Hey Adam,

Can you share those profiles? 

Thanks

On 4 May 2016 at 15:25, Adam Pridgen <adam.pridgen@thecoverofnight.com> wrote:

Thomas,

Which profile are you using?  You should create a profile for the Linux VM you are trying to analyze.  I have had to do this for several clean installs of Ubuntu because of Linux kernel versions.

-- Adam

On May 4, 2016 8:50 AM, "Thomas Hungenberg" <th@cert-bund.de> wrote:
Hi,

I was provided a suspend-to-disk snapshot image along with a copy of the
virtual hard disk file from a QEMU/KVM-based Linux server for analysis.

Analysis of the hard disk is done. Now I'd like to dump running processes etc.
from the server's memory image.

I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory image
using the 'dump-guest-memory' command.
So now I have this:
memory.img: ELF 64-bit LSB  core file Intel 80386, version 1 (SYSV), SVR4-style

Then, I set up a fresh VM with Debian Linux in the same version the virtual
server was running. Next, I installed the kernel image and related files
extracted from the virtual hard disk on this new VM to get a Linux system
running exactly the same kernel version. On this VM, I created a Volatility
profile using the files provided in /tools/linux/.

Unfortunately, Volatility crashes when running imageinfo on the dumped
memory image file:
=========================================================================
$ python vol.py imageinfo -f /path/to/memory.img
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
                     AS Layer1 : QemuCoreDumpElf (Unnamed AS)
                     AS Layer2 : FileAddressSpace (/path/to/memory.img)
                      PAE type : No PAE
                           DTB : -0x1L
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
    func(outfd, data)
  File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
    for k, t, v in data:
  File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
    kdbg = volmagic.KDBG.v()
  File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
    return self.m(attr)
  File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
=========================================================================

When running other Volatility plugins on the memory image with the created profile,
it says "No suitable address space mapping found":
=========================================================================
$ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
Volatility Foundation Volatility Framework 2.5
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
[...]
=========================================================================

Any suggestions?
What am I missing?


     - Thomas


_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
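The workflow in Thomas's message dumps the guest with `dump-guest-memory`, which yields an ELF64 core whose PT_LOAD program headers carry guest-physical addresses (the mapping Volatility's QemuCoreDumpElf layer relies on). Because a Linux profile only matches the exact kernel build it was generated from, a useful first check when that profile is rejected is to confirm which kernel banner is actually present in the dump and compare it with the kernel used to build the profile. The script below is an added example, not code from this thread or from the Volatility project: it parses the ELF program headers, lists the PT_LOAD ranges, and scans the file-backed data for the `Linux version ...` banner. All function names are the example's own, and the embedded sample core and its banner string are constructed test data, not a real dump.

```python
"""Triage a QEMU dump-guest-memory ELF core before handing it to Volatility.

Added example, not code from the mailing-list thread or the Volatility
project. It walks the ELF64 program headers, lists each PT_LOAD segment's
guest-physical range, and scans the file-backed data for the kernel's
"Linux version ..." banner so it can be compared with the kernel the
Volatility profile was built from.
"""
import re
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4
PT_LOAD = 1
# ELF64 header: e_ident(16) e_type e_machine e_version e_entry e_phoff e_shoff
# e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx (64 bytes)
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
# ELF64 program header: p_type p_flags p_offset p_vaddr p_paddr p_filesz
# p_memsz p_align (56 bytes)
PHDR = struct.Struct("<IIQQQQQQ")
# The kernel's linux_banner string is newline-terminated in memory.
BANNER_RE = re.compile(rb"Linux version \d[^\x00\n]*")


def parse_elf64_core(data):
    """Return the PT_LOAD segments of a little-endian ELF64 core as dicts."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:          # EI_CLASS=ELFCLASS64, EI_DATA=LSB
        raise ValueError("only little-endian ELF64 cores are handled")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type != ET_CORE:
        raise ValueError("e_type %d is not ET_CORE" % e_type)
    segments = []
    for i in range(e_phnum):
        p_type, _, p_offset, _, p_paddr, p_filesz, p_memsz, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append({"offset": p_offset, "paddr": p_paddr,
                             "filesz": p_filesz, "memsz": p_memsz})
    return segments


def find_linux_banner(data, segments):
    """Scan each segment's file-backed bytes; return (phys_addr, banner) or None."""
    for seg in segments:
        chunk = data[seg["offset"]:seg["offset"] + seg["filesz"]]
        m = BANNER_RE.search(chunk)
        if m:
            return seg["paddr"] + m.start(), m.group(0).decode("ascii", "replace")
    return None


def build_sample_core():
    """Constructed test data: a tiny ET_CORE with two PT_LOAD segments, the
    second carrying a fake banner 0x40 bytes into guest-physical 0x100000."""
    banner = (b"Linux version 9.99.0-example (builder@example) "
              b"(gcc version 0.0 (Example) ) #1 SMP (constructed)\n")
    seg0 = b"\x00" * 0x100                           # stands in for low RAM
    seg1 = b"\x00" * 0x40 + banner + b"\x00" * 0x40
    phnum = 2
    data_off = EHDR.size + phnum * PHDR.size
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = EHDR.pack(e_ident, ET_CORE, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    ph0 = PHDR.pack(PT_LOAD, 6, data_off, 0, 0x0, len(seg0), len(seg0), 0x1000)
    ph1 = PHDR.pack(PT_LOAD, 6, data_off + len(seg0), 0, 0x100000,
                    len(seg1), len(seg1), 0x1000)
    return ehdr + ph0 + ph1 + seg0 + seg1


def triage(data):
    """Summarise a core: PT_LOAD ranges plus the banner found (if any)."""
    segments = parse_elf64_core(data)
    return {"segments": segments, "banner": find_linux_banner(data, segments)}


if __name__ == "__main__":
    # With a path argument, triage that dump; otherwise use the constructed sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_core()
    report = triage(raw)
    for s in report["segments"]:
        print("PT_LOAD paddr 0x%x-0x%x (file offset 0x%x)"
              % (s["paddr"], s["paddr"] + s["memsz"], s["offset"]))
    if report["banner"]:
        print("banner at phys 0x%x: %s" % report["banner"])
    else:
        print("no Linux banner found in file-backed segments")
```

Run it as `python triage_core.py /path/to/memory.img`; if the banner it prints differs from the `Linux version` line of the kernel the profile was generated on (for example in the Debian ABI suffix or build date), the profile was built from a different kernel and needs to be regenerated from the guest's own kernel files.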
