profiles's People

Contributors

4p3p, adamziaja, al4r0, atcuno, blschatz, buffstop, chansonzhang, deeso, deorbit, developerbart, dfir-alvin, glassdfir, gleeda, hexadite-dima, imhlv2, jahil, jipegit, karimodm, kboratynski, p0bailey, prete, sempersecurus, siliconblade, simsong, tpalmer, tribalchicken, ufrisk, williamshowalter, wroersma, zearioch

profiles's Issues

linux_find_file error

I am new to Volatility and am trying to recover a file from a LiME memory snapshot using Volatility. I successfully ran linux_enumerate_files and linux_find_file -F, but when I try to use linux_find_file -i with the inode address, I get a Python error on 2.5 or a physical address error on 2.4. I am not really Python literate and cannot decide if this is the result of a code error or if it could result from my memory file. Any help, or a bug fix if it is a bug, would be appreciated.

The details:

Linux kernel 3.9.9 SMP.
Memory snapshot taken with the current LiME, built on the target machine.
Have tried with Volatility 2.4, 2.5 and a git clone.

All three return the same for...

python ./vol.py -f /mnt/sdata/robert/mem.lime --profile=LinuxSlack-3_9_9x86 linux_find_file -F /home/sarah/graphics/lamp_WIP.xcf
Volatility Foundation Volatility Framework 2.5
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
...   ...
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
Inode Number          Inode File Path
        35391964 0xee98ab48 /home/sarah/graphics/lamp_WIP.xcf

But when I try to extract and save the file, with 2.4 I get this...

python ./vol.py -f /mnt/sdata/robert/mem.lime --profile=LinuxSlack-3_9_9-profilex86 linux_find_file -i 0xee98ab48 -O new.xcf
Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
...   ...
ERROR   : volatility.plugins.overlays.linux.linux: phys_addr_of_page: Unable to determine physical address of page. NUMA is not supported at this time.

And with 2.5 and git clone I get this...

python ./vol.py -f /mnt/sdata/robert/mem.lime --profile=LinuxSlack-3_9_9x86 linux_find_file -i 0xee98ab48 -O new.xcf
Volatility Foundation Volatility Framework 2.5
... ...
WARNING : volatility.debug    : Cant find object radix_tree_node in profile <volatility.plugins.overlays.linux.linux.LinuxSlack-3_9_9x86 object at 0xbfcbf6c>?
Traceback (most recent call last):
  File "./vol.py", line 192, in <module>
    main()
  File "./vol.py", line 183, in main
    command.execute()
  File "/home/robert/lime/volatility-git/volatility/volatility/plugins/linux/common.py", line 63, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/robert/lime/volatility-git/volatility/volatility/commands.py", line 145, in execute
    func(outfd, data)
  File "/home/robert/lime/volatility-git/volatility/volatility/plugins/linux/find_file.py", line 137, in render_text
    for (file_path, inode) in data:
  File "/home/robert/lime/volatility-git/volatility/volatility/plugins/linux/find_file.py", line 126, in calculate
    for page in self.get_file_contents(inode):
  File "/home/robert/lime/volatility-git/volatility/volatility/plugins/linux/find_file.py", line 238, in get_file_contents
    data = self.get_page_contents(inode, idx)
  File "/home/robert/lime/volatility-git/volatility/volatility/plugins/linux/find_file.py", line 202, in get_page_contents
    page_addr = self.find_get_page(inode, idx)
  File "/home/robert/lime/volatility-git/volatility/volatility/plugins/linux/find_file.py", line 193, in find_get_page
    page = self.radix_tree_lookup_slot(inode.i_mapping.page_tree, offset)
  File "/home/robert/lime/volatility-git/volatility/volatility/plugins/linux/find_file.py", line 170, in radix_tree_lookup_slot
    height = node.height
AttributeError: 'NoneType' object has no attribute 'height'

Looking into the module.dwarf file from the profile I do see multiple elements with radix_tree names or paths, although I have no idea how to interpret them.

I have made much use of duckduckgo and friends and read much from the VolatilityFoundation docs and here on github, but to no avail.

Could someone please nudge me in the right direction.

Thanks!

debian 8 32bit profile

Hello,
I have tried to create a profile for Debian 8.0 32-bit with header version 3.16.0-4-686.pae.
Unfortunately, I did not succeed.
The error occurred when I ran the "make" command:
"dwarfdump ERROR: dwarf_attrlist : DW_DLE_UNKNOWN_FORM (242) possibly corrupted DWARF data"
Would someone from the team be willing to help me create the profile?
Thanks!

Issue to import new profile

Hi,
I have been able to successfully create a .zip on Arch Linux but I am not able to import it.
When I try, I get this error message:

Volatility Foundation Volatility Framework 2.5
*** Failed to import volatility.plugins.overlays.linux.linux (ValueError: too many values to unpack)

Any idea? Many thanks for your help.

Windows 2000 32Bit ,SP4

I know this OS version is very old, but I need this profile badly.
I didn't find anyone requesting this profile on Google.
Please advise how to find this profile.

CentOS67 profile to contribute

I have built and verified a functional profile for CentOS 6.7 x86_64, but I do not have push permissions to upload it or share it to the repository.

May I have permissions to share it, or is there someone I can hand the profile off to for the inclusion?
CentOS67.zip

Unable to run vol.py plugins for "Ubuntu 16.04.6" target

I have successfully created a new profile for my VM running Ubuntu 16.04.6 LTS as described at https://github.com/volatilityfoundation/volatility/wiki/Linux and moved the zip file under 'volatility/plugins/overlays/linux/'.

When I run vol.py, it shows the following messages on my terminal and I do not get the list of running processes.

(venv) root@dmt-HP-Laptop-15-da1xxx:/home/dmt/volatility#

python vol.py -l vmi://ubuntu_Guest --profile=LinuxUbuntu1604x64 linux_pslist -d

Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Ubuntu1604: Found dwarf file boot/System.map-4.15.0-76-generic with 814 symbols
DEBUG : volatility.debug : Ubuntu1604: Found system file boot/System.map-4.15.0-76-generic with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : Ubuntu1604: Found dwarf file boot/System.map-4.15.0-76-generic with 814 symbols
DEBUG : volatility.debug : Ubuntu1604: Found system file boot/System.map-4.15.0-76-generic with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time


DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.vmi.VMIAddressSpace object at 0x7f603de92510>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel

No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Location is not of file scheme
VMWareMetaAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: -
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu1604x64 selected
IA32PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
OSXPmemELF: ELF Header signature invalid
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check

I would greatly appreciate it if you could kindly give some feedback and share your views.

Thanks.

Suitable for volatility3?

I guess I could find out by testing it, but I think the Readme could use a clarification as to whether these profiles will work with Volatility3. If not, maybe there is a collection of Volatility 3 profiles that we could point to. :)

Unable to load 10.11.3 profile

Hello,

I've run into some issues trying to use the profile for OS X 10.11.3. The same issue seems to appear for the 10.11.1 and 10.11.2 profiles.

Adding the profile causes volatility to crash with TypeError: 'int' object has no attribute '__getitem__'.

I'm sure I'm missing something simple, but haven't figured it out yet. This is using a clean clone of volatility from git on OS X 10.11 (Have also tested on a Linux box).

Additional info (stack trace and volatility debug messages):

$ python volatility/vol.py -v -f/Volumes/VMs/OS\ X\ 10.11.vmwarevm/OS\ X\ 10.11-Snapshot1.vmem imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
Traceback (most recent call last):
  File "volatility/vol.py", line 192, in <module>
    main()
  File "volatility/vol.py", line 183, in main
    command.execute()
  File "/Users/tribalchicken/Desktop/volatility/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/Users/tribalchicken/Desktop/volatility/volatility/plugins/imageinfo.py", line 45, in render_text
    for k, t, v in data:
  File "/Users/tribalchicken/Desktop/volatility/volatility/plugins/imageinfo.py", line 55, in calculate
    suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
  File "/Users/tribalchicken/Desktop/volatility/volatility/plugins/kdbgscan.py", line 116, in calculate
    buf = addrspace.BufferAddressSpace(self._config)
  File "/Users/tribalchicken/Desktop/volatility/volatility/addrspace.py", line 378, in __init__
    BaseAddressSpace.__init__(self, None, config, **kwargs)
  File "/Users/tribalchicken/Desktop/volatility/volatility/addrspace.py", line 73, in __init__
    self.profile = self._set_profile(config.PROFILE)
  File "/Users/tribalchicken/Desktop/volatility/volatility/addrspace.py", line 98, in _set_profile
    ret = profs[profile_name]()
  File "/Users/tribalchicken/Desktop/volatility/volatility/plugins/overlays/mac/mac.py", line 1810, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/Users/tribalchicken/Desktop/volatility/volatility/obj.py", line 859, in __init__
    self.reset()
  File "/Users/tribalchicken/Desktop/volatility/volatility/plugins/overlays/mac/mac.py", line 1830, in reset
    self.compile()
  File "/Users/tribalchicken/Desktop/volatility/volatility/obj.py", line 960, in compile
    self.types[name] = self._convert_members(name)
  File "/Users/tribalchicken/Desktop/volatility/volatility/obj.py", line 1235, in _convert_members
    members[k] = (v[0], self._list_to_type(k, v[1], self.vtypes))
  File "/Users/tribalchicken/Desktop/volatility/volatility/obj.py", line 1152, in _list_to_type
    if typeList[0] == 'void':
TypeError: 'int' object has no attribute '__getitem__'

Debug:

  ...
  DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
  DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
  DEBUG   : volatility.debug    : Applying modification from MacObjectClasses
  DEBUG   : volatility.debug    : Applying modification from MacObjectClasses2
  DEBUG   : volatility.debug    : Applying modification from MacObjectClasses4
  DEBUG   : volatility.debug    : Applying modification from MacOverlay
  DEBUG   : volatility.debug    : Applying modification from MachoOverlay
  > /Users/tribalchicken/Desktop/volatility/volatility/obj.py(1152)_list_to_type()
  -> if typeList[0] == 'void':
  (Pdb) 

Interestingly enough, attempting to build my own profile on an 10.11.3 VM yields a different error - But that will probably be a different issue (or a user issue - haven't looked at it too much).

Let me know if I can provide any other info.

Cheers,

Thomas

Profile created for macOS 10.11.6_15G31x64 does not work

I carefully followed the instructions and created a profile that Volatility identifies using the --info command. However, when I try to use it with a memory image of an ElCapitan_10.11.6 (15G31) system, I get this error:

[nimi /Volumes/SanDiskSSD 20:12:33]$ volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone --profile=MacElCapitan_10_11_6_15G31x64 -l 10.11.vmem mac_psaux
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.overlays.windows.win10_x86_17763_vtypes (ImportError: No module named win10_x86_17763_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_17763_vtypes (ImportError: No module named win10_x64_17763_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_15063_syscalls (ImportError: No module named win10_x64_15063_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_10586_syscalls (ImportError: No module named win10_x86_10586_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_16299_syscalls (ImportError: No module named win10_x86_16299_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_14393_syscalls (ImportError: No module named win10_x64_14393_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86_24000_vtypes (ImportError: No module named win7_sp1_x86_24000_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_15063_syscalls (ImportError: No module named win10_x86_15063_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_17134_vtypes (ImportError: No module named win10_x86_17134_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_17134_vtypes (ImportError: No module named win10_x64_17134_vtypes)
*** Failed to import volatility.plugins.gui.vtypes.win10 (ImportError: No module named win10)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_16299_syscalls (ImportError: No module named win10_x64_16299_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_16299_vtypes (ImportError: No module named win10_x86_16299_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_15063_vtypes (ImportError: No module named win10_x64_15063_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_10240_17770_vtypes (ImportError: No module named win10_x64_10240_17770_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_10240_17770_vtypes (ImportError: No module named win10_x86_10240_17770_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_14393_syscalls (ImportError: No module named win10_x86_14393_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_16299_vtypes (ImportError: No module named win10_x64_16299_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x64_10586_syscalls (ImportError: No module named win10_x64_10586_syscalls)
*** Failed to import volatility.plugins.overlays.windows.win7_sp1_x64_24000_vtypes (ImportError: No module named win7_sp1_x64_24000_vtypes)
*** Failed to import volatility.plugins.overlays.windows.win10_x86_15063_vtypes (ImportError: No module named win10_x86_15063_vtypes)
Pid      Name                 Bits             Stack              Length   Argc     Arguments
-------- -------------------- ---------------- ------------------ -------- -------- ---------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 Win10AMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace: Location is not of file scheme
 ArmAddressSpace: No base Address Space

The memory image was made by running the ElCapitan system in VMWare and suspending VMWare, then processing the .vmem file directly. That should work... but it is not. The .vmem file is precisely 2**31 bytes in size, and the RAM on this VM is 2GiB.

license?

What license is the profiles repo released under? Thanks

Win10 Issue

While processing a Win10 memory image, I get an incomplete imageinfo result and obscured pslist results. Any advice?

vol.py -f memdump.mem imageinfo

Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win10x64_10586, Win10x64_14393, Win10x64, Win2016x64_14393
AS Layer1 : Win10AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/cases/memdump.mem)
PAE type : No PAE
DTB : 0x1ab000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2018-04-06 12:42:32 UTC+0000
Image local date and time : 2018-04-06 08:42:32 -0400

PSLIST returns stuff like the following:


0xffffe602d2ec2038 4 0 36...2 0 ------ 0 6285-08-11 06:06:22 UTC+0000
0xffffe602d4f7e038 0�??�???smss.exe 368 0 35...8 0 ------ 0 6235-10-10 05:36:19 UTC+0000
0xffffe602d4eb3578 ??A?�???csrss.ex 472 0 36...4 0 ------ 0 6236-08-31 00:21:17 UTC+0000
0xffffe602d64c0078 556 0 35...8 0 ------ 0 6692-05-05 17:10:47 UTC+0000
0xffffe602d64c4078 ?uK?�???wininit. 564 292 35...4 0 ------ 0 6236-08-31 07:59:24 UTC+0000
0xffffe602d64ca078 ?yK?�???csrss.ex 572 0 37...4 0 ------ 0 6236-08-31 00:21:17 UTC+0000
0xffffe602d6514078 ??O?�???winlogon 664 352 36...0 0 ------ 0 6236-07-21 07:00:39 UTC+0000
0xffffe602d652d578 P?Q?�???services 708 0 36...0 0 ------ 0 6236-08-31 00:21:17 UTC+0000
0xffffe602d654a078 ??T?�???lsass.ex 732 2812 37...4 0 ------ 0 6236-07-21 07:00:39

Is it truly possible to use Volatility with Linux memory dumps?

(I'm sorry, I cannot write English well.)

Have you ever used the Volatility Framework with recent Linux memory dumps?

I have been working hard on this for a few days.

I think Volatility is the de facto standard in Windows analysis; on the other hand, it does not work with memory dumps from Linux.

Recent kernel versions appear to have broken compatibility. Even if you use the profiles provided on the official GitHub, they don't match if even one number in the three-part version is different.

I used LiME and lmg (Linux Memory Grabber) for creating the profile and dumping physical memory.
Everything is OK.

But Volatility cannot parse the data.
I tried CentOS, Ubuntu, Kali Linux, Debian, Fedora, and so on.

In every case, this message is shown:


No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
Win10AMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xee300
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
Win10AMD64PagedMemory: Incompatible profile Linuxcpuu-VirtualBox-2017-05-01_04_31_48-profilex86 selected
WindowsAMD64PagedMemory: Incompatible profile Linuxcpuu-VirtualBox-2017-05-01_04_31_48-profilex86 selected
LinuxAMD64PagedMemory: Incompatible profile Linuxcpuu-VirtualBox-2017-05-01_04_31_48-profilex86 selected
AMD64PagedMemory: Incompatible profile Linuxcpuu-VirtualBox-2017-05-01_04_31_48-profilex86 selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check


Was there a mistake in my work? Or does Volatility still not support those versions of Linux?

How to create a profile outside of a running system?

I'm trying to do some memory analysis on an embedded Linux system. Due to storage constraints there is no /lib/modules/version/build available, but I do have the kernel configuration file and System.map, so what I've done is download the kernel source from kernel.org and build it using the kernel configuration file from the embedded system. Then, in tools/linux/, execute

make -C ${KP} CONFIG_DEBUG_INFO=y M="$PWD" modules
dwarfdump -di module.ko >module.dwarf

where ${KP} is the path to the kernel build directory. Then package module.dwarf and the System.map from the running system into a zip archive and copy that to volatility/plugins/overlays/linux/. This seems to work OK, or at least I see my profile in the --info list. But when I try to use the profile with a LiME image and the linux_pslist command, I get errors like this:

(lots of messages about missing Crypto.Hash and distorm3 plugins)
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure vm_area_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure sockaddr_un not present in vtypes
WARNING : volatility.debug    : Overlay structure hlist_head not present in vtypes
WARNING : volatility.debug    : Overlay structure task_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure dentry not present in vtypes
WARNING : volatility.debug    : Overlay structure net_device not present in vtypes
WARNING : volatility.debug    : Overlay structure super_block not present in vtypes
WARNING : volatility.debug    : Overlay structure in_ifaddr not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure vm_area_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure sockaddr_un not present in vtypes
WARNING : volatility.debug    : Overlay structure hlist_head not present in vtypes
WARNING : volatility.debug    : Overlay structure task_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure dentry not present in vtypes
WARNING : volatility.debug    : Overlay structure net_device not present in vtypes
WARNING : volatility.debug    : Overlay structure super_block not present in vtypes
WARNING : volatility.debug    : Overlay structure in_ifaddr not present in vtypes
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base

and all the other address space modules also report no base address. Originally I thought the problem might be my LiME module (the embedded system has no build tools, so I had to follow a similar process to build the LiME kernel module), but the WARNING messages about being unable to find this or that kernel data structure makes me wonder if the problem is in my profile? I wondered if anyone had some ideas/hints?

Problem parsing Red Hat 7.6 vmem image with custom built profile

I was able to build a profile for Red Hat Linux 7.8 maipo x64 kernel 3.10.0-1127.19.1.el7.x86_64. The profile built without issues, showing no errors and building the zip file correctly. On Red Hat I built libdwarf from source and then created the module.dwarf using the instructions provided by the volatilityfoundation project.

However when I try to analyze the vmem file it fails. What can I do to troubleshoot this problem?

vol.py --profile=LinuxRedHat7_6Maipox64 -f "Snapshot.vmem" linux_bash
Volatility Foundation Volatility Framework 2.6

Pid Name Command Time Command


No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
Win10AMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
Win10AMD64PagedMemory: Incompatible profile LinuxRedHat7_6Maipox64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxRedHat7_6Maipox64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxRedHat7_6Maipox64 selected
IA32PagedMemory: Incompatible profile LinuxRedHat7_6Maipox64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check

I followed the exact same procedure with an Ubuntu 16.06.4 LTS with kernel 4.4.0-177-generic and it worked; I was able to analyze the memory on that system with the custom profile that I built. However with Red Hat it does not work. What can I do to solve the problem? Thanks.

Add support for arm based linux memory analysis

I have installed all prerequisites and configured everything on my Raspberry Pi 3. The LiME module is able to capture live memory. module.dwarf is also successfully compiled, but due to the absence of System.map in the /boot directory, I am unable to create a profile for ARM Raspbian. I followed a method suggested by Gus Kenion to create the profile. The profile was successfully made, but I was not able to analyze the image with that profile. I suggest adding support or introducing a new method to create profiles for ARM based devices.

volatility plugin

When I try to run the following command on Windows 10:

volatility_2.6_win64_standalone.exe --plugins=myplugins --profile=Win10x64 -f 20170224.mem myplugin
I get this error:

Traceback (most recent call last):
File "vol.py", line 192, in
File "vol.py", line 183, in main
File "volatility\commands.py", line 147, in execute
File "volatility\commands.py", line 282, in render_text
File "volatility\commands.py", line 273, in _render
File "volatility\commands.py", line 270, in unified_output
NotImplementedError: Rendering using the unified output format has not been implemented for this plugin.
Failed to execute script vol

How to resolve "Struct VOLATILITY_MAGIC has no member KDBG" error

When I run the

python vol.py imageinfo -f dump/linux-sample-1.bin

command, it gives me this output

Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with Linuxbookx64)
AS Layer1 : LinuxAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/ram/Ankit/Volatility/volatility-master/dump/linux-sample-1.bin)
PAE type : No PAE
DTB : 0x1605000L

and the following error

Traceback (most recent call last):
File "vol.py", line 192, in
main()
File "vol.py", line 183, in main
command.execute()
File "/home/ram/Ankit/Volatility/volatility-master/volatility/commands.py", line 147, in execute
func(outfd, data)
File "/home/ram/Ankit/Volatility/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
for k, t, v in data:
File "/home/ram/Ankit/Volatility/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
kdbg = volmagic.KDBG.v()
File "/home/ram/Ankit/Volatility/volatility-master/volatility/obj.py", line 751, in getattr
return self.m(attr)
File "/home/ram/Ankit/Volatility/volatility-master/volatility/obj.py", line 733, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG

Problem with Linux prebuilt profile

Hello everyone,
I'm facing a problem with Volatility version 2.6; can you please help me.
The problem is: Volatility comes with default Windows profiles but there are no Linux profiles. To resolve this, some prebuilt Linux profiles are already available at https://github.com/volatilityfoundation/profiles. I followed the instructions there, but I'm still not getting the profile in the output profile list after running

"python vol.py image info -f /dump/victoria-v8.memdump.img"

I followed this solution but it does not work for me in Volatility version 2.6.

Ubuntu Profile LinuxUbuntu1404x64 Not working

When I create a .raw file from a .dmp, I run:

python vol.py -f ubuntu1404dmpconverted.raw --profile=LinuxUbuntu1404x64 pslist

I get

Volatility Foundation Volatility Framework 2.5 ERROR : volatility.debug : This command does not support the profile LinuxUbuntu1404x64

No command works for this profile.

How to make a profile for CentOS 6.6

Hi, I have made many profiles for Ubuntu, but I cannot make a profile for CentOS. Could anyone tell me the way to make a profile for CentOS 6.6?

I hope to contribute to the project

Hello, I wanted to inquire whether this project is currently accepting community contributions. I've developed a Docker-based tool to create profiles for Volatility 2, profile-builder, and I've already generated several profiles specifically for Ubuntu. I'm wondering if I could upload my profiles to this repository to assist other researchers?

Linux Profile Builder

I've been creating a Volatility profile building script to deal with the issue of not having these pre-built. At the time of writing, it will allow you to select from any CentOS and Ubuntu release that exists in Docker. On the Ubuntu side, it will further prompt for the exact kernel that you wish to profile, giving you the selection of valid kernels to choose from for that specific Ubuntu release. Further, though I haven't tested this yet, it uses Docker's default architecture, so if the Docker build supports it, you should be able to build these profiles for any of the architectures available (i.e.: ARM for Ubuntu).

This seems to make the effort of keeping up with new kernels and all the varieties a bit easier and more automated. I think it would be a worthwhile inclusion into the wiki page on Linux profile building.

The script is hosted here: https://github.com/bannsec/volatility_profile_builder

And you can install it simply with pip install volatility_profile_builder.

This is NOT meant to be the be-all for profile building, as it will NOT work with anything that does not have a working repo (i.e.: Ubuntu 14.x, or others). It should help auto-build modern profiles though.

Volatility fails with traceback on Linux (possible profile issue)

In order to eliminate some of the unknowns (see the previous issue), I built a LiME module and a Volatility profile on an up-to-date laptop installation of Fedora 32 that does have /lib/modules/$(uname -r)/build available. Both built without error; however, when I try to run Volatility on the image and use Linux commands like linux_pslist, or even linux_cpuinfo, I get this traceback:

Volatility Foundation Volatility Framework 2.6
(a bunch of messages about failing to load things that depend on Crypto.Hash or distorm3)
Traceback (most recent call last):
  File "/home/volatility/volatility-master/vol.py", line 192, in <module>
    main()
  File "/home/volatility/volatility-master/vol.py", line 183, in main
    command.execute()
  File "/home/volatility/volatility-master/volatility/plugins/linux/common.py", line 64, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/volatility/volatility-master/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/home/volatility/volatility-master/volatility/plugins/overlays/linux/linux.py", line 216, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/home/volatility/volatility-master/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/home/volatility/volatility-master/volatility/plugins/overlays/linux/linux.py", line 227, in reset
    self.load_vtypes()
  File "/home/volatility/volatility-master/volatility/plugins/overlays/linux/linux.py", line 264, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/home/volatility/volatility-master/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/home/volatility/volatility-master/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/home/volatility/volatility-master/volatility/dwarf.py", line 204, in process_statement
    self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
KeyError: 'DW_AT_byte_size'

Notable is that I do not get the WARNING messages about unknown structure definitions that were seen in the previous issue, so this is at least a step forward. But I'm stuck here, apparently because the size of a DW is not defined? I'm using Volatility 2.6, Python 2.7.18, and both the subject system and the analysis system are running Fedora 32. In case it matters, the subject system is running kernel 5.7.15-200.fc32.x86_64 and the analysis system is one step behind with 5.7.14-200.fc32.x86_64. It's the fact that it seems to be missing a definition for a fundamental system attribute that makes me wonder if this is a profile issue.

The steps to create the profile were:

Copy the volatility-master tree to the subject system
cd volatility-master/tools/linux
make -C /lib/modules/$(uname -r)/build CONFIG_DEBUG_INFO=y M="$PWD" modules
dwarfdump -di module.ko >module.dwarf
Then package up module.dwarf and /boot/System.map-$(uname -r) into a zip archive
Copy the zip archive to volatility-master/volatility/plugins/overlays/linux/

My volatility command was just:

volatility --profile=Linuxtest-5_7_15-200_fc32_x86_64x64 -f test.lime linux_cpuinfo

So... any hints about what I could try to fix this? I figure if I can get this working it may help with the other issue, or in any case, one step at a time. Thanks!
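Added example, not code from the profiles repo or from Volatility itself: a small checker for the zip produced by the profile-creation steps described in this post and in "How to create a profile outside of a running system?" above. It reports structure DIEs that carry no DW_AT_byte_size (the entry behind the KeyError in the traceback) and System.map symbols that are missing; the dwarfdump layout it parses, the required-symbol list and the sample texts are constructed assumptions.

```python
# Added example, not Volatility's own code: sanity-check a Volatility 2 Linux
# profile zip (module.dwarf + System.map) before handing it to vol.py.
# The dwarfdump layout parsed here and the symbol/struct lists are assumptions.
import io
import re
import zipfile

REQUIRED_SYMBOLS = ("init_task", "swapper_pg_dir", "linux_banner")  # assumed
REQUIRED_STRUCTS = ("task_struct", "vm_area_struct", "dentry")  # named in the warnings
DIE_RE = re.compile(r"^<\s*\d+><0x[0-9a-fA-F]+>\s+(DW_TAG_\w+)")
ATTR_RE = re.compile(r"^[ \t]+(DW_AT_\w+)[ \t]+(.*?)[ \t]*$", re.M)


def parse_structs(dwarf_text):
    """Map each named DW_TAG_structure_type to its byte size.  None means the
    DIE has no DW_AT_byte_size, the entry behind KeyError: 'DW_AT_byte_size'."""
    structs = {}
    # Each DIE starts on a "<level><offset>  DW_TAG_..." line; attributes follow.
    for chunk in re.split(r"^(?=<\s*\d+><0x)", dwarf_text, flags=re.M):
        head = DIE_RE.match(chunk)
        if head and head.group(1) == "DW_TAG_structure_type":
            attrs = dict(ATTR_RE.findall(chunk))
            name = attrs.get("DW_AT_name", "").strip('"')
            if name:
                size = attrs.get("DW_AT_byte_size")
                structs[name] = int(size, 0) if size else None
    return structs


def check_profile(zip_bytes):
    """Return the problems found in an in-memory profile zip (empty list = OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        dwarfs = [n for n in zf.namelist() if n.endswith(".dwarf")]
        maps = [n for n in zf.namelist() if "System.map" in n]
        if len(dwarfs) != 1 or len(maps) != 1:
            problems.append("zip must hold exactly one .dwarf and one System.map")
        if dwarfs:
            structs = parse_structs(zf.read(dwarfs[0]).decode())
            for s in REQUIRED_STRUCTS:
                if s not in structs:
                    problems.append("struct %s absent from dwarf (no vtype)" % s)
                elif structs[s] is None:
                    problems.append("struct %s has no DW_AT_byte_size" % s)
        if maps:
            # System.map lines are "<address> <type> <symbol>"
            rows = [l.split() for l in zf.read(maps[0]).decode().splitlines()]
            syms = {r[2] for r in rows if len(r) == 3}
            problems += ["symbol %s missing from System.map" % s
                         for s in REQUIRED_SYMBOLS if s not in syms]
    return problems


def make_zip(members):
    """Pack {filename: text} into zip bytes, as the last creation step does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample: task_struct is complete, vm_area_struct is only a
# declaration, dentry is absent, and swapper_pg_dir is not in the map.
SAMPLE_DWARF = """\
< 1><0x00000050>    DW_TAG_structure_type
                      DW_AT_name                  "task_struct"
                      DW_AT_byte_size             0x00001e80
< 1><0x00000900>    DW_TAG_structure_type
                      DW_AT_name                  "vm_area_struct"
                      DW_AT_declaration           yes(1)
"""
SAMPLE_MAP = "ffffffff82a00000 D init_task\nffffffff82c0a000 R linux_banner\n"
SAMPLE_ZIP = make_zip({"module.dwarf": SAMPLE_DWARF,
                       "System.map-KERNEL-VERSION-PLACEHOLDER": SAMPLE_MAP})
```

Running check_profile on a real profile zip before copying it into plugins/overlays/linux/ separates packaging mistakes from parser failures like the one in the traceback.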

Error when building Linux profile

Hi All,

I have been trying hard to create a Linux profile but I ran into an error when I build it.
The machine I want to analyze is a Red Hat Enterprise Linux Server release 6.10 (Oracle Linux Server release 6.10)

Below is the error msg:

root@:~/volatility/tools/linux# make -C /lib/modules/4.1.12-112.14.15.el6uek.x86_64/build CONFIG_DEBUG_INFO=y M=$PWD modules
make: Entering directory '/usr/src/4.1.12-112.14.15.el6uek.x86_64'
arch/x86/Makefile:114: stack-protector enabled but compiler support broken
Makefile:658: Cannot use CONFIG_CC_STACKPROTECTOR_REGULAR: -fstack-protector not supported by compiler
CC [M] /root/volatility/tools/linux/module.o
cc1: error: code model kernel does not support PIC mode
make[1]: *** [scripts/Makefile.build:265: /root/volatility/tools/linux/module.o] Error 1
make: *** [Makefile:1430: module/root/volatility/tools/linux] Error 2
make: Leaving directory '/usr/src/4.1.12-112.14.15.el6uek.x86_64'

Thank you

AddrSpaceError with Ubuntu 18.04.3x64 profile on Ubuntu 18.04.3 - 4.15.0-55-generic

Hello,
I've installed Volatility 2.5 to work with Cuckoo 2.0.7 on an Ubuntu 18.04 host with a Windows guest (on which Volatility works correctly) and an Ubuntu 18.04.3 guest with 4.15.0-55-generic, for which I downloaded the 18.04.3x64 profile.
I correctly set osprofile in virtualbox.conf, but when I try to run an ELF file on the Ubuntu guest, I get the following error:

Failed to run the processing module "Memory" for task #25:
Traceback (most recent call last):
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 246, in process
    data = current.run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1118, in run
    return VolatilityManager(self.memory_path, osprofile).run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1000, in __init__
    self.vol = VolatilityAPI(self.memfile, self.osprofile)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 79, in __init__
    self.init_config()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 149, in init_config
    if self.get_dtb():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 85, in get_dtb
    for ep in ps.calculate():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/filescan.py", line 354, in calculate
    addr_space = utils.load_as(self._config, astype = 'physical')
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/utils.py", line 65, in load_as
    raise error
AddrSpaceError: No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace - EXCEPTION: 'DW_AT_byte_size'
 ArmAddressSpace: No base Address Space

Imageinfo command doesn't work on Linux memory sample

The imageinfo command doesn't work on Linux memory samples, right? Now consider a scenario where I have a number of Linux profiles and I don't know which profile is ideal for my dumps. For this, either I have to first find the suggested profile by using the imageinfo command, which helps me go ahead and perform other operations on my Linux memory samples, or another way is to take every profile one by one and test all of them with my Linux memory samples, which takes too much time. So what I'm asking is: is there any alternative command to imageinfo which gives me a suggested profile for my Linux memory samples?

macOS Monterey

Hi, does Volatility support a macOS Monterey version 12.0.1 profile?
I am having an issue with "Unable to find an OS X profile for the given memory sample."

macprofile

No Suitable Address space mapping Found

Hi,

I get the error 'No suitable address space mapping found' when I try to run the following command
sudo python vol.py -f dump2.raw --profile="LinuxUbuntu1204x64" linux_pslist

I have generated the memory dump using Lime with the following command
insmod LiME/src/lime-4.4.0-130-generic.ko "path=dump2.raw format=lime"

I have tried formats raw, padded and lime all to no luck.

I have created the profile on installation of Volatility; my Linux kernel version is 4.4.0-130-generic. Is this version supported?

Here is my error in full
Volatility Foundation Volatility Framework 2.6
Offset Name Pid PPid Uid Gid DTB Start Time


No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxUbuntu1204x64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxUbuntu1204x64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu1204x64 selected
IA32PagedMemory: Incompatible profile LinuxUbuntu1204x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space

Creating profile in Volatility 2.5

I have created a profile for Ubuntu 16.10 following exactly the guide but there is no profile there.
vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.5
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
Ubuntu1610.zip

I'm using Ubuntu 16.10 and have made sure to have all the needed packages (build-essential, linux-headers-generic, dwarfdump).
