Hello,
You need to build a profile for the specific kernel you are running.
This wiki page walks through building a profile:
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
In general though you need to get a debug version of the kernel you
are running and then use dwarfdump to extract the information needed
by Volatility. You also need the System.map file, but that should be
placed in /boot by your distribution so it is not an issue to obtain.
Write back if you need any help with the process.
Thanks,
Andrew (@attrc)
On Tue, Jul 9, 2013 at 11:18 AM, Robert Miller <robert.millerii(a)gmail.com> wrote:
 Is there a Linux profile for RedHat for the latest version of volatility?  I
 am attempting to run pslist against a VM running Redhat.  However, I am
 having no luck.  I used imagecopy to convert a .vmss and a .vmsn file to a
 memory dump file.  Neither file works with pslist.  I used the CentOS
 profile and the results are below. If I don't specify a profile, you don't
 see the "invalid pde_value" lines.  Any ideas?

 python vol.py --profile=LinuxCentOS63x64 -f serverName_vmsn.raw linux_pslist
 Volatile Systems Volatility Framework 2.3_beta
 *** Failed to import volatility.plugins.addrspaces.legacyintel (AttributeError: 'module' object has no attribute 'AbstractWritablePagedMemory')
 WARNING : volatility.obj      : Overlay structure tty_struct not present in vtypes
 Offset             Name                 Pid             Uid             Gid    DTB                Start Time
 ------------------ -------------------- --------------- --------------- ------ ------------------ ----------
 WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
 WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
 WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
 No suitable address space mapping found
 Tried to open image as:
  MachOAddressSpace: mac: need base
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  HPAKAddressSpace: No base Address Space
  VirtualBoxCoreDumpElf64: No base Address Space
  VMWareSnapshotFile: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  AMD64PagedMemory: No base Address Space
  IA32PagedMemoryPae: No base Address Space
  IA32PagedMemory: No base Address Space
  MachOAddressSpace: MachO Header signature invalid
  LimeAddressSpace: Invalid Lime header signature
  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
  WindowsCrashDumpSpace64: Header signature invalid
  HPAKAddressSpace: Invalid magic found
  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
  VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
  WindowsCrashDumpSpace32: Header signature invalid
  AMD64PagedMemory: Failed valid Address Space check
  IA32PagedMemoryPae: Incompatible profile LinuxCentOS63x64 selected
  IA32PagedMemory: Incompatible profile LinuxCentOS63x64 selected
  FileAddressSpace: Must be first Address Space
  ArmAddressSpace: Failed valid Address Space check
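
The packaging step the reply describes (dwarfdump output plus System.map combined into one profile), as an added example that is not part of the original thread or Volatility's own code. The archive member names, the `init_task` sanity check, and all file contents in `demo()` are assumptions or constructed placeholders; on a real system the inputs are the dwarfdump output for the debug kernel and the System.map from /boot.

```python
import os
import re
import tempfile
import zipfile

# System.map line format: "<hex address> <type char> <symbol name>"
MAP_LINE = re.compile(r"^[0-9a-fA-F]{8,16} \S \S+$")

def check_system_map(path, required=("init_task",)):
    """Return the number of distinct symbols; raise ValueError on a bad file."""
    names = set()
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            if not MAP_LINE.match(line.rstrip("\n")):
                raise ValueError("%s:%d is not a System.map line" % (path, n))
            names.add(line.split()[2])
    missing = [s for s in required if s not in names]
    if missing:  # assumption: linux_pslist needs init_task to start its walk
        raise ValueError("System.map lacks: " + ", ".join(missing))
    return len(names)

def build_profile(dwarf_path, map_path, out_zip):
    """Zip dwarfdump output and System.map together (member names assumed)."""
    if os.path.getsize(dwarf_path) == 0:
        raise ValueError("dwarfdump output is empty")
    check_system_map(map_path)
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        z.write(dwarf_path, "module.dwarf")
        z.write(map_path, "boot/" + os.path.basename(map_path))
    return out_zip

def demo():
    """Run on constructed stand-in files; returns the archive member names."""
    d = tempfile.mkdtemp()
    dwarf = os.path.join(d, "module.dwarf")
    smap = os.path.join(d, "System.map-0.0.0-constructed")
    with open(dwarf, "w") as fh:
        fh.write("<1><0x2d> DW_TAG_structure_type\n")  # constructed placeholder
    with open(smap, "w") as fh:  # constructed symbols, not from a real kernel
        fh.write("ffffffff81000000 T _text\n"
                 "ffffffff81a0d020 D init_task\n")
    out = build_profile(dwarf, smap, os.path.join(d, "Constructed.zip"))
    with zipfile.ZipFile(out) as z:
        return sorted(z.namelist())

if __name__ == "__main__":
    print(demo())
```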