Hi,
I was provided a suspend-to-disk snapshot image along with a copy of the
virtual harddisk file from a QEMU/KVM-based Linux server for analysis.
Analysis of the harddisk is done. Now I'd like to dump running processes etc.
from the server's memory image.
I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory image
using the 'dump-guest-memory' command.
So now I have this:
memory.img: ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style
Then, I set up a fresh VM with Debian Linux in the same version the virtual
server was running. Next, I installed the kernel image and related files
extracted from the virtual harddisk on this new VM to get a Linux system
running exactly the same kernel version. On this VM, I created a Volatility
profile using the files provided in /tools/linux/.
Unfortunately, Volatility crashes when running imageinfo on the dumped
memory image file:
=========================================================================
$ python vol.py imageinfo -f /path/to/memory.img
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
AS Layer1 : QemuCoreDumpElf (Unnamed AS)
AS Layer2 : FileAddressSpace (/path/to/memory.img)
PAE type : No PAE
DTB : -0x1L
Traceback (most recent call last):
File "vol.py", line 192, in <module>
main()
File "vol.py", line 183, in main
command.execute()
File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
func(outfd, data)
File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
for k, t, v in data:
File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
kdbg = volmagic.KDBG.v()
File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
return self.m(attr)
File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
=========================================================================
When running other Volatility Plugins on the memory image with the created profile,
it says "No suitable address space mapping found":
=========================================================================
$ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
Volatility Foundation Volatility Framework 2.5
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
[...]
=========================================================================
Any suggestions?
What am I missing?
- Thomas
Hi all,
I'm new on volatility so sorry if this question does not fit the purpose
of this mailing list.
I was starting play with LiME (Linux Memory Extract)[1] and I was able
to dump a memory image of an Android Emulator where ChatSecure[2] was
running.
ChatSecure asked a master password at the first run and this password is
stored by using a library called CacheWord [3].
Here the question: in order to find out if ChatSecure stores this
password in memory, how should I use volatility?
A doc/tutorial link or any suggestion are more than welcome.
Thanks,
Massimo
[1] https://github.com/504ensicsLabs/LiME
[2] https://github.com/guardianproject/ChatSecureAndroid
[3] https://github.com/guardianproject/cacheword
1. I have a directory with a memory dump called memdum.bin
2. I run volatility image info against it and I get
Air:ticket_number jamesk$ vol.py -f memdump.bin imageinfo
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 (Instantiated with Win2003SP0x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/jamesk/Desktop/jackcr-challenge/DC-USTXHOU/ticket_number/memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x805583d0L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-11-27 02:01:57 UTC+0000
Image local date and time : 2012-11-26 20:01:57 -0600
3. I can run vol.py --profile=Win2003SP0x86 -f memdump.bin pslist and get process list just fine…but...
In that same directory as the memdump.bin file I have a .volatilityrc file which contains
[DEFAULT]
PROFILE=Win2003SP2x86
LOCATION=file://memdump.bin <file:///memdump.bin>
When I run vol.py pslist I get:
No suitable address space mapping found
Is my syntax incorrect somewhere?
Jk
Hello,
I was wondering if there was any plugin right now equivalent to
'imageinfo' but for Linux or Mac ? I was planning on give it a try if
not, but didn't want to waste time if anybody had done it before.
Thank you,
--
Stanislas 'P1kachu' Lejay
EPITA - LSE
If you're sleeping, you're doing it wrong.
I am attempting to recover the Truecrypt Master Keys from a Win7SP1x64
memory image and getting the below errors.
Using the Volatility 2.5 Windows stand-alone:
C:\>vol2.5.exe -f Truecrypt_MountedContainer.bin --profile Win7SP1x64
truecryptmaster -T 7.1a
Volatility Foundation Volatility Framework 2.5
Container:
Hidden Volume: No
Removable: No
Read Only: No
Disk Length: 0 (bytes)
Host Length: 0 (bytes)
Encryption Algorithm: -
Mode: -
Master Key
Traceback (most recent call last):
File "<string>", line 192, in <module>
File "<string>", line 183, in main
File
"C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.py
z\volatility.commands", line 145, in execute
File
"C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.py
z\volatility.plugins.tcaudit", line 666, in render_text
File
"C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.py
z\volatility.utils", line 71, in Hexdump
TypeError: object of type 'NoneType' has no len()
Hey guys,
I'm back from the other side ! I started refreshing my tools to add Windows
8, 8.1 and 10 support.
I'm looking for Beta Testers for Hibr2Bin: Here is the link:
http://www.comae.io/
Thanks!
Hi all,
I'm trying to access the data that's exposed by the messagehooks plugin,
specifically:
volatility.plugins.gui.messagehooks.MessageHooks().calculate()
I want to be able to work with the window_stations and atom_tables that are
yielded by the method.
I tried making a new instance of the class and manually calling:
mh = messagehooks.MessageHooks(atoms.Atoms, sessions.SessionsMixin)
for x in mh.calculate():
print x
However when run, I get an attribute error:
File "plugin.py", line 81, in calculate()
for x in mh.calculate():
File ".../messagehooks.py", line 68, in calculate
in atoms.Atoms(self._config).calculate())
File ".../messagehooks.py", line 6, in <genexpr>
atom_tables = dict((atom_table, winsta)
File ".../atoms.py", line 153, in calculate
for wndsta in windowstations.WndScan(self._config).calculate():
File ".../common.py", line 45, in __init__
config.add_option("VIRTUAL", short_option = "V", default = False,
AttributeError: type object 'Atoms' has no attribute 'add_option'
Is there a better/correct way of getting at the data normally yielded by a
plugin's calculate method?
Thank you,
Adam
On 04.05.2016 17:46, Torres, Geoff (Cyber Security) wrote:
> When you say " Running lqs2mem on the original suspend to disk image does not work", do you mean that you're getting an error? Or that it's creating an image that doesn't work in volatility?
>
> I've ran lqs2mem literally on hundreds of QEMU images with no problems.
>
> Can you post the output of your run?
>
> If I recall correctly, Juerg had to pad a certain section of memory in order to get the structures to line up. It's possible that later versions of QEMU/KVM changed so that padding isn't necessary any more.
Running lqs2mem on the original image returns "Invalid section type: 7"
- Thomas
Hello,
I am using volatility in order to do live introspection in a linux virtual machine (i m using libvmi and pyvmiaddresspace.py to access the vms memory).
The problem that I am facing is that once i run a command for example linux_pslist I get a segmentation fault(core dumped) error with no further information about it.
Some general information about the system:
I have recompiled libvmi in order to work with the kvm-qemu patch and I have tried the process-list example for linux that is featured with libvmi and it works fine.
I have also tried to manualy execute
pyvmi.init("instance-name","partial") which is what pyvmiaddresspace.py is doing and this also works (along with all the pyvmi related commands like get_memsize(), get_vcpureg()).
>From what I understand the problem should lie somewhere in volatility. Before the recompilation of libvmi everything was working fine (without the kvm patch).
Any help would be greatly appreciated.
Thanks
Anna
Hello All,
We are excited to announce that we now have public trainings scheduled
in NYC, Amsterdam, and Reston, VA! This is your chance to learn memory
forensics and malware analysis directly from the Volatility developers.
These three locations sell out quickly so please contact us ASAP if you
wish to attend:
http://volatility-labs.blogspot.com/2016/04/windows-malware-and-memory-fore…
--
Thanks,
Andrew (@attrc)
