Just to make sure: your module.dwarf came from the kernel headers
package of the same system you ran LiME on, right? I don't see where you
compiled module.dwarf.
If so, and it still doesn't work, would it be possible to upload the
sample and profile you created?
Thanks,
Andrew (@attrc)
On 06/11/2015 07:46 PM, Xianchun Guan wrote:
 Hi guys,
 Who can help me solve Volatility issues for Linux (when the VM is Windows, it works)? Below are the operations and the running results.
 volatility version: 2.4
 libvmi version: v0.12.0-rc2
 *1.  kvm vm:*
 *--download lime resource code*
   root@ubuntu-gxc:/opt# git clone https://github.com/504ensicsLabs/LiME.git
   root@ubuntu-gxc:/opt# cd LiME
   root@ubuntu-gxc:/opt/LiME# git tag
   v1.4
   root@ubuntu-gxc:/opt/LiME# git checkout -b  v1.4
   Switched to a new branch 'v1.4'
   root@ubuntu-gxc:/opt/LiME# cd src/
   root@ubuntu-gxc:/opt/LiME/src# make
 make -C /lib/modules/2.6.32-21-generic/build M=/opt/LiME/src modules
 make[1]: Entering directory `/usr/src/linux-headers-2.6.32-21-generic'
   CC [M]  /opt/LiME/src/tcp.o
   CC [M]  /opt/LiME/src/disk.o
   CC [M]  /opt/LiME/src/main.o
   LD [M]  /opt/LiME/src/lime.o
   Building modules, stage 2.
   MODPOST 1 modules
   CC      /opt/LiME/src/lime.mod.o
   LD [M]  /opt/LiME/src/lime.ko
 make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-21-generic'
 strip --strip-unneeded lime.ko
 mv lime.ko lime-2.6.32-21-generic.ko
   root@ubuntu-gxc:/opt/LiME/src# insmod lime-2.6.32-21-generic.ko "path=/opt/ubuntu.lime format=lime"
  root@ubuntu-gxc:/opt/LiME/src# ls -alh /opt/ubuntu.lime
  -r--r--r-- 1 root root 1.0G 2015-06-05 14:24 /opt/ubuntu.lime
 *--copy ubuntu.lime to kvm host*
   root@ubuntu-gxc:/opt/LiME/src# scp /opt/ubuntu.lime root@172.19.106.245:/mnt/sdb1/forensics/images/
 *2. kvm Host:*
 *--Making the profile*
    root@ubuntu:/mnt/sdb1/git/volatility/volatility# zip volatility/plugins/overlays/linux/ubuntu1004.zip tools/linux/module.dwarf ../../../sysmaps/System.map-2.6.32-21-generic
     adding: tools/linux/module.dwarf (deflated 90%)
     adding: ../../../sysmaps/System.map-2.6.32-21-generic (deflated 74%)
 *--using the profile*
    root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --info | grep Linux
    Volatility Foundation Volatility Framework 2.4
    Linuxubuntu1004i386x86 - A Profile for Linux ubuntu1004i386 x86
    Linuxubuntu1004x86     - A Profile for Linux ubuntu1004 x86
    linux_banner               - Prints the Linux banner information
    linux_yarascan             - A shell in the Linux memory image
 *--using the plugin*
 root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --debug -f /mnt/sdb1/forensics/images/ubuntu.lime --profile=Linuxubuntu1004x86 linux_pslist
 Volatility Foundation Volatility Framework 2.4
 DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
 DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
 DEBUG   : volatility.obj      : Applying modification from BashHashTypes
 DEBUG   : volatility.obj      : Applying modification from BashTypes
 DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
 DEBUG   : volatility.obj      : Applying modification from ELF32Modification
 DEBUG   : volatility.obj      : Applying modification from ELF64Modification
 DEBUG   : volatility.obj      : Applying modification from ELFModification
 DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
 DEBUG   : volatility.obj      : Applying modification from LimeTypes
 DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
 DEBUG   : volatility.obj      : Applying modification from MachoModification
 DEBUG   : volatility.obj      : Applying modification from MachoTypes
 DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
 DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
 DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
 DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
 DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
 DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
 DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
 DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
 DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
 DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
 DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
 DEBUG   : volatility.obj      : Applying modification from BashHashTypes
 DEBUG   : volatility.obj      : Applying modification from BashTypes
 DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
 DEBUG   : volatility.obj      : Applying modification from ELF32Modification
 DEBUG   : volatility.obj      : Applying modification from ELF64Modification
 DEBUG   : volatility.obj      : Applying modification from ELFModification
 DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
 DEBUG   : volatility.obj      : Applying modification from LimeTypes
 DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
 DEBUG   : volatility.obj      : Applying modification from MachoModification
 DEBUG   : volatility.obj      : Applying modification from MachoTypes
 DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
 DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
 DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
 DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
 DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
 DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
 DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
 DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
 DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
 Offset     Name                 Pid             Uid             Gid             DTB        Start Time
 ---------- -------------------- --------------- --------------- --------------- ---------- ----------
 DEBUG   : volatility.utils    : Voting round
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
 DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7505790>
 DEBUG   : volatility.utils    : Voting round
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
 DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7505750>
 DEBUG   : volatility.utils    : Voting round
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
 DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
 DEBUG   : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value e82c4c4c
 No suitable address space mapping found
 Tried to open image as:
  MachOAddressSpace: mac: need base
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64BitMap: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  HPAKAddressSpace: No base Address Space
  VMWareMetaAddressSpace: No base Address Space
  VirtualBoxCoreDumpElf64: No base Address Space
  QemuCoreDumpElf: No base Address Space
  VMWareAddressSpace: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  AMD64PagedMemory: No base Address Space
  IA32PagedMemoryPae: No base Address Space
  IA32PagedMemory: No base Address Space
  PyVmiAddressSpace: Location doesn't start with vmi://
  OSXPmemELF: No base Address Space
  MachOAddressSpace: MachO Header signature invalid
  MachOAddressSpace: MachO Header signature invalid
  LimeAddressSpace: Invalid Lime header signature
  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
  WindowsCrashDumpSpace64BitMap: Header signature invalid
  WindowsCrashDumpSpace64: Header signature invalid
  HPAKAddressSpace: Invalid magic found
  VMWareMetaAddressSpace: VMware metadata file is not available
  VirtualBoxCoreDumpElf64: ELF Header signature invalid
  QemuCoreDumpElf: ELF Header signature invalid
  VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
  WindowsCrashDumpSpace32: Header signature invalid
  AMD64PagedMemory: Incompatible profile Linuxubuntu1004x86 selected
  IA32PagedMemoryPae: Failed valid Address Space check
  IA32PagedMemory: Failed valid Address Space check
  PyVmiAddressSpace: Must be first Address Space
  OSXPmemELF: ELF Header signature invalid
  FileAddressSpace: Must be first Address Space
  ArmAddressSpace: Failed valid Address Space check
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
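The check Andrew is asking for, written out as an added example (not code from this thread, nor from Volatility or LiME): it parses the 32-byte header that a `format=lime` dump begins with and inspects what a Volatility 2 Linux profile zip actually contains, so a zip missing its `module.dwarf`, or carrying a `System.map` from a different kernel release than the `lime-<release>.ko` that took the dump, is caught before `vol.py` is run. The function names, the sample profile zip and the sample header bytes are my own constructions; the `DW_TAG_structure_type` count is only a rough size indicator of the dwarfdump text.

```python
import io
import re
import struct
import zipfile

LIME_MAGIC = 0x4C694D45  # the bytes "EMiL" read as a little-endian u32

def parse_lime_header(data):
    """Parse the 32-byte LiME range header: u32 magic, u32 version, u64 start, u64 end, 8 reserved."""
    if len(data) < 32:
        raise ValueError("too short for a LiME header")
    magic, version, start, end = struct.unpack_from("<IIQQ", data, 0)
    if magic != LIME_MAGIC:
        raise ValueError("bad LiME magic 0x%08x: not a format=lime dump" % magic)
    return {"version": version, "start": start, "end": end}

def inspect_profile(zip_bytes):
    """Report what a Volatility 2 Linux profile zip holds: it needs a module.dwarf and a System.map."""
    report = {"dwarf": None, "dwarf_structs": 0, "sysmap": None,
              "sysmap_symbols": 0, "kernel": None}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", "replace")
            if name.lower().endswith(".dwarf"):
                report["dwarf"] = name
                # rough size indicator: struct definitions in the dwarfdump text
                report["dwarf_structs"] = text.count("DW_TAG_structure_type")
            elif "system.map" in name.lower():
                report["sysmap"] = name
                report["sysmap_symbols"] = sum(1 for l in text.splitlines() if l.split())
                m = re.search(r"System\.map-(\S+)$", name)
                report["kernel"] = m.group(1) if m else None
    return report

def profile_matches_kernel(report, lime_module):
    """True when the profile is complete and its System.map release is the kernel lime-<release>.ko was built for."""
    m = re.match(r"lime-(.+)\.ko$", lime_module)
    return bool(report["dwarf"] and report["sysmap"] and m
                and m.group(1) == report["kernel"])

# Constructed sample inputs for the self-test (not real profile data).
SAMPLE_HEADER = struct.pack("<IIQQ8s", LIME_MAGIC, 1, 0x1000, 0x3FFFFFFF, b"\0" * 8)
def build_sample_profile():
    dwarf = "<1><0x2d><DW_TAG_structure_type>\n  DW_AT_name task_struct\n" * 3
    sysmap = "c15b5000 D swapper_pg_dir\nc1000000 T _text\nc1a00000 D init_task\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ubuntu1004/module.dwarf", dwarf)
        zf.writestr("ubuntu1004/System.map-2.6.32-21-generic", sysmap)
    return buf.getvalue()
```

On a real case, feed `parse_lime_header` the first 32 bytes of the `.lime` file and `inspect_profile` the bytes of the zip under `volatility/plugins/overlays/linux/`; a report with `dwarf` still `None` means `vol.py --info` may list the profile yet no paged address space can validate against it.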