Hi guys, I'm working on a project to analyze memory dumps of Android devices with Volatility. But it seems that it isn't possible to do so if the source code does not provide me with the System.map file. I can't compile my own System.map file using commands like "make ARCH=arm CROSS_COMPILE=$CCOMPILER" (this would give me inaccurate addresses), nor can I use the /proc/kallsyms file from the Android device itself (this does not have the symbols required by Volatility). I just want to verify: is it actually still possible for me to use Volatility to analyze this memory dump if the System.map file wasn't distributed with the headers/source? Thanks.
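As an added example (not code from the list or from Volatility), here is the check I would run on a kallsyms listing before giving up on it: convert it to System.map-style lines, refuse a listing whose addresses are all zero (what a non-root reader gets when kptr_restrict hides kernel pointers), and report which symbols are missing. The REQUIRED_SYMBOLS set and the sample input are my assumptions, not anything from the post; take the real symbol list from the Volatility profile code you use.

```python
"""Added example, not code from the list or from Volatility: turn a
/proc/kallsyms listing into System.map-style lines and report which
symbols are missing before trying to build a profile from it.

Assumptions (mine, not from the post): REQUIRED_SYMBOLS is a guessed
minimal set; take the real list from the Volatility profile code you use.
"""
import re

# kallsyms line: "<hex addr> <type> <name>", with "\t[module]" appended for
# symbols that belong to a loadable module.
KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[([^\]]+)\])?$")

# Assumed minimal set of symbols a Linux profile needs (assumption, see above).
REQUIRED_SYMBOLS = ("init_task", "swapper_pg_dir", "linux_banner")

# Constructed sample input (ARM32-style addresses), not a real device listing.
SAMPLE_KALLSYMS = """\
c0008000 T _text
c0004000 D swapper_pg_dir
c04e6f40 D init_task
bf000000 t helper\t[mymod]
"""


def parse_kallsyms(text):
    """Return (addr_hex, type, name, module) tuples; module is None for core symbols."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KALLSYMS_RE.match(line)
        if m is None:
            raise ValueError("unparseable kallsyms line: %r" % line)
        addr, typ, name, mod = m.groups()
        entries.append((addr.lower(), typ, name, mod))
    return entries


def kallsyms_to_system_map(text, keep_modules=False):
    """Convert kallsyms text to System.map lines, sorted by address.

    Raises ValueError when every address is zero: that is what a non-root
    reader sees on kernels with kptr_restrict set, and such a listing parses
    fine but is useless as a System.map.
    """
    entries = parse_kallsyms(text)
    if not keep_modules:
        entries = [e for e in entries if e[3] is None]
    if entries and all(int(addr, 16) == 0 for addr, _, _, _ in entries):
        raise ValueError("all addresses are zero; read kallsyms as root (kptr_restrict)")
    entries.sort(key=lambda e: int(e[0], 16))
    return ["%s %s %s" % (addr, typ, name) for addr, typ, name, _ in entries]


def missing_symbols(text, required=REQUIRED_SYMBOLS):
    """Names from `required` that the listing does not define at all."""
    present = set(name for _, _, name, _ in parse_kallsyms(text))
    return sorted(set(required) - present)


if __name__ == "__main__":
    for line in kallsyms_to_system_map(SAMPLE_KALLSYMS):
        print(line)
    print("missing:", missing_symbols(SAMPLE_KALLSYMS))
```

Module symbols are dropped by default because a System.map only covers the core kernel; pass keep_modules=True if you want them listed anyway.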
Dear all,
Sorry, I'm using webmail only and couldn't set an In-Reply-To header on my last message.
Libvmi seems a bit complicated to install, at least compared to the vboxmanage debugvm command. Is libvmi required for KVM, or is it possible to use virsh dump?
Thank you in advance.
- Chris
Hi,

I am trying to build a Volatility 2.3p profile using a Mac OS host (10.8.5) and a 4.3 Android goldfish guest custom kernel. I edited my Makefile under tools/linux/ to:

    obj-m += module.o
    KDIR := ~/goldfish-ksemulator/
    CCPATH := ~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin/
    DWARFDUMP := /Users/Hanaysha/dwarf/dwarfdump/dwarfdump
    -include version.mk
    all: dwarf
    dwarf: module.c
    	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
    	$(DWARFDUMP) -di module.ko > module.dwarf

I am awarded with the following errors:

    Hanayshas-MacBook-Pro:linux Hanaysha$ make
    make -C ~/goldfish-ksemulator//lib/modules/12.5.0/build CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modules
    make: *** /Users/Hanaysha/goldfish-ksemulator//lib/modules/12.5.0/build: No such file or directory.  Stop.
    make: *** [dwarf] Error 2

    Hanayshas-MacBook-Pro:linux Hanaysha$ make
    make ARCH=arm CROSS_COMPILE=~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin//arm-linux-androideabi- -C ~/goldfish-ksemulator/ CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modules
    Building modules, stage 2.
    MODPOST 1 modules
    CC /Users/Hanaysha/android-volatility/tools/linux/module.mod.o
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:8:1: error: variable '__this_module' has initializer but incomplete type
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: error: unknown field 'name' specified in initializer
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: excess elements in struct initializer [enabled by default]
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: (near initialization for '__this_module') [enabled by default]
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: error: unknown field 'arch' specified in initializer
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:10: error: 'MODULE_ARCH_INIT' undeclared here (not in a function)
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: excess elements in struct initializer [enabled by default]
    /Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: (near initialization for '__this_module') [enabled by default]
    make[2]: *** [/Users/Hanaysha/android-volatility/tools/linux/module.mod.o] Error 1
    make[1]: *** [modules] Error 2
    make: *** [dwarf] Error 2

Any ideas!? Your help is appreciated.
Hi guys,
I'm trying to find out the addresses of the memory pages of a target
process that are used as stack and heap on Linux.
(Precisely, I would like to have the output that can be seen in
/proc/<pid>/maps for a target process.)
Unfortunately, the linux_proc_maps command is not working; I always get
a segmentation fault,
although I tried different kernels as well as Linux setups (Ubuntu) -
it's just not working.
Can anyone tell me a setup (Linux & kernel) in which the linux_proc_maps
command works?
Or give me a hint as to how I could figure out these addresses another way?
Thank you!
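As an added example (not code from the list or from Volatility), the other route to those addresses is to read /proc/<pid>/maps on the live system and parse it; the cost is that you are trusting a possibly compromised kernel rather than a dump. The parser below picks out the [heap] and [stack] regions and also flags anything mapped writable and executable. The sample maps text is constructed by me, not taken from a real process.

```python
"""Added example, not code from the list or from Volatility: parse the
/proc/<pid>/maps text of a live Linux process and pick out the stack, the
heap and any writable+executable regions.

Assumptions (mine): the constructed sample below stands in for a real
process. Only the main thread's stack carries the [stack] label; other
threads' stacks are unlabelled anonymous rw-p mappings.
"""
import re

# "<start>-<end> <perms> <offset> <dev> <inode> [<path>]"
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Constructed sample (x86-64 layout), not from a real system.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1048601                 /bin/cat
00651000-00652000 r--p 00051000 08:01 1048601                 /bin/cat
00652000-00653000 rw-p 00052000 08:01 1048601                 /bin/cat
01b3c000-01b5d000 rw-p 00000000 00:00 0                       [heap]
7f2a3c000000-7f2a3c021000 rwxp 00000000 00:00 0
7ffc7e5b0000-7ffc7e5d1000 rw-p 00000000 00:00 0               [stack]
7ffc7e5ff000-7ffc7e601000 r-xp 00000000 00:00 0               [vdso]
"""


def parse_maps(text):
    """Return one dict per mapping; 'path' is '' for anonymous memory."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_RE.match(line)
        if m is None:
            raise ValueError("unparseable maps line: %r" % line)
        start, end, perms, offset, dev, inode, path = m.groups()
        regions.append({
            "start": int(start, 16), "end": int(end, 16), "perms": perms,
            "offset": int(offset, 16), "dev": dev, "inode": int(inode),
            "path": path.strip(),
        })
    return regions


def read_live_maps(pid):
    """Read /proc/<pid>/maps of a running process (needs ptrace-level access to it)."""
    with open("/proc/%d/maps" % pid) as fh:
        return parse_maps(fh.read())


def regions_labelled(regions, label):
    """Mappings whose path is a pseudo-label such as '[heap]' or '[stack]'."""
    return [r for r in regions if r["path"] == label]


def wx_regions(regions):
    """Mappings that are both writable and executable. Anonymous ones
    (empty path) are the classic home of injected or JIT-ed code."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


def size(region):
    return region["end"] - region["start"]


if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    for label in ("[heap]", "[stack]"):
        for r in regions_labelled(regs, label):
            print("%-8s %016x-%016x %d bytes" % (label, r["start"], r["end"], size(r)))
    for r in wx_regions(regs):
        print("W+X     %016x-%016x %s" % (r["start"], r["end"], r["path"] or "(anonymous)"))
```

Run read_live_maps(pid) as root (or as the process owner) to get the same structures from a real process; the parse is identical.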
Hi everyone,
I ran the apihooks command in Volatility with the very fast pyvmi address space.
However, I didn't see a significant performance improvement in terms of the
total runtime, as it still ran for 5-6 minutes.
Although I have a profiling report of apihooks from cProfile and am
aware that __read_bytes(), the acquisition of memory content, consumed
only a very small part (7 seconds) of the total 5-6 minutes, and
that the overhead may be categorized as apihooks algorithm, memory
acquisition or Python runtime, I can hardly go further in figuring
out which part of apihooks costs the most.
I attach the profiling report here, and hope someone can help with the analysis.
Thank you so much.
Guanglin
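As an added example (not code from the list or from Volatility), this is how I would split a cProfile report between "time a function spends itself" and "time spent in what it calls": sort by tottime rather than cumtime, and use the callers map to see who invokes the hot function. The workload being profiled is a constructed stand-in for a plugin (a pure-Python byte loop over fake pages), not apihooks itself.

```python
"""Added example, not code from the list or from Volatility: attribute
profiler time to the right function. When memory reads are cheap but the
plugin still takes minutes, the cost is usually Python-level work in a
few functions, and cProfile separates a function's own time (tottime)
from time spent in its callees (cumtime).

Assumptions (mine): the workload below is a constructed stand-in for a
plugin, not apihooks itself.
"""
import cProfile
import pstats

PAGE = 4096


def read_bytes(n):
    """Stand-in for an address space's __read_bytes(): cheap, returns zeros."""
    return bytes(n)


def check_region(buf):
    """Stand-in for per-region hook checks: a pure-Python byte loop, which is
    where the interpreter cost lands."""
    acc = 0
    for b in bytearray(buf):
        acc = (acc * 31 + b) & 0xFFFFFFFF
    return acc


def scan(pages):
    """Read `pages` pages and check each one; mimics a plugin's outer loop."""
    total = 0
    for _ in range(pages):
        total ^= check_region(read_bytes(PAGE))
    return total


def profile(func, *args):
    """Run func under cProfile and return a pstats.Stats object."""
    prof = cProfile.Profile()
    prof.runcall(func, *args)
    return pstats.Stats(prof)


def top_by_tottime(stats, n=5):
    """(name, tottime, cumtime, ncalls) for the n functions with the most
    *own* time. stats.stats maps (file, line, name) to
    (primitive calls, total calls, tottime, cumtime, callers)."""
    rows = []
    for (_, _, name), (cc, nc, tt, ct, _) in stats.stats.items():
        rows.append((name, tt, ct, nc))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:n]


def callers_of(stats, name):
    """Names of the functions that called `name`, from the callers map."""
    out = set()
    for (_, _, fname), (_, _, _, _, callers) in stats.stats.items():
        if fname == name:
            out.update(caller_name for (_, _, caller_name) in callers)
    return sorted(out)


if __name__ == "__main__":
    st = profile(scan, 200)
    for name, tt, ct, nc in top_by_tottime(st):
        print("%-40s tottime=%.4fs cumtime=%.4fs calls=%d" % (name, tt, ct, nc))
    print("check_region called from:", callers_of(st, "check_region"))
```

The same two helpers work on a saved report: build the Stats object with pstats.Stats("report.prof") instead of from a live Profile.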
We are working with Volatility. First we installed Python, then its
dependencies, i.e. pycrypto, yara, distorm, MinGW. After installing all this
on our system, our Volatility 2.1 software is not working, or we are not
able to use it. We need help in this regard.
We wrote a blog post today that announced our first two trainings of 2014:
http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi…
We will be in San Diego, CA in January as well as London in June. Once
we confirm our other trainings that are currently in the works, we will
post them as well. At least one of these trainings will be on the east
coast.
Also, as a reminder, we still have a few spots left in our November
training in Reston, so please contact us ASAP if you would like to
attend.
Thanks,
Andrew (@attrc)
Hi,
What's the preferred virtualization method for creating memory dumps? Is it possible to acquire the guest memory without guest modifications? Linux and Windows guests are used.
Regards,
Chris
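As an added example (not code from the list or from Volatility), here is the host-side acquisition both of Chris's messages are asking about: nothing is installed in the guest, the hypervisor writes the memory image, and the result is checked to be an ELF core file before it goes anywhere near an analysis tool. It assumes VBoxManage's "debugvm <vm> dumpvmcore --filename <file>" and libvirt's "virsh dump --memory-only --format elf" are on PATH and produce ELF cores; whether your Volatility version reads either format is something to confirm against its address-space list. The sample headers in the test are constructed, not real dumps.

```python
"""Added example, not code from the list or from Volatility: acquire a
guest's memory from the host side, so nothing runs inside the guest,
and sanity-check the output before handing it to an analysis tool.

Assumptions (mine): VBoxManage (VirtualBox) and virsh (libvirt/KVM) are
on PATH and the commands below write ELF core files.
"""
import struct
import subprocess

ET_CORE = 4


def dump_command(hypervisor, vm_name, out_path):
    """argv for a host-side, guest-agnostic memory dump."""
    if hypervisor == "vbox":
        return ["VBoxManage", "debugvm", vm_name, "dumpvmcore", "--filename", out_path]
    if hypervisor == "kvm":
        return ["virsh", "dump", "--memory-only", "--format", "elf", vm_name, out_path]
    raise ValueError("unknown hypervisor: %r" % hypervisor)


def header_is_elf_core(hdr):
    """True if `hdr` starts an ELF header whose e_type is ET_CORE.

    e_type is a 16-bit field at offset 16 in the byte order given by
    EI_DATA (offset 5): 1 = little-endian, 2 = big-endian. A truncated,
    empty or non-ELF file (for example a LiME dump) fails this check."""
    if len(hdr) < 18 or hdr[:4] != b"\x7fELF":
        return False
    ei_data = bytearray(hdr)[5]
    if ei_data == 1:
        fmt = "<H"
    elif ei_data == 2:
        fmt = ">H"
    else:
        return False
    return struct.unpack(fmt, hdr[16:18])[0] == ET_CORE


def is_elf_core(path):
    """Read just the header of `path` and check it with header_is_elf_core."""
    with open(path, "rb") as fh:
        return header_is_elf_core(fh.read(18))


def acquire(hypervisor, vm_name, out_path):
    """Run the dump and refuse to return a path that is not an ELF core."""
    subprocess.check_call(dump_command(hypervisor, vm_name, out_path))
    if not is_elf_core(out_path):
        raise RuntimeError("%s is not an ELF core file" % out_path)
    return out_path


if __name__ == "__main__":
    import sys
    # usage: python acquire.py vbox|kvm <vm-name> <output-file>
    print(acquire(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Pausing the VM first makes the image consistent; both tools can dump a running guest, but the memory then changes under the dump.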
HaHa! Thanks Jesse!
Thank you for the hints - I'm just trying to get my head around walking
the VAD tree at the moment.
I'll be sure to ask you if I need some more assistance.
Hopefully down the line I'll write a mini-tutorial around this to share
with the list.
Adam
On 21/09/13 19:25, Jesse Kornblum wrote:
> Hi Adam,
>
> Two hints, in progressive levels of practicality:
>
> 1. When I tried to do this, I ended up falling down in a Heap.
>
> 2. Memory allocated by a program is stored in the VADs.
>
> If you're stuck, write back and I'll show you exactly how to do it!
>
> Good luck,
--
Have you sent me your PGP Public Key yet?
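As an added example (not code from the list or from Volatility), this is the mechanism behind hint 2: a process's user-mode allocations sit in a binary tree of VAD nodes ordered by address, each node recording page numbers, so an in-order walk lists every region in address order and descending the tree answers "which allocation holds this address?" without visiting every node. The Vad class is my simplification of _MMVAD_SHORT (StartingVpn, EndingVpn, LeftChild, RightChild plus a protection string) built from constructed values; Volatility's own object model is not used.

```python
"""Added example, not code from the list or from Volatility: walking a
VAD tree to list and look up the memory a process has allocated.
Start = StartingVpn << 12 and End = ((EndingVpn + 1) << 12) - 1, since
the node stores virtual page numbers rather than byte addresses.

Assumptions (mine): the Vad class is a simplification of _MMVAD_SHORT
and the tree below is constructed, not read from a dump.
"""

PAGE_SHIFT = 12


class Vad(object):
    def __init__(self, starting_vpn, ending_vpn, protection, left=None, right=None):
        self.StartingVpn = starting_vpn
        self.EndingVpn = ending_vpn
        self.Protection = protection   # e.g. "PAGE_EXECUTE_READWRITE"
        self.LeftChild = left
        self.RightChild = right

    @property
    def Start(self):
        return self.StartingVpn << PAGE_SHIFT

    @property
    def End(self):
        return ((self.EndingVpn + 1) << PAGE_SHIFT) - 1


def traverse(node):
    """In-order walk: yields VADs sorted by Start (the tree invariant)."""
    if node is None:
        return
    for v in traverse(node.LeftChild):
        yield v
    yield node
    for v in traverse(node.RightChild):
        yield v


def find_vad(root, address):
    """Descend the tree to the node whose [Start, End] covers `address`;
    None if the address lies in a gap (nothing allocated there)."""
    node = root
    while node is not None:
        if address < node.Start:
            node = node.LeftChild
        elif address > node.End:
            node = node.RightChild
        else:
            return node
    return None


def executable_writable(root):
    """Regions whose protection allows both writing and execution: the
    short list to examine first when hunting injected code."""
    return [v for v in traverse(root) if v.Protection == "PAGE_EXECUTE_READWRITE"]


# Constructed tree (not from a real dump). Ranges in pages:
#   0x00400-0x00452 image, 0x00600-0x00620 heap, 0x7ffe0-0x7ffff stack,
#   0x10000-0x10010 a private RWX region.
SAMPLE_ROOT = Vad(0x00600, 0x00620, "PAGE_READWRITE",
                  left=Vad(0x00400, 0x00452, "PAGE_EXECUTE_WRITECOPY"),
                  right=Vad(0x7ffe0, 0x7ffff, "PAGE_READWRITE",
                            left=Vad(0x10000, 0x10010, "PAGE_EXECUTE_READWRITE")))


if __name__ == "__main__":
    for v in traverse(SAMPLE_ROOT):
        print("%016x-%016x %s" % (v.Start, v.End, v.Protection))
    hit = find_vad(SAMPLE_ROOT, 0x10005123)
    print("0x10005123 ->", "%x-%x" % (hit.Start, hit.End) if hit else "unmapped")
```

With Volatility's real objects the walk is the same shape: the root comes from the process's VadRoot, and the page-number arithmetic is what its Start and End properties do for you.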