Hello,
I hope someone can help with this.
I am attempting to perform live memory analysis on linux virtual machines
using Xen, LibVMI and Volatility.
The command I am attempting to run is:
# python vol.py -l vmi://ubuntu-pvm-01 --profile=Linuxubuntux64 linux_psaux
I created the profile Linuxubuntux64 using the instructions on the
Volatility linux plugin page
I have included the pyvmiaddressspace.py file below:
# Volatility
#
# Copyright 2011 Sandia Corporation. Under the terms of Contract
# DE-AC04-94AL85000 with Sandia Corporation, the U.S. Government
# retains certain rights in this software.
#
# Authors:
# bdpayne(a)acm.org (Bryan D. Payne)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import volatility.addrspace as addrspace
import urllib
import pyvmi
#pylint: disable-msg=C0111
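class PyVmiAddressSpace(addrspace.BaseAddressSpace):
    """
    This address space can be used in conjunction with LibVMI
    and the Python bindings for LibVMI. The end result is that
    you can connect Volatility to view the memory of a running
    virtual machine from any virtualization platform that
    LibVMI supports.

    For this AS to be instantiated, we need the VM name to
    connect to; it is taken from ``config.LOCATION``, which must
    have the form ``vmi://<vm-name>``.

    NOTE: the ``print`` calls in this class are the debugging output
    the original author added. ``zread`` in particular echoes raw guest
    physical memory to stdout, which is what produces the garbled
    characters in the console output; remove the prints once the
    problem is found.
    """
    # Runs once, when the module is imported and the class body executes.
    print("pyvmiaddressspace loaded")

    # Presumably the position at which Volatility tries this space when
    # probing candidate address spaces; left as the author set it.
    order = 90

    def __init__(self, base, config, layered = False, **kwargs):
        """
        Connect LibVMI to the VM named in ``config.LOCATION``.

        Args:
            base: underlying address space; must be None unless ``layered``
                is True, because this space talks to the hypervisor itself.
            config: Volatility config object; ``LOCATION`` must start with
                ``vmi://``.
            layered: permit stacking on top of another address space.

        Fails through ``as_assert`` (the Volatility address-space
        precondition mechanism) when a requirement is not met.
        """
        print("__init__")
        addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
        self.as_assert(base is None or layered, "Must be first Address Space")
        self.as_assert(config.LOCATION.startswith("vmi://"),
                       "Location doesn't start with vmi://")
        # Strip the scheme; what remains is the VM name as LibVMI knows it.
        self.name = urllib.url2pathname(config.LOCATION[len("vmi://"):])
        # "partial" presumably asks LibVMI for hypervisor access only,
        # without its own guest-OS introspection (Volatility does that
        # part) -- confirm against the pyvmi/LibVMI docs.
        self.vmi = pyvmi.init(self.name, "partial")
        self.as_assert(self.vmi is not None, "VM not found")
        # The page-directory base is read live from vCPU 0's CR3.
        self.dtb = self.get_cr3()

    def read(self, addr, length):
        """
        Read ``length`` bytes of guest physical memory at ``addr``.

        Delegates to ``zread``, so the result is never None for a range
        inside the VM's memory size. NOTE(review): Volatility address
        spaces may normally return None from ``read`` for unmapped memory,
        and callers can rely on that distinction; routing ``read`` through
        ``zread`` removes it -- confirm this is intended.
        """
        print("read")
        return self.zread(addr, length)

    def zread(self, addr, length):
        """
        Zero-padded read of ``length`` bytes at physical ``addr``.

        Returns the bytes LibVMI's ``zread_pa`` produced when the whole
        range lies within the VM's memory size. Both ``addr`` and
        ``addr + length`` beyond the memory size fail an assertion (the
        ``memory = None`` branch below always ends in the second assert).
        """
        print("zread")
        memsize = self.vmi.get_memsize()
        assert addr < memsize, "addr too big"
        end = addr + length
        if end > memsize:
            memory = None
        else:
            # Presumably pads unreadable pages (holes in physical memory)
            # with zeros, per the original "account for holes" comment.
            memory = self.vmi.zread_pa(addr, length)
        assert memory is not None, "memory is None"
        # Debug echo of the raw bytes just read from the guest. This writes
        # guest memory contents (binary, possibly sensitive) straight to the
        # terminal.
        print(memory)
        return memory

    def is_valid_address(self, addr):
        """
        Return True when ``addr`` lies strictly inside guest physical
        memory, excluding the first page (``addr <= 4096``) and the last
        byte. ``None`` is never valid.
        """
        print("is_valid_address")
        if addr is None:
            return False
        return 4096 < addr < self.vmi.get_memsize() - 1

    def write(self, addr, data):
        """
        Write ``data`` into guest physical memory at ``addr``.

        This is a live write into the running VM. Returns True only if
        LibVMI reports that every byte of ``data`` was written.
        """
        print("write")
        nbytes = self.vmi.write_pa(addr, data)
        return nbytes == len(data)

    def get_cr3(self):
        """Return the current CR3 register value of vCPU 0."""
        print("get_cr3")
        return self.vmi.get_vcpureg("cr3", 0)

    def get_available_addresses(self):
        """
        Yield the runs of physical memory this space covers, as one
        ``(start, size)`` pair beginning after the first page.

        NOTE(review): if this follows the (offset, length) convention of
        Volatility's other address spaces, a run of ``memsize - 1`` bytes
        starting at 4096 extends one page past the end of guest memory;
        confirm the intended value.
        """
        print("get_available_addresses")
        yield (4096, self.vmi.get_memsize() - 1)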
I have added the print statements myself in order to help with debugging
and the output is as follows:
root@xenbox:~/downloads/volatility-2.2# python vol.py -l
vmi://ubuntu-pvm-01 --profile=Linuxubuntux64 linux_psaux
Volatile Systems Volatility Framework 2.2
pyvmiaddressspace loaded
Pid Uid
Arguments
__init__
get_cr3
read
zread
read
zread
g�g�g02c�1c�c�
g�gP� 'pH�'�H�g -g�
g-
read
zread
g�
read
zread
g@�
read
zread
read
zread
g�
read
zread
g@�
read
zread
__init__
read
zread
g-
read
zread
root@xenbox:~/downloads/volatility-2.2#
I added the print statements to see whether the address space plugin was
obtaining any data at all, because without them the only output was:
Volatile Systems Volatility Framework 2.2
Pid Uid Arguments
I am only just getting to grips with using Volatility, so any advice on
how to debug this issue would be much appreciated.
Thanks,
Mike