Hi,I am trying to build a volatility 2.3p profile using a mac os host 10.8.5 and a 4.3 android goldfish guest custom kernel.edited my make file under tools/linux/ to: "obj-m += module.oKDIR := ~/goldfish-ksemulator/ CCPATH := ~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin/DWARFDUMP := /Users/Hanaysha/dwarf/dwarfdump/dwarfdump-include version.mkall: dwarfdwarf: module.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules$(DWARFDUMP) -di module.ko > module.dwarf "I am awarded with the follwing errors :"Hanayshas-MacBook-Pro:linux Hanaysha$ makemake -C ~/goldfish-ksemulator//lib/modules/12.5.0/build CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modulesmake: *** /Users/Hanaysha/goldfish-ksemulator//lib/modules/12.5.0/build: No such file or directory. Stop.make: *** [dwarf] Error 2Hanayshas-MacBook-Pro:linux Hanaysha$ makemake ARCH=arm CROSS_COMPILE=~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin//arm-linux-androideabi- -C ~/goldfish-ksemulator/ CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modulesBuilding modules, stage 2.MODPOST 1 modulesCC /Users/Hanaysha/android-volatility/tools/linux/module.mod.o/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:8:1: error: variable '__this_module' has initializer but incomplete type/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: error: unknown field 'name' specified in initializer/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: excess elements in struct initializer [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: (near initialization for '__this_module') [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: error: unknown field 'arch' specified in initializer/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:10: error: 'MODULE_ARCH_INIT' undeclared here (not in a function)/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: excess elements in struct initializer [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: (near initialization for '__this_module') [enabled by default]make[2]: *** [/Users/Hanaysha/android-volatility/tools/linux/module.mod.o] Error 1make[1]: *** [modules] Error 2make: *** [dwarf] Error 2"Any ideas !? your help is appreciated
Hi guys,
I'm trying to find out the addresses of the memory pages of a target
process that are used as stack and heap on Linux.
(Precisely, I would like to have the output which can be seen in
/proc/<pid>/maps for a target process)
Unfortunately, the command linux_proc_maps is not working, I always get
a segmentation fault,
although I tried different kernels as well as Linux setups (Ubuntu) -
it's just not working.
Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps
command works?
Or give me a hint how I could figure out these addresses on another way?
Thank you!
Hi everyone,
I ran apihook command in Volatility with the very fast pyvmi address space.
However, I didn't see significant performance improvement in terms of the
total runtime as it still ran for 5 mins - 6 mins.
Although I have got profiling report of apihooks by cProfile and have been
aware that __read_bytes(), the acquisittion of memory content, just
consumed a very small part, which is 7 secs, of the total 5~6 mins, and
that the overhead may be categorized in apihook algorithm, memory
acquisition as well as Python runtime, I can hardly go further in figuring
out which part of the apihook cost the most.
I attach the profiling report here, and hope anyone help analysis.
Thank you so much.
Guanglin
We are working volatility. Firstly we installed python, then its
dependencies i.e. pycrpto, yara, distorm Min gw. After installing all this
to our system, out volatility 2.1 software is not working, or we are not
able to use it. Need help in this regard.
We wrote a blog post today that announced our first two trainings of 2014:
http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi…
We will be in San Diego, CA in January as well as London in June. Once
we confirm our other trainings that are currently in the works we will
post them as well. At least one of these trainings will be on the east
coast.
Also, as a reminder, we still have a few spots left in our November
training in Reston, so please contact us ASAP if you would like to
attend.
Thanks,
Andrew (@attrc)
Hi,
what's the preferred virtualization method to create memory dumps? Is it possible to acquire the guest memory without guest modifications? Linux and Windows guests are used.
Regards,
Chris
HaHa! Thanks Jesse!
Thank you for the hints - I'm just trying to get my head around walking
the VAD tree at the moment.
I'll be sure to ask you if I need some more assistance.
Hopefully down the line I'll write a mini-tutorial around this to share
with the list.
Adam
On 21/09/13 19:25, Jesse Kornblum wrote:
> Hi Adam,
>
> Two hints, in progressive levels of practicality:
>
> 1. I when I tried to do this, I ended up falling down in a Heap.
>
> 2. Memory allocated by a program is stored in the VADs.
>
> If you're stuck, write back and I'll show you exactly how to do it!
>
> Good luck,
--
Have you sent me your PGP Public Key yet?
Hi all,
I'm hoping for some suggestions around how to find the answer for
myself, rather than the actual answer.
I'm experimenting with notepad to try and learn more about Windows
memory management.
Currently I'm trying to see if I can reliably locate what has been typed
into a notepad window from a memory capture taken when the notepad
window was still open.
I can prove my text is present like so:
$ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 pslist | grep
notepad
Volatile Systems Volatility Framework 2.3_beta
0x84f08030 notepad.exe 292 1664 2 59
1 0 2013-08-28 20:50:36 UTC+0000
$ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 memdump
--dump-dir=~/memtest/ -p 292
Volatile Systems Volatility Framework 2.3_beta
************************************************************************
Writing notepad.exe [ 292] to 292.dmp
$ strings -e l ~/memtest/292.dmp | grep "i-typed-"
i-typed-this-into-notepad
(The "-e l" switch is because notepad stores its text in 16-bit
little-endian.)
Combining the output of memdump and memmap I can see where in physical
and virtual memory my string is located.
Of course this relies on me knowing the string ahead of time.
Do I need to go down the route of disassembling/debugging notepad.exe in
order to determine how/when it writes the contents to memory?
Or is there another approach that I simply haven't though of?
Comments greatly appreciated!
Thanks,
Adam
--
Have you sent me your PGP Public Key yet?
Hi people,
Currently I'm trying to use Volatility to analyze a memory image that i have acquired from my Samsung Galaxy Nexus using LiME. I saw somewhere on this forum(?) that the System.map file pulled out from /proc/kallsyms is unusable due to those lines that contain "[lime]" but can be addressed by removing those lines.
I managed to built the profile and verified it against the following command:
# python vol.py --info | grep ProfileVolatile Systems Volatility Framework 2.3_beta
Profiles
Linuxsamsungx86 - A Profile for Linux samsung x86
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
However, when i run the command:
#python vol.py --profile=Linuxsamsungx86 -f /root/majorProject/ram.lime linux_pslist
I get the following error:
Volatile Systems Volatility Framework 2.3_beta
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
Offset Name Pid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x81ed
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linuxsamsungx86 selected
IA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
IA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
FileAddressSpace: Must be first Address Space
ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
It's the same regardless of the volatility plugin i'm using. Any idea where i'm wrong over here? Anyway attached is zip folder that contains the System.map file as well as my module.dwarf file. Any help or advise in this area would be greatly appreciated thank you very much :)
Oh yes, do let me know if there's any other information required that might help solve this issue, i'm quite desperate over here =P
