I don't know the answer to your question, but as a 'plan B' you could collect memory with a memory capture program to keep your analysis going while you find the answer. I have an XP x86 and use windd32 to collect the memory; it works fine for me.
Date: Fri, 10 Feb 2012 22:48:54 -0500
From: louislarocca@gmail.com
To: vol-users@volatilityfoundation.org
Subject: [Vol-users] VM image of memory- This is not a VMEM file
When imaging memory on a live VM system to do analysis for malware, Volatility does not recognize it (see below). Is there anyone on this mailing list who has the knowledge of how I can remedy this without shutting the system down and grabbing the VMEM file?
Is it possible to substitute a valid DTB from another image into the memory dump of a live VM machine with a hex editor? And if it can be done, does anyone know the addresses of that space to take out and substitute? I hope that made sense...
If you look at a normal image of memory in a hex editor, you can clearly see the difference between that and a VM dump from a live system; there seems to be some extra padded stuff right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users
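The two things Lou is looking at in the hex editor (an unexpected header "right up front" and Volatility reporting "No valid DTB found") can both be checked mechanically before anyone starts patching bytes. The script below is an added example written for this thread; it is not code from the list posts or from the Volatility project. It assumes a 32-bit, non-PAE Windows guest, and it relies on one architectural fact: on such a system the page directory maps itself at virtual address 0xC0000000, so a real page directory has PDE index 0x300 pointing back at its own physical page. Volatility's own DTB finder works differently (it scans for the Idle process's _EPROCESS), but the self-map test is a cheap independent cross-check. The sample image, the 0x39000 address and the decoy page are constructed for the demonstration; the signature table lists only the Windows crash-dump and hibernation magics.

```python
"""Triage helpers for a raw x86 memory image that Volatility rejects.

Added example for this thread, not code from the list posts or from the
Volatility project. Assumes a 32-bit, non-PAE Windows guest.
"""
import struct
import sys

PAGE = 0x1000
# On non-PAE x86 Windows the page directory maps itself at virtual
# 0xC0000000, i.e. PDE index 0xC0000000 >> 22 == 0x300.
SELF_MAP_INDEX = 0xC0000000 >> 22
PDE_PRESENT = 0x1
PFN_MASK = 0xFFFFF000
KERNEL_PDE_START = 0x80000000 >> 22  # 0x200: first PDE of the kernel half

# Container formats that carry their own header ahead of the physical pages.
# Anything else is treated as raw physical memory.
CONTAINER_SIGNATURES = {
    b"PAGEDUMP": "Windows 32-bit crash dump",
    b"PAGEDU64": "Windows 64-bit crash dump",
    b"hibr": "Windows hibernation file",
    b"HIBR": "Windows hibernation file",
    b"wake": "Windows hibernation file (resumed)",
}


def classify_header(head):
    """Describe what the first bytes of the image look like.

    Returns the container name when a known signature is present, otherwise
    'raw' (no header, which is what a physical-offset DTB scan expects).
    """
    for magic, name in CONTAINER_SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "raw"


def find_dtb_candidates(image, min_kernel_pdes=2):
    """Return physical offsets of 4 KB pages that look like an x86 page directory.

    A candidate must have PDE[0x300] present and pointing back at the page
    itself (the self map), plus at least `min_kernel_pdes` present entries in
    the kernel half (indices 0x200..0x3FF, self map included). The second
    test rejects pages that contain one matching dword by chance.
    """
    candidates = []
    for page in range(0, len(image) - PAGE + 1, PAGE):
        self_pde, = struct.unpack_from("<I", image, page + SELF_MAP_INDEX * 4)
        if not (self_pde & PDE_PRESENT) or (self_pde & PFN_MASK) != page:
            continue
        kernel_pdes = struct.unpack_from("<512I", image, page + KERNEL_PDE_START * 4)
        present = sum(1 for pde in kernel_pdes if pde & PDE_PRESENT)
        if present >= min_kernel_pdes:
            candidates.append(page)
    return candidates


def build_sample_image(size=0x40000, dtb=0x39000):
    """Constructed sample: zero-filled image with one fake page directory.

    0x39000 is used because it is a typical XP Idle-process DTB; here it is
    just the place the fake directory is written. A decoy page with only a
    self-referencing dword shows why the kernel-PDE count matters.
    """
    img = bytearray(size)
    struct.pack_into("<I", img, dtb + SELF_MAP_INDEX * 4, dtb | 0x63)      # self map
    struct.pack_into("<I", img, dtb + 0x200 * 4, 0x3A000 | 0x63)           # 0x80000000
    struct.pack_into("<I", img, dtb + 0x201 * 4, 0x3B000 | 0x63)           # 0x80400000
    decoy = 0x20000
    struct.pack_into("<I", img, decoy + SELF_MAP_INDEX * 4, decoy | 0x63)
    return bytes(img)


def triage(image):
    """Run both checks; the DTB scan only makes sense on a raw image."""
    kind = classify_header(image[:8])
    cands = find_dtb_candidates(image) if kind == "raw" else []
    return kind, cands


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    kind, cands = triage(data)
    print("header:", kind)
    for c in cands:
        print("possible DTB at physical 0x%x (try: vol.py --dtb=0x%x ...)" % (c, c))
```

Run it against the dump that Volatility rejected. If the header check reports a known container, Volatility already has an address space for it and the failure lies elsewhere; if it reports raw but the first page is clearly not memory contents, the capture tool has prepended its own header, every physical offset is shifted by that much, and the self-map test will not match until the header is skipped. Once a candidate directory is found, Volatility 2.x can be told to use it with `--dtb=` instead of scanning, which is the supported way to do what the hex-editor idea is reaching for; splicing a DTB value from a different image cannot work, because the value is meaningful only against the page tables of the system it came from.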