

Following the official manual and the patches posted on the Google Groups forum, I built TEMU on both 32-bit and 64-bit Ubuntu 12.04 LTS. The build steps are as follows:

# Things that require root access are preceded with "sudo".

# This script will build TEMU in a "$HOME/bitblaze" directory,
# assuming that temu-1.0.tar.gz is in /tmp.
cd ~
mkdir bitblaze
cd bitblaze

# TEMU is based on QEMU. It's useful to have a vanilla QEMU for testing
# and image development:
sudo apt-get install qemu
# Stuff needed to compile QEMU/TEMU:
sudo apt-get build-dep qemu

# The KQEMU accelerator is not required for TEMU to work, but it can
# be useful to run VMs faster when you aren't taking traces.

# The following commands would build a kqemu module compatible with
# your system QEMU, but in Ubuntu 9.04 that would be too new to work
# with TEMU.
# sudo apt-get install kqemu-common kqemu-source
# sudo apt-get install module-assistant
# sudo module-assistant -t auto-install kqemu

# For the BFD library:
sudo apt-get install binutils-dev

tar xvzf temu-1.0.tar.gz 
cd temu-1.0 
patch -p0 <../temu-release2009-gcc4.patch 
./configure --target-list=i386-softmmu --proj-name=sample_plugin --prefix=$(pwd)/install --disable-gcc-check 

make install 


At the make install step, make reports the following error:
make[1]: *** No rule to make target `install'.  Stop.
make: *** [install] Error 2


This "error" can be safely ignored: it just results because there's no 
"install" target in the Tracecap Makefile. Note it's our suggestion to 
just run TEMU from the build directory in any case. 

If the presence of the error still bothers you, you can make it go 
away by adding an empty "install" target to the Makefile, as in the 
appended patch. 


--- tracecap/Makefile.orig        2013-03-27 09:34:51.810366503 -0500 
+++ tracecap/Makefile        2013-03-27 09:35:30.863017131 -0500 

         rm -f *.o  *.so *.a *~ $(PLUGIN) ../shared/*.o ../shared/hooks/*.o *.d ../*.d ../shared/*d ../shared/*/*.d ini/main.ini 
+        @# Unsupported, nothing to do. Just run from this directory. 

 # Include automatically generated dependency files 
 -include $(wildcard *.d ../*.d ../shared/*d ../shared/*/*.d) 
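Review bot: the hunk as shown carries no `@@` header and no `+install:` target line, so the single added recipe line `@# Unsupported, nothing to do. Just run from this directory.` sits directly under the `rm -f ...` recipe of the preceding target and, applied in this form, would only append a no-op line to that target instead of creating the `install` target the text promises. Suggest keeping the `install:` rule line immediately above the comment line, declaring it `.PHONY: install` since it produces no file, and making sure the recipe line starts with a literal tab (GNU make rejects space-indented recipes with "missing separator"), which pasting from a web page silently loses.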


Next, you can download the additional source-code release and merge 
its updated files (including Tracecap source) into your TEMU tree: 

cd .. 
tar xvzf bitblaze-additional-2010-06.tar.gz 
mv bitblaze bitblaze-additional-2010-06 
cd temu-1.0 
rsync -rav ../bitblaze-additional-2010-06/temu/ . 

Tracecap further depends on two open-source libraries, Sleuthkit and 
llconf. For Sleuthkit, we download version 2.04 and apply a patch that 
comes with the additional source-code release. We also need to fix two 
more build problems that post-date that release, namely that Sleuthkit 
doesn't know that Linux 3.x is compatible with Linux 2.x, and a name 
conflict related to its endian.h header, which are handled by another 
attached patch: 

cd shared 
mv sleuthkit/sleuthkit-2.04.patch . 
rmdir sleuthkit 
# Download sleuthkit-2.04.tar.gz from 
tar xvzf sleuthkit-2.04.tar.gz 
cd sleuthkit-2.04 
patch -p1 <../sleuthkit-2.04.patch 
patch -p0 <../../../sleuthkit-linux3.patch 




When Sleuthkit is then configured and built, the bundled AFFLIB fails to compile because the OpenSSL headers are not installed:

afflib_i.h:60:26: fatal error: openssl/rand.h: No such file or directory
compilation terminated.
make: *** [aff_db.o] Error 1
make: *** [no-perl] Error 2

Install the OpenSSL development package and rerun the Sleuthkit build:

sudo apt-get install libssl-dev


cd .. 

ln -s sleuthkit-2.04 sleuthkit 

Then llconf is a little bit easier, but you need to add the -fPIC 
option to enable linking it into Tracecap's shared library on 64-bit: 

tar xvzf llconf-0.4.6.tar.gz 
cd llconf-0.4.6 
CFLAGS="-fPIC" ./configure --prefix=$(pwd)/install 
make install 
cd .. 
ln -s llconf-0.4.6 llconf 
cd .. 

Then you can reconfigure TEMU and compile with Tracecap as the plugin: 

./configure --target-list=i386-softmmu --proj-name=tracecap --prefix=$(pwd)/install --disable-gcc-check 
make clean 
make    # rebuild with Tracecap as the plugin; the binary ends up at tracecap/temu


Once the build finishes, a trace session in the TEMU monitor looks like this (the guest here is a Windows XP image):

(1) ./tracecap/temu -monitor stdio /home/zqc/WM_OS/windows.img   // start TEMU with the monitor on stdio and boot the guest OS
(2) load_plugin tracecap/            // load the Tracecap plugin
(3) enable_emulation                 // switch on emulation
(4) guest_ps                         // list the processes in the guest XP system (including their PIDs)
(5) trace PID "/home/zqc/foo.trace"  // trace the process (foo.exe) identified by PID; the second argument is the file the trace is written to
(6) taint_sendkey 5 1001             // send the key "5" to the guest process as tainted input
(7) taint_sendkey ret 1001           // send the Enter key to the guest process
(8) trace_stop                       // stop tracing
(9) unload_plugin                    // unload the plugin
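The monitor session above is typed by hand, and the only step that cannot be scripted blindly is reading the PID out of guest_ps. The script below is an added example for this post, not code from the original post or from the BitBlaze/TEMU project: it looks up a process name in captured guest_ps output, validates the arguments, and emits the monitor commands in the order Tracecap needs them (plugin loaded and emulation enabled before trace, tainted keystrokes while the trace runs, trace_stop before unload_plugin), optionally feeding them to temu on its stdio monitor. Everything about the guest_ps column layout (PID first, image name last), the plugin file name tracecap/tracecap.so, the GUEST_PS_OUTPUT and TAINT_ORIGIN variables and the sample process list is an assumption made for the example.

```sh
#!/bin/sh
# Added example for this post; not code from the original post or from the
# BitBlaze/TEMU project. Assumptions (verify against your own build):
#  - guest_ps prints one process per line, PID in the first column and the
#    image name in the last column;
#  - the plugin is loaded as tracecap/tracecap.so;
#  - TEMU is started as ./tracecap/temu -monitor stdio <disk image>.

# Constructed guest_ps output for the offline demo (not a real dump).
SAMPLE_PS='PID  CR3        NAME
4    0x00039000 System
568  0x03b4a000 smss.exe
1240 0x04a12000 explorer.exe
1748 0x0512c000 foo.exe'

# pid_of NAME: read guest_ps output on stdin and print the PID of the first
# process whose image name equals NAME (case-insensitive). Prints nothing when
# there is no such process, so callers must check for an empty result.
pid_of() {
    awk -v want="$1" 'tolower($NF) == tolower(want) { print $1; exit }'
}

# session_commands PID TRACE_PATH [KEY...]: emit the monitor commands in the
# order Tracecap needs them: plugin loaded and emulation enabled before
# "trace", tainted keystrokes only while the trace is running, trace stopped
# before the plugin is unloaded. The taint origin id defaults to 1001 as in
# the post; TAINT_ORIGIN (assumed name) overrides it.
session_commands() {
    pid=$1
    out=$2
    case "$pid" in
        ''|*[!0-9]*) echo "session_commands: PID must be numeric, got '$pid'" >&2; return 1 ;;
    esac
    case "$out" in
        /*) ;;
        *) echo "session_commands: trace path must be absolute, got '$out'" >&2; return 1 ;;
    esac
    shift 2
    printf '%s\n' 'load_plugin tracecap/tracecap.so' 'enable_emulation'
    # The path is quoted exactly as in the post's trace PID "/path/foo.trace".
    printf 'trace %s "%s"\n' "$pid" "$out"
    for key in "$@"; do
        printf 'taint_sendkey %s %s\n' "$key" "${TAINT_ORIGIN:-1001}"
    done
    printf '%s\n' 'trace_stop' 'unload_plugin'
}

# run_trace IMAGE NAME TRACE_PATH [KEY...]: resolve NAME against
# GUEST_PS_OUTPUT (assumed variable holding output captured from an earlier
# interactive guest_ps; the constructed sample is used when it is unset) and
# drive TEMU with the generated command list. Only talks to temu if the
# binary from the build above exists; otherwise it just prints the session.
run_trace() {
    image=$1; name=$2; out=$3; shift 3
    pid=$(printf '%s\n' "${GUEST_PS_OUTPUT:-$SAMPLE_PS}" | pid_of "$name")
    if [ -z "$pid" ]; then
        echo "run_trace: no guest process named $name" >&2
        return 1
    fi
    if [ ! -x ./tracecap/temu ]; then
        echo "run_trace: ./tracecap/temu not found, printing the session only" >&2
        session_commands "$pid" "$out" "$@"
        return 0
    fi
    session_commands "$pid" "$out" "$@" | ./tracecap/temu -monitor stdio "$image"
}

# Stand-alone demo: print the session that would be sent for foo.exe.
run_trace windows.img foo.exe /tmp/foo.trace 5 ret
```

Driving the monitor from a pipe only makes sense when the guest is already in the state the PID was read from (for example the process is still running from the guest_ps session you captured), because the commands are consumed as soon as temu starts; for a fresh boot the interactive sequence in the post remains the practical way, and the generator mainly helps when the same trace has to be repeated.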
