Is there a Linux profile for Red Hat for the latest version of Volatility?
I am attempting to run pslist against a VM running Red Hat. However, I am
having no luck. I used imagecopy to convert a .vmss and a .vmsn file to a
memory dump file. Neither file works with pslist. I used the CentOS
profile and the results are below. If I don't specify a profile, you don't
see the "invalid pde_value" lines. Any ideas?

python vol.py --profile=LinuxCentOS63x64 -f serverName_vmsn.raw linux_pslist

Volatile Systems Volatility Framework 2.3_beta
*** Failed to import volatility.plugins.addrspaces.legacyintel (AttributeError: 'module' object has no attribute 'AbstractWritablePagedMemory')
WARNING : volatility.obj : Overlay structure tty_struct not present in vtypes
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxCentOS63x64 selected
IA32PagedMemory: Incompatible profile LinuxCentOS63x64 selected
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check