[Vol-users] Integrating the libvmi with volatility problem

Andrew Case atcuno at gmail.com
Tue Jun 30 10:35:19 CDT 2015


Just to make sure: your module.dwarf came from the kernel headers
package of the same system you ran LiME on, right? I don't see where you
compiled module.dwarf.

If so, and it still doesn't work, would it be possible to upload the
sample and profile you created?


Thanks,
Andrew (@attrc)

On 06/11/2015 07:46 PM, Xianchun Guan wrote:
> Hi guys,
>   Who can help me solve Volatility issues for Linux? (When the VM is
> Windows, it works.) The operations and running results are as follows.
> volatility version:2.4
> libvmi version:v0.12.0-rc2
> 
> 1. kvm vm:
> --download LiME source code
>   root at ubuntu-gxc:/opt# git clone https://github.com/504ensicsLabs/LiME.git
>   root at ubuntu-gxc:/opt# cd LiME
>   root at ubuntu-gxc:/opt/LiME# git tag
>   v1.4
>   root at ubuntu-gxc:/opt/LiME# git checkout -b  v1.4
>   Switched to a new branch 'v1.4'
>   root at ubuntu-gxc:/opt/LiME# cd src/
>   root at ubuntu-gxc:/opt/LiME/src# make
> make -C /lib/modules/2.6.32-21-generic/build M=/opt/LiME/src modules
> make[1]: Entering directory `/usr/src/linux-headers-2.6.32-21-generic'
>   CC [M]  /opt/LiME/src/tcp.o
>   CC [M]  /opt/LiME/src/disk.o
>   CC [M]  /opt/LiME/src/main.o
>   LD [M]  /opt/LiME/src/lime.o
>   Building modules, stage 2.
>   MODPOST 1 modules
>   CC      /opt/LiME/src/lime.mod.o
>   LD [M]  /opt/LiME/src/lime.ko
> make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-21-generic'
> strip --strip-unneeded lime.ko
> mv lime.ko lime-2.6.32-21-generic.ko
>  root at ubuntu-gxc:/opt/LiME/src# insmod lime-2.6.32-21-generic.ko
> "path=/opt/ubuntu.lime format=lime"
>  root at ubuntu-gxc:/opt/LiME/src# ls -alh /opt/ubuntu.lime 
>  -r--r--r-- 1 root root 1.0G 2015-06-05 14:24 /opt/ubuntu.lime
> 
> --copy ubuntu.lime to kvm host
>   root at ubuntu-gxc:/opt/LiME/src# scp /opt/ubuntu.lime
> root at 172.19.106.245:/mnt/sdb1/forensics/images/
>   
> 2. kvm Host:
> --Making the profile
>    root at ubuntu:/mnt/sdb1/git/volatility/volatility# zip
> volatility/plugins/overlays/linux/ubuntu1004.zip
> tools/linux/module.dwarf ../../../sysmaps/System.map-2.6.32-21-generic 
>     adding: tools/linux/module.dwarf (deflated 90%)
>      adding: ../../../sysmaps/System.map-2.6.32-21-generic (deflated 74%)
> --using the profile
>    root at ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --info
> |grep Linux
>    Volatility Foundation Volatility Framework 2.4
>    Linuxubuntu1004i386x86 - A Profile for Linux ubuntu1004i386 x86
>    Linuxubuntu1004x86     - A Profile for Linux ubuntu1004 x86
>    linux_banner               - Prints the Linux banner information
>    linux_yarascan             - A shell in the Linux memory image
> --using the plugin
> root at ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --debug
> -f /mnt/sdb1/forensics/images/ubuntu.lime --profile=Linuxubuntu1004x86linux_pslist
> Volatility Foundation Volatility Framework 2.4
> DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
> dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
> DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
> system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
> DEBUG   : volatility.obj      : Applying modification from BashTypes
> DEBUG   : volatility.obj      : Applying modification from
> BasicObjectClasses
> DEBUG   : volatility.obj      : Applying modification from ELF32Modification
> DEBUG   : volatility.obj      : Applying modification from ELF64Modification
> DEBUG   : volatility.obj      : Applying modification from ELFModification
> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
> DEBUG   : volatility.obj      : Applying modification from LimeTypes
> DEBUG   : volatility.obj      : Applying modification from
> LinuxTruecryptModification
> DEBUG   : volatility.obj      : Applying modification from MachoModification
> DEBUG   : volatility.obj      : Applying modification from MachoTypes
> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
> DEBUG   : volatility.obj      : Applying modification from
> VMwareVTypesModification
> DEBUG   : volatility.obj      : Applying modification from
> VirtualBoxModification
> DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxKmemCacheOverlay
> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
> cache_chain not found in module kernel
> 
> DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxObjectClasses
> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
> DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
> dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
> DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
> system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
> DEBUG   : volatility.obj      : Applying modification from BashTypes
> DEBUG   : volatility.obj      : Applying modification from
> BasicObjectClasses
> DEBUG   : volatility.obj      : Applying modification from ELF32Modification
> DEBUG   : volatility.obj      : Applying modification from ELF64Modification
> DEBUG   : volatility.obj      : Applying modification from ELFModification
> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
> DEBUG   : volatility.obj      : Applying modification from LimeTypes
> DEBUG   : volatility.obj      : Applying modification from
> LinuxTruecryptModification
> DEBUG   : volatility.obj      : Applying modification from MachoModification
> DEBUG   : volatility.obj      : Applying modification from MachoTypes
> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
> DEBUG   : volatility.obj      : Applying modification from
> VMwareVTypesModification
> DEBUG   : volatility.obj      : Applying modification from
> VirtualBoxModification
> DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxKmemCacheOverlay
> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
> cache_chain not found in module kernel
> 
> DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxObjectClasses
> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
> Offset     Name                 Pid             Uid             Gid  
>  DTB        Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
> DEBUG   : volatility.utils    : Succeeded instantiating
> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
> 0x7505790>
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
> DEBUG   : volatility.utils    : Succeeded instantiating
> <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7505750>
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
> DEBUG   : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value
> e82c4c4c
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64BitMap: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  HPAKAddressSpace: No base Address Space
>  VMWareMetaAddressSpace: No base Address Space
>  VirtualBoxCoreDumpElf64: No base Address Space
>  QemuCoreDumpElf: No base Address Space
>  VMWareAddressSpace: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  IA32PagedMemoryPae: No base Address Space
>  IA32PagedMemory: No base Address Space
>  PyVmiAddressSpace: Location doesn't start with vmi://
>  OSXPmemELF: No base Address Space
>  MachOAddressSpace: MachO Header signature invalid
>  MachOAddressSpace: MachO Header signature invalid
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>  WindowsCrashDumpSpace64: Header signature invalid
>  HPAKAddressSpace: Invalid magic found
>  VMWareMetaAddressSpace: VMware metadata file is not available
>  VirtualBoxCoreDumpElf64: ELF Header signature invalid QemuCoreDumpElf:
> ELF Header signature invalid
>  VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Incompatible profile Linuxubuntu1004x86 selected
>  IA32PagedMemoryPae: Failed valid Address Space check
>  IA32PagedMemory: Failed valid Address Space check
>  PyVmiAddressSpace: Must be first Address Space
>  OSXPmemELF: ELF Header signature invalid
>  FileAddressSpace: Must be first Address Space
>  ArmAddressSpace: Failed valid Address Space check
> 
> 

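Andrew's question is whether the profile was built for the same kernel that LiME captured, and the debug trace shows the LiME container being recognised but every paged address space failing its validity check, which is what a mismatched System.map/module.dwarf looks like. As an added example (my own code, not from this thread, LiME or Volatility), the script below parses the LiME segment headers, validates the magic and version, and scans each segment for the kernel's "Linux version ..." banner so the release string in the dump can be compared with the kernel headers used for module.dwarf. It assumes LiME's packed 32-byte lime_mem_range_header layout (u32 magic, u32 version, u64 start, u64 end, 8 reserved bytes) with inclusive end addresses; the two-segment image it builds for offline use is constructed test data, not a real dump.

```python
"""Sanity-check a LiME image before building or blaming a Volatility profile.

Added example, not code from the mailing-list thread, LiME or Volatility.
Assumed header layout (LiME's lime_mem_range_header, packed, 32 bytes):
    u32 magic, u32 version, u64 start, u64 end (inclusive), u8 reserved[8]
"""
import mmap
import re
import struct
import sys
from typing import Iterator, List, Tuple

LIME_MAGIC = 0x4C694D45            # the bytes b"EMiL" in a little-endian dump
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # 32 bytes per segment header
# Release string that follows "Linux version " in the kernel's linux_banner.
BANNER_RE = re.compile(rb"Linux version (\d[^\s\x00]*)")


def iter_segments(image) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (start, end, data) for every LiME segment, validating each header."""
    off = 0
    while off + HEADER.size <= len(image):
        magic, version, start, end, _ = HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic 0x%08x at offset %d" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d at offset %d" % (version, off))
        if end < start:
            raise ValueError("segment end precedes start at offset %d" % off)
        size = end - start + 1                      # end address is inclusive
        data = image[off + HEADER.size:off + HEADER.size + size]
        if len(data) != size:
            raise ValueError("truncated segment at offset %d" % off)
        yield start, end, data
        off += HEADER.size + size


def find_kernel_banners(image) -> List[str]:
    """Distinct kernel release strings found in any segment of the dump."""
    found: List[str] = []
    for _start, _end, data in iter_segments(image):
        for m in BANNER_RE.finditer(data):
            rel = m.group(1).decode("ascii", "replace")
            if rel not in found:
                found.append(rel)
    return found


def check_image(image, expected_release: str) -> bool:
    """True when the dump carries a banner and every banner matches the profile's kernel."""
    banners = find_kernel_banners(image)
    return bool(banners) and all(b == expected_release for b in banners)


def build_sample_image() -> bytes:
    """Constructed two-segment LiME image for offline testing (not a real dump)."""
    banner = (b"Linux version 2.6.32-21-generic (buildd@box) "
              b"(gcc version 4.4.3) #32-Ubuntu SMP\x00")
    seg1 = b"\x00" * 64 + banner + b"\x00" * 32
    seg2 = b"\xff" * 48
    out = b""
    for base, data in ((0x1000, seg1), (0x100000, seg2)):
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, base, base + len(data) - 1, b"\x00" * 8)
        out += data
    return out


if __name__ == "__main__":
    # usage: python lime_check.py /path/to/image.lime 2.6.32-21-generic
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            img = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
            for s, e, d in iter_segments(img):
                print("segment 0x%x-0x%x (%d bytes)" % (s, e, len(d)))
            print("kernel banners:", find_kernel_banners(img))
            print("matches profile kernel:", check_image(img, sys.argv[2]))
    else:
        img = build_sample_image()
        print("sample banners:", find_kernel_banners(img))
```

Run it against the real image with the release string that names the headers package used for module.dwarf (here 2.6.32-21-generic); a banner that differs, or a header error before the first banner, points at the acquisition or the profile rather than at the plugin. Memory-mapping the file keeps a multi-gigabyte dump from being read into Python memory at once.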