Hi,
I've got to beg some help again. After finally getting Volatility for Linux to work, I procured a Mac mini to test Volatility in that space. I've carefully followed the instructions at http://code.google.com/p/volatility/wiki/MacMemoryForensics to create a profile file named 12.1.0.64bit.zip, which I placed in the volatility/plugins/overlays/mac folder. When I use the --info option in volatility, I see the profile as Mac12_1_0_64bitx64, so it's getting that far. However, when I try to actually analyze an 8GB dump (dumped using MacMemoryreader_3.0.2) from the same Mac mini that I used to generate the profile, I get the following issues:
$ python ./vol.py mac_machine_info --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj : Deprecation warning: A plugin is making use of profile.add_types
Major Version: -
Minor Version: -
Memory Size: -
Max CPUs: -
Physical CPUs: -
Logical CPUs: -
$ python ./vol.py mac_dmesg --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj : Deprecation warning: A plugin is making use of profile.add_types
Traceback (most recent call last):
File "./vol.py", line 185, in <module>
main()
File "./vol.py", line 176, in main
command.execute()
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 57, in render_text
for buf in data:
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 41, in calculate
if bufc[bufx] == 0 and bufc[0] != 0:
TypeError: string indices must be integers, not NoneObject
$ python ./vol.py imageinfo --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
Determining profile based on KDBG search...
Traceback (most recent call last):
File "./vol.py", line 185, in <module>
main()
File "./vol.py", line 176, in main
command.execute()
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 34, in render_text
for k, v in data:
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 44, in calculate
suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/kdbgscan.py", line 112, in calculate
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 743, in __getattr__
return self.m(attr)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 725, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBGHeader
Does anyone know what may be going on here?
Thanks
John
P.S. Here's my -info output:
$ python ./vol.py --info
Volatile Systems Volatility Framework 2.1_rc3
Scanner Checks
--------------
CheckHiveSig - Check for a registry hive signature
CheckPoolIndex - Checks the pool index
CheckPoolSize - Check pool block size
CheckPoolType - Check the pool type
CheckProcess - Check sanity of _EPROCESS
CheckSocketCreateTime - Check that _ADDRESS_OBJECT.CreateTime makes sense
CheckThreads - Check sanity of _ETHREAD
KPCRScannerCheck - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck - This scanner checks for the occurance of a pool tag
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - No docs
FileAddressSpace - This is a direct file AS.
IA32PagedMemory - Legacy x86 non PAE address space (to use specify --use_old_as)
IA32PagedMemoryPae - Legacy x86 PAE address space (to use specify --use_old_as)
JKIA32PagedMemory - Standard x86 32 bit non PAE address space.
JKIA32PagedMemoryPae - Standard x86 32 bit PAE address space.
LimeAddressSpace - Address space for Lime
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
Profiles
--------
LinuxDebian2632x86 - A Profile for Linux Debian2632 x86
Mac12_1_0_64bitx64 - A Profile for Mac 12.1.0.64bit x64
Macmac_profilex64 - A Profile for Mac mac_profile x64
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Plugins
-------
apihooks - Detect API hooks in process and kernel memory
bioskbd - Reads the keyboard buffer from Real Mode memory
callbacks - Print system-wide notification routines
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
driverscan - Scan for driver objects _DRIVER_OBJECT
envars - Display process environment variables
filescan - Scan Physical memory for _FILE_OBJECT pool allocations
gdt - Display Global Descriptor Table
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Scan Physical memory for _CMHIVE objects (registry hives)
idt - Display Interrupt Descriptor Table
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
linux_arp - Print the ARP table
linux_cpuinfo - Prints info about each active processor
linux_dmesg - Gather dmesg buffer
linux_dump_map - No docs
linux_ifconfig - Gathers active interfaces
linux_iomem - Provides output similar to /proc/iomem
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists open files
linux_memmap - Dumps the memory map for linux tasks.
linux_mount - Gather mounted fs/devices
linux_netstat - Lists open sockets
linux_proc_maps - gathers process maps for linux
linux_psaux - gathers processes along with full command line and start time
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_route_cache - Lists routing table
lsadump - Dump (decrypted) LSA secrets from the registry
mac_arp - prints the arp table
mac_dmesg - prints the kernel debug buffer
mac_get_processors - No docs
mac_ifconfig - No docs
mac_ip_filters - No docs
mac_list_open_files - No docs
mac_lsmod - No docs
mac_machine_info - No docs
mac_mount - No docs
mac_netstat - No docs
mac_notifiers - detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_proc_maps - No docs
mac_psaux - No docs
mac_pslist - No docs
mac_route - No docs
mac_runq - No docs
mac_trustedbsd - No docs
mac_version - No docs
mac_vfs_events - No docs
mac_wait_queues - No docs
malfind - Find hidden and injected code
memdump - Dump the addressable memory for a process
memmap - Print the memory map
moddump - Dump a kernel driver to an executable file sample
modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules - Print list of loaded modules
mutantscan - Scan for mutant objects _KMUTANT
netscan - Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher - Patches memory based on page scans
printkey - Print a registry key, and its subkeys and values
procexedump - Dump a process to an executable file sample
procmemdump - Dump a process to an executable memory sample
pslist - print all running processes by following the EPROCESS lists
psscan - Scan Physical memory for _EPROCESS pool allocations
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
raw2dmp - Converts a physical memory sample to a windbg crash dump
shimcache - Parses the Application Compatibility Shim Cache registry key
sockets - Print list of open sockets
sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Scan for symbolic link objects
thrdscan - Scan physical memory for _ETHREAD objects
threads - Investigate _ETHREAD and _KTHREADs
timers - Print kernel timers and associated module DPCs
userassist - Print userassist registry keys and information
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
volshell - Shell in the memory image
yarascan - Scan process or kernel memory with Yara signatures
Hi Folks,
Thanks tons to Mike Auty, Andrew Case, Joe Sylve, Andrew DiMino, Michael Cohen, and Jamie Levy, I'm now up and running with Volatility for Linux. I did want to mention a couple of things that I ran into problems with. It's possible we might want for some related items to be more prominent in the documentation.
1. While the -h option output does include the line, "--info Print information about all registered objects", it still wasn't immediately clear to me that this option would list available profiles. In fact, I somehow managed to miss the existence of --info entirely. It might be useful to actually include the list of available profiles in the -h output. Alternatively, maybe we could move --info in the -h output closer to the top, and specifically mention that it will list available profiles?
2. It wasn't clear to me initially that to define a profile, you drop an appropriately named .zip file with appropriate contents into volatility/plugins. It's still not entirely clear, as from some of my reading it looks like you're supposed to put the profile file into volatility/plugins/overlays/<ostype> instead. I'm guessing both probably work, though I haven't tested. I suspect one is legacy or something. You might want to append a notation to the --profile line in the -h output to "see the tools/<ostype>/README file for details on profile creation", and then spell this out a little more clearly there, including how the profile name is constructed, based on the name of the zip file.
3. I ran into a problem using the specific zip command listed in the tools/linux/README file, "zip Distro.zip module.dwarf /boot/System.map-2.6.32-8-generic". This creates a zip file with a boot subfolder containing the System.map file, which didn't work in my testing. I had to copy the System.map file to the current folder and then zip up the two files.
4. The linux wiki document is out of date, but I imagine you already knew that. It should refer to the linux-trunk branch instead of the scudette branch. It also doesn't say where to put the .zip file to create a profile, how the name of the new profile is created, based on the .zip file name, or how to get a list of available profiles.
Thanks again
John
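Items 2 and 3 above (where the profile's zip entries must sit, and how the profile name follows the zip name) are the kind of thing that is easier to check with a script than by eye. The following Python 3 example is added here and is not Volatility code: it builds a Linux profile zip with both files at the archive root, flags an archive whose System.map was stored under a boot/ directory the way the README's zip command produces it, and derives the profile name the way the --info listing in this thread shows it (12.1.0.64bit.zip -> Mac12_1_0_64bitx64). The dwarf and System.map contents are constructed placeholders, and the naming rule is inferred from that listing rather than taken from the project's documentation.

```python
import os
import tempfile
import zipfile

# Constructed stand-ins for the two files a Linux profile carries: the
# dwarf dump of the compiled module and the kernel's System.map.
SAMPLE_DWARF = b"<1><0x1e>: DW_TAG_structure_type (constructed placeholder)\n"
SAMPLE_SYSMAP = b"c1000000 T _text\nc1001000 T start_kernel\n"


def build_profile_zip(zip_path, member_paths):
    """Store each file at the archive root, whatever directory it came from.

    `zip Distro.zip module.dwarf /boot/System.map-...` keeps the boot/
    directory inside the archive; forcing arcname to the bare file name
    avoids that.
    """
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in member_paths:
            zf.write(path, arcname=os.path.basename(path))


def profile_zip_problems(zip_path):
    """Return a list of problems with a profile zip (empty when it looks sane)."""
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    nested = [n for n in names if "/" in n.rstrip("/")]
    if nested:
        problems.append("stored under a subdirectory: " + ", ".join(nested))
    root = [n for n in names if "/" not in n]
    if not any(n.endswith(".dwarf") for n in root):
        problems.append("no .dwarf file at the archive root")
    if not any(n.startswith("System.map") for n in root):
        problems.append("no System.map* file at the archive root")
    return problems


def profile_name_from_zip(zip_path, os_prefix, arch):
    """Profile name as the --info listing in this thread shows it.

    Inferred from that listing, not from the project's documentation:
    12.1.0.64bit.zip -> Mac12_1_0_64bitx64, mac_profile.zip -> Macmac_profilex64.
    """
    stem = os.path.splitext(os.path.basename(zip_path))[0]
    return os_prefix + stem.replace(".", "_") + arch


def run_demo(workdir=None):
    """Build a flat and a nested archive in a scratch directory and check both."""
    workdir = workdir or tempfile.mkdtemp(prefix="volprofile-")
    dwarf = os.path.join(workdir, "module.dwarf")
    sysmap = os.path.join(workdir, "System.map-2.6.32-8-generic")
    with open(dwarf, "wb") as f:
        f.write(SAMPLE_DWARF)
    with open(sysmap, "wb") as f:
        f.write(SAMPLE_SYSMAP)

    flat = os.path.join(workdir, "Debian2632.zip")
    build_profile_zip(flat, [dwarf, sysmap])

    # The layout the README's zip command produces: the map ends up as
    # boot/System.map-... inside the archive.
    nested_zip = os.path.join(workdir, "Nested.zip")
    with zipfile.ZipFile(nested_zip, "w") as zf:
        zf.write(dwarf, arcname="module.dwarf")
        zf.write(sysmap, arcname="boot/" + os.path.basename(sysmap))

    return {
        "flat_problems": profile_zip_problems(flat),
        "nested_problems": profile_zip_problems(nested_zip),
        "flat_name": profile_name_from_zip(flat, "Linux", "x86"),
        "mac_name": profile_name_from_zip("12.1.0.64bit.zip", "Mac", "x64"),
    }


if __name__ == "__main__":
    for key, value in sorted(run_demo().items()):
        print("%s: %s" % (key, value))
```

Running it reports no problems for the flat archive and two for the nested one (the entry under boot/ and the missing root-level System.map), which is the failure mode item 3 describes.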
Response anyone? I can't believe this would really be this broken, so I have to be doing something wrong (or maybe not... see below). I first tried this with r2149, and have checked a couple of the more recent updates, but I get the same result. Are the wiki (http://code.google.com/p/volatility/wiki/LinuxMemoryForensics) instructions I'm following maybe out-of-date?
Looking further, I tried this with --debug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
> /home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I'm seeing; Is it because I'm running volatility on a 32bit system, or because I'm trying to analyze a dump from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year, but I got fired up over Joe's & Andrew's Forensic Summit presentations and resolved to try out the new stuff in the Linux & Mac branches. Unfortunately I don't seem to have gotten very far with it. I've got the scudette branch installed on a SIFT Kit VM, and have successfully used LiME to dump memory from it. I've also successfully created a profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I successfully dumped from module_dwarf.ko. I even tried the live /dev/pmem memory interface you get when you load up the pmem.ko module. When I attempt to run Volatility, here's what happens...
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only. Please
check at http://volatility.googlecode.com/ for officially supported versions.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.
>>> session.filename = "/dev/pmem"
>>> session.profile_file = "myprofile.zip"
>>> session.profile = "Linux32"
>>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 154, in vol
ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>>
Am I doing something brain-damaged?
Thanks
John
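The TODO quoted above (segment the image into several smaller maps instead of mapping the whole file) is what a 32-bit interpreter needs when the image is bigger than its address space, which is exactly the case that produces "cannot fit 'long' into an index-sized integer". The following Python 3 example is added here and is not code from the scudette branch or from mmap_address_space.py: it is a minimal address-space-style reader that maps only a window of the file around each request and remaps when a read falls outside the current window. The file contents, the window size and the `remaps` counter are constructed for the demonstration.

```python
import mmap
import os
import tempfile


class SegmentedMmap(object):
    """Read a large file through a sliding mmap window instead of one map.

    Mapping the whole file at once fails on a 32-bit interpreter when the
    file is larger than the process address space ("cannot fit 'long' into
    an index-sized integer"). A window of at most `window_size` bytes,
    remapped on demand, keeps every length handed to mmap small.
    """

    def __init__(self, path, window_size=64 * 1024 * 1024):
        self.fhandle = open(path, "rb")
        self.fsize = os.fstat(self.fhandle.fileno()).st_size
        self.window_size = window_size
        self.granularity = mmap.ALLOCATIONGRANULARITY
        self.map = None
        self.map_start = 0
        self.remaps = 0  # how many windows were mapped (for the demo only)

    def _covered(self, offset, length):
        return (self.map is not None and self.map_start <= offset
                and offset + length <= self.map_start + len(self.map))

    def _remap(self, offset, length):
        # mmap's offset must be a multiple of the allocation granularity,
        # and offset + size must not run past the end of the file.
        start = (offset // self.granularity) * self.granularity
        size = min(max(self.window_size, offset + length - start), self.fsize - start)
        if self.map is not None:
            self.map.close()
        self.map = mmap.mmap(self.fhandle.fileno(), size, offset=start,
                             access=mmap.ACCESS_READ)
        self.map_start = start
        self.remaps += 1

    def read(self, offset, length):
        """Return up to `length` bytes at `offset`, or None when out of range."""
        if offset < 0 or length <= 0 or offset >= self.fsize:
            return None
        length = min(length, self.fsize - offset)  # truncate reads near the tail
        if not self._covered(offset, length):
            self._remap(offset, length)
        rel = offset - self.map_start
        return bytes(self.map[rel:rel + length])

    def close(self):
        if self.map is not None:
            self.map.close()
        self.fhandle.close()


def run_demo():
    """Exercise reads that stay inside, cross, and fall past the window."""
    size = 1024 * 1024  # constructed 1 MiB image: byte at offset i is i % 256
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(bytes(range(256)) * (size // 256))
        path = tmp.name
    space = SegmentedMmap(path, window_size=64 * 1024)
    try:
        return {
            "head": space.read(0, 8),
            "cross": space.read(65530, 16),     # straddles the first window's end
            "tail": space.read(size - 4, 100),  # only 4 bytes remain
            "past_end": space.read(size, 1),
            "remaps": space.remaps,
        }
    finally:
        space.close()
        os.unlink(path)


if __name__ == "__main__":
    for key, value in sorted(run_demo().items()):
        print("%s: %r" % (key, value))
```

The window is re-established three times in the demo (initial map, the read that straddles the 64 KiB boundary, and the read near the end of the file); the read past the end returns None instead of raising, which is how an address space usually signals an unmapped range. A real address space would add a small cache of windows so that a pslist walk hopping between two regions does not thrash the map.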
Hi
I just added JSON output for malfind and apihooks. See:
http://code.google.com/p/volatility/issues/detail?id=305
Do you need anything else from me to get it merged upstream ? Wishes ?
Thorsten Sick
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
Hey everyone,
The 2.1 RC1 downloads are now available [1]. Per the usual, there are zip
and tar archives of the source code, a windows module installer, and a
standalone windows executable (with python and all dependencies
build-in). We ask that you test vigorously over the next 2 weeks,
especially with any x64 images, and let us know via the issue tracker [2]
if you run into any bugs. At the end of July, we'll announce the official
release of 2.1.
Also, a lot of the documentation [3] has been updated, including the FAQ,
command reference, features by plugin matrix, and roadmap, so that may be a
useful resource to you when using 2.1.
Thank you very much!
[1]. http://code.google.com/p/volatility/downloads/list
[2]. http://code.google.com/p/volatility/issues/list
[3]. http://code.google.com/p/volatility/w/list
Hi
I modified threads to also create JSON output (diff and sample attached
to bug).
http://code.google.com/p/volatility/issues/detail?id=289
Everyone who is interested in this kind of features please check the
code and give some feedback.
Thanks
Thorsten Sick
Hello
My name is Thorsten Sick, I am Researcher at Avira. Currently I am part
of the ITES project. This project's aim is to develop
detection/protection technology using the benefits from a guest system
running in a virtual machine. Short: Sensors in the VM and in the
hypervisor layer.
One of my first steps would be to automate Malware analysis and use some
big guns. Volatility would be a big gun. Combined with cuckoobox it
could be very powerful.
But for that volatility needs:
- A log format that could be parsed in a simple way (JSON ?) for the plugins
- Maybe some nice API to control it from Cuckoobox
I am ready to implement that. But before doing stuff only half I would
love to hear your opinion.
Especially if you have some wishes what exactly should be in those
logs, please tell me. If you maintain a plugin, please tell me. I am
ready to write the log code or we try to figure out a format and you can
code it yourself.
What I am doing here should have benefits for the community, if done right.
You can also find me in the IRC.
Thanks
Thorsten
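Thorsten's three messages above ask for a plugin log format that a sandbox such as cuckoobox can parse simply, and point at JSON output for malfind, apihooks and threads. The following Python 3 example is added here and is not the code attached to issues 289 or 305: it shows one way to bolt a JSON renderer onto the Volatility 2.x plugin shape (a `calculate()` that yields rows, rendered by a function taking `outfd` and `data`), together with the consumer side. The plugin class, its columns, the rows and the "one JSON object per line" schema are all constructed for the illustration.

```python
import base64
import io
import json


class MalfindLikePlugin(object):
    """Constructed stand-in for a Volatility 2.x plugin: calculate() yields rows."""
    name = "malfind"
    columns = ("Process", "Pid", "Address", "Protection", "Hexdump")

    def calculate(self):
        yield ("explorer.exe", 1504, 0x1a20000, "PAGE_EXECUTE_READWRITE", b"MZ\x90\x00")
        yield ("svchost.exe", 880, 0x70000, "PAGE_EXECUTE_READWRITE", b"\x00\x00\x00\x00")


def json_safe(column, value):
    """Map plugin values onto JSON types without losing information."""
    if isinstance(value, (bytes, bytearray)):
        # Raw memory is not valid JSON text; carry it as base64 in a tagged object.
        return {"b64": base64.b64encode(bytes(value)).decode("ascii")}
    if column.lower() in ("address", "offset") and isinstance(value, int):
        return "0x%x" % value  # keeps 64-bit addresses readable and exact
    if value is None:
        return None
    if isinstance(value, (int, float, str)):
        return value
    return str(value)  # NoneObject and other volatility objects fall back to text


def render_json(outfd, plugin, data):
    """Write one JSON object per row (JSON lines) so consumers can stream it."""
    for row in data:
        record = {"plugin": plugin.name}
        record.update((col, json_safe(col, val))
                      for col, val in zip(plugin.columns, row))
        outfd.write(json.dumps(record, sort_keys=True) + "\n")


def load_json_lines(text):
    """Consumer side (e.g. a sandbox harness): parse the lines and decode bytes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        for key, value in record.items():
            if isinstance(value, dict) and "b64" in value:
                record[key] = base64.b64decode(value["b64"])
        records.append(record)
    return records


def run_demo():
    """Render the constructed plugin's rows as JSON lines and read them back."""
    plugin = MalfindLikePlugin()
    buf = io.StringIO()
    render_json(buf, plugin, plugin.calculate())
    return load_json_lines(buf.getvalue())


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

Keeping one object per line rather than one big array means a harness can start acting on the first injected region before a slow plugin finishes, and a truncated run still leaves parseable output. Whatever schema is agreed on, naming the plugin in every record and tagging binary fields is what makes the output usable by something other than the plugin that wrote it.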
Hello all,
I have applied a small change to the output file name of malfind.py but
Tortoise seems not to be willing to upload it.
Error: Unallowed method.
How can I upload the code using Tortoise SVN??
CU
Mic