[Vol-users] Integrating the libvmi with volatility problem

Xianchun Guan psyche19830113 at gmail.com
Thu Jun 11 19:46:43 CDT 2015


Hi guys,
  who can help me solve Volatility issues for Linux (when the VM is
Windows, it works)? The operations and running results are as follows.
volatility version: 2.4
libvmi version: v0.12.0-rc2

*1.  kvm vm:*
*--download lime resource code*
  root at ubuntu-gxc:/opt# git clone https://github.com/504ensicsLabs/LiME.git
  root at ubuntu-gxc:/opt# cd LiME
  root at ubuntu-gxc:/opt/LiME# git tag
  v1.4
  root at ubuntu-gxc:/opt/LiME# git checkout -b  v1.4
  Switched to a new branch 'v1.4'
  root at ubuntu-gxc:/opt/LiME# cd src/
  root at ubuntu-gxc:/opt/LiME/src# make
make -C /lib/modules/2.6.32-21-generic/build M=/opt/LiME/src modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-21-generic'
  CC [M]  /opt/LiME/src/tcp.o
  CC [M]  /opt/LiME/src/disk.o
  CC [M]  /opt/LiME/src/main.o
  LD [M]  /opt/LiME/src/lime.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /opt/LiME/src/lime.mod.o
  LD [M]  /opt/LiME/src/lime.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-21-generic'
strip --strip-unneeded lime.ko
mv lime.ko lime-2.6.32-21-generic.ko
 root at ubuntu-gxc:/opt/LiME/src# insmod lime-2.6.32-21-generic.ko
"path=/opt/ubuntu.lime format=lime"
 root at ubuntu-gxc:/opt/LiME/src# ls -alh /opt/ubuntu.lime
 -r--r--r-- 1 root root 1.0G 2015-06-05 14:24 /opt/ubuntu.lime

*--copy ubuntu.lime to kvm host*
  root at ubuntu-gxc:/opt/LiME/src# scp /opt/ubuntu.lime root at 172.19.106.245:
/mnt/sdb1/forensics/images/

*2. kvm Host:*
*--Making the profile*
   root at ubuntu:/mnt/sdb1/git/volatility/volatility# zip
volatility/plugins/overlays/linux/ubuntu1004.zip tools/linux/module.dwarf
../../../sysmaps/System.map-2.6.32-21-generic
    adding: tools/linux/module.dwarf (deflated 90%)
     adding: ../../../sysmaps/System.map-2.6.32-21-generic (deflated 74%)
*--using the profile*
   root at ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --info
|grep Linux
   Volatility Foundation Volatility Framework 2.4
   Linuxubuntu1004i386x86 - A Profile for Linux ubuntu1004i386 x86
   Linuxubuntu1004x86     - A Profile for Linux ubuntu1004 x86
   linux_banner               - Prints the Linux banner information
   linux_yarascan             - A shell in the Linux memory image
*--using the plugin*
root at ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --debug -f
/mnt/sdb1/forensics/images/ubuntu.lime --profile=Linuxubuntu1004x86
linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf
file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system
file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from
BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from
LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf
file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system
file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from
BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from
LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset     Name                 Pid             Uid             Gid    DTB
       Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x7505790>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7505750>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG   : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value
e82c4c4c
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 PyVmiAddressSpace: Location doesn't start with vmi://
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid QemuCoreDumpElf: ELF
Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile Linuxubuntu1004x86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 PyVmiAddressSpace: Must be first Address Space
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
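The run above ends in "No suitable address space mapping found", and the profile-loading debug lines report a System.map with only 1 symbol, so the two inputs to the analysis (the LiME image and the profile zip) are the first things worth checking offline. The following script is an added example written for this page, not code from the post or from the Volatility or LiME projects. It parses the LiME segment headers (magic 0x4C694D45, version 1, inclusive start/end address, 8 reserved bytes, followed by the segment payload) and inspects a profile zip the way Volatility 2 selects its members, by file name: it counts the System.map symbol lines and looks for a DWARF entry naming task_struct. The sample image and sample zip are constructed in memory, the symbol threshold and the task_struct heuristic are the example's own assumptions, and the dwarf text format mimics dwarfdump output only loosely.

```python
"""Sanity-check a LiME image and a Volatility 2 Linux profile zip before
running plugins. Added example code, not from the mailing-list post or
from Volatility/LiME; all sample inputs below are constructed."""
import io
import re
import struct
import zipfile

LIME_MAGIC = 0x4C694D45                  # reads as "EMiL" in a hex dump
LIME_HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved
# A System.map line: address, symbol type, name (e.g. "c0100000 T _text").
SYMBOL_LINE = re.compile(r"^[0-9a-fA-F]+ [A-Za-z?] \S+$")
# Heuristic: a DW_AT_name attribute naming task_struct (dwarfdump-style text).
TASK_STRUCT = re.compile(r'DW_AT_name\s+"?task_struct"?\s*$', re.MULTILINE)


def parse_lime_segments(data):
    """Walk every LiME segment in `data`; return [(start, end, payload_off)].
    Raises ValueError on a bad magic/version or a truncated segment."""
    segments = []
    off = 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError("truncated LiME header at offset 0x%x" % off)
        magic, version, start, end, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic 0x%08x at offset 0x%x" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME version %d" % version)
        if end < start:
            raise ValueError("segment end 0x%x before start 0x%x" % (end, start))
        payload_off = off + LIME_HEADER.size
        length = end - start + 1          # LiME address ranges are inclusive
        if payload_off + length > len(data):
            raise ValueError("segment payload truncated at offset 0x%x" % off)
        segments.append((start, end, payload_off))
        off = payload_off + length
    return segments


def check_profile_zip(zip_bytes, min_symbols=1000):
    """Pick the System.map and .dwarf members by name (as Volatility 2 does),
    count parseable System.map symbols and look for task_struct in the dwarf.
    `min_symbols` is an assumed plausibility floor, not a Volatility rule."""
    result = {"sysmap": None, "dwarf": None, "symbols": 0,
              "has_task_struct": False, "ok": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", "replace")
            if "system.map" in name.lower() and result["sysmap"] is None:
                result["sysmap"] = name
                result["symbols"] = sum(1 for ln in text.splitlines()
                                        if SYMBOL_LINE.match(ln))
            elif name.lower().endswith(".dwarf") and result["dwarf"] is None:
                result["dwarf"] = name
                result["has_task_struct"] = TASK_STRUCT.search(text) is not None
    result["ok"] = bool(result["sysmap"] and result["dwarf"]
                        and result["symbols"] >= min_symbols
                        and result["has_task_struct"])
    return result


def build_sample_image():
    """Constructed two-segment LiME image: 0x1000-0x1fff and 0x3000-0x30ff."""
    seg1 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x1FFF, b"\0" * 8) + b"A" * 0x1000
    seg2 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x3000, 0x30FF, b"\0" * 8) + b"B" * 0x100
    return seg1 + seg2


def build_sample_profile(symbol_count=3):
    """Constructed profile zip with a tiny System.map and a dwarf stub."""
    sysmap = "".join("%08x T sym%d\n" % (0xC0100000 + 16 * i, i)
                     for i in range(symbol_count))
    dwarf = ("<1><0x00000042>    DW_TAG_structure_type\n"
             "                      DW_AT_name                  task_struct\n"
             "                      DW_AT_byte_size             0x00000a40\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("boot/System.map-2.6.32-21-generic", sysmap)
        zf.writestr("tools/linux/module.dwarf", dwarf)
    return buf.getvalue()


if __name__ == "__main__":
    for start, end, off in parse_lime_segments(build_sample_image()):
        print("segment 0x%x-0x%x, payload at file offset 0x%x" % (start, end, off))
    print(check_profile_zip(build_sample_profile(), min_symbols=3))
```

On a real capture, read the file with `open(path, "rb")` and pass the bytes to `parse_lime_segments`; a bad magic on the very first header means the file is not a LiME image at all, while a failure on a later header points at an acquisition that was cut short. For the profile, a symbol count in the low thousands or more is what a real System.map yields; a count of 1 means the zip member is not the file you intended.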