linux_pslist returns "No suitable address space mapping found", just like
linux_netstat I tried before.
- Thomas
On 04.05.2016 16:40, Michael Ligh wrote:
> Also, imageinfo is a Windows-only plugin that accesses Windows-only data
> structures (thus the error when running on a Linux memory image). Try
> something like linux_pslist and see if that works on your sample.
>
> Cheers, MHL
>
> On 5/4/16 9:25 AM, Adam Pridgen wrote:
>> Thomas,
>>
>> Which profile are you using? You should create a profile for the Linux VM
>> you are trying to analyze. I have had to do this for several clean installs
>> of Ubuntu because of Linux kernel versions.
>>
>> -- Adam
>>
>> On May 4, 2016 8:50 AM, "Thomas Hungenberg" <[email protected]> wrote:
>>
>> Hi,
>>
>> I was provided a suspend-to-disk snapshot image along with a copy of the
>> virtual harddisk file from a QEMU/KVM-based Linux server for analysis.
>>
>> Analysis of the harddisk is done. Now I'd like to dump running processes
>> etc. from the server's memory image.
>>
>> I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory
>> image using the 'dump-guest-memory' command. So now I have this:
>>
>> memory.img: ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style
>>
>> Then, I set up a fresh VM with Debian Linux in the same version the virtual
>> server was running. Next, I installed the kernel image and related files
>> extracted from the virtual harddisk on this new VM to get a Linux system
>> running exactly the same kernel version. On this VM, I created a Volatility
>> profile using the files provided in /tools/linux/.
>>
>> Unfortunately, Volatility crashes when running imageinfo on the dumped
>> memory image file:
>> =========================================================================
>> $ python vol.py imageinfo -f /path/to/memory.img
>> Volatility Foundation Volatility Framework 2.5
>> INFO : volatility.debug : Determining profile based on KDBG search...
>> Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
>> AS Layer1 : QemuCoreDumpElf (Unnamed AS)
>> AS Layer2 : FileAddressSpace (/path/to/memory.img)
>> PAE type : No PAE
>> DTB : -0x1L
>> Traceback (most recent call last):
>>   File "vol.py", line 192, in <module>
>>     main()
>>   File "vol.py", line 183, in main
>>     command.execute()
>>   File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
>>     func(outfd, data)
>>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
>>     for k, t, v in data:
>>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
>>     kdbg = volmagic.KDBG.v()
>>   File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
>>     return self.m(attr)
>>   File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
>>     raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
>> AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
>> =========================================================================
>>
>> When running other Volatility Plugins on the memory image with the created
>> profile, it says "No suitable address space mapping found":
>> =========================================================================
>> $ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
>> Volatility Foundation Volatility Framework 2.5
>> No suitable address space mapping found
>> Tried to open image as:
>> MachOAddressSpace: mac: need base
>> LimeAddressSpace: lime: need base
>> WindowsHiberFileSpace32: No base Address Space
>> WindowsCrashDumpSpace64BitMap: No base Address Space
>> WindowsCrashDumpSpace64: No base Address Space
>> HPAKAddressSpace: No base Address Space
>> VirtualBoxCoreDumpElf64: No base Address Space
>> VMWareMetaAddressSpace: No base Address Space
>> QemuCoreDumpElf: No base Address Space
>> [...]
>> =========================================================================
>>
>> Any suggestions? What am I missing?
>>
>>
>> - Thomas
>>
>>
>> _______________________________________________ Vol-users mailing list
>> [email protected] <mailto:[email protected]>
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
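
Added example, not part of the thread and not Volatility code: a Python check of the ELF header fields that `file` summarised for memory.img in the original post (class, byte order, type, machine), plus the program headers, flagging segments whose data runs past the end of the file. The sample bytes are constructed to match that `file` output; `parse_elf_core` and `build_sample` are hypothetical names.

```python
import struct

EM_NAMES = {3: "EM_386", 62: "EM_X86_64"}   # e_machine values from the ELF spec
PT_NAMES = {1: "PT_LOAD", 4: "PT_NOTE"}     # p_type values from the ELF spec

def parse_elf_core(data):
    """Summarise the ELF header and program headers of a memory dump."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    e = "<" if ei_data == 1 else ">"
    is64 = ei_class == 2
    try:
        e_type, e_machine = struct.unpack_from(e + "HH", data, 16)
        if is64:
            (phoff,) = struct.unpack_from(e + "Q", data, 32)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
        else:
            (phoff,) = struct.unpack_from(e + "I", data, 28)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
        segments = []
        for i in range(phnum):
            off = phoff + i * phentsize
            if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
                p_type, _, p_off, _, p_paddr, p_filesz = struct.unpack_from(e + "IIQQQQ", data, off)
            else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz
                p_type, p_off, _, p_paddr, p_filesz = struct.unpack_from(e + "IIIII", data, off)
            segments.append({
                "type": PT_NAMES.get(p_type, hex(p_type)),
                "paddr": p_paddr, "filesz": p_filesz,
                # segment data extending past end of file: the dump is cut short
                "truncated": p_off + p_filesz > len(data),
            })
    except struct.error as exc:
        raise ValueError("header runs past end of file") from exc
    return {"class": 64 if is64 else 32, "endian": "LSB" if ei_data == 1 else "MSB",
            "type": e_type, "machine": EM_NAMES.get(e_machine, hex(e_machine)),
            "segments": segments}

def build_sample():
    """Constructed sample: 64-bit LSB ET_CORE header, e_machine=3, PT_NOTE + PT_LOAD."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 4, 3, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    note = struct.pack("<IIQQQQQQ", 4, 0, 176, 0, 0, 16, 16, 0)
    load = struct.pack("<IIQQQQQQ", 1, 0, 192, 0, 0, 0x1000, 0x1000, 0)
    return ehdr + note + load + bytes(16) + bytes(0x800)  # PT_LOAD data cut short

if __name__ == "__main__":
    print(parse_elf_core(build_sample()))
```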