Re: [Vol-users] Virtual Machine - RedHat

Hello, You need to build a profile for the specific kernel you are running. This wiki page walks through building a profile: https://code.google.com/p/volatility/wiki/LinuxMemoryForensics In general though you need to get a debug version of the kernel you are running and then use dwarfdump to extract the information needed by Volatility. You also need the System.map file, but that should be placed in /boot by your distribution so it is not an issue to obtain. Write back if you need any help with the process. Thanks, Andrew (@attrc) On Tue, Jul 9, 2013 at 11:18 AM, Robert Miller <robert.millerii(a)gmail.com> wrote: > Is there a Linux profile for RedHat for the latest version of > volatility? I > am attempting to run pslist against a VM running Redhat. However, I am > having no luck. I used imagecopy to convert a .vmss and a .vmsn file to > a > memory dump file. Neither file works with pslist. I used the CentOS > profile and the results are below. If I don't specify a profile, you > don't > see the "invalid pde_value" lines. Any ideas? > >> python vol.py --profile=LinuxCentOS63x64 -f serverName_vmsn.raw >> linux_pslist > Volatile Systems Volatility Framework 2.3_beta > *** Failed to import volatility.plugins.addrspaces.legacyintel > (AttributeError: 'module' object has no attribute > 'AbstractWritablePagedMemory') > WARNING : volatility.obj : Overlay structure tty_struct not present > in > vtypes > Offset Name Pid Uid > Gid > DTB Start Time > ------------------ -------------------- --------------- --------------- > ------ ------------------ ---------- > WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value > 65d70100 > WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value > 65d70100 > WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value > 65d70100 > No suitable address space mapping found > Tried to open image as: > MachOAddressSpace: mac: need base > LimeAddressSpace: lime: need base > WindowsHiberFileSpace32: No base Address Space > WindowsCrashDumpSpace64: No base Address Space > HPAKAddressSpace: No base Address Space > VirtualBoxCoreDumpElf64: No base Address Space > VMWareSnapshotFile: No base Address Space > WindowsCrashDumpSpace32: No base Address Space > AMD64PagedMemory: No base Address Space > IA32PagedMemoryPae: No base Address Space > IA32PagedMemory: No base Address Space > MachOAddressSpace: MachO Header signature invalid > LimeAddressSpace: Invalid Lime header signature > WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile > WindowsCrashDumpSpace64: Header signature invalid > HPAKAddressSpace: Invalid magic found > VirtualBoxCoreDumpElf64: ELF64 Header signature invalid > VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53 > WindowsCrashDumpSpace32: Header signature invalid > AMD64PagedMemory: Failed valid Address Space check > IA32PagedMemoryPae: Incompatible profile LinuxCentOS63x64 selected > IA32PagedMemory: Incompatible profile LinuxCentOS63x64 selected > FileAddressSpace: Must be first Address Space > ArmAddressSpace: Failed valid Address Space check > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >