Hey Adam,

Can you share those profiles?

Thanks

On 4 May 2016 at 15:25, Adam Pridgen <[email protected]> wrote:
> Thomas,
>
> Which profile are you using? You should create a profile for the Linux VM
> you are trying to analyze. I have had to do this for several clean
> installs of Ubuntu because of Linux kernel versions.
>
> -- Adam
>
> On May 4, 2016 8:50 AM, "Thomas Hungenberg" <[email protected]> wrote:
>
>> Hi,
>>
>> I was provided a suspend-to-disk snapshot image along with a copy of the
>> virtual hard disk file from a QEMU/KVM-based Linux server for analysis.
>>
>> Analysis of the hard disk is done. Now I'd like to dump running processes
>> etc. from the server's memory image.
>>
>> I loaded the snapshot into QEMU and used the QEMU monitor to dump a
>> memory image using the 'dump-guest-memory' command.
>> So now I have this:
>> memory.img: ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style
>>
>> Then, I set up a fresh VM with Debian Linux in the same version the
>> virtual server was running. Next, I installed the kernel image and related
>> files extracted from the virtual hard disk on this new VM to get a Linux
>> system running exactly the same kernel version. On this VM, I created a
>> Volatility profile using the files provided in /tools/linux/.
>>
>> Unfortunately, Volatility crashes when running imageinfo on the dumped
>> memory image file:
>> =========================================================================
>> $ python vol.py imageinfo -f /path/to/memory.img
>> Volatility Foundation Volatility Framework 2.5
>> INFO    : volatility.debug    : Determining profile based on KDBG search...
>>           Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
>>                      AS Layer1 : QemuCoreDumpElf (Unnamed AS)
>>                      AS Layer2 : FileAddressSpace (/path/to/memory.img)
>>                       PAE type : No PAE
>>                            DTB : -0x1L
>> Traceback (most recent call last):
>>   File "vol.py", line 192, in <module>
>>     main()
>>   File "vol.py", line 183, in main
>>     command.execute()
>>   File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
>>     func(outfd, data)
>>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
>>     for k, t, v in data:
>>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
>>     kdbg = volmagic.KDBG.v()
>>   File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
>>     return self.m(attr)
>>   File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
>>     raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
>> AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
>> =========================================================================
>>
>> When running other Volatility plugins on the memory image with the
>> created profile, it says "No suitable address space mapping found":
>> =========================================================================
>> $ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
>> Volatility Foundation Volatility Framework 2.5
>> No suitable address space mapping found
>> Tried to open image as:
>>  MachOAddressSpace: mac: need base
>>  LimeAddressSpace: lime: need base
>>  WindowsHiberFileSpace32: No base Address Space
>>  WindowsCrashDumpSpace64BitMap: No base Address Space
>>  WindowsCrashDumpSpace64: No base Address Space
>>  HPAKAddressSpace: No base Address Space
>>  VirtualBoxCoreDumpElf64: No base Address Space
>>  VMWareMetaAddressSpace: No base Address Space
>>  QemuCoreDumpElf: No base Address Space
>>  [...]
>> =========================================================================
>>
>> Any suggestions?
>> What am I missing?
>>
>>
>> - Thomas

_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
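A note and an added example, not part of the thread above and not Volatility's own code. Two facts are worth separating from the profile question Adam raises: first, Volatility 2's imageinfo is a Windows plugin (its KDBG scan has no meaning for a Linux profile, so the AttributeError on VOLATILITY_MAGIC.KDBG is expected rather than a symptom); second, "Intel 80386" in the `file` output means the ELF header carries e_machine EM_386, whereas a 64-bit Linux guest dumped with dump-guest-memory normally shows up as "x86-64" (EM_X86_64). QEMU's x86 dump code selects between the two from the vCPU mode at the moment of the dump, so a dump taken right after loading a suspend-to-disk snapshot deserves a look at its headers before any profile is blamed; which header fields Volatility's QemuCoreDumpElf layer actually checks before accepting a file is an assumption here, not something the thread states. The script below builds a constructed ELF64 core file with PT_LOAD segments in the same layout dump-guest-memory produces, parses the ELF and program headers, flags an EM_386 machine type, and resolves a guest-physical address to a file offset, which is the mapping any core-dump address space has to perform. The function names and the sample segment contents are this example's own.

```python
import struct

# ELF64 constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_CORE = 4
EM_386 = 3        # what `file` reports as "Intel 80386"
EM_X86_64 = 62    # what `file` reports as "x86-64"
PT_LOAD = 1

EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr after e_ident (48 bytes)
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr (56 bytes)
EHDR_SIZE, PHDR_SIZE = 64, 56


def build_core(e_machine, segments):
    """Construct a minimal ELF64 core file (constructed test data, not a real
    QEMU dump). `segments` is a list of (guest_physical_address, bytes)."""
    data_off = EHDR_SIZE + PHDR_SIZE * len(segments)
    phdrs, body = b"", b""
    for paddr, content in segments:
        # p_type, p_flags (RW), p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs += struct.pack(PHDR_FMT, PT_LOAD, 6, data_off + len(body), 0,
                             paddr, len(content), len(content), 0x1000)
        body += content
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_CORE, e_machine, 1, 0, EHDR_SIZE,
                                 0, 0, EHDR_SIZE, PHDR_SIZE, len(segments), 0, 0, 0)
    return ehdr + phdrs + body


def parse_core(blob):
    """Parse the ELF header and collect PT_LOAD segments of an ELF64 LSB core."""
    if blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if blob[4] != ELFCLASS64 or blob[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian cores are handled here")
    (e_type, e_machine, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR_FMT, blob, 16)
    if e_type != ET_CORE:
        raise ValueError("e_type is %d, expected ET_CORE" % e_type)
    segments = []
    for i in range(e_phnum):
        p_type, _, p_offset, _, p_paddr, p_filesz, p_memsz, _ = \
            struct.unpack_from(PHDR_FMT, blob, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append({"offset": p_offset, "paddr": p_paddr,
                             "filesz": p_filesz, "memsz": p_memsz})
    return {"machine": e_machine, "segments": segments}


def sanity_warnings(info):
    """Checks a practitioner would run before blaming the Volatility profile."""
    warnings = []
    if info["machine"] == EM_386:
        warnings.append("e_machine is EM_386 (Intel 80386): the vCPU was not "
                        "in 64-bit mode when the dump was taken")
    elif info["machine"] != EM_X86_64:
        warnings.append("unexpected e_machine %d" % info["machine"])
    if not info["segments"]:
        warnings.append("no PT_LOAD segments: the dump carries no guest RAM")
    return warnings


def phys_to_file_offset(info, paddr):
    """Map a guest-physical address to a file offset via the PT_LOAD table."""
    for seg in info["segments"]:
        if seg["paddr"] <= paddr < seg["paddr"] + seg["filesz"]:
            return seg["offset"] + (paddr - seg["paddr"])
    return None


def read_phys(blob, info, paddr, length):
    """Read guest-physical memory from the dump, failing on unbacked addresses."""
    off = phys_to_file_offset(info, paddr)
    if off is None:
        raise ValueError("paddr 0x%x is not backed by any PT_LOAD segment" % paddr)
    return blob[off:off + length]


if __name__ == "__main__":
    # Constructed sample: a low-memory page and a second segment at 1 MiB
    # holding a fake kernel banner, mirroring the two-segment layout of a dump.
    sample = build_core(EM_X86_64, [(0x0, b"\0" * 0x40),
                                    (0x100000, b"Linux version 3.16 (constructed)")])
    parsed = parse_core(sample)
    print("machine:", parsed["machine"], "warnings:", sanity_warnings(parsed))
    for seg in parsed["segments"]:
        print("PT_LOAD paddr=0x%x filesz=0x%x offset=0x%x"
              % (seg["paddr"], seg["filesz"], seg["offset"]))
    print(read_phys(sample, parsed, 0x100000, 13))
```

Run the parser against the real memory.img in place of the constructed blob; a dump whose header parses as EM_386 or whose PT_LOAD table is empty is a reason to re-take the dump from a guest that is actually running the 64-bit kernel, before spending time on the profile.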
