,focal-security,now 6.2-0ubuntu2.1 amd64 [installed]
libudev1/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed]
libunistring2/focal,now 0.9.10-2 amd64 [installed]
libuuid1/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
libvorbis0a/focal,now 1.3.6-2ubuntu1 amd64 [installed,automatic]
libvorbisfile3/focal,now 1.3.6-2ubuntu1 amd64 [installed,automatic]
libxml2/focal-updates,focal-security,now 2.9.10+dfsg-5ubuntu0.20.04.9 amd64 [installed,automatic]
libzstd1/focal-updates,focal-security,now 1.4.4+dfsg-3ubuntu0.1 amd64 [installed]
linux-base/focal-updates,now 4.5ubuntu3.7 all [installed,automatic]
linux-crashdump/focal-updates,focal-security,now 5.4.0.208.204 amd64 [installed]
linux-image-5.4.0-1127-kvm/focal-updates,focal-security,now 5.4.0-1127.136 amd64 [installed,automatic]
linux-modules-5.4.0-1127-kvm/focal-updates,focal-security,now 5.4.0-1127.136 amd64 [installed,automatic]
locales/focal-updates,focal-security,now 2.31-0ubuntu9.17 all [installed]
login/focal-updates,focal-security,now 1:4.8.1-1ubuntu5.20.04.5 amd64 [installed]
logsave/focal-updates,now 1.45.5-2ubuntu1.2 amd64 [installed]
lsb-base/focal,now 11.1.0ubuntu2 all [installed]
lsb-release/focal,now 11.1.0ubuntu2 all [installed,automatic]
lz4/focal-updates,focal-security,now 1.9.2-2ubuntu0.20.04.1 amd64 [installed,automatic]
makedumpfile/focal-updates,now 1:1.6.7-1ubuntu2.5 amd64 [installed,automatic]
mawk/focal,now 1.3.4.20200120-2 amd64 [installed]
mime-support/focal,now 3.64ubuntu1 all [installed,automatic]
mount/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
ncurses-base/focal-updates,focal-security,now 6.2-0ubuntu2.1 all [installed]
ncurses-bin/focal-updates,focal-security,now 6.2-0ubuntu2.1 amd64 [installed]
netbase/focal,now 6.1 all [installed,automatic]
networkd-dispatcher/focal-updates,focal-security,now 2.1-2~ubuntu20.04.3 all [installed,automatic]
openssl/focal-updates,focal-security,now 1.1.1f-1ubuntu2.24 amd64 [installed,automatic]
os-prober/focal,now 1.74ubuntu2 amd64 [installed,automatic]
passwd/focal-updates,focal-security,now 1:4.8.1-1ubuntu5.20.04.5 amd64 [installed]
perl-base/focal-updates,focal-security,now 5.30.0-9ubuntu0.5 amd64 [installed]
perl-modules-5.30/focal-updates,focal-security,now 5.30.0-9ubuntu0.5 all [installed,automatic]
perl/focal-updates,focal-security,now 5.30.0-9ubuntu0.5 amd64 [installed,automatic]
procps/focal-updates,focal-security,now 2:3.3.16-1ubuntu2.4 amd64 [installed]
python-apt-common/focal-updates,now 2.0.1ubuntu0.20.04.1 all [installed,automatic]
python3-apport/focal-updates,now 2.20.11-0ubuntu27.27 all [installed,automatic]
python3-apt/focal-updates,now 2.0.1ubuntu0.20.04.1 amd64 [installed,automatic]
python3-blinker/focal,now 1.4+dfsg1-0.3ubuntu1 all [installed,automatic]
python3-certifi/focal,now 2019.11.28-1 all [installed,automatic]
python3-cffi-backend/focal,now 1.14.0-1build1 amd64 [installed,automatic]
python3-chardet/focal,now 3.0.4-4build1 all [installed,automatic]
python3-cryptography/focal-updates,focal-security,now 2.8-3ubuntu0.3 amd64 [installed,automatic]
python3-dbus/focal,now 1.2.16-1build1 amd64 [installed,automatic]
python3-distro/focal,now 1.4.0-1 all [installed,automatic]
python3-entrypoints/focal,now 0.3-2ubuntu1 all [installed,automatic]
python3-gi/focal,now 3.36.0-1 amd64 [installed,automatic]
python3-httplib2/focal,now 0.14.0-1ubuntu1 all [installed,automatic]
python3-idna/focal-updates,focal-security,now 2.8-1ubuntu0.1 all [installed,automatic]
python3-jwt/focal-updates,focal-security,now 1.7.1-2ubuntu2.1 all [installed,automatic]
python3-keyring/focal,now 18.0.1-2ubuntu1 all [installed,automatic]
python3-launchpadlib/focal,now 1.10.13-1 all [installed,automatic]
python3-lazr.restfulclient/focal,now 0.14.2-2build1 all [installed,automatic]
python3-lazr.uri/focal,now 1.0.3-4build1 all [installed,automatic]
python3-minimal/focal,now 3.8.2-0ubuntu2 amd64 [installed,automatic]
python3-oauthlib/focal,now 3.1.0-1ubuntu2 all [installed,automatic]
python3-pkg-resources/focal-updates,focal-security,now 45.2.0-1ubuntu0.2 all [installed,automatic]
python3-problem-report/focal-updates,now 2.20.11-0ubuntu27.27 all [installed,automatic]
python3-requests-unixsocket/focal,now 0.2.0-2 all [installed,automatic]
python3-requests/focal-updates,focal-security,now 2.22.0-2ubuntu1.1 all [installed,automatic]
python3-secretstorage/focal,now 2.3.1-2ubuntu1 all [installed,automatic]
python3-simplejson/focal,now 3.16.0-2ubuntu2 amd64 [installed,automatic]
python3-six/focal,now 1.14.0-2 all [installed,automatic]
python3-systemd/focal,now 234-3build2 amd64 [installed,automatic]
python3-urllib3/focal-updates,focal-security,now 1.25.8-2ubuntu0.4 all [installed,automatic]
python3-wadllib/focal,now 1.3.3-3build1 all [installed,automatic]
python3.8-minimal/focal-updates,focal-security,now 3.8.10-0ubuntu1~20.04.17 amd64 [installed,automatic]
python3.8/focal-updates,focal-security,now 3.8.10-0ubuntu1~20.04.17 amd64 [installed,automatic]
python3/focal,now 3.8.2-0ubuntu2 amd64 [installed,automatic]
readline-common/focal,now 8.0-4 all [installed,automatic]
sed/focal,now 4.7-1 amd64 [installed]
sensible-utils/focal,now 0.0.12+nmu1 all [installed]
shared-mime-info/focal,now 1.15-1 amd64 [installed,automatic]
sound-theme-freedesktop/focal,now 0.8-2ubuntu1 all [installed,automatic]
systemd-sysv/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed,automatic]
systemd-timesyncd/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed,automatic]
systemd/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed]
sysvinit-utils/focal,now 2.96-2.1ubuntu1 amd64 [installed]
tar/focal-updates,focal-security,now 1.30+dfsg-7ubuntu0.20.04.4 amd64 [installed]
tzdata/focal-updates,focal-security,now 2024b-0ubuntu0.20.04.1 all [installed,automatic]
ubuntu-keyring/focal-updates,now 2020.02.11.4 all [installed]
ucf/focal,now 3.0038+nmu1 all [installed,automatic]
udev/focal-updates,now 245.4-4ubuntu3.24 amd64 [installed,automatic]
util-linux/focal-updates,focal-security,now 2.34-0.1ubuntu9.6 amd64 [installed]
vim-common/focal-updates,focal-security,now 2:8.1.2269-1ubuntu5.31 all [installed,automatic]
vim-runtime/focal-updates,focal-security,now 2:8.1.2269-1ubuntu5.31 all [installed,automatic]
vim/focal-updates,focal-security,now 2:8.1.2269-1ubuntu5.31 amd64 [installed]
xdg-user-dirs/focal,now 0.17-2ubuntu1 amd64 [installed,automatic]
xxd/focal-updates,focal-security,now 2:8.1.2269-1ubuntu5.31 amd64 [installed,automatic]
xz-utils/focal-updates,focal-security,now 5.2.4-1ubuntu1.1 amd64 [installed,automatic]
zlib1g/focal-updates,focal-security,now 1:1.2.11.dfsg-2ubuntu1.5 amd64 [installed]

3. kdump

umount后qemu启动进去。我的qemu的启动脚本如下:

1
2
3
4
5
6
7
8
9
10
qemu-system-x86_64 -m 1G\
	-append "nokaslr console=ttyS0 root=/dev/sda earlyprintk=serial rw loglevel=8 crashkernel=256M" \
	-kernel linux-6.13.7/arch/x86/boot/bzImage \
    -drive file=newrootfs.img,format=raw \
	-nographic \
    -smp 1 \
    -enable-kvm \
    -netdev user,id=mynic0 -device e1000,netdev=mynic0,mac=52:54:98:76:54:32 \
    -pidfile vm.pid \
    2>&1 | tee vm.log

其中,kexec要想运行,内核参数需要传入crashkernel。同时要提供rw参数让系统能够写入镜像。如果一切顺利,你这时会在systemd的启动日志中看到kdump相关的输出,当然这里我们还没有配置所以应该是失败。

kdump默认会从/var/lib/kdump目录下面查找initrd和vmlinuz符号链接,我们用qemu起的内核当然是没有的。其配置文件位于/etc/default/kdump-tools,只需要编辑这个文件修改路径即可。刚刚chroot的时候copy内核vmlinuz和initrd进去,并在配置文件中指明他们的路径。你也可以配置自己的makedumpfile和kexec参数。

kdump提供了命令kdump-config,用status或者show可以看到一些信息。如果是ready to kdump,那么就可以尝试用echo c > /proc/sysrq-trigger触发内核崩溃了。在我用的ubuntubase上这个默认是开启的,如果没有开启可以自行查找开启方法,写一个1就行。一切顺利的话,kdump会自动触发内核重启,并在/var/crash下留下一个以时间命名的文件夹,里面包含有dmesg和压缩后的内核的内存转储(默认是只保留内核空间正在使用的页框)。然后用crash选定带调试信息的内核(也就是qemu启动参数指定的内核,选根目录的vmlinux),就可以查看转储分析了。

总结

这次从0开始,相当于是借助qemu从0搭了个linux机器。中间遇到各种各样的问题,包括systemd的服务报错,机器关不了,崩溃了不重启,停在initramfs进不去,vmcore有了分析不了一直报错等等…留个归档

CATALOG
  1. 1. 1. Kernel
    1. 1.1. 主内核,即启动加载的内核
    2. 1.2. 需要注意的是…
  2. 2. 2. 文件镜像
    1. 2.1. 相关的配置
  3. 3. 3. kdump
  4. 4. 总结
Total : 66
2025
2024
2023
awdp pwn wp 算法 linux Android 逆向 awd php chop heap CSAPP Lab Develop go rust basic Windows CVE protobuf FSOP kernel llvm Rust vm shellcode sandbox Others 前端 IDA 编译 ROP web hvv kdump fuzz fuzzing
pwn linux CSAPP Reverse Develop pwn others Web kernel Exploits Exploit