Thomas,

Which profile are you using? You should create a profile for the Linux VM you are trying to analyze. I have had to do this for several clean installs of Ubuntu because of Linux kernel versions.
-- Adam

On May 4, 2016 8:50 AM, "Thomas Hungenberg" <[email protected]> wrote:
> Hi,
>
> I was provided a suspend-to-disk snapshot image along with a copy of the
> virtual hard disk file from a QEMU/KVM-based Linux server for analysis.
>
> Analysis of the hard disk is done. Now I'd like to dump running processes
> etc. from the server's memory image.
>
> I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory
> image using the 'dump-guest-memory' command.
> So now I have this:
> memory.img: ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style
>
> Then, I set up a fresh VM with Debian Linux in the same version the virtual
> server was running. Next, I installed the kernel image and related files
> extracted from the virtual hard disk on this new VM to get a Linux system
> running exactly the same kernel version. On this VM, I created a Volatility
> profile using the files provided in /tools/linux/.
>
> Unfortunately, Volatility crashes when running imageinfo on the dumped
> memory image file:
> =========================================================================
> $ python vol.py imageinfo -f /path/to/memory.img
> Volatility Foundation Volatility Framework 2.5
> INFO    : volatility.debug    : Determining profile based on KDBG search...
>           Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
>                      AS Layer1 : QemuCoreDumpElf (Unnamed AS)
>                      AS Layer2 : FileAddressSpace (/path/to/memory.img)
>                       PAE type : No PAE
>                            DTB : -0x1L
> Traceback (most recent call last):
>   File "vol.py", line 192, in <module>
>     main()
>   File "vol.py", line 183, in main
>     command.execute()
>   File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
>     func(outfd, data)
>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
>     for k, t, v in data:
>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
>     kdbg = volmagic.KDBG.v()
>   File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
>     return self.m(attr)
>   File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
>     raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
> AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
> =========================================================================
>
> When running other Volatility plugins on the memory image with the created
> profile, it says "No suitable address space mapping found":
> =========================================================================
> $ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
> Volatility Foundation Volatility Framework 2.5
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64BitMap: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  HPAKAddressSpace: No base Address Space
>  VirtualBoxCoreDumpElf64: No base Address Space
>  VMWareMetaAddressSpace: No base Address Space
>  QemuCoreDumpElf: No base Address Space
>  [...]
> =========================================================================
>
> Any suggestions?
> What am I missing?
>
>
> - Thomas
>
>
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
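As an added example (not code from the thread and not Volatility's own QemuCoreDumpElf), the script below does the work a core-file address space has to do on an ELF core written by QEMU's dump-guest-memory: parse the ELF64 header and program headers, walk the PT_NOTE segment, map guest-physical addresses to file offsets and list the holes between RAM segments. Running it against memory.img tells you whether the dump actually covers the guest's RAM and which notes QEMU wrote, before the profile is suspected. With no argument it runs on a constructed sample core (the note bodies in that sample are dummy bytes, not real prstatus or QEMUCPUState structures).

```python
"""Inspect an ELF core written by QEMU's dump-guest-memory (added example)."""
import mmap
import struct
import sys
from collections import namedtuple

ET_CORE, PT_LOAD, PT_NOTE, EM_X86_64 = 4, 1, 4, 62
Segment = namedtuple("Segment", "p_type offset paddr filesz memsz")
Note = namedtuple("Note", "name type desc")


def parse_elf64_core(data):
    """Return (e_machine, [Segment]) from a little-endian ELF64 core image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("expected ELF64 little-endian (EI_CLASS=2, EI_DATA=1)")
    e_type, e_machine = struct.unpack_from("<HH", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_type != ET_CORE:
        raise ValueError("e_type %d is not ET_CORE" % e_type)
    segs = []
    for i in range(e_phnum):
        # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        p_type, _, p_offset, _, p_paddr, p_filesz, p_memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        segs.append(Segment(p_type, p_offset, p_paddr, p_filesz, p_memsz))
    return e_machine, segs


def parse_notes(data, segs):
    """Entries of every PT_NOTE segment: namesz, descsz, type, then name and desc (4-byte padded)."""
    notes = []
    for s in (s for s in segs if s.p_type == PT_NOTE):
        pos, end = s.offset, s.offset + s.filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", data, pos)
            pos += 12
            name = bytes(data[pos:pos + namesz]).rstrip(b"\x00").decode("ascii", "replace")
            pos += (namesz + 3) & ~3
            notes.append(Note(name, ntype, bytes(data[pos:pos + descsz])))
            pos += (descsz + 3) & ~3
    return notes


def paddr_to_offset(segs, paddr):
    """File offset backing a guest-physical address, or None if it lies in a hole."""
    for s in segs:
        if s.p_type == PT_LOAD and s.paddr <= paddr < s.paddr + s.filesz:
            return s.offset + (paddr - s.paddr)
    return None


def read_phys(data, segs, paddr, length):
    """Read guest RAM; the whole range must sit inside one file-backed PT_LOAD segment."""
    for s in segs:
        if s.p_type == PT_LOAD and s.paddr <= paddr and paddr + length <= s.paddr + s.filesz:
            start = s.offset + (paddr - s.paddr)
            return bytes(data[start:start + length])
    raise ValueError("guest physical 0x%x (+%d bytes) is not backed by the dump" % (paddr, length))


def ram_holes(segs):
    """Gaps between consecutive PT_LOAD segments (x86 guests typically have one below 4 GiB)."""
    loads = sorted((s for s in segs if s.p_type == PT_LOAD), key=lambda s: s.paddr)
    return [(a.paddr + a.memsz, b.paddr) for a, b in zip(loads, loads[1:])
            if a.paddr + a.memsz < b.paddr]


def build_sample_core():
    """Constructed input: one PT_NOTE and two PT_LOAD segments split by a hole,
    like a guest whose RAM straddles 4 GiB. Note bodies are dummy zero bytes."""
    def note(name, ntype, desc):
        nm = name.encode() + b"\x00"
        return (struct.pack("<III", len(nm), len(desc), ntype)
                + nm.ljust((len(nm) + 3) & ~3, b"\x00") + desc.ljust((len(desc) + 3) & ~3, b"\x00"))
    notes = note("CORE", 1, b"\x00" * 16) + note("QEMU", 0, b"\x00" * 8)
    low, high = bytearray(0x1000), bytearray(0x1000)
    low[0x800:0x80c] = b"LOW-RAM-MARK"       # guest physical 0x800
    high[0x400:0x40d] = b"HIGH-RAM-MARK"     # guest physical 0x1_0000_0400
    note_off, low_off, high_off = 0x100, 0x200, 0x1200
    phdrs = [(PT_NOTE, 0, note_off, 0, 0, len(notes), len(notes), 0),
             (PT_LOAD, 7, low_off, 0, 0, len(low), len(low), 0),
             (PT_LOAD, 7, high_off, 0, 0x100000000, len(high), len(high), 0)]
    img = bytearray(high_off + len(high))
    img[0:16] = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    img[16:64] = struct.pack("<HHIQQQIHHHHHH", ET_CORE, EM_X86_64, 1, 0, 64, 0, 0,
                             64, 56, len(phdrs), 0, 0, 0)
    for i, p in enumerate(phdrs):
        img[64 + 56 * i:64 + 56 * (i + 1)] = struct.pack("<IIQQQQQQ", *p)
    img[note_off:note_off + len(notes)] = notes
    img[low_off:low_off + len(low)] = low
    img[high_off:high_off + len(high)] = high
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python elfcore_check.py memory.img (file name is an assumption)
        data = mmap.mmap(open(sys.argv[1], "rb").fileno(), 0, access=mmap.ACCESS_READ)
    else:
        data = build_sample_core()
    machine, segs = parse_elf64_core(data)
    print("e_machine=%d (%s)" % (machine, "x86-64" if machine == EM_X86_64 else "other"))
    for s in (s for s in segs if s.p_type == PT_LOAD):
        print("RAM  paddr 0x%012x-0x%012x at file offset 0x%x" % (s.paddr, s.paddr + s.filesz, s.offset))
    for n in parse_notes(data, segs):
        print("note %-5s type %d, %d bytes" % (n.name, n.type, len(n.desc)))
    for lo, hi in ram_holes(segs):
        print("hole paddr 0x%012x-0x%012x (not in dump)" % (lo, hi))
```

A dump whose PT_LOAD segments do not add up to the guest's configured RAM, or whose e_machine is not the architecture you built the profile for, will fail in the address-space layer no matter how good the profile is; checking that first narrows the search to the profile (System.map and vtypes must come from the exact kernel build that was running).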
