[Vol-users] Issue interfacing with pyvmiaddressspace

Michael Watson mrmrwat at gmail.com
Wed Jan 30 11:30:00 CST 2013


Hello,

I hope someone can help with this.
I am attempting to perform live memory analysis on Linux virtual machines
using Xen, LibVMI and Volatility.
The command I am attempting to run is:
# python vol.py -l vmi://ubuntu-pvm-01 --profile=Linuxubuntux64 linux_psaux
I created the profile Linuxubuntux64 using the instructions on the
Volatility Linux plugin page.
I have included the pyvmiaddressspace.py file below:

# Volatility
#
# Copyright 2011 Sandia Corporation. Under the terms of Contract
# DE-AC04-94AL85000 with Sandia Corporation, the U.S. Government
# retains certain rights in this software.
#
# Authors:
# bdpayne at acm.org (Bryan D. Payne)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

import volatility.addrspace as addrspace
import urllib
import pyvmi

#pylint: disable-msg=C0111

class PyVmiAddressSpace(addrspace.BaseAddressSpace):
    """
    This address space can be used in conjunction with LibVMI
    and the Python bindings for LibVMI.  The end result is that
    you can connect Volatility to view the memory of a running
    virtual machine from any virtualization platform that
    LibVMI supports.

    For this AS to be instantiated, we need the VM name to
    connect to.
    """

    print "pyvmiaddressspace loaded"

    order = 90
    def __init__(self, base, config, layered = False, **kwargs):
        print "__init__"
        addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
        self.as_assert(base == None or layered, "Must be first Address Space")
        self.as_assert(config.LOCATION.startswith("vmi://"), "Location doesn't start with vmi://")
        self.name = urllib.url2pathname(config.LOCATION[6:])
        self.vmi = pyvmi.init(self.name, "partial")
        self.as_assert(not self.vmi is None, "VM not found")
        self.dtb = self.get_cr3()

    def read(self, addr, length):
        print "read"
        return self.zread(addr, length)
    #    assert addr < self.vmi.get_memsize(), "addr too big"
    #
    #    end = addr+length
    #
    #    if end > self.vmi.get_memsize():
    #        memory = None
    #    else:
    #        try:
    #            memory = self.vmi.read_pa(addr, length)
    #        except:
    #            memory = None
    #
    #    return memory

    # account for holes in physical mem
    def zread(self, addr, length):
        print "zread"
        assert addr < self.vmi.get_memsize(), "addr too big"

        end = addr+length

        if end > self.vmi.get_memsize():
            memory = None
        else:
            memory = self.vmi.zread_pa(addr, length)
        assert memory != None, "memory is None"
        print memory
        return memory

    def is_valid_address(self, addr):
        print "is_valid_address"
        if addr == None:
            return False
        return 4096 < addr < self.vmi.get_memsize() - 1

    def write(self, addr, data):
        print "write"
        nbytes = self.vmi.write_pa(addr, data)
        if nbytes != len(data):
            return False
        return True

    def get_cr3(self):
        print "get_cr3"
        cr3 = self.vmi.get_vcpureg("cr3", 0)
        return cr3

    def get_available_addresses(self):
        print "get_available_addresses"
        yield (4096, self.vmi.get_memsize() - 1)
        return

I have added the print statements myself in order to help with debugging
and the output is as follows:

root at xenbox:~/downloads/volatility-2.2# python vol.py -l vmi://ubuntu-pvm-01 --profile=Linuxubuntux64 linux_psaux
Volatile Systems Volatility Framework 2.2
pyvmiaddressspace loaded
Pid    Uid    Arguments
__init__
get_cr3
read
zread

read
zread
g�g�g02c�1c�c�
g�gP�         'pH�'�H�g -g�
     g-
read
zread
g�
read
zread
g@�
read
zread

read
zread
g�
read
zread
g@�
read
zread

__init__
read
zread
g-
read
zread
root at xenbox:~/downloads/volatility-2.2#

I added the print statements to see if the address space plugin was
obtaining any information at all, because without them the only output was:

Volatile Systems Volatility Framework 2.2
Pid    Uid    Arguments

I am only just getting to grips with using Volatility so any advice as to
how to debug this issue would be much appreciated.

Thanks,

Mike
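As an added example (not Mike's code and not part of LibVMI or Volatility), here is a Python 3 harness that exercises the same read/is_valid_address/write contract as the posted class against a constructed in-memory stand-in for pyvmi, so the address space boundaries can be checked without a Xen host. FakeVmi, VmiAddressSpace and run_checks are names chosen here, and out-of-range reads return None the way the commented-out read in the post does rather than asserting.

```python
class FakeVmi:
    # Constructed stand-in for a pyvmi handle; a zero-filled bytearray models guest physical memory
    def __init__(self, memsize, cr3):
        self.mem, self.cr3 = bytearray(memsize), cr3
    def get_memsize(self):
        return len(self.mem)
    def get_vcpureg(self, reg, vcpu):
        return self.cr3 if reg == "cr3" else 0
    def zread_pa(self, addr, length):
        return bytes(self.mem[addr:addr + length])        # holes read as zeros, like zread_pa
    def write_pa(self, addr, data):
        n = max(0, min(len(data), len(self.mem) - addr))  # short write at the end of memory
        self.mem[addr:addr + n] = data[:n]
        return n

class VmiAddressSpace:
    # Same read/is_valid_address/write contract as the posted class, minus Volatility's base class
    def __init__(self, vmi, location):
        if not location.startswith("vmi://"):
            raise ValueError("Location doesn't start with vmi://")
        self.name = location[len("vmi://"):]
        self.vmi = vmi
        self.dtb = vmi.get_vcpureg("cr3", 0)
    def read(self, addr, length):
        # Out-of-range requests return None instead of asserting, so the caller can back off
        if addr >= self.vmi.get_memsize() or addr + length > self.vmi.get_memsize():
            return None
        return self.vmi.zread_pa(addr, length)
    def is_valid_address(self, addr):
        return addr is not None and 4096 < addr < self.vmi.get_memsize() - 1
    def write(self, addr, data):
        return self.vmi.write_pa(addr, data) == len(data)

def run_checks(memsize=1 << 20, cr3=0x1A2B000):
    # Exercise the boundaries a plugin will hit and return them for inspection
    vmi = FakeVmi(memsize, cr3)
    aspace = VmiAddressSpace(vmi, "vmi://ubuntu-pvm-01")
    aspace.write(0x2000, b"swapper/0\x00")  # plant a recognisable string in the fake guest
    return {
        "name": aspace.name,
        "dtb": aspace.dtb,
        "page_zero_valid": aspace.is_valid_address(0),
        "last_byte_valid": aspace.is_valid_address(memsize - 1),
        "in_range": aspace.read(0x2000, 9),
        "straddles_end": aspace.read(memsize - 4, 8),
        "short_write": aspace.write(memsize - 2, b"abcd"),
    }
```

Running run_checks() with the real pyvmi handle swapped in for FakeVmi is a quick way to confirm the DTB and read boundaries before involving a Volatility plugin.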