[Vol-users] Linux profile w/LiME not working

Brian Keefer chort at effu.se
Thu Jan 31 10:24:54 CST 2013


Hello, sending to list for archive(?) sake.

chort at hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime -dd linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS_5.3: Found dwarf file System.map-2.6.18-128.el5 with 365 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS_5.3: Found system file System.map-2.6.18-128.el5 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
DEBUG   : volatility.obj      : Applying modification from Linux64ObjectClasses
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x5c93d50>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x3FF8F860, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x5c93d10>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
 WindowsCrashDumpSpace32: Header signature invalid
 JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
 AMD64PagedMemory: Failed valid Address Space check
 JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected

--
chort



On Jan 31, 2013, at 8:20 AM, Andrew Case wrote:

> Hey,
> 
> Can you run again with "-dd" added before linux_lsmod and send me the output?
> 
> The lack of cpuinfo_x86 does not change lsmod so do not worry about that part...
> 
> On Thu, Jan 31, 2013 at 1:18 AM, Brian Keefer <chort at effu.se> wrote:
>> I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
>> 
>> chort at hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
>> Volatile Systems Volatility Framework 2.3_alpha
>> WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
>> No suitable address space mapping found
>> Tried to open image as:
>> MachOAddressSpace: mac: need base
>> LimeAddressSpace: lime: need base
>> WindowsHiberFileSpace32: No base Address Space
>> WindowsCrashDumpSpace64: No base Address Space
>> HPAKAddressSpace: No base Address Space
>> VirtualBoxCoreDumpElf64: No base Address Space
>> VMWareSnapshotFile: No base Address Space
>> WindowsCrashDumpSpace32: No base Address Space
>> JKIA32PagedMemoryPae: No base Address Space
>> AMD64PagedMemory: No base Address Space
>> JKIA32PagedMemory: No base Address Space
>> IA32PagedMemoryPae: Module disabled
>> IA32PagedMemory: Module disabled
>> MachOAddressSpace: MachO Header signature invalid
>> MachOAddressSpace: MachO Header signature invalid
>> LimeAddressSpace: Invalid Lime header signature
>> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>> WindowsCrashDumpSpace64: Header signature invalid
>> HPAKAddressSpace: Invalid magic found
>> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
>> VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
>> WindowsCrashDumpSpace32: Header signature invalid
>> JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
>> AMD64PagedMemory: Failed valid Address Space check
>> JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
>> IA32PagedMemoryPae: Module disabled
>> IA32PagedMemory: Module disabled
>> FileAddressSpace: Must be first Address Space
>> ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
>> 
>> On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
>> chort at hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
>> System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
>> System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
>> System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
>> System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
>> System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
>> System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
>> System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
>> System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
>> System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
>> System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
>> 
>> 
>> Platform running Volatility (2.3_alpha, latest from svn):
>> Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>> 
>> Source of memory image:
>> Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
>> 
>> What am I missing?
>> 
>> 
>> --
>> chort
>> 
>> 
>> 
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
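The debug output above stops at "None object instantiated: Invalid Address 0x3FF8F860, instantiating lime_header" followed by "Invalid Lime header signature", i.e. the LiME address space read a segment header at that file offset and the magic check failed. The following standalone walker (added here as an illustration; it is not Volatility's or LiME's code) reads a LiME image segment by segment and reports the file offset and reason at the first header that fails validation, so the same condition can be checked outside Volatility. It assumes the LiME range-header layout (32 bytes, little-endian: magic 0x4C694D45, version 1, inclusive start and end physical addresses, 8 reserved bytes) and uses a small constructed image with two good segments and one bad trailing header.

```python
import struct

LIME_MAGIC = 0x4C694D45                  # bytes "EMiL" when stored little-endian
LIME_HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = LIME_HEADER.size           # 32 bytes per segment header


def walk_lime(image):
    """Walk every segment header in a LiME image.
    Returns (segments, error); error is None or (file_offset, reason) at the
    first header that fails validation, the situation Volatility reports as
    an invalid lime_header / 'Invalid Lime header signature'."""
    segments, offset = [], 0
    while offset < len(image):
        if offset + HEADER_SIZE > len(image):
            return segments, (offset, "truncated header")
        magic, version, start, end, _ = LIME_HEADER.unpack_from(image, offset)
        if magic != LIME_MAGIC:
            return segments, (offset, "invalid magic 0x%08x" % magic)
        if version != 1:
            return segments, (offset, "unsupported version %d" % version)
        if end < start:
            return segments, (offset, "end address before start")
        size = end - start + 1               # address ranges are inclusive
        data = offset + HEADER_SIZE
        if data + size > len(image):
            return segments, (offset, "segment data truncated")
        segments.append({"start": start, "end": end, "file_offset": data, "size": size})
        offset = data + size                 # next header follows the segment body
    return segments, None


def phys_to_file_offset(segments, paddr):
    """Map a physical address to its file offset, or None if it falls in a gap."""
    for seg in segments:
        if seg["start"] <= paddr <= seg["end"]:
            return seg["file_offset"] + (paddr - seg["start"])
    return None


def make_segment(start, end, fill):
    """Build one well-formed LiME segment (constructed test data, not a real dump)."""
    return LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\x00" * 8) + fill * (end - start + 1)


# Constructed image: two good segments, then a header whose magic is wrong.
SAMPLE_IMAGE = (make_segment(0x1000, 0x1FFF, b"\xaa")
                + make_segment(0x100000, 0x1000FF, b"\xbb")
                + b"JUNK" + b"\x00" * 28)
```

Run `walk_lime` over a real `.lime` file and compare the reported offset with the address Volatility prints; a segment whose end address is wrong, or a dump cut short, will show up as the bad header at that offset.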