Hi guys,
I found out that version 2.3 of volatility shows an additional DTB address
value for each process in the linux_pslist command.
Can anyone tell me what this address exactly is and how it can be useful?
Thank you!
--
Sebastian
vol-users,
The official registration invitations for OMFW 2013 went out this week. If
you are still planning to attend, I recommend sending a request soon.
There are less than 10 spots remaining!
https://www.volatilityfoundation.org/default/omfw
Reserve your seat by contacting: info [at] volatilesystems [dot] com.
Thanks,
The Volatility Foundation
Good evening,
I have what purports to be a Windows Server 2003 vmss file from an ESXi
server.
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
AS Layer1 : FileAddressSpace (E:\memory.vmss)
PAE type : No PAE
DTB : 0xe02000L
KDBG : 0x89e3e0
Number of Processors : 32
Image Type (Service Pack) : 8388479
KPCR for CPU 1 : 0xb4428734L
KPCR for CPU 105 : 0x6ab88836
KPCR for CPU 187 : 0xbbb081feL
KPCR for CPU 217 : 0xd26666cfL
KPCR for CPU 244 : 0xf6396926L
KPCR for CPU 43 : 0xdb784fe4L
KPCR for CPU 0 : 0xbfcc7b14L
KPCR for CPU 144 : 0xfdce5831L
KPCR for CPU 163 : 0xe645d2edL
KPCR for CPU 240 : 0xe641b395L
KPCR for CPU 0 : 0x54430b95
KPCR for CPU 121 : 0xe647cb92L
KPCR for CPU 156 : 0x11fcab95
KPCR for CPU 88 : 0x7e5a9411
KPCR for CPU 0 : 0x3a144ddb
KPCR for CPU 0 : 0xad8d25f2L
KPCR for CPU 167 : 0x6a05fdd2
KPCR for CPU 149 : 0x9623d84aL
KPCR for CPU 116 : 0x4d5a811c
KPCR for CPU 0 : 0x770a23f1
KPCR for CPU 0 : 0x62485716
KPCR for CPU 47 : 0xb52572fcL
KPCR for CPU 0 : 0x1449293a
KPCR for CPU 46 : 0x4997edb2
KPCR for CPU 0 : 0x95971adeL
KPCR for CPU 0 : 0x95bcc716L
KPCR for CPU 53 : 0x55851105
KPCR for CPU 0 : 0x55bcc700
KPCR for CPU 0 : 0xd5893716L
KPCR for CPU 169 : 0x4a21113d
KPCR for CPU 1 : 0x88f33d8dL
KPCR for CPU 0 : 0xa3d2de22L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 1970-01-01 00:00:00 UTC+0000
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "E:\Tools\volatility-2.2\volatility\commands.py", line 111, in execute
    func(outfd, data)
  File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 34, in render_text
    for k, v in data:
  File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 109, in calculate
    yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
  File "E:\Tools\volatility-2.2\volatility\timefmt.py", line 82, in display_datetime
    dt = dt.astimezone(custom_tz)
ValueError: tzinfo.utcoffset() returned 1440; must be in -1439 .. 1439
Or, maybe it isn't.
Anyhow, I converted it with imagecopy and while imageinfo returns the same
information, none of the other commands will work:
E:\Tools\volatility-2.2>python vol.py -f E:\RAM\memory.raw --profile=Win2003SP2x86 connections
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Win2003SP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Any thoughts on how to work with this image would be most welcome.
-David
As part of some recent work, I was looking at integrating CMU's Binary Analysis Platform (BAP)[1] with the Volatility framework. The (partly hacky) result of this work can be found at:
https://bitbucket.org/carlpulley/libbap
If nothing else, it provides some idea as to what can be done with such integrations. Hopefully, it will be of interest to others within the RE/Memory forensics communities?
All the best,
Carl.
[1] http://bap.ece.cmu.edu/
1) There are missing symbols required for plugins to run that kallsyms does
not have. I suspect you can get a partial listing of these if you run
Volatility with -dd and look for errors about symbol resolution errors.
2) It seems you built a kernel using the sources of the phone, but that it
is not actually the kernel running on the phone? If you are going to use
the System.map from the kernel then the phone needs to actually run that
kernel. Otherwise, you need the System.map from when the vendor compiled
the kernel. Did the distributed sources you use have a System.map file with
them and/or a debug kernel (vmlinux)?
On Wed, Aug 28, 2013 at 5:52 AM, Winston Siauw (DT) <winston(a)holmes.nl> wrote:
> Hi Andrew,
>
> Thanks again for your reply.
>
> I have managed to build the kernel, retrieve the System.map file and build
> a profile with it.
>
> However, volatility does not give any output nor error as can be seen
> below:
>
> $ python vol.py --profile=LinuxprofileHtcOneV-IcsARM -f /dump.lime linux_pslist
>
> Volatile Systems Volatility Framework 2.3_beta
>
> WARNING : volatility.obj : Overlay structure tty_struct not present in vtypes
>
> Offset Name Pid Uid Gid DTB Start Time
> ---------- -------------------- --------------- --------------- ------ ---------- ----------
>
> ( empty )
>
> As indicated in your last mail, the built System.map and the device
> Kallsyms are not equal.
>
> However, besides not having the same symbols as System.map the memory
> addresses also differ.
>
> Is this expected or is this because I have done something wrong?
>
> I.e.:
>
> System.map (built kernel):
>
> c0008200 t set_reset_devices
> c0008224 t debug_kernel
> c000824c t quiet_kernel
>
> Kallsyms (from device):
>
> c0008200 t set_reset_devices
> c0008218 t debug_kernel
> c0008230 t quiet_kernel
>
> Moreover, is it known which symbols are exactly missing in the Kallsyms
> file that are noted in the System.map and can I implement a work around for
> this?
>
> Furthermore, in another post (
> http://lists.volatilityfoundation.org/pipermail/vol-users/2013-February/000…)
> Michael Hale Ligh indicated:
>
> “Only as a last resort use /proc/kallsyms and even in that case, delete
> the lines related to lime so it doesn't raise ValueError”. Thus if I delete
> all lime related lines in the kallsyms then it would work?
>
> Best regards,
>
> Winston
>
> From: Andrew Case [mailto:atcuno@gmail.com]
> Sent: Wednesday, August 14, 2013 7:58 PM
> To: Winston Siauw (DT)
> Cc: vol-users(a)volatilityfoundation.org
> Subject: Re: [Vol-users] custom Android profile: No suitable address space
>
> Hello,
>
> We are working on new documentation for this issue and actually hope to
> develop a workaround if at all possible. The issue is that kallsyms, while
> having a different file format as you noticed, does not contain all of the
> same symbols as System.map and because of this Volatility cannot use a
> profile that has kallsyms output. There are symbols in System.map that are
> currently required for Volatility to operate and these symbols are not
> contained in kallsyms.
>
> If you can obtain the System.map file for the kernel you wish to analyze
> then please use that and incorporate it into the profile.
>
> Thanks,
> Andrew
>
> On Wed, Aug 14, 2013 at 3:28 AM, Winston Siauw (DT) <winston(a)holmes.nl>
> wrote:
>
> Hi All,
>
> Currently, I am using Volatility to analyze a lime dump of an Android
> device and I have the same error message as the post of the ”no suitable
> address space mapping found” (
> http://lists.volatilityfoundation.org/pipermail/vol-users/2013-July/000942.…
> ).
>
> I have followed the steps as indicated in the Volatility Android memory
> forensic instructions (
> https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and
> listed them below the dotted line in this mail.
>
> However, the error “No suitable address space mapping found” is showing.
>
> Anybody have any idea what is going on / what I am doing wrong? (please see the
> steps I have performed below)
>
> Winston
>
> *********************************************
>
> Steps I followed:
>
> Memory research of Device : HTC One V
> kernel device primou-ics-crc-3.0.16-133e482
> Android : 4.0.3
> Host system for Volatility: Ubuntu 13.04
> Python 2.7.4 (default, Apr 19 2013, 18:32:33)
> [GCC 4.7.3] on linux2
>
> Steps as followed from
> https://code.google.com/p/volatility/wiki/AndroidMemoryForensics except
> for the emulator steps:
>
> 1. Downloaded lime, cross compiled lime and built a *.ko file and
> created a lime.dump (format=lime) file
>
> 2. Downloaded Volatility, created a zip profile
>
> a. System.map retrieved from the device at /proc/kallsyms
>
> b. Module.dwarf
>
> $ head module.dwarf
>
> .debug_info
>
> <0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.7">
> DW_AT_language<DW_LANG_C89>
> DW_AT_name<"/android/volatility-2.2/tools/linux/module.c">
> DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482">
> DW_AT_stmt_list<0x00000000>
>
> <1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001
> include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013>
> DW_AT_type<<0x00000028>>
>
> <1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001>
> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">
>
> <1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001
> include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014>
> DW_AT_type<<0x0000003a>>
>
> <1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001>
> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">
>
> <1><0x41><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001
> include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016>
> DW_AT_type<<0x0000004c>>
>
> <1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002>
> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">
>
> 3. Using Volatility 2.2 and I have tried volatility
> 2.3-development and the latest volatility from svn co
> https://volatility.googlecode.com/svn/trunk (latest check out at 9th of
> august 2013)
>
> a. $ python vol.py --info
>
> LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86
>
> b. Note, I implemented a work around since my system.map /
> proc/kallsyms sometimes contained four columns instead of 3.
>
> Part of my system.map file:
>
> c0682d70 A _etext
> bf005000 t dhd_sleep_pm_callback [bcmdhd]
>
> Error:
>
> File "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line 86, in parse_system_map
> (str_addr, symbol_type, symbol) = line.strip().split()
> ValueError: too many values to unpack
>
> Work around:
>
> Added in /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87:
>
> (str_addr, symbol_type, symbol) = line.strip().split()[0:3]  # added work around
> #(str_addr, symbol_type, symbol) = line.strip().split()  # original
>
> c. $ python vol.py --profile=LinuxprofileHTCOneV2x86 -f
> /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist
>
> Volatile Systems Volatility Framework 2.3_alpha
>
> WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
>
> Offset Name Pid Uid Start Time
> ---------- -------------------- --------------- --------------- ----------
>
> No suitable address space mapping found
> Tried to open image as:
> MachOAddressSpace: mac: need base
> LimeAddressSpace: lime: need base
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace64: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> AMD64PagedMemory: No base Address Space
> JKIA32PagedMemory: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> MachOAddressSpace: MachO Header signature invalid
> MachOAddressSpace: MachO Header signature invalid
> LimeAddressSpace: Invalid Lime header signature
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> WindowsCrashDumpSpace64: Header signature invalid
> WindowsCrashDumpSpace32: Header signature invalid
> JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'
> AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected
> JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
> ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
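The symbol-table mismatch discussed in the thread above (kallsyms lacking symbols that System.map carries, a rebuilt kernel placing symbols at different addresses, and the four-column `[module]` lines that broke the three-tuple unpack in linux.py) can be checked before a profile is built. The following is an added example and not Volatility's own code: `parse_symbol_map`, `drop_module_symbols` and `compare_maps` are helpers written for this illustration, and the two sample listings are constructed from the addresses quoted in the thread.

```python
# Added example (not Volatility's own code): parse System.map / /proc/kallsyms
# style listings and compare a kernel-build System.map against the symbols of
# the running device, the mismatch discussed in the thread above.
import re

# "addr type name" with an optional "[module]" 4th column as /proc/kallsyms
# prints for module symbols (the case that broke the 3-tuple unpack in linux.py)
SYMBOL_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse_symbol_map(text):
    """Return {symbol: (address, type, module)}; malformed lines are skipped
    instead of raising ValueError."""
    symbols = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if m:
            addr, sym_type, name, module = m.groups()
            symbols[name] = (int(addr, 16), sym_type, module)
    return symbols

def drop_module_symbols(symbols, module):
    """Drop symbols belonging to a loadable module (e.g. the lime acquisition
    module), which do not belong in a kernel profile's symbol table."""
    return {n: v for n, v in symbols.items() if v[2] != module}

def compare_maps(built, device):
    """Return (missing, mismatched): build symbols absent from the device, and
    symbols present in both at different addresses. Either non-empty means the
    built kernel is not the one running on the device."""
    missing = sorted(n for n in built if n not in device)
    mismatched = sorted((n, built[n][0], device[n][0]) for n in built
                        if n in device and built[n][0] != device[n][0])
    return missing, mismatched

# Constructed sample listings using the addresses quoted in the thread.
BUILT_SYSTEM_MAP = """c0008200 t set_reset_devices
c0008224 t debug_kernel
c000824c t quiet_kernel
c0682d70 A _etext"""
DEVICE_KALLSYMS = """c0008200 t set_reset_devices
c0008218 t debug_kernel
c0008230 t quiet_kernel
bf005000 t dhd_sleep_pm_callback [bcmdhd]
bf010000 t lime_init [lime]"""

def check_device_profile():
    """Worked run over the constructed samples (lime lines dropped first)."""
    built = parse_symbol_map(BUILT_SYSTEM_MAP)
    device = drop_module_symbols(parse_symbol_map(DEVICE_KALLSYMS), "lime")
    return compare_maps(built, device)
```

Run against a real build's System.map and the device's /proc/kallsyms, a non-empty `mismatched` list is the quickest sign that the kernel you built is not the kernel the dump was taken from.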