You may need to format the raw image using https://github.com/juergh/lqs2mem

Geoff


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Michael Ligh
Sent: Wednesday, May 04, 2016 7:40 AM
To: Adam Pridgen <[email protected]>; 
[email protected]
Subject: Re: [Vol-users] Analyzing memory from a QEMU snapshot

Also, imageinfo is a Windows-only plugin that accesses Windows-only data 
structures (thus the error when running on a Linux memory image). Try something 
like linux_pslist and see if that works on your sample.

Cheers,
MHL

On 5/4/16 9:25 AM, Adam Pridgen wrote:
> Thomas,
> 
> Which profile are you using?  You should create a profile for the 
> Linux VM you are trying to analyze.  I have had to do this for several 
> clean installs of Ubuntu because of Linux kernel versions.
> 
> -- Adam
> 
> On May 4, 2016 8:50 AM, "Thomas Hungenberg" <[email protected] 
> <mailto:[email protected]>> wrote:
> 
>     Hi,
> 
>     I was provided a suspend-to-disk snapshot image along with a copy of the
>     virtual hard disk file from a QEMU/KVM-based Linux server for analysis.
> 
>     Analysis of the hard disk is done. Now I'd like to dump running processes
>     etc. from the server's memory image.
> 
>     I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory
>     image using the 'dump-guest-memory' command. So now I have this:
>     memory.img: ELF 64-bit LSB  core file Intel 80386, version 1 (SYSV),
>     SVR4-style
> 
>     Then, I set up a fresh VM with Debian Linux in the same version the virtual
>     server was running. Next, I installed the kernel image and related files
>     extracted from the virtual hard disk on this new VM to get a Linux system
>     running exactly the same kernel version. On this VM, I created a Volatility
>     profile using the files provided in /tools/linux/.
> 
>     Unfortunately, Volatility crashes when running imageinfo on the dumped
>     memory image file:
>     =========================================================================
>     $ python vol.py imageinfo -f /path/to/memory.img
>     Volatility Foundation Volatility Framework 2.5
>     INFO    : volatility.debug    : Determining profile based on KDBG search...
>               Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
>                          AS Layer1 : QemuCoreDumpElf (Unnamed AS)
>                          AS Layer2 : FileAddressSpace (/path/to/memory.img)
>                           PAE type : No PAE
>                                DTB : -0x1L
>     Traceback (most recent call last):
>       File "vol.py", line 192, in <module>
>         main()
>       File "vol.py", line 183, in main
>         command.execute()
>       File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
>         func(outfd, data)
>       File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
>         for k, t, v in data:
>       File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
>         kdbg = volmagic.KDBG.v()
>       File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
>         return self.m(attr)
>       File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
>         raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
>     AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
>     =========================================================================
> 
>     When running other Volatility plugins on the memory image with the created
>     profile, it says "No suitable address space mapping found":
>     =========================================================================
>     $ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
>     Volatility Foundation Volatility Framework 2.5
>     No suitable address space mapping found
>     Tried to open image as:
>      MachOAddressSpace: mac: need base
>      LimeAddressSpace: lime: need base
>      WindowsHiberFileSpace32: No base Address Space
>      WindowsCrashDumpSpace64BitMap: No base Address Space
>      WindowsCrashDumpSpace64: No base Address Space
>      HPAKAddressSpace: No base Address Space
>      VirtualBoxCoreDumpElf64: No base Address Space
>      VMWareMetaAddressSpace: No base Address Space
>      QemuCoreDumpElf: No base Address Space
>     [...]
>     =========================================================================
> 
>     Any suggestions?
>     What am I missing?
> 
> 
>          - Thomas
> 
> 
>     _______________________________________________
>     Vol-users mailing list
>     [email protected] <mailto:[email protected]>
>     http://lists.volatilesystems.com/mailman/listinfo/vol-users
> 
> 
> 

_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
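Thomas's memory.img is an ELF core as written by dump-guest-memory, and the errors above show Volatility's QemuCoreDumpElf layer not stacking on it. A common fallback is to flatten the core's PT_LOAD segments into a raw image laid out at their guest-physical addresses, which any raw-image address space can then read. The following is an added example, not code from this thread, from Volatility or from lqs2mem; the sample core it builds is constructed, and its two-segment layout is an assumption.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1                      # only loadable segments hold guest RAM
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian (LSB)
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header

def load_segments(core: bytes) -> list:
    """Return sorted (guest_paddr, file_offset, size) for every PT_LOAD segment."""
    if core[:4] != ELF_MAGIC or core[4] != 2 or core[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    hdr = struct.unpack_from(EHDR_FMT, core, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type != 4:  # ET_CORE, which is what dump-guest-memory writes
        raise ValueError("not an ELF core file")
    segs = []
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR_FMT, core, e_phoff + i * e_phentsize)
        p_type, p_offset, p_paddr, p_filesz = ph[0], ph[2], ph[4], ph[5]
        if p_type == PT_LOAD and p_filesz:   # PT_NOTE (CPU state) is skipped
            segs.append((p_paddr, p_offset, p_filesz))
    return sorted(segs)

def elf_core_to_raw(core: bytes) -> bytes:
    """Lay each PT_LOAD out at its guest-physical address; holes (e.g. the PCI
    window below 4 GiB) are zero-filled so offsets in the output equal paddrs."""
    out = bytearray()
    for paddr, off, size in load_segments(core):
        if paddr < len(out):
            raise ValueError("overlapping PT_LOAD segments at 0x%x" % paddr)
        out.extend(b"\x00" * (paddr - len(out)))
        out.extend(core[off:off + size])
    return bytes(out)

def build_sample_core() -> bytes:
    """Constructed two-segment ELF64 core for testing (not a real QEMU dump)."""
    seg1, seg2 = b"LOWMEM" + b"\x00" * 10, b"HIGHMEM!"   # RAM at 0x0 and at 0x100000
    data_off = 64 + 56 * 2                                # headers precede the data
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       4, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph1 = struct.pack(PHDR_FMT, PT_LOAD, 0, data_off, 0, 0x0, len(seg1), len(seg1), 0)
    ph2 = struct.pack(PHDR_FMT, PT_LOAD, 0, data_off + len(seg1), 0, 0x100000,
                      len(seg2), len(seg2), 0)
    return ehdr + ph1 + ph2 + seg1 + seg2

if __name__ == "__main__":   # usage: elf2raw.py memory.img memory.raw (file read into RAM)
    import sys
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "wb") as g:
        g.write(elf_core_to_raw(f.read()))
```

The output is only as complete as the dump: a guest with a physical-memory hole above the PCI window yields a padded file larger than the guest's RAM, and a core whose segments overlap is rejected rather than silently merged.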
