Chikimonki/vivisect-v2
GitHub: Chikimonki/vivisect-v2
A zero-budget Linux kernel research and runtime analysis platform built on Docker and Lua, integrating dynamic instrumentation, memory dumping, and offensive/defensive techniques such as eBPF and UEFI implants.
Stars: 0 | Forks: 0
# VIVISECT v2.0
**Zero-budget Linux kernel research and runtime analysis platform.**
Explore kernel complexity through CVE-driven test generation, live interaction, Lua-based dynamic instrumentation, memory dumping/unpacking, eBPF, UEFI/Zig implants, and C2 scaffolding. Built entirely on WSL2 + Docker Desktop.
## Core Strengths
The Lua runtime analysis layer (`vivisect.lua`, `run_all_validators.lua`, `memfd_exec.lua`, memory dumps, tracing) is the most fully developed part of the project. It observes kernel behavior live at runtime instead of guessing from static analysis.
Video demo: https://youtu.be/hUZ9JTGYeQo
## Directory Highlights
(See `Repo_Structure.txt`, `Final_Structure.txt`, `tree.txt`)
- `kernel/` + `run_all_validators.lua` – validation suite
- `vivisect.lua`, `*.lua` – dynamic instrumentation and tracing
- `dumps/` – live memory captures, OEP dumps, unpacking artifacts
- `ebpf_rootkit/`, `uefi_implant/`, `chapter2_implant.zig` – multi-layer implants
- `neural/`, `web/`, `c2/` – auxiliary analysis and infrastructure
- `docker/`, `Dockerfile`, `deploy.sh` – reproducible environment
## Docker Quick Start
```
docker build -t vivisect:v2 .
docker run --rm -it --privileged -v $(pwd):/vivisect vivisect:v2
# Inside: ./run_all_validators.lua 2>&1 | tee validator_run.log
```
# Lessons Learned – VIVISECT v2.0
**Author:** Chikimonki - An INTP systems explorer
**Date:** April 2026
**Budget:** $0
### What Was Achieved
- End-to-end pipeline: CVE parsing → synthetic payload generation (1024-byte owner patterns) → live kernel service interaction (NFSd 2049, io_uring, futex) → runtime classification.
- Strong runtime analysis capability via Lua scripting + targeted memory dumping (`live_dump.bin`, `oep_dump.bin`, `unpacked_fast.bin`) + tracing.
- Broad surface coverage (kernel, eBPF rootkits, UEFI implants, Zig payloads, neural components, web dashboard) in a single coherent project.
- Docker integration completed with zero cost using only open tools.
### Hard Truths
The three "VULNERABLE" flags from the earlier run indicate the test harness successfully exercised code paths and received observable kernel responses. They do **not** constitute proof of reliable exploits against a modern hardened kernel. The gap between "triggered behavior" and "bypassing all mitigations + reliable primitive" remains large and requires deep, experience-based knowledge that cannot be fully automated or LLM-generated.
ksmbd tests failing with "module not found" is purely environmental — Microsoft's WSL kernel deliberately omits it. This is a meta-lesson: kernel `.config`, loaded modules, and build choices often dominate results more than validator logic.
### Key Intellectual Insights
1. LLMs are excellent at maintaining momentum, generating scaffolding across languages (Lua, Zig, C, shell), and suggesting creative connections. They are poor substitutes for the tactile feedback of actually running code against a live kernel.
2. Runtime observation (your Lua + dump infrastructure) beats pure static analysis for learning. The `trace.txt`, `real_output.txt`, and binary dumps contain the real signal.
3. The scope breadth vs. depth trade-off is real. The project contains many valuable threads. Future iterations benefit from declaring a primary axis (e.g. "Runtime Kernel Analysis via Lua") and treating implants/C2/neural pieces as satellite experiments.
4. The Linux kernel really does have Perl-like surprises ("more than one way to do it"). The validation suite exposed some of them in a controlled way.
5. Docker + privileged containers + volume mounts give excellent reproducibility for userspace tooling and tracing, even if the kernel itself is shared with WSL.
### Recommended Way Forward
- Capture fresh output from `./run_all_validators.lua` inside Docker.
- Mine the resulting logs/dumps for deeper patterns.
- Add Linux kernel selftests (`tools/testing/selftests`) and LKDTM (Linux Kernel Dump Test Module) for more principled testing than custom validators.
- Consider moving heavier kernel work to a proper QEMU VM with a vanilla mainline kernel for better debuggability.
This project has permanently increased my intuition about kernel attack surfaces, dynamic instrumentation, and the difference between research harnesses and production exploits. That alone makes the $0 investment worthwhile.
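The "Hard Truths" section makes the point that a validator failing with "module not found" (ksmbd under the WSL kernel) is an environment gap, not a test result, and the way-forward list adds LKDTM as another module-backed dependency. The preflight below, an added example that is not part of the vivisect-v2 repository, classifies each module a validator needs as builtin, loaded, available on disk, or missing, so a run can record the gap before any validator is interpreted. The module list (`nfsd`, `ksmbd`, `lkdtm`) and the `/proc/modules` and `/lib/modules/$(uname -r)` locations are assumptions; the functions take their inputs as parameters so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not part of the vivisect-v2 repository: classify the kernel
# modules a validator depends on before the validator runs, so that a
# "module not found" is logged as an environment gap rather than a finding.
# File locations and the module list are assumptions, not taken from the repo.

# classify_module NAME MODULES_FILE BUILTIN_FILE MODDIR
# Prints one of: builtin, loaded, available, missing.
# Returns 0 when the module can be used by a test, 1 when it cannot.
classify_module() {
    name=$1; modules_file=$2; builtin_file=$3; moddir=$4
    # Built-in modules are listed in modules.builtin (as paths ending in
    # NAME.ko) and never appear in /proc/modules.
    if grep -q "/${name}\.ko\$" "$builtin_file" 2>/dev/null; then
        echo builtin; return 0
    fi
    # /proc/modules lists currently loaded modules, one per line, name first.
    if grep -q "^${name} " "$modules_file" 2>/dev/null; then
        echo loaded; return 0
    fi
    # Present on disk but not loaded: the test would need a modprobe first
    # (not attempted here; the preflight only reports).
    if [ -n "$moddir" ] && [ -d "$moddir" ] && \
       find "$moddir" -name "${name}.ko*" 2>/dev/null | grep -q .; then
        echo available; return 0
    fi
    echo missing; return 1
}

# preflight MODULES_FILE BUILTIN_FILE MODDIR NAME...
# Prints "NAME STATE" per module; returns the number of unusable modules,
# which a harness can use to skip (not fail) the validators that need them.
preflight() {
    modules_file=$1; builtin_file=$2; moddir=$3; shift 3
    unusable=0
    for m in "$@"; do
        state=$(classify_module "$m" "$modules_file" "$builtin_file" "$moddir") \
            || unusable=$((unusable + 1))
        echo "$m $state"
    done
    return $unusable
}

# Live run against the current kernel, only when invoked with --live:
#   sh preflight.sh --live
if [ "${1-}" = "--live" ]; then
    preflight /proc/modules "/lib/modules/$(uname -r)/modules.builtin" \
              "/lib/modules/$(uname -r)" nfsd ksmbd lkdtm
    echo "unusable modules: $?"
fi
```

One caveat when adapting this: `/proc/modules` reports names with hyphens normalized to underscores, while the on-disk `.ko` file may keep the hyphen, so a module whose name differs between the two would need both spellings checked. Under WSL, `/lib/modules/$(uname -r)` is often absent entirely, which the `available` branch tolerates by reporting `missing`.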