To answer my own question...
My profile build system is Debian-based. Even though I've successfully created Fedora and CentOS profiles on it, I needed to move to a Fedora system which had the proper definition files in its compiler environment. That got rid of all the 'u32' errors. But because the compiler was gcc 5.1, I needed to create a compiler-gcc5.h file in the include/linux folder of the kernel files. I just linked to the gcc4 file and everything compiled fine.
All the Linux Volatility commands appear to be working as expected.
Geoff
From: Torres, Geoff (Cyber Security)
Sent: Thursday, April 07, 2016 11:37 AM
To: 'vol-users(a)volatilityfoundation.org' <vol-users(a)volatilityfoundation.org>
Subject: Need a Redhat 7.1 profile
Hi,
I usually roll my own profiles but I'm having a big problem getting one created for RedHat 7.1 (Linux version 3.10.0-229.el17.x86_64).
I checked the github repository already and did a google search to no avail.
Does anyone have one already created?
Or can anyone help me figure out how to get around these compilation errors?
include/linux/thread_info.h:24:4: error unknown type name 'u32'
u32 __user *uaddr;
^
There are hundreds of them. As near as I've been able to determine, all the flags that would set it are 64 bit-centric so it never gets set.
I have the full make output and the kernel RPMs if needed. Oh, and this is the first time I'm creating a profile using Volatility 2.5, but I'm getting the same errors on 2.4 where I've been successful in the past.
Thanks,
Geoff
BTW - I'm a programmer by necessity, not profession. Feel free to point out the obvious.
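Geoff's compiler-gcc5.h workaround, automated as an added example (not code from the thread or the Volatility project): a POSIX shell helper that symlinks a missing compiler-gccN.h in the kernel headers tree to the newest older one before the profile module is built. The header directory, gcc version and Volatility checkout path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the manual fix of linking
# compiler-gcc5.h -> compiler-gcc4.h so kernel 3.10-era headers build with gcc 5.
# The include directory and checkout paths below are assumptions.

# Print the major version of the gcc that will compile the module.
gcc_major_version() {
    gcc -dumpversion | cut -d. -f1
}

# ensure_compiler_header INCLUDE_DIR GCC_MAJOR
# If INCLUDE_DIR/compiler-gccN.h is missing, symlink it to the newest
# older compiler-gccM.h present there (Geoff linked gcc5 -> gcc4).
# Prints one of: present | linked-to-gccM | none (exit 1 for none).
ensure_compiler_header() {
    inc_dir="$1"
    gcc_major="$2"
    target="$inc_dir/compiler-gcc${gcc_major}.h"
    if [ -e "$target" ]; then
        echo "present"
        return 0
    fi
    v=$((gcc_major - 1))
    while [ "$v" -ge 3 ]; do
        if [ -e "$inc_dir/compiler-gcc${v}.h" ]; then
            # relative link so the headers tree can be moved as a whole
            ln -s "compiler-gcc${v}.h" "$target"
            echo "linked-to-gcc${v}"
            return 0
        fi
        v=$((v - 1))
    done
    echo "none"
    return 1
}

# Typical use (assumed paths): point KDIR at the headers of the kernel the
# memory image came from, then build tools/linux as the thread does.
#   KDIR=/usr/src/kernels/<target-kernel-version>
#   ensure_compiler_header "$KDIR/include/linux" "$(gcc_major_version)"
#   cd volatility/tools/linux && make
```

The symlink only papers over a missing per-compiler header; the struct layouts in module.dwarf still come from the target kernel's headers, which must match the imaged kernel exactly.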
We are very excited to announce that $999 in cash prizes was just added
to the 2016 plugin contest thanks to Airbnb!
The updated prize pools and full contest information can be found at the
following link:
http://volatility-labs.blogspot.com/2016/04/airbnb-donates-999-to-2016-vola…
--
Thanks,
Andrew (@attrc)
Gang,
I've googled it and saw some other discussion of the dreaded
ERROR : volatility.debug : Invalid profile <blah> selected
error. I'm trying to figure out what changed recently so that profiles
that used to work for me, no longer work. I just did a fresh Ubuntu
14.04.4 install and then installed volatility (and distorm3 via pip) from
github and I'm getting the error above. Note, this is the current release
version, though I also have the problem with the version from whatever
repo SIFT uses. The profile actually came from SecondLook and worked just
fine on a different Ubuntu system about 4 weeks ago, but today it fails
(on the system where it used to run), so I decided to try on this virgin
system and get the same error. I'm at a loss, since there are no other
debugging messages to help me out with what might be the problem. I can
provide the profile to anyone who needs it (and probably a memory image,
too, but that needs to be a little more tightly controlled) if that would
help.
--
Jim Clausing
GIAC GSE #26, CISSP
GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
Ok, can you run:
vol.py --info | grep Linux
and see if the profile name shows up like you have it as --profile?
Thanks,
Andrew (@attrc)
On 04/07/2016 02:26 PM, Jim Clausing wrote:
> -dd doesn't give me anything more than that error.
>
> jac@ubuntu:~$ vol.py -dd --plugins=profiles
> --profile=Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64
> -m XUbuntu\ 64-bit-Snapshot3.vmem linux_pslist
> Volatility Foundation Volatility Framework 2.5
> ERROR : volatility.debug : Invalid profile
> Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64
> selected
>
> --
> Jim Clausing
> GIAC GSE #26, CISSP
> GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
>
> On or about Thu, 7 Apr 2016, Andrew Case pontificated thusly:
>
>> Hey,
>>
>> Can you run volatility with -dd set and send the output? If I can't
>> figure out it from there I will take the memory sample and profile. Feel
>> free to send debug output offline.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 04/07/2016 12:27 PM, Jim Clausing wrote:
>>> Gang,
>>> I've googled it and saw some other discussion of the dreaded
>>>
>>> ERROR : volatility.debug : Invalid profile <blah> selected
>>>
>>> error. I'm trying to figure out what changed recently so that profiles
>>> that used to work for me, no longer work. I just did a fresh Ubuntu
>>> 14.04.4 install and then installed volatility (and distorm3 via pip)
>>> from github and I'm getting the error above. Note, this is the current
>>> release version, though I also have the problem with the version from
>>> whatever repo SIFT uses. The profile actually came from SecondLook and
>>> worked just fine on a different Ubuntu system about 4 weeks ago, but
>>> today it fails (on the system where it used to run), so I decided to try
>>> on this virgin system and get the same error. I'm at a loss, since
>>> there are no other debugging messages to help me out with what might be
>>> the problem. I can provide the profile to anyone who needs it (and
>>> probably a memory image, too, but that needs to be a little more tightly
>>> controlled) if that would help.
>>>
>>> --
>>> Jim Clausing
>>> GIAC GSE #26, CISSP
>>> GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>
>>
>
We are happy to announce that the 2016 Volatility Plugin Contest is now
live:
http://volatility-labs.blogspot.com/2016/04/the-2016-volatility-plugin-cont…
This contest is modeled after the annual IDA Pro one, and its purpose is
to encourage new research in the memory forensics field. Volatility is
one of the most popular tools in digital forensics, incident response,
and malware analysis, and by submitting to our contest your work will
immediately gain visibility through all of these communities.
Besides this recognition, we also award the top entries over $2,000 in
cash prizes, swag (stickers, t-shirts, etc.), and blog entries on our
Volatility Labs blog.
This contest is a great opportunity to explore the open source
Volatility Framework, add visibility to your career, and potentially
develop a master's thesis or PhD project.
--
Thanks,
Andrew (@attrc)
Sir,
I am doing my M.E. in Cyber Forensics and Information Security, and am
currently doing my project work on Mac RAM dump analysis. I am using
volafox-master for listing data from my dump collected from my laptop. Can you
please help me find the list of running processes? Currently I've
found a symbol that Volatility uses ("_allproc"); I've also found it in the
symutils file.
But I don't know what to do with it.
Thanks in advance,
Razeem
Hello,
I am working on a homework assignment that involves IR on a Linux system.
We were only given some of the log files and a memory dump. None of the
profiles on Github work so I need to build a profile. Unfortunately, the
memory dump comes from a very old version of RedHat. It's RedHat 7.2
(Enigma) not RHEL7.
I found the Enigma ISOs, created a VM and downloaded the source, headers,
libdwarf, dwarfdump, etc, installed but when I run make from the
tools/linux folder, it doesn't create the module.ko file that dwarfdump
uses. I ran the make manually and it finishes without any errors but no
module.ko.
Any ideas what I might be doing wrong?
Thanks!
Carlos
Hi,
I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which
hides its module and hooks fops.
I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest Volatility
git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both the memory dump
and the analysis.
Many plugins work fine, but it can't be detected by the plugins below (same on
Volatility 2.4).
* linux_hidden_modules - nothing is detected
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
Volatility Foundation Volatility Framework 2.5
Offset (V) Name
------------------ ----
* linux_check_fops - outputs error (no verbose output on --debug option)
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
Volatility Foundation Volatility Framework 2.5
ERROR : volatility.debug : You must specify something to do (try -h)
I would really appreciate any advice.
Regards,
Dear vol-users,
I'm trying to get data from a volatile registry key using the regapi /
rawreg classes in volatility.
The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID
vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
The requested key could not be found in the hive(s) searched
So I go up one level:
vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry
\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000
Subkeys:
(S) Local Settings
Values:
How can I query this key and keep on drilling into its subkeys?
Also, my plugin is making extensive use of rawreg because I try to get each
individual NTUSER.dat hive, and I don't know which hive_name to pass on to
regapi. Should I use the full hive name, as in
self.hive_name(obj.Object("_CMHIVE",
vm = addr_space, offset = hive_offset)), or is there a better way of doing
it?
Any help is greatly appreciated. Have a great day!
--
Thomas Chopitea
Hello,
I am not sure why I am having trouble running vol against a Win7 memory image:
I ran the imageinfo plugin against the image and it suggests: Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64:
But when I select the Win7SP1x64 profile for other plugins I get the following error:
Any suggestions on what I am missing? Thanks in advance.