Setting up the BitBlaze environment: compiling and installing TEMU/Tracecap

Copyright notice: this is the blogger's original article; reproduction without the blogger's permission is prohibited. https://blog.csdn.net/youkawa/article/details/23661637

Compiling and installing

Following the official how-to and the patches posted on the Google group, I compiled TEMU on both 32-bit and 64-bit Ubuntu 12.04 LTS. The build steps are as follows:


# Things that require root access are preceded with "sudo".

# This script will build TEMU in a "$HOME/bitblaze" directory,
# assuming that temu-1.0.tar.gz is in /tmp.
cd ~
mkdir bitblaze
cd bitblaze

# TEMU is based on QEMU. It's useful to have a vanilla QEMU for testing
# and image development:
sudo apt-get install qemu
# Stuff needed to compile QEMU/TEMU:
sudo apt-get build-dep qemu

# The KQEMU accelerator is not required for TEMU to work, but it can
# be useful to run VMs faster when you aren't taking traces.

# The following commands would build a kqemu module compatible with
# your system QEMU, but in Ubuntu 9.04 that would be too new to work
# with TEMU.
# sudo apt-get install kqemu-common kqemu-source
# sudo apt-get install module-assistant
# sudo module-assistant -t auto-install kqemu


# For the BFD library:
sudo apt-get install binutils-dev

wget http://bitblaze.cs.berkeley.edu/release/temu-1.0/temu-1.0.tar.gz
tar xvzf temu-1.0.tar.gz
cd temu-1.0
# The gcc4 patch from the Google group is assumed to be in ~/bitblaze.
patch -p0 <../temu-release2009-gcc4.patch
./configure --target-list=i386-softmmu --proj-name=sample_plugin --prefix=$(pwd)/install --disable-gcc-check
make

make install

/*********************************************************************************************************

At the make install step the following error is reported:
error("make[1]: no rule to make target install; make *** [install] 
error 2 "). 

This is simply because the Makefile has no install target. The error can be ignored, or you can add an empty install target (one that does nothing).

This "error" can be safely ignored: it just results because there's no 
"install" target in the Tracecap Makefile. Note it's our suggestion to 
just run TEMU from the build directory in any case. 

If the presence of the error still bothers you, you can make it go 
away by adding an empty "install" target to the Makefile, as in the 
appended patch. 


Adding an empty install target to the Makefile:

/****************************************************************************************************************
--- tracecap/Makefile.orig         2013-03-27 09:34:51.810366503 -0500 
+++ tracecap/Makefile        2013- 03-27 09:35:30.863017131 -0500 

 clean: 
         rm -f *.o  *.so *.a *~ $(PLUGIN) ../shared/*.o ../shared/hooks/*.o *.d ../*.d ../shared/*d ../shared/*/*.d ini/main.ini 
  
+install: 
+        @# Unsupported, nothing to do. Just run from this directory. 

 # Include automatically generated dependency files 
 -include $(wildcard *.d ../*.d ../shared/*d ../shared/*/*.d) 
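Review bot: the new "install:" target in this hunk is not declared phony, so a file or directory named "install" inside tracecap/ would make "make install" report the target as up to date instead of running the recipe; add a ".PHONY: install" line next to it. The recipe line "@# Unsupported, nothing to do. Just run from this directory." also has to start with a literal tab character: if the patch is applied from a copy that turned that tab into spaces, GNU make fails with "missing separator", so apply it from the original attachment or re-indent the line with a tab.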

**********************************************************************************************************************/



Next, you can download the additional source-code release and merge 
its updated files (including Tracecap source) into your TEMU tree: 

cd .. 
wget http://bitblaze.cs.berkeley.edu/release/additional/bitblaze-additional-2010-06.tar.gz
tar xvzf bitblaze-additional-2010-06.tar.gz
mv bitblaze bitblaze-additional-2010-06
cd temu-1.0
rsync -rav ../bitblaze-additional-2010-06/temu/ .

Tracecap further depends on two open-source libraries, Sleuthkit and 
llconf. For Sleuthkit, we download version 2.04 and apply a patch that 
comes with the additional source-code release. We also need to fix two 
more build problems that post-date that release, namely that Sleuthkit 
doesn't know that Linux 3.x is compatible with Linux 2.x, and a name 
conflict related to its endian.h header, which are handled by another 
attached patch: 

cd shared 
mv sleuthkit/sleuthkit-2.04.patch . 
rmdir sleuthkit 
# Download sleuthkit-2.04.tar.gz from
# http://sourceforge.net/projects/sleuthkit/files/sleuthkit/2.04/
tar xvzf sleuthkit-2.04.tar.gz
cd sleuthkit-2.04
patch -p1 <../sleuthkit-2.04.patch
# The linux3/endian.h patch from the Google group is assumed to be in ~/bitblaze.
patch -p0 <../../../sleuthkit-linux3.patch

make 

/*********************************************************************************************

The following error may appear after running make:

afflib_i.h:60:26: fatal error: openssl/rand.h: No such file or directory
compilation terminated.
make: *** [aff_db.o] Error 1
make: *** [no-perl] Error 2

Fix:

sudo apt-get install libssl-dev

***************************************************************************************************/

cd .. 

ln -s sleuthkit-2.04 sleuthkit 


Then llconf is a little bit easier, but you need to add the -fPIC 
option to enable linking it into Tracecap's shared library on 64-bit: 

wget http://llconf.googlecode.com/files/llconf-0.4.6.tar.gz
tar xvzf llconf-0.4.6.tar.gz 
cd llconf-0.4.6 
CFLAGS="-fPIC" ./configure --prefix=$(pwd)/install 
make 
make install 
cd .. 
ln -s llconf-0.4.6 llconf 
cd .. 

Then you can reconfigure TEMU and compile with Tracecap as the plugin: 

./configure --target-list=i386-softmmu --proj-name=tracecap --prefix=$(pwd)/install --disable-gcc-check 
make clean 
make 
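Before starting TEMU it is worth confirming that the steps above actually produced everything Tracecap needs. The following POSIX shell script is an added check of my own, not part of the BitBlaze release or of the original how-to: it verifies the layout the steps assume (temu-1.0/tracecap/tracecap.so, the shared/sleuthkit -> sleuthkit-2.04 and shared/llconf -> llconf-0.4.6 symlinks, and llconf's install/ prefix), and it checks that the openssl/rand.h header whose absence breaks the Sleuthkit build is present. The directory and file names come from this page; the function names are assumptions of this script.

```shell
#!/bin/sh
# Added sanity check for a TEMU 1.0 tree built with Tracecap as on this page.
# Not part of the BitBlaze release; function names are this script's own.

# Record one missing artifact on stderr and count it.
fail() {
    echo "MISSING: $1" >&2
    failures=$((failures + 1))
}

# check_temu_tree DIR: returns 0 when every artifact the build should have
# produced exists under DIR (a temu-1.0 directory), 1 otherwise.
check_temu_tree() {
    tree=$1
    failures=0

    # The plugin that "load_plugin tracecap/tracecap.so" expects.
    [ -f "$tree/tracecap/tracecap.so" ] || fail "$tree/tracecap/tracecap.so"

    # The two library symlinks created under shared/ by the steps above.
    for link in sleuthkit:sleuthkit-2.04 llconf:llconf-0.4.6; do
        name=${link%%:*}
        target=${link#*:}
        if [ ! -L "$tree/shared/$name" ]; then
            fail "$tree/shared/$name (symlink)"
        elif [ "$(readlink "$tree/shared/$name")" != "$target" ]; then
            fail "$tree/shared/$name -> $target (symlink points elsewhere)"
        fi
    done

    # llconf was configured with --prefix=$(pwd)/install, so its library and
    # headers must be under llconf-0.4.6/install.
    [ -d "$tree/shared/llconf-0.4.6/install/lib" ] || fail "$tree/shared/llconf-0.4.6/install/lib"
    [ -d "$tree/shared/llconf-0.4.6/install/include" ] || fail "$tree/shared/llconf-0.4.6/install/include"

    [ "$failures" -eq 0 ]
}

# check_openssl_headers [INCDIR]: the Sleuthkit make fails with
# "openssl/rand.h: No such file or directory" unless libssl-dev is installed.
# Returns 0 when the header is present (INCDIR defaults to /usr/include).
check_openssl_headers() {
    incdir=${1:-/usr/include}
    [ -f "$incdir/openssl/rand.h" ]
}

# Usage: sh check_temu_tree.sh ~/bitblaze/temu-1.0
if [ -n "$1" ]; then
    check_openssl_headers || echo "openssl/rand.h not found: sudo apt-get install libssl-dev" >&2
    if check_temu_tree "$1"; then
        echo "TEMU/Tracecap tree at $1 looks complete"
    else
        exit 1
    fi
fi
```

Run it with the path of the temu-1.0 directory as its only argument; each missing item is listed on stderr and the exit status is non-zero, which makes it usable as a gate in a build script before the ./configure ... --proj-name=tracecap step is considered done.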


Usage (steps for generating a .trace file)

(1) ./tracecap/temu -monitor stdio /home/zqc/WM_OS/windows.img   // start TEMU and load the guest OS
(2) load_plugin tracecap/tracecap.so   // load the tracecap plugin
(3) enable_emulation   // enable emulation
(4) guest_ps   // list the processes in the guest XP system (including their PIDs)
(5) trace PID "/home/zqc/foo.trace"   // trace the process (foo.exe) by its PID; the argument that follows is the path of the file the trace is written to
(6) taint_sendkey 5 1001   // send the input key 5 to the process in the guest OS
(7) taint_sendkey ret 1001   // send the Enter key to the process in the guest OS
(8) trace_stop   // stop tracing
(9) unload_plugin   // unload the plugin



References:
http://bitblaze.cs.berkeley.edu/release/temu-1.0/howto.html
https://groups.google.com/forum/#!topic/bitblaze-users/QdoY9l8D-ho
