I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
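An added diagnostic for the "LimeAddressSpace: Invalid Lime header signature" line above (not code from chort's post or from the Volatility project): it walks the 32-byte LiME segment headers in an image, reports the first header that fails the magic check, and maps a physical address to its file offset the way the address space must. The two sample images are constructed inline; the LiME header layout is taken from LiME's lime.h.

```python
import struct

# LiME segment header (lime.h): 32 bytes, little-endian.
LIME_MAGIC = 0x4C694D45          # the bytes "EMiL" on disk
LIME_VERSION = 1
HEADER_FMT = "<IIQQ8s"           # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)

def parse_lime_segments(data):
    """Return [(s_addr, e_addr, file_offset), ...] for each RAM range in a
    LiME image (e_addr is inclusive). Raises ValueError at the first header
    that is not a LiME header, which is what the address space rejects."""
    segments, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER_SIZE:
            raise ValueError("truncated header at 0x%x" % offset)
        magic, version, s_addr, e_addr, _ = struct.unpack_from(HEADER_FMT, data, offset)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at 0x%x (not a LiME image?)" % (magic, offset))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d at 0x%x" % (version, offset))
        if e_addr < s_addr:
            raise ValueError("segment end below start at 0x%x" % offset)
        segments.append((s_addr, e_addr, offset + HEADER_SIZE))
        offset += HEADER_SIZE + (e_addr - s_addr + 1)
    return segments

def phys_to_file_offset(segments, paddr):
    """File offset holding physical address paddr, or None if it falls in a
    hole between RAM ranges (the lookup LimeAddressSpace performs)."""
    for s_addr, e_addr, file_offset in segments:
        if s_addr <= paddr <= e_addr:
            return file_offset + (paddr - s_addr)
    return None

def lime_header_error(data):
    """None if the image parses as LiME, otherwise the diagnostic string."""
    try:
        parse_lime_segments(data)
        return None
    except ValueError as exc:
        return str(exc)

def _constructed_segment(s_addr, e_addr, fill):
    # Constructed sample data: one header followed by a filled RAM range.
    header = struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION, s_addr, e_addr, b"\0" * 8)
    return header + bytes([fill]) * (e_addr - s_addr + 1)

# Constructed LiME image with two ranges (4 KiB at 0x1000, 2 KiB at 0x100000).
SAMPLE_LIME = _constructed_segment(0x1000, 0x1FFF, 0xAA) + _constructed_segment(0x100000, 0x1007FF, 0xBB)
# Constructed raw dump: starts with real-mode IVT entry 0 (bytes 53 ff 00 f0),
# i.e. the 0xf000ff53 value the failing run printed, rather than the LiME magic.
SAMPLE_RAW = b"\x53\xff\x00\xf0" + b"\0" * 60
```

If `lime_header_error(open(path, "rb").read(64))` reports a bad magic on a dump that LiME was supposed to write, the file is not in LiME format (a raw dump will show the IVT bytes), so the profile is not the first thing to suspect.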
WARNING : volatility.obj : NoneObject as string: Pointer Owner invalid
I saw some people also having the same issues, but I am not seeing the fix anywhere. Suggestions?
Imagine my chagrin to find that the new volatility site contains exactly what I proposed below. Mea culpa for referencing old directions and code... :-/
For those that come after me, take a look at https://github.com/volatilityfoundation/volatility/wiki/Linux and specifically:
"You can find a repository of pre-built profiles at the volatilityfoundation/profiles Github."
Cheers,
Jesse
On Dec 29, 2014, at 7:32 PM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
> Hello,
>
> Hoping someone on the list has a profile for CentOS 6.5 running a 2.6.32-431.17.1.el6.x86_64 kernel they wouldn't mind sharing... It's a non-standard thing for my environment, so I don't have a similar box to build from (and am hoping to save the time of building a machine just for this)...
>
> Tangential to this, are there any repositories of Volatility profiles for Linux? I noticed Ken Pryor’s Github repo which seems like a great idea (and platform) for this, however he only has a few Ubuntu versions and it doesn’t look like it’s been updated in a while...Any interest from the Volatility team in starting something similar (if it’s not already happening and I just don’t know about it)?
>
> Cheers,
>
> Jesse
Hi James,
I have updated timeliner to work with the new OpenPyxl API. Just for
reference, my install is from [1]. In addition to this, I have also
added xlsx output as a renderer for the unified output [2]. So you
should be able to get xlsx output from any plugin that has already been
converted. You can see which plugins have this support by using the
--help/-h switch. For example:
$ python vol.py -f mem.img pslist --help
[snip]
Module Output Options: dot, html, json, quicktext, sqlite, text, xlsx
[snip]
$ python vol.py -f mem.img pslist --output=xlsx --output-file=pslist.xlsx
All the best,
-Jamie
[1] https://pypi.python.org/pypi/openpyxl
[2] https://github.com/volatilityfoundation/volatility/commit/c4a9a732c9411e7b0…
On 12/19/14 7:40 AM, James Lay wrote:
> On Fri, 2014-12-19 at 03:01 +0000, Jamie Levy wrote:
>> OpenPyxl just changed their API and it is no longer compatible. I am in the process of fixing the timeliner plugin to use the new API.
>>
>> Also, the excel output for psxview has already been converted to the new API.
>>
>> All the best,
>>
>> -Jamie
>>
>>
>>
>> ------Original Message------
>> From: James Lay
>> Sender: vol-users-bounces(a)volatilityfoundation.org <mailto:vol-users-bounces@volatilityfoundation.org>
>> To: Volatility
>> ReplyTo: jlay(a)slave-tothe-box.net <mailto:jlay@slave-tothe-box.net>
>> Subject: [Vol-users] Trick to getting xlsx output
>> Sent: Dec 18, 2014 6:27 PM
>>
>> Hey all,
>>
>> Using 2.4...not able to get xlsx output...greeted with:
>>
>> Volatility Foundation Volatility Framework 2.4
>> ERROR : volatility.plugins.timeliner: You must install OpenPyxl for
>> xlsx format:
>> https://bitbucket.org/ericgazoni/openpyxl/wiki/Home
>>
>> My install method for volatility was download, extract, move to
>> /opt/volatility, and python vol.py from there.
>> My install method for openpyxl was:
>>
>> hg clone https://bitbucket.org/openpyxl/openpyxl
>> cd openpyxl
>> python setup.py build
>> sudo python setup.py install
>>
>> Is there anything else I need to check? I see a slew of items in:
>>
>> /usr/local/lib/python2.7/dist-packages/openpyxl-2.1.4-py2.7.egg/
>>
>> Thank you.
>>
>> James
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org>
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
> Awesome....looking forward to it...thank you.
>
> James
--
Jamie Levy (@gleeda)
Blog: http://volatility-labs.blogspot.com/
GPG: http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
OpenPyxl just changed their API and it is no longer compatible. I am in the process of fixing the timeliner plugin to use the new API.
Also, the excel output for psxview has already been converted to the new API.
All the best,
-Jamie
------Original Message------
From: James Lay
Sender: vol-users-bounces(a)volatilesystems.com
To: Volatility
ReplyTo: jlay(a)slave-tothe-box.net
Subject: [Vol-users] Trick to getting xlsx output
Sent: Dec 18, 2014 6:27 PM
Hey all,
Using 2.4...not able to get xlsx output...greeted with:
Volatility Foundation Volatility Framework 2.4
ERROR : volatility.plugins.timeliner: You must install OpenPyxl for
xlsx format:
https://bitbucket.org/ericgazoni/openpyxl/wiki/Home
My install method for volatility was download, extract, move to
/opt/volatility, and python vol.py from there.
My install method for openpyxl was:
hg clone https://bitbucket.org/openpyxl/openpyxl
cd openpyxl
python setup.py build
sudo python setup.py install
Is there anything else I need to check? I see a slew of items in:
/usr/local/lib/python2.7/dist-packages/openpyxl-2.1.4-py2.7.egg/
Thank you.
James
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
Hey all,
Using 2.4...not able to get xlsx output...greeted with:
Volatility Foundation Volatility Framework 2.4
ERROR : volatility.plugins.timeliner: You must install OpenPyxl for
xlsx format:
https://bitbucket.org/ericgazoni/openpyxl/wiki/Home
My install method for volatility was download, extract, move to
/opt/volatility, and python vol.py from there.
My install method for openpyxl was:
hg clone https://bitbucket.org/openpyxl/openpyxl
cd openpyxl
python setup.py build
sudo python setup.py install
Is there anything else I need to check? I see a slew of items in:
/usr/local/lib/python2.7/dist-packages/openpyxl-2.1.4-py2.7.egg/
Thank you.
James
I have some processes listed in pslist and psscan that are unable to be dumped using procdump by either the pid or the offset.
Are there other approaches that can be used to dump these processes? Not in front of computer right now but error was something like unable to parse the peb.
I can get the exact error message later if it helps. All other plugins work just fine, so the memory image is not in question.
Sent from my iPhone
Dnardoni(a)gmail.com
Ciao Guys
I want to use Volatility to analyze Linux memory data. So I created a profile of that kernel and transferred it to the Volatility directory on my computer. Now I want to run the plugins, but I cannot run any of them as it throws various errors: in one case (pslist) there is no output, in other cases it says the command is not supported for this profile. Did anyone have the same experience?
Regards
Reza
We are excited to announce that on next Monday, December 15th, from
9AM-11AM PST, the Art of Memory Forensics authors will be doing an AMA
(Ask Me Anything) on Reddit's netsec.
This is a chance to ask us non-technical questions, comment on or ask
about the book, or anything else related to Volatility and memory
forensics.
The last book AMA on Reddit was for the Android Hacker's Handbook and it
went really well with over 300 comments
(https://www.reddit.com/r/netsec/comments/27zdxc/android_hackers_handbook_ama).
We are hoping to have ours be big as well, so please try to attend
and spread the word!
--
Thanks,
Andrew (@attrc)