I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
Hi all,
I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've
dumped the memory using virtualbox guestcoredump.
Using the linux_proc_maps plugin I get the following output:
http://paste.ubuntu.com/5576450/
I was expecting similar output to "cat /proc/<pid>/maps". As you can
see, these "-0x4...000" addresses are obviously wrong. Is this something I am
doing wrong myself, or is this a bug? It happens for other processes
as well.
If this is a bug I'll make a new issue in the tracker with the steps
I've followed to produce this.
Cheers,
Edwin
Thanks,
looking forward to your reply :)
On Wed, Mar 20, 2013 at 3:18 PM, david nardoni <dnardoni(a)gmail.com> wrote:
> I will get you all those details today, except the full snapshot. I can
> not share that
>
> Happy to run whatever you need and provide output
>
> Sent from my iPhone
>
> On Mar 20, 2013, at 3:31 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> Hi Dave,
>
> a few questions if you don't mind,
> what's the VM version (vmware has numbered versions for their file
> formats, you can usually look it up in the VM's properties)?
> could you share the output of psscan?
> what other plugins you've tried running? could you share the output?
> will it be possible to upload the VMware snapshot somewhere so i could
> look into it?
>
> Thanks,
> - Nir.
>
>
>
> On Tue, Mar 19, 2013 at 2:31 AM, david nardoni <dnardoni(a)gmail.com> wrote:
>
>> I think I have some issues with a 8+gb VMware snapshot. I can get
>> psscan and thrdscan output but no other output from other plugins.
>>
>> Any suggestions from the group on troubleshooting the image.
>>
>> Fyi I can see all the data when I view it in hbgary responder pro.
>>
>> Thanks
>>
>> Dave
>>
>> Sent from my iPhone
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
>
Hi,
I was wondering: did anyone ever manage to do an analysis with a real
device? I know the answer is Yes.
The thing is that I've seen around many nice examples and tutorials
working... but all of them with the emulator. The only real device sample
"in the wild" seems to be the Evo4GRodeo samples from the DFRWS Challenge.
This time I'm pretty sure I did (almost?) everything right. Although if it
doesn't work, probably it's not.
I've tried also with another smartphone other than the HTC One X, the
Galaxy Nexus, getting the correct kernel version. No compilation errors, no
module errors, no lime module crashing on the phone, no volatility profiles
error, nothing. Everything (looks) right.
But still, when trying to run volatility I still keep getting empty results
like this:
hydra:volatility-read-only paco$ python vol.py --profile=LinuxGalaxyNexus-3_0_1x86 -f ~/memdump/test-lime-4.7.lime linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
Now I start wondering two things:
- Is it my lime dump the issue? the header looks fine, if I look inside
with hexdump it seems reasonable, if I strings it I find my data.
- Is it the volatility profile? Maybe, because I've even tried to dump the
memory of my Galaxy Nexus with FROST (which uses LiME) and the result looks
the same. So I started believing my problem is in the profile, although I
cannot seem to find any other way to understand where the problem could be.
So if anyone who successfully analyzed Android memory dumps from any real
life device is willing to share his experience and/or Volatility profile,
it would be great.
Thanks
P.
--
Pasquale Stirparo, MEng
GCFA, OPST, OWSE, ECCE
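Both the CentOS/LiME message earlier in this archive ("LimeAddressSpace: Invalid Lime header signature") and the Android one above come down to the same first question: is the file actually a LiME-format image, which is what LimeAddressSpace expects, or a raw or otherwise-formatted dump? As an added example, not code from either post nor from the LiME or Volatility projects, the Python below walks the LiME segment-header chain (32-byte headers: magic 0x4C694D45, version 1, inclusive start/end physical address, 8 reserved bytes) reading only the headers, and on failure reports the file offset and the first dword, which is the value Volatility's other address spaces print while probing. The sample image is constructed inside the block; the function names and the "classify" wording are this example's own.

```python
import io
import struct

# LiME on-disk format (from lime.h): each captured physical range is preceded by a
# 32-byte header: u32 magic, u32 version, u64 s_addr, u64 e_addr, 8 reserved bytes.
LIME_MAGIC = 0x4C694D45           # the bytes "EMiL" read as a little-endian dword
LIME_VERSION = 1
HEADER_FMT = "<IIQQ8s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32


def parse_lime_headers(fh):
    """Walk the header chain of a LiME image through a seekable file object.

    Returns a list of (s_addr, e_addr, size) per segment; e_addr is inclusive,
    so size = e_addr - s_addr + 1. Only the headers are read, so this is cheap
    on a multi-gigabyte file. Raises ValueError naming the file offset of the
    first header that does not check out, the condition behind Volatility's
    "LimeAddressSpace: Invalid Lime header signature".
    """
    fh.seek(0, io.SEEK_END)
    total = fh.tell()
    segments = []
    off = 0
    while off < total:
        fh.seek(off)
        raw = fh.read(HEADER_SIZE)
        if len(raw) < HEADER_SIZE:
            raise ValueError("truncated header at file offset 0x%x" % off)
        magic, version, s_addr, e_addr, _reserved = struct.unpack(HEADER_FMT, raw)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at file offset 0x%x" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d at file offset 0x%x" % (version, off))
        if e_addr < s_addr:
            raise ValueError("segment end 0x%x below start 0x%x" % (e_addr, s_addr))
        size = e_addr - s_addr + 1
        if off + HEADER_SIZE + size > total:
            raise ValueError("segment 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        segments.append((s_addr, e_addr, size))
        off += HEADER_SIZE + size
    return segments


def classify_dump(fh):
    """Report whether fh is a LiME image. On failure the message also carries the
    first dword of the file, the same value Volatility's other address spaces
    print while probing (e.g. "Invalid VMware signature: 0x..."), which is a quick
    hint that the file is raw physical memory rather than a LiME container."""
    try:
        segments = parse_lime_headers(fh)
        return "lime (%d segment(s))" % len(segments)
    except ValueError as err:
        fh.seek(0)
        head = fh.read(4)
        first = struct.unpack("<I", head)[0] if len(head) == 4 else 0
        return "not lime: %s (first dword 0x%08x)" % (err, first)


def classify_bytes(data):
    """Convenience wrapper for an in-memory buffer."""
    return classify_dump(io.BytesIO(data))


def parse_lime_bytes(data):
    """Convenience wrapper for an in-memory buffer."""
    return parse_lime_headers(io.BytesIO(data))


def build_lime_sample():
    """Constructed two-segment LiME image for testing; not a real capture."""
    seg1 = b"\xaa" * 64
    seg2 = b"\xbb" * 32
    hdr1 = struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION,
                       0x1000, 0x1000 + len(seg1) - 1, b"\0" * 8)
    hdr2 = struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION,
                       0x100000, 0x100000 + len(seg2) - 1, b"\0" * 8)
    return hdr1 + seg1 + hdr2 + seg2


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. python lime_check.py dump.lime
            print(classify_dump(fh))
    else:
        print(classify_bytes(build_lime_sample()))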
Brian,
You must be talking about Jesse's rawmoddump plugin. It's interesting to see
how people go about solving problems. Rather than typing 3 lines into the
existing volshell plugin, he re-implemented the same functionality into a
70 line file and then blogged about it as if it was some ground breaking
new capability...lol.
Anyway, there are a few possible explanations for finding a legitimate
driver at an offset from the base address reported by modscan. One is that
modscan found an _LDR_DATA_TABLE_ENTRY structure in physical memory that
represents a driver that was once loaded at address XXXXXXXX but has since
moved or unloaded. In that case, the kernel would be allowed to map another
driver into that available space (starting at either the exact same or a
nearby address).
Another plausible scenario is that modscan found an _LDR_DATA_TABLE_ENTRY
for a module that is still loaded at its original address (check with
modlist which will show currently loaded modules). The driver has another
driver embedded in its resources section that it installed or planned to
install. In that case you would expect to find another PE file somewhere
near the base of the first one.
Hope this helps,
MHL
On Fri, Mar 22, 2013 at 12:28 AM, Brian Keefer <chort(a)effu.se> wrote:
> Michael,
>
> Yes, modscan showed the file as being
> from C:\Users\Bob\ApplicationData\dumpme.sys -like path. It's great to
> learn this can be done via volshell, which is not something I've explored
> yet. Someone else sent me a plugin off-list that essentially wraps that
> functionality.
>
> It looks like the legitimate driver is at an offset from the base address
> reported by modscan (is it typical for drivers to load from a user
> directory?). I'm not sure what the padding is before it. Could it perhaps
> be instructions, or maybe an XOR'd PE header? Not sure exactly.
>
> --
> chort
>
>
>
> On Mar 21, 2013, at 8:53 PM, Michael Hale Ligh wrote:
>
> Hey Brian,
>
> You can use volshell to extract an arbitrary region of memory from any
> address space (in this case kernel memory if you're trying to acquire a
> kernel module). However, what do you mean "reference a file in user's
> AppData"? Is that the driver's path on disk (i.e.
> C:\Users\Bob\ApplicationData\dumpme.sys)?
>
> You would use volshell like this:
>
> >>> data = self.addrspace.zread(assumed_base_address, assumed_module_size)
> >>> with open('file.dmp', 'wb') as f:
> ...... f.write(data)
> >>>
>
> Cheers,
> MHL
>
>
> On Thu, Mar 21, 2013 at 5:32 PM, Brian Keefer <chort(a)effu.se> wrote:
>
>> Working with a ransomware infection, trying to dump one of the modules
>> that looks suspicious (the only one to reference a file in user's AppData).
>> I'm trying to dump it via the base address found through modscan, but
>> getting:
>> moddump Error: e_magic 8D4C is not a valid DOS signature.
>>
>> I tried -u. Is there any other way to dump it?
>>
>> --
>> chort
>>
>>
>>
>>
>
>
>
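As an added example (not from this thread and not part of Volatility) of what to do with a region pulled out with self.addrspace.zread() as shown above: the Python below reads e_magic the way moddump reports it, then scans the buffer for MZ headers whose e_lfanew lands on a "PE\0\0" signature, which is how one locates a PE that sits at an offset from the base modscan reported, or a second PE embedded near the first. The region is constructed inline to imitate that situation (a base that is not a DOS header, a PE image 0x200 bytes in); reading a real region with zread or from file.dmp is assumed, and the function names are this example's own.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D    # "MZ" as a little-endian u16
IMAGE_NT_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C


def e_magic_at(buf, offset):
    """Read e_magic as moddump reports it: the little-endian u16 at the base.
    For a real DOS header this is 0x5A4D; anything else means the base points
    at code or data rather than at a PE header."""
    return struct.unpack_from("<H", buf, offset)[0]


def find_pe_headers(buf, max_lfanew=0x1000):
    """Scan buf for MZ headers whose e_lfanew lands on a valid "PE\\0\\0".

    Returns a list of (offset, e_lfanew, machine, number_of_sections). The
    e_lfanew sanity bound (at least a full 0x40-byte DOS header, typical for
    drivers, and below max_lfanew) rejects random "MZ" byte pairs in code or
    data, and every read is bounds-checked so a short region cannot raise."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + E_LFANEW_OFFSET)[0]
            pe = pos + e_lfanew
            if (0x40 <= e_lfanew < max_lfanew and pe + 8 <= len(buf)
                    and buf[pe:pe + 4] == IMAGE_NT_SIGNATURE):
                machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
                hits.append((pos, e_lfanew, machine, nsections))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def report(buf):
    """Human-readable summary for a region pulled out with volshell's zread()."""
    lines = ["e_magic at base: 0x%04X" % e_magic_at(buf, 0)]
    for off, lfanew, machine, nsec in find_pe_headers(buf):
        lines.append("PE header at +0x%x (e_lfanew=0x%x, machine=0x%04X, sections=%d)"
                     % (off, lfanew, machine, nsec))
    return lines


def build_sample_region():
    """Constructed region, not real driver bytes: the first two bytes give the
    e_magic value 0x8D4C quoted in the thread, and a minimal PE image starts
    0x200 bytes past the base."""
    prefix = b"\x4c\x8d" + b"\x90" * 0x1FE
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    # IMAGE_FILE_MACHINE_AMD64 (0x8664), three sections, rest of the header zeroed
    nt = IMAGE_NT_SIGNATURE + struct.pack("<HH", 0x8664, 3) + b"\0" * 16
    return prefix + bytes(dos) + nt + b"\0" * 0x100


if __name__ == "__main__":
    # For a real region: buf = open("file.dmp", "rb").read()
    for line in report(build_sample_region()):
        print(line)
```

A hit reported at an offset other than 0 is the "legitimate driver at an offset from the base" case described above; whether the bytes before it are code, padding or something else is a separate question the scan does not answer.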
My Malware Analysts Cookbook refers to this module and I found a couple
of videos on how to use it; I just can't seem to locate the module itself.
Has it perhaps been deprecated by some other plugin or process?
Thanks!
-=[ Steve ]=-
> Hello,
> It seems you have identified some issues while the rest of the
> output is explainable.
> 1) linux_check_afinfo
> Being empty means that nothing is hooked (this is good)
> 2) linux_check_creds, linux_pidhashtable, linux_psxview
> These are missing support for your kernel version. Can you please paste
> the output of uname -a on your machine along with the specific version of
> centos that you are using?
> 3) linux_check_evt_arm & linux_check_syscall_arm
> These only support ARM based computers (e.g. Android) and I assume your
> memory sample is from an Intel based computer. We will soon have a patch
> that allows plugins to check what architecture they are being run against
> and then these plugins will report they are ARM only instead of having
> exceptions.
> 4) linux_check_tty
> This seems like a bug we will have to fix.
> Thank you for your report and please get us the kernel & centos version so
> we can attempt to fix some of them.
> Thanks,
> Andrew (@attrc)
>
Hi Andrew,
I am sorry but it's my mistake because the OS is not real CentOS but a
derivative. The OS is ClearOS (in fact CentOS based), a distro for firewalls.
Anyway:
# uname -a
Linux fw2.mycompany.local 2.6.18-308.1.1.v5 #1 SMP Sun Mar 11 18:15:19 MDT
2012 i686 i686 i386 GNU/Linux
# cat /etc/issue
ClearOS Enterprise Edition release 5.2
# cat /etc/redhat-release
CentOS release 5.4 (Final)
Thanks very much and I am sorry for the mistake.
Hi,
I am trying to analyze a memory dump from a Centos server but I have got
some problems.
------ Plugin linux_check_afinfo ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ----------
------ Plugin linux_check_creds ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
PIDs
--------
ERROR : volatility.plugins.linux.check_creds: This command is not supported in this profile.
------ Plugin linux_check_evt_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Check PASS/FAIL Info
------------------------------ --------- ------------------------------
SWI Offset Instruction FAIL -
------ Plugin linux_check_syscall_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Index Address Symbol
---------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 88, in render_text
    for (i, call_addr, hooked) in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 66, in calculate
    num_syscalls = self._get_syscall_table_size()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 38, in _get_syscall_table_size
    opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 169, in Object
    offset = int(offset)
TypeError: int() argument must be a string or a number, not 'NoneType'
------ Plugin linux_check_tty ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Name Address Symbol
---------------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 59, in render_text
    for name, call_addr in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 52, in calculate
    recv_buf = tty_dev.ldisc.ops.receive_buf
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 735, in __getattr__
    return self.m(attr)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 717, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct ldisc has no member ops
------ Plugin linux_pidhashtable ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
------ Plugin linux_psxview ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset(V) Name PID pslist pid_hash kmem_cache
---------- -------------------- ------ ------ -------- ----------
The other plugins work fine.
Bye.
Working with a ransomware infection, trying to dump one of the modules that looks suspicious (the only one to reference a file in user's AppData). I'm trying to dump it via the base address found through modscan, but getting:
moddump Error: e_magic 8D4C is not a valid DOS signature.
I tried -u. Is there any other way to dump it?
--
chort