[Vol-users] Linux profile w/LiME not working

Andrew Case atcuno at gmail.com
Thu Jan 31 10:20:37 CST 2013


Hey,

Can you run again with "-dd" added before linux_lsmod and send me the output?

The lack of cpuinfo_x86 does not change lsmod so do not worry about that part...

On Thu, Jan 31, 2013 at 1:18 AM, Brian Keefer <chort at effu.se> wrote:
> I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
>
> chort at hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
> Volatile Systems Volatility Framework 2.3_alpha
> WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  HPAKAddressSpace: No base Address Space
>  VirtualBoxCoreDumpElf64: No base Address Space
>  VMWareSnapshotFile: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  JKIA32PagedMemoryPae: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  JKIA32PagedMemory: No base Address Space
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  MachOAddressSpace: MachO Header signature invalid
>  MachOAddressSpace: MachO Header signature invalid
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>  WindowsCrashDumpSpace64: Header signature invalid
>  HPAKAddressSpace: Invalid magic found
>  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
>  VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
>  WindowsCrashDumpSpace32: Header signature invalid
>  JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
>  AMD64PagedMemory: Failed valid Address Space check
>  JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  FileAddressSpace: Must be first Address Space
>  ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
>
> On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
> chort at hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
> System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
> System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
> System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
> System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
> System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
> System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
> System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
> System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
> System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
> System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
>
>
> Platform running Volatility (2.3_alpha, latest from svn):
> Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> Source of memory image:
> Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
>
> What am I missing?
>
>
> --
> chort
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
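As an added example (not code from either poster, nor from the Volatility or LiME projects), here is a small Python checker for the LiME dump format that the failing LimeAddressSpace probe is looking for: every segment starts with a 32-byte header of magic 0x4C694D45, version 1, a 64-bit start and end physical address and 8 reserved bytes, followed by end-start+1 bytes of memory. Before suspecting the profile, run something like this against the file to confirm it really is a type=lime capture. The two sample images are constructed inline; the "raw" one begins with the dword 0xf000ff53 that the VMWareSnapshotFile probe reported above, i.e. the first four bytes of the file are not a LiME magic. On an x86 physical dump that value is what the real-mode interrupt vector table at address 0 looks like, which would suggest a raw image rather than a LiME one, but that is an inference, not something the thread confirms.

```python
import struct

LIME_MAGIC = 0x4C694D45          # reads as "EMiL" in a hex dump (little-endian)
LIME_VERSION = 1
HEADER_FMT = "<IIQQ8s"           # magic, version, start addr, end addr, reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes


def parse_lime_segments(data):
    """Walk the segment headers of a LiME image held in `data`.

    Returns a list of (start_addr, end_addr, payload_offset) tuples, one per
    segment, or raises ValueError describing the first malformed header.
    """
    segments = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_SIZE:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _reserved = struct.unpack_from(HEADER_FMT, data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"invalid LiME magic {magic:#010x} at offset {off:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version} at offset {off:#x}")
        if e_addr < s_addr:
            raise ValueError(f"end address below start address at offset {off:#x}")
        payload_len = e_addr - s_addr + 1
        payload_off = off + HEADER_SIZE
        if payload_off + payload_len > len(data):
            raise ValueError(f"segment at offset {off:#x} runs past end of file")
        segments.append((s_addr, e_addr, payload_off))
        off = payload_off + payload_len
    return segments


def describe_image(data):
    """Return ("lime", segment_count) for a well-formed LiME image, otherwise
    ("unknown", first_dword) so the value can be compared with what the
    Volatility address-space probes print."""
    try:
        return ("lime", len(parse_lime_segments(data)))
    except ValueError:
        first = struct.unpack_from("<I", data, 0)[0] if len(data) >= 4 else None
        return ("unknown", first)


def build_segment(s_addr, payload):
    """Helper to construct a LiME segment for the samples below."""
    e_addr = s_addr + len(payload) - 1
    return struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION, s_addr, e_addr, b"\x00" * 8) + payload


# Constructed sample: a two-segment LiME image (physical ranges are made up).
LIME_SAMPLE = build_segment(0x1000, b"A" * 16) + build_segment(0x100000, b"B" * 8)

# Constructed sample: a file with no LiME header whose first dword is 0xf000ff53.
RAW_SAMPLE = b"\x53\xff\x00\xf0" + b"\x00" * 60


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else LIME_SAMPLE
    print(describe_image(data))
```

Usage: `python lime_check.py /path/to/image.lime` prints either `('lime', N)` or `('unknown', 0x...)`; if the latter shows the same dword the VMWareSnapshotFile probe complained about, the file was not written in the LiME format and no Linux profile will fix it.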