Hi people,
Currently I'm trying to use Volatility to analyze a memory image that I have acquired
from my Samsung Galaxy Nexus using LiME. I saw somewhere on this forum(?) that the
System.map file pulled out from /proc/kallsyms is unusable because of the lines that contain
"[lime]", but that this can be addressed by removing those lines.
I managed to build the profile and verified it with the following command:
# python vol.py --info | grep Profile
Volatile Systems Volatility Framework 2.3_beta
Profiles
Linuxsamsungx86 - A Profile for Linux samsung x86
VistaSP0x64     - A Profile for Windows Vista SP0 x64
VistaSP0x86     - A Profile for Windows Vista SP0 x86
VistaSP1x64     - A Profile for Windows Vista SP1 x64
VistaSP1x86     - A Profile for Windows Vista SP1 x86
VistaSP2x64     - A Profile for Windows Vista SP2 x64
VistaSP2x86     - A Profile for Windows Vista SP2 x86
Win2003SP0x86   - A Profile for Windows 2003 SP0 x86
Win2003SP1x64   - A Profile for Windows 2003 SP1 x64
Win2003SP1x86   - A Profile for Windows 2003 SP1 x86
Win2003SP2x64   - A Profile for Windows 2003 SP2 x64
Win2003SP2x86   - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64   - A Profile for Windows 2008 SP1 x64
Win2008SP1x86   - A Profile for Windows 2008 SP1 x86
Win2008SP2x64   - A Profile for Windows 2008 SP2 x64
Win2008SP2x86   - A Profile for Windows 2008 SP2 x86
Win7SP0x64      - A Profile for Windows 7 SP0 x64
Win7SP0x86      - A Profile for Windows 7 SP0 x86
Win7SP1x64      - A Profile for Windows 7 SP1 x64
Win7SP1x86      - A Profile for Windows 7 SP1 x86
WinXPSP1x64     - A Profile for Windows XP SP1 x64
WinXPSP2x64     - A Profile for Windows XP SP2 x64
WinXPSP2x86     - A Profile for Windows XP SP2 x86
WinXPSP3x86     - A Profile for Windows XP SP3 x86
However, when I run the command:
# python vol.py --profile=Linuxsamsungx86 -f /root/majorProject/ram.lime linux_pslist
I get the following error:
Volatile Systems Volatility Framework 2.3_beta
WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x81ed
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile Linuxsamsungx86 selected
 IA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
 IA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
It's the same regardless of the Volatility plugin I'm using. Any idea where
I'm wrong over here? Anyway, attached is a zip folder that contains the System.map file
as well as my module.dwarf file. Any help or advice in this area would be greatly
appreciated, thank you very much :)
Oh yes, do let me know if there's any other information required that might help solve
this issue, I'm quite desperate over here =P
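An added pre-flight check for the two artifacts this post is about (a LiME dump and a System.map derived from /proc/kallsyms); it is example code written for this page, not code from the original post, from Volatility or from LiME. It assumes the header layout of LiME's "lime" output format as defined in lime.h (a 32-byte little-endian header per physical range: magic 0x4C694D45, version 1, inclusive start and end address, 8 reserved bytes), and it assumes, as a statement about Volatility 2.3's Linux support, that swapper_pg_dir and init_task must resolve from the profile's System.map before a Linux address space can be built. The kallsyms lines and the two-range image in the block are constructed, not taken from the poster's device.

```python
#!/usr/bin/env python
"""Pre-flight checks for a LiME dump and a /proc/kallsyms-derived System.map.

Added example; not code from the original post, from Volatility or from LiME.
The header layout follows lime.h for LiME's 'lime' output format. The names in
REQUIRED_SYMBOLS are an assumption about what Volatility 2.3 must resolve from
the profile's System.map before it can build a Linux address space.
"""
import io
import re
import struct
import sys

LIME_MAGIC = 0x4C694D45                 # "EMiL" when read as little-endian bytes
LIME_HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
REQUIRED_SYMBOLS = ("swapper_pg_dir", "init_task")  # assumption, see docstring
KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?\s*$")


def parse_lime_ranges(fobj):
    """Walk a 'lime'-format dump: a 32-byte header precedes every physical range.

    Uses seek() so a multi-GB image is never read whole. Returns
    [(s_addr, e_addr, file_offset_of_range_data), ...]. A wrong magic raises
    ValueError, the same condition Volatility reports as 'Invalid Lime header
    signature'; a dump taken with format=raw or format=padded has no headers.
    """
    fobj.seek(0, 2)
    size = fobj.tell()
    ranges, off = [], 0
    while off + LIME_HEADER.size <= size:
        fobj.seek(off)
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack(fobj.read(LIME_HEADER.size))
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic 0x%08x at offset %d" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        data_off = off + LIME_HEADER.size
        ranges.append((s_addr, e_addr, data_off))
        off = data_off + (e_addr - s_addr + 1)  # e_addr is inclusive
    return ranges


def clean_kallsyms(text):
    """Turn /proc/kallsyms output into System.map-style 'addr type name' lines.

    Lines tagged with a module name (the trailing '[lime]' mentioned in the post)
    are dropped: System.map lists only static kernel symbols and the tag is not
    part of its line format. Returns (kept_lines, dropped_per_module, all_zero);
    all_zero is True when every address is 0, which is what an unprivileged read
    of /proc/kallsyms yields under kptr_restrict and makes the profile useless.
    """
    kept, dropped, nonzero = [], {}, 0
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line)
        if not m:
            continue
        addr, kind, name, module = m.groups()
        if module:
            dropped[module] = dropped.get(module, 0) + 1
            continue
        if int(addr, 16):
            nonzero += 1
        kept.append("%s %s %s" % (addr, kind, name))
    return kept, dropped, bool(kept) and nonzero == 0


def check_symbols(map_lines, required=REQUIRED_SYMBOLS):
    """Map each required symbol to its address, or None if the System.map lacks it."""
    table = {}
    for line in map_lines:
        addr, _kind, name = line.split(None, 2)
        table[name] = int(addr, 16)
    return dict((name, table.get(name)) for name in required)


# Constructed sample inputs (not from the poster's device).
SAMPLE_KALLSYMS = """\
c0004000 D swapper_pg_dir
c0008000 T stext
c0552bc0 D init_task
c0a12340 t cpuinfo_show
bf000000 t lime_init [lime]
bf000120 d lime_ops [lime]
"""


def build_sample_lime(magic=LIME_MAGIC):
    """Two ranges (16 bytes of 0xAA, then 8 bytes of 0xBB), each with a header."""
    img = LIME_HEADER.pack(magic, 1, 0x80000000, 0x8000000F, b"\0" * 8) + b"\xaa" * 16
    img += LIME_HEADER.pack(magic, 1, 0x80010000, 0x80010007, b"\0" * 8) + b"\xbb" * 8
    return io.BytesIO(img)


def preflight(lime_file, kallsyms_text):
    """Run both checks; anything that would stop Volatility lands in report['errors']."""
    report = {"errors": []}
    try:
        report["ranges"] = parse_lime_ranges(lime_file)
    except ValueError as e:
        report["errors"].append(str(e))
    kept, dropped, all_zero = clean_kallsyms(kallsyms_text)
    report["system_map"], report["dropped_modules"] = kept, dropped
    if all_zero:
        report["errors"].append("all kallsyms addresses are 0 (kptr_restrict?)")
    report["symbols"] = check_symbols(kept)
    for name, addr in report["symbols"].items():
        if addr is None:
            report["errors"].append("System.map lacks %s" % name)
    return report


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: lime_preflight.py ram.lime kallsyms.txt
        with open(sys.argv[1], "rb") as lime, open(sys.argv[2]) as syms:
            rep = preflight(lime, syms.read())
    else:
        rep = preflight(build_sample_lime(), SAMPLE_KALLSYMS)
    for key in ("ranges", "dropped_modules", "symbols", "errors"):
        print("%s: %r" % (key, rep.get(key)))
```

With no arguments the script runs against the constructed samples; with a dump and a kallsyms capture it reports the physical ranges found, how many lines were dropped per module, the addresses of the required symbols, and any errors. A magic mismatch at offset 0 means the file is not in the "lime" format Volatility's LimeAddressSpace expects, and a missing swapper_pg_dir is worth ruling out before rebuilding the profile. Write the cleaned System.map with the kept lines (for example from a shell: `grep -v '\[' kallsyms.txt > System.map` does the same filtering).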