Okay, is there any way you can run the source version? The latest Volatility should support the profile you are trying.
Thanks,
Andrew (@attrc)

On 06/03/2016 09:38 AM, Rob Hunter wrote:
> Hi Andrew,
>
> This is the output I get.
> regards,
> Rob
>
> ./volatility_2.5_mac --plugins=./mac -f ../ram.dump mac_get_profile -d
> Volatility Foundation Volatility Framework 2.5
> DEBUG : volatility.debug : Applying modification from BasicObjectClasses
> DEBUG : volatility.debug : Applying modification from BigPageTableMagic
> DEBUG : volatility.debug : Applying modification from ControlAreaModification
> DEBUG : volatility.debug : Applying modification from ELF32Modification
> DEBUG : volatility.debug : Applying modification from ELF64Modification
> DEBUG : volatility.debug : Applying modification from ELFModification
> DEBUG : volatility.debug : Applying modification from EditBoxObjectClasses
> DEBUG : volatility.debug : Applying modification from EditBoxVTypes
> DEBUG : volatility.debug : Applying modification from HPAKVTypes
> DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8
> DEBUG : volatility.debug : Applying modification from IEHistoryVTypes
> DEBUG : volatility.debug : Applying modification from LimeTypes
> DEBUG : volatility.debug : Applying modification from MachoModification
> DEBUG : volatility.debug : Applying modification from MachoTypes
> DEBUG : volatility.debug : Applying modification from MbrObjectTypes
> DEBUG : volatility.debug : Applying modification from PoolTagModification
> DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay
> DEBUG : volatility.debug : Applying modification from SSLKeyModification
> DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes
> DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
> DEBUG : volatility.debug : Applying modification from VirtualBoxModification
> DEBUG : volatility.debug : Applying modification from Win32KGahtiVType
> DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes
> DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute
> DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject
> DEBUG : volatility.debug : Applying modification from WinXPSyscalls
> DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes
> DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType
> DEBUG : volatility.debug : Applying modification from WindowsVTypes
> DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay
> DEBUG : volatility.debug : Applying modification from EVTObjectTypes
> DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification
> DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes
> DEBUG : volatility.debug : Applying modification from WindowsOverlay
> DEBUG : volatility.debug : Applying modification from CallbackMods
> DEBUG : volatility.debug : Applying modification from MalwarePspCid
> DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes
> DEBUG : volatility.debug : Applying modification from TimerVTypes
> DEBUG : volatility.debug : Applying modification from TokenXP2003
> DEBUG : volatility.debug : Applying modification from UserAssistVTypes
> DEBUG : volatility.debug : Applying modification from VadFlagsModification
> DEBUG : volatility.debug : Applying modification from VadTagModification
> DEBUG : volatility.debug : Applying modification from WinAllTime
> DEBUG : volatility.debug : Applying modification from WinPEObjectClasses
> DEBUG : volatility.debug : Applying modification from WinPEVTypes
> DEBUG : volatility.debug : Applying modification from WinXPTrim
> DEBUG : volatility.debug : Applying modification from WinXPx86Vad
> DEBUG : volatility.debug : Applying modification from WindowsObjectClasses
> DEBUG : volatility.debug : Applying modification from XPOverlay
> DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay
> DEBUG : volatility.debug : Applying modification from AuditpolTypesXP
> DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses
> DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86
> DEBUG : volatility.debug : Applying modification from CrashInfoModification
> DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86
> DEBUG : volatility.debug : Applying modification from HeapModification
> DEBUG : volatility.debug : Applying modification from KDBGObjectClass
> DEBUG : volatility.debug : Applying modification from KPCRProfileModification
> DEBUG : volatility.debug : Applying modification from MFTTYPES
> DEBUG : volatility.debug : Applying modification from MalwareDrivers
> DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86
> DEBUG : volatility.debug : Applying modification from MalwareKthread
> DEBUG : volatility.debug : Applying modification from ServiceBase
> DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP
> DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86
> DEBUG : volatility.debug : Applying modification from Win32KCoreClasses
> DEBUG : volatility.debug : Applying modification from XPHeapModification
> Profile                                            Shift Address
> -------------------------------------------------- -------------
> DEBUG : volatility.debug : Voting round
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x1179d3910>
> DEBUG : volatility.debug : Voting round
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> ERROR : volatility.debug : Unable to find an OS X profile for the given memory sample.
>
>
>> On 03 Jun 2016, at 16:30, Andrew Case <[email protected]> wrote:
>>
>> As a quick check, can you verify that mac_get_profile matches the one
>> you are using? Don't specify --profile when running it.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 06/03/2016 03:09 AM, Rob Hunter wrote:
>>> Hello list,
>>>
>>> I’m trying to use Volatility on an OSX memory dump. I was unable to
>>> download mac memory reader as the site is offline. I’ve used osxpmem
>>> from Rekall.
>>>
>>> The commands I used to perform the dump were:
>>>
>>> sudo kextutil MacPmem.kext
>>> sudo ./osxpmem --format elf -o ./ram.dump
>>>
>>> I then moved ram.dump into my volatility directory
>>>
>>> To check my downloaded profile is included I’ve run the command
>>> ./volatility_2.5_mac --plugins=./mac --imageinfo
>>> and then I ran
>>>
>>> ./volatility_2.5_mac --plugins=./mac --profile=MacElCapitan_10_11_4_15E65x64 -f ../ram.dump mac_pslist
>>>
>>> and got
>>>
>>> Volatility Foundation Volatility Framework 2.5
>>> Offset             Name                 Pid      Uid      Gid      PGID     Bits         DTB                Start Time
>>> ------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
>>> No suitable address space mapping found
>>> Tried to open image as:
>>>  MachOAddressSpace: mac: need base
>>>  LimeAddressSpace: lime: need base
>>>  WindowsHiberFileSpace32: No base Address Space
>>>  WindowsCrashDumpSpace64BitMap: No base Address Space
>>>  VMWareMetaAddressSpace: No base Address Space
>>>  WindowsCrashDumpSpace64: No base Address Space
>>>  HPAKAddressSpace: No base Address Space
>>>  VirtualBoxCoreDumpElf64: No base Address Space
>>>  QemuCoreDumpElf: No base Address Space
>>>  VMWareAddressSpace: No base Address Space
>>>  WindowsCrashDumpSpace32: No base Address Space
>>>  AMD64PagedMemory: No base Address Space
>>>  IA32PagedMemoryPae: No base Address Space
>>>  IA32PagedMemory: No base Address Space
>>>  OSXPmemELF: No base Address Space
>>>  MachOAddressSpace: MachO Header signature invalid
>>>  LimeAddressSpace: Invalid Lime header signature
>>>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>>>  VMWareMetaAddressSpace: VMware metadata file is not available
>>>  WindowsCrashDumpSpace64: Header signature invalid
>>>  HPAKAddressSpace: Invalid magic found
>>>  VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>>  QemuCoreDumpElf: ELF Header signature invalid
>>>  VMWareAddressSpace: Invalid VMware signature: 0x4034b50
>>>  WindowsCrashDumpSpace32: Header signature invalid
>>>  AMD64PagedMemory: Failed valid Address Space check
>>>  IA32PagedMemoryPae: Failed valid Address Space check
>>>  IA32PagedMemory: Failed valid Address Space check
>>>  OSXPmemELF: ELF Header signature invalid
>>>  FileAddressSpace: Must be first Address Space
>>>  ArmAddressSpace: Failed valid Address Space check
>>>
>>>
>>> Apparently my OSXPmemElf signature is invalid. What can I do to dump
>>> memory with a valid signature? Or does my problem lie elsewhere?
>>>
>>> Regards,
>>> Rob
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> [email protected]
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>
>
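Editor's note on the thread above: every address space in the quoted output rejects the image by its header signature, and the VMware check reports the first word it did find, 0x4034b50. Read back as little-endian bytes that is 50 4B 03 04, the ZIP local-file-header magic (AFF4 volumes, among other things, are ZIP containers), not the 7F 45 4C 46 that OSXPmemELF and the other ELF-core address spaces expect. The following script is an added example, not code from the thread or from Volatility or Rekall; it triages the first 64 bytes of a memory image the same way, and for an ELF file also checks the e_type and e_machine fields that an ELF-core loader relies on. The sample headers are constructed in the script and labelled as such.

```python
"""Triage the leading bytes of a memory image before handing it to Volatility.

Added example (not part of the original thread, Volatility or Rekall).
Every Volatility address space first tests a signature; doing the same
check up front answers "what container format is this file?" directly.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local-file header; AFF4 volumes are ZIP containers
LIME_MAGIC = b"EMiL"        # LiME header magic 0x4C694D45 stored little-endian
MACHO_64_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf"}  # Mach-O 64-bit, LE/BE on disk

ET_CORE = 4       # ELF e_type for a core file
EM_X86_64 = 62    # ELF e_machine for x86-64


def le_word(header: bytes) -> int:
    """First four bytes as a little-endian 32-bit word, which is the form in
    which Volatility's VMware address space prints an unexpected signature."""
    return struct.unpack("<I", header[:4])[0]


def describe_elf(header: bytes) -> str:
    """Decode the ELF identification and header fields an ELF-core address
    space (OSXPmemELF, QemuCoreDumpElf, VirtualBoxCoreDumpElf64) depends on."""
    if len(header) < 20:
        return "ELF: header truncated"
    ei_class, ei_data = header[4], header[5]
    if ei_data not in (1, 2):
        return "ELF: unknown data encoding"
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    bits = {1: "ELF32", 2: "ELF64"}.get(ei_class, "ELF?")
    if e_type != ET_CORE:
        return f"{bits}: e_type={e_type}, not an ET_CORE file"
    arch = "x86-64" if e_machine == EM_X86_64 else f"e_machine={e_machine}"
    return f"{bits} core, {arch}"


def identify_dump(header: bytes) -> str:
    """Classify an image by magic bytes; unknown formats report the raw word."""
    if header.startswith(ELF_MAGIC):
        return describe_elf(header)
    if header.startswith(ZIP_MAGIC):
        return "ZIP container (AFF4 volume?): export to ELF/raw before Volatility"
    if header.startswith(LIME_MAGIC):
        return "LiME image"
    if header[:4] in MACHO_64_MAGICS:
        return "Mach-O 64-bit"
    return f"unknown: first word 0x{le_word(header):x}"


def identify_file(path: str) -> str:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as fh:
        return identify_dump(fh.read(64))


def build_elf64_core_header(e_type: int = ET_CORE, e_machine: int = EM_X86_64) -> bytes:
    """Constructed 64-byte ELF64 little-endian header (sample data, not a real dump)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return e_ident + rest


# Constructed sample headers, not captured from any real system.
SAMPLES = {
    "elf_core": build_elf64_core_header(),
    "elf_exec": build_elf64_core_header(e_type=2),
    "zip": ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 54,
    "lime": LIME_MAGIC + b"\x00" * 60,
    "junk": b"\xff" * 64,
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:9s} -> {identify_dump(hdr)}")
```

Run against a real file with `identify_file("ram.dump")`; a result other than "ELF64 core, x86-64" explains an "ELF Header signature invalid" message before any profile question arises.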
