Okay, is there any way you can run the source version? The latest
Volatility should support the profile you are trying.
Thanks,
Andrew (@attrc)
On 06/03/2016 09:38 AM, Rob Hunter wrote:
Hi Andrew,
This is the output I get.
regards,
Rob
./volatility_2.5_mac --plugins=./mac -f ../ram.dump mac_get_profile -d
Volatility Foundation Volatility Framework 2.5
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from BigPageTableMagic
DEBUG : volatility.debug : Applying modification from ControlAreaModification
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from EditBoxObjectClasses
DEBUG : volatility.debug : Applying modification from EditBoxVTypes
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8
DEBUG : volatility.debug : Applying modification from IEHistoryVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from PoolTagModification
DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay
DEBUG : volatility.debug : Applying modification from SSLKeyModification
DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from Win32KGahtiVType
DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes
DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute
DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject
DEBUG : volatility.debug : Applying modification from WinXPSyscalls
DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes
DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType
DEBUG : volatility.debug : Applying modification from WindowsVTypes
DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay
DEBUG : volatility.debug : Applying modification from EVTObjectTypes
DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification
DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes
DEBUG : volatility.debug : Applying modification from WindowsOverlay
DEBUG : volatility.debug : Applying modification from CallbackMods
DEBUG : volatility.debug : Applying modification from MalwarePspCid
DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes
DEBUG : volatility.debug : Applying modification from TimerVTypes
DEBUG : volatility.debug : Applying modification from TokenXP2003
DEBUG : volatility.debug : Applying modification from UserAssistVTypes
DEBUG : volatility.debug : Applying modification from VadFlagsModification
DEBUG : volatility.debug : Applying modification from VadTagModification
DEBUG : volatility.debug : Applying modification from WinAllTime
DEBUG : volatility.debug : Applying modification from WinPEObjectClasses
DEBUG : volatility.debug : Applying modification from WinPEVTypes
DEBUG : volatility.debug : Applying modification from WinXPTrim
DEBUG : volatility.debug : Applying modification from WinXPx86Vad
DEBUG : volatility.debug : Applying modification from WindowsObjectClasses
DEBUG : volatility.debug : Applying modification from XPOverlay
DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay
DEBUG : volatility.debug : Applying modification from AuditpolTypesXP
DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses
DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86
DEBUG : volatility.debug : Applying modification from CrashInfoModification
DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86
DEBUG : volatility.debug : Applying modification from HeapModification
DEBUG : volatility.debug : Applying modification from KDBGObjectClass
DEBUG : volatility.debug : Applying modification from KPCRProfileModification
DEBUG : volatility.debug : Applying modification from MFTTYPES
DEBUG : volatility.debug : Applying modification from MalwareDrivers
DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86
DEBUG : volatility.debug : Applying modification from MalwareKthread
DEBUG : volatility.debug : Applying modification from ServiceBase
DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP
DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86
DEBUG : volatility.debug : Applying modification from Win32KCoreClasses
DEBUG : volatility.debug : Applying modification from XPHeapModification
Profile                                            Shift Address
-------------------------------------------------- -------------
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x1179d3910>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
ERROR : volatility.debug : Unable to find an OS X profile for the given memory sample.
On 03 Jun 2016, at 16:30, Andrew Case <atcuno@gmail.com> wrote:
As a quick check, can you verify that mac_get_profile matches the one
you are using? Don't specify --profile when running it.
Thanks,
Andrew (@attrc)
On 06/03/2016 03:09 AM, Rob Hunter wrote:
> Hello list,
>
> I’m trying to use Volatility on an OSX memory dump. I was unable to
> download Mac Memory Reader as the site is offline. I’ve used osxpmem
> from Rekall.
>
> The commands I used to perform the dump were:
>
> sudo kextutil MacPmem.kext
> sudo ./osxpmem --format elf -o ./ram.dump
>
> I then moved ram.dump into my volatility directory
>
> To check my downloaded profile is included I’ve run the command
> ./volatility_2.5_mac --plugins=./mac --imageinfo
> and then I ran
>
> ./volatility_2.5_mac --plugins=./mac
> --profile=MacElCapitan_10_11_4_15E65x64 -f ../ram.dump mac_pslist
>
> and got
>
> Volatility Foundation Volatility Framework 2.5
> Offset             Name                 Pid      Uid      Gid      PGID     Bits         DTB                Start Time
> ------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
> No suitable address space mapping found
> Tried to open image as:
> MachOAddressSpace: mac: need base
> LimeAddressSpace: lime: need base
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace64BitMap: No base Address Space
> VMWareMetaAddressSpace: No base Address Space
> WindowsCrashDumpSpace64: No base Address Space
> HPAKAddressSpace: No base Address Space
> VirtualBoxCoreDumpElf64: No base Address Space
> QemuCoreDumpElf: No base Address Space
> VMWareAddressSpace: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> AMD64PagedMemory: No base Address Space
> IA32PagedMemoryPae: No base Address Space
> IA32PagedMemory: No base Address Space
> OSXPmemELF: No base Address Space
> MachOAddressSpace: MachO Header signature invalid
> LimeAddressSpace: Invalid Lime header signature
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> WindowsCrashDumpSpace64BitMap: Header signature invalid
> VMWareMetaAddressSpace: VMware metadata file is not available
> WindowsCrashDumpSpace64: Header signature invalid
> HPAKAddressSpace: Invalid magic found
> VirtualBoxCoreDumpElf64: ELF Header signature invalid
> QemuCoreDumpElf: ELF Header signature invalid
> VMWareAddressSpace: Invalid VMware signature: 0x4034b50
> WindowsCrashDumpSpace32: Header signature invalid
> AMD64PagedMemory: Failed valid Address Space check
> IA32PagedMemoryPae: Failed valid Address Space check
> IA32PagedMemory: Failed valid Address Space check
> OSXPmemELF: ELF Header signature invalid
> FileAddressSpace: Must be first Address Space
> ArmAddressSpace: Failed valid Address Space check
>
>
> Apparently my OSXPmemElf signature is invalid. What can I do to dump
> memory with a valid signature? Or does my problem lie elsewhere?
>
> Regards,
> Rob
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
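A first check worth running on the image before suspecting the profile, added here as an example and not part of the thread or of Volatility: the VMware address space in Volatility 2 reports the 32-bit value it read at offset 0 in little-endian order, so the quoted `Invalid VMware signature: 0x4034b50` decodes to the bytes `PK\x03\x04`, the ZIP local-file-header signature, rather than the `\x7fELF` an ELF-format dump begins with. The magic table, the reading of a ZIP-based image as an AFF4 volume, and the sample archive are my assumptions and constructions; to apply it to a real dump, pass the first 4 KiB of `../ram.dump` to the two functions.

```python
import io
import struct
import zipfile

# Magic bytes at file offset 0 (as stored on disk) and the Volatility 2
# address space that accepts each container. Assumed table, not Volatility's.
MAGICS = {
    b"\x7fELF":          "ELF core (OSXPmemELF, VirtualBoxCoreDumpElf64, QemuCoreDumpElf)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian (MachOAddressSpace)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit big-endian (MachOAddressSpace)",
    b"EMiL":             "LiME dump (LimeAddressSpace)",
    b"PK\x03\x04":       "ZIP container, e.g. an AFF4 volume (no Volatility 2 address space)",
}

def decode_volatility_signature(value):
    """Undo the little-endian 32-bit read behind 'Invalid VMware signature: 0x4034b50'."""
    return struct.pack("<I", value)

def identify_dump(header):
    """Classify an image by its leading bytes; at least 4 are needed."""
    if len(header) < 4:
        return "truncated"
    for magic, description in MAGICS.items():
        if header.startswith(magic):
            return description
    return "unknown"

def first_zip_entry_name(data):
    """Name of the first ZIP member: the 30-byte local file header stores the
    name length at offset 26 and the name immediately after the header."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 30:
        return None
    name_len = struct.unpack_from("<H", data, 26)[0]
    return data[30:30 + name_len].decode("utf-8", "replace")

def constructed_zip_sample():
    """Constructed stand-in for a ZIP-based dump (AFF4 volumes keep their
    metadata in a member called information.turtle; the content here is fake)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("information.turtle", b"# constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    raw = decode_volatility_signature(0x4034b50)           # value quoted in the thread
    print(raw, "->", identify_dump(raw))                   # b'PK\x03\x04' -> ZIP container ...
    print(first_zip_entry_name(constructed_zip_sample()))  # information.turtle
```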