I downloaded Red Hat Enterprise Linux 5.7 and 5.9 and loaded them into
separate VMs. I then created profiles for both of these systems using the
instructions provided. However, when trying to run linux_pslist (and
pslist) using the profiles, I am still seeing an incompatibility profile
issue. The VM of the snapshot I have is Red Hat Enterprise Linux Server
2.6.18.274.el5. The profile I created using 5.7 is the same kernel as my
target VM. (Note: I was unable to create this profile directly from the
target VM)
# python vol.py --info | grep Linux
Volatile Systems Volatility Framework 2.3_beta
LinuxCentOS63x64 - A Profile for Linux CentOS63 x64
LinuxFedora17x64 - A Profile for Linux Fedora17 x64
LinuxMandriva2011x64 - A Profile for Linux Mandriva2011 x64
LinuxOpenSuSE12x86 - A Profile for Linux OpenSuSE12 x86
LinuxRHEL57x64 - A Profile for Linux RHEL57 x64
LinuxRHEL59x64 - A Profile for Linux RHEL59 x64
LinuxUbuntu1204x64 - A Profile for Linux Ubuntu1204 x64
linux_yarascan - A shell in the Linux memory image
# python vol.py -f server_vmsn.raw --profile=LinuxRHEL57x64 linux_pslist
Volatile Systems Volatility Framework 2.3_beta
*** Failed to import volatility.plugins.addrspaces.legacyintel
(AttributeError: 'module' object has no attribute
'AbstractWritablePagedMemory')
Offset Name Pid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxRHEL57x64 selected
IA32PagedMemory: Incompatible profile LinuxRHEL57x64 selected
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Any ideas?? Also I can share both of the profiles if someone wants them.
On Tue, Jul 9, 2013 at 4:51 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello,
You need to build a profile for the specific kernel you are running.
This wiki page walks through building a profile:
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
In general though you need to get a debug version of the kernel you
are running and then use dwarfdump to extract the information needed
by Volatility. You also need the System.map file, but that should be
placed in /boot by your distribution so it is not an issue to obtain.
Write back if you need any help with the process.
Thanks,
Andrew (@attrc)
On Tue, Jul 9, 2013 at 11:18 AM, Robert Miller <robert.millerii(a)gmail.com> wrote:
Is there a Linux profile for RedHat for the latest version of volatility? I
am attempting to run pslist against a VM running Redhat. However, I am
having no luck. I used imagecopy to convert a .vmss and a .vmsn file to a
memory dump file. Neither file works with pslist. I used the CentOS
profile and the results are below. If I don't specify a profile, you don't
see the "invalid pde_value" lines. Any ideas?
python vol.py --profile=LinuxCentOS63x64 -f serverName_vmsn.raw linux_pslist
Volatile Systems Volatility Framework 2.3_beta
*** Failed to import volatility.plugins.addrspaces.legacyintel
(AttributeError: 'module' object has no attribute
'AbstractWritablePagedMemory')
WARNING : volatility.obj : Overlay structure tty_struct not present in vtypes
Offset Name Pid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxCentOS63x64 selected
IA32PagedMemory: Incompatible profile LinuxCentOS63x64 selected
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
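Andrew's point above is that the profile must come from the exact kernel of the target, and a release mismatch between image and profile is one reason the address-space checks in the output can fail. The following is an added example, not code from the thread or from Volatility: it pulls the kernel release out of the raw image's `linux_banner` string and compares it with the release in the profile zip's System.map file name. It assumes the System.map was zipped straight from /boot with its `-<release>` suffix intact, and all sample data below is constructed.

```python
import io
import re
import zipfile

# The running kernel's banner sits in memory as
# "Linux version <release> (builder@host) (gcc ...) #1 SMP ..."
BANNER_RE = re.compile(rb"Linux version (\d\S*) \(")
# A System.map copied from /boot keeps its release suffix (assumption).
SYSMAP_RE = re.compile(r"System\.map-(\S+)$")


def image_kernel_release(image):
    """Return the release from the first linux_banner in the raw image, or None."""
    m = BANNER_RE.search(image)
    return m.group(1).decode("ascii", "replace") if m else None


def profile_contents(profile_zip):
    """Return (release, has_dwarf) for a Volatility 2 Linux profile zip."""
    with zipfile.ZipFile(io.BytesIO(profile_zip)) as zf:
        names = [n.rsplit("/", 1)[-1] for n in zf.namelist()]
    has_dwarf = any(n.endswith(".dwarf") for n in names)
    maps = [SYSMAP_RE.match(n) for n in names]
    release = next((m.group(1) for m in maps if m), None)
    return release, has_dwarf


def check_profile(image, profile_zip):
    """Classify the image/profile pair: match, mismatch, bad-profile or no-banner."""
    img_rel = image_kernel_release(image)
    prof_rel, has_dwarf = profile_contents(profile_zip)
    if img_rel is None:
        return "no-banner"      # not a Linux image, or the conversion went wrong
    if not has_dwarf or prof_rel is None:
        return "bad-profile"    # Volatility needs both module.dwarf and System.map
    return "match" if img_rel == prof_rel else "mismatch"


def make_profile(release, with_dwarf=True):
    """Build a minimal, constructed profile zip in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("System.map-" + release, "ffffffff80000000 T _text\n")
        if with_dwarf:
            zf.writestr("module.dwarf", "DW_TAG_structure_type\n")
    return buf.getvalue()


# Constructed sample image: a banner for the thread's 2.6.18-274.el5 kernel
# between runs of padding; no real memory is read.
SAMPLE_IMAGE = (b"\x00" * 4096
                + b"Linux version 2.6.18-274.el5 (mockbuild@example) (gcc 4.1.2) #1 SMP\x00"
                + b"\xff" * 4096)
```

Run `check_profile(open("image.raw", "rb").read(), open("RHEL57.zip", "rb").read())` against a real image and profile to see which of the four outcomes applies before re-running linux_pslist.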