The original file was a 'QEMU suspend to disk image':

00000000  51 45 56 4d 00 00 00 03  07 00 00 00 0d 70 63 2d  |QEVM.........pc-|
00000010  69 34 34 30 66 78 2d 32  2e 35 01 00 00 00 02 03  |i440fx-2.5......|
00000020  72 61 6d 00 00 00 00 00  00 00 04 00 00 00 00 41  |ram............A|

I loaded this into QEMU and used the monitor command 'dump-guest-memory' which gave me a 'ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style' file:

00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  04 00 03 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|

This is what I'm trying to load with Volatility.

Running lqs2mem on the original suspend to disk image does not work.

Cheers,
Thomas

On 04.05.2016 16:51, Torres, Geoff (Cyber Security) wrote:
> You may need to format the raw image using - https://github.com/juergh/lqs2mem
>
> Geoff
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Michael Ligh
> Sent: Wednesday, May 04, 2016 7:40 AM
> To: Adam Pridgen <[email protected]>;
> [email protected]
> Subject: Re: [Vol-users] Analyzing memory from a QEMU snapshot
>
> Also, imageinfo is a Windows-only plugin that accesses Windows-only data
> structures (thus the error when running on a Linux memory image). Try
> something like linux_pslist and see if that works on your sample.
>
> Cheers,
> MHL
>
> On 5/4/16 9:25 AM, Adam Pridgen wrote:
>> Thomas,
>>
>> Which profile are you using? You should create a profile for the
>> Linux VM you are trying to analyze. I have had to do this for several
>> clean installs of Ubuntu because of Linux kernel versions.
>>
>> -- Adam
>>
>> On May 4, 2016 8:50 AM, "Thomas Hungenberg" <[email protected]> wrote:
>>
>> Hi,
>>
>> I was provided a suspend-to-disk snapshot image along with a copy of the
>> virtual harddisk file from a QEMU/KVM-based Linux server for analysis.
>>
>> Analysis of the harddisk is done. Now I'd like to dump running processes etc.
>> from the server's memory image.
>>
>> I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory image
>> using the 'dump-guest-memory' command.
>> So now I have this:
>> memory.img: ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style
>>
>> Then, I set up a fresh VM with Debian Linux in the same version the virtual
>> server was running. Next, I installed the kernel image and related files
>> extracted from the virtual harddisk on this new VM to get a Linux system
>> running exactly the same kernel version. On this VM, I created a Volatility
>> profile using the files provided in /tools/linux/.
>>
>> Unfortunately, Volatility crashes when running imageinfo on the dumped
>> memory image file:
>> =========================================================================
>> $ python vol.py imageinfo -f /path/to/memory.img
>> Volatility Foundation Volatility Framework 2.5
>> INFO    : volatility.debug    : Determining profile based on KDBG search...
>>           Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
>>                      AS Layer1 : QemuCoreDumpElf (Unnamed AS)
>>                      AS Layer2 : FileAddressSpace (/path/to/memory.img)
>>                       PAE type : No PAE
>>                            DTB : -0x1L
>> Traceback (most recent call last):
>>   File "vol.py", line 192, in <module>
>>     main()
>>   File "vol.py", line 183, in main
>>     command.execute()
>>   File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
>>     func(outfd, data)
>>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
>>     for k, t, v in data:
>>   File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
>>     kdbg = volmagic.KDBG.v()
>>   File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
>>     return self.m(attr)
>>   File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
>>     raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
>> AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
>> =========================================================================
>>
>> When running other Volatility Plugins on the memory image with the created profile,
>> it says "No suitable address space mapping found":
>> =========================================================================
>> $ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
>> Volatility Foundation Volatility Framework 2.5
>> No suitable address space mapping found
>> Tried to open image as:
>>  MachOAddressSpace: mac: need base
>>  LimeAddressSpace: lime: need base
>>  WindowsHiberFileSpace32: No base Address Space
>>  WindowsCrashDumpSpace64BitMap: No base Address Space
>>  WindowsCrashDumpSpace64: No base Address Space
>>  HPAKAddressSpace: No base Address Space
>>  VirtualBoxCoreDumpElf64: No base Address Space
>>  VMWareMetaAddressSpace: No base Address Space
>>  QemuCoreDumpElf: No base Address Space
>>  [...]
>> =========================================================================
>>
>> Any suggestions?
>> What am I missing?
>>
>>
>> - Thomas
>>
>>
>> _______________________________________________
>> Vol-users mailing list
>> [email protected]
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users

--
- Thomas

CERT-Bund Incident Response & Malware Analysis Team
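A small triage check a responder can run before handing either file to a tool, added here as an example and not code from the thread, from Volatility or from lqs2mem: it tells the QEVM savevm stream (the original suspend image, the input lqs2mem expects) from the ELF64 core that dump-guest-memory writes, and lists the PT_LOAD segments that a core-dump address space such as QemuCoreDumpElf can map, so a core with no loadable segments is caught as the cause of a "No suitable address space mapping found" error. The ELF sample is constructed inline with the same e_type/e_machine values as the header dump in the thread; the savevm version is read as the big-endian 32-bit word that follows the magic, which is an assumption about the header bytes shown.

```python
import struct

# Magic values seen at offset 0 of the two files discussed in the thread.
QEVM_MAGIC = b"QEVM"     # QEMU savevm / suspend-to-disk stream (what lqs2mem expects)
ELF_MAGIC = b"\x7fELF"   # dump-guest-memory output (what QemuCoreDumpElf expects)
ET_CORE, PT_LOAD, PT_NOTE = 4, 1, 4

def classify(data: bytes) -> str:
    """Tell a savevm stream from an ELF core by the first four bytes."""
    if data[:4] == QEVM_MAGIC:
        version = struct.unpack_from(">I", data, 4)[0]   # assumed: big-endian stream version
        return "qemu-savevm-v%d" % version
    if data[:4] == ELF_MAGIC:
        return "elf"
    return "unknown"

def elf64_segments(data: bytes):
    """Parse an ELF64 LSB header and its program headers.
    Returns (e_type, e_machine, [(p_type, p_offset, p_paddr, p_filesz), ...])."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    (e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    segs = []
    for i in range(e_phnum):
        p_type, _flags, p_off, _vaddr, p_paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        segs.append((p_type, p_off, p_paddr, p_filesz))
    return e_type, e_machine, segs

def loadable_ranges(data: bytes):
    """Guest-physical ranges a core-dump address space can map: PT_LOAD segments
    that carry bytes in the file. An empty list means nothing can be mapped."""
    e_type, _machine, segs = elf64_segments(data)
    if e_type != ET_CORE:
        raise ValueError("ELF is not a core file (e_type=%d)" % e_type)
    return [(paddr, paddr + filesz) for t, _off, paddr, filesz in segs
            if t == PT_LOAD and filesz]

def build_sample_core() -> bytes:
    """Constructed stand-in for a dump-guest-memory file (not a real dump): ELF64 LSB,
    ET_CORE, EM_386 (3) as in the thread's header, one PT_NOTE and one PT_LOAD."""
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_CORE, 3, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    body = 64 + 2 * 56                      # program headers end here
    note = struct.pack("<IIQQQQQQ", PT_NOTE, 0, body, 0, 0, 32, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 7, body + 32, 0, 0x1000, 0x2000, 0x2000, 0)
    return ehdr + note + load + b"\0" * 32 + b"\xaa" * 0x2000
```

Run classify() and loadable_ranges() on the real memory.img; a file that classifies as savevm needs conversion first, and an ELF that yields no ranges has no PT_LOAD data for any address space to map.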
