Re: [Vol-users] Linux profile w/LiME not working

4 Feb 2013

      Hello,

Thanks to both of you for all the research and the very detailed explanation. That's 3
for 3 from the Volatility team in what, 10 days? Amazing.

I am now curious at what point in CentOS/RH kernels his behavior has changed, since I
assume it works fine on recent versions of 5.x. Another science experiment perhaps...

PS I tried the same approach (LiME + create Volatility profile) on BackTrack and it worked
great (didn't need to comment out pmem either).

PPS How soon will the bash_history auto-discovery be ready for testing? The gdb method
worked great, but obviously a bit involved.

--
bk

On Feb 4, 2013, at 7:58 AM, Michael Hale Ligh wrote:

...
  Hey Brian, 

 In a nutshell, we've investigated the issue and found that it's most definitely
not LiME causing the problem. LiME is producing a valid memory dump. The problem is with
volatility's DTB finding and address-space verification checks (two different factors
there). Fortunately, we believe it to be a quite isolated and extraordinary case specific
to CentOS 5.3 x64 with the 2.6.18.x kernel. I will explain a little about how we came to
this conclusion, however it will mostly be for documentation purposes. After understanding
the differences and considering the time involved in supporting this "special"
case, we probably won't be supporting it in the future (also since its going on 4+
years old now). 

 The first task was actually finding install media for CentOS 5.3. I tracked one down
here: http://www2.frugalware.org/mirror/centos.org/5.3/isos/x86_64/

 After installing it, I built the volatility profile and dumped memory with LiME. When
trying to analyze with volatility, I got the same error as you did, the main indicator
was:

 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
 DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed valid
Address Space check

 The cause of this error message is the VolatilityLinuxIntelValidAS check is failing. You
can see the code here:
http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/….
To pass the check, the virtual address of the init_task structure, when translated to a
physical address, must equal the virtual address minus a hard-coded "shift"
value of 0xffffffff80000000 (which is consistent on all x64 distributions and kernel
versions that we've seen. 

 Before we can translate virtual addresses to physical, we need the kernel DTB. This is
found on typical systems by querying the init_level4_pgt symbol from System.map and
subtracting the shift value. As you can see, this symbol exists in the CentOS 5.3 x64
2.6.18.x:

 # grep init_level4_pgt System.map-2.6.18-128.el5 
 ffffffff80001000 T init_level4_pgt

 When you subtract the shift, it leaves 0x1000. If you view this offset in the *raw*
memory dump (not the lime formatted memory dump, because that has headers which will
change the offset), you'll see that 0x1000 is most definitely not a DTB, its all
zeros:

 $ xxd -s 0x1000 ~/Documents/Virtual\
Machines.localized/CentOS53x64.vmwarevm/CentOS53x64-Snapshot1.vmem | less

 0001000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0001010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0001020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0001030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0001040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0001050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0001060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0001070: 0000 0000 0000 0000 0000 0000 0000 0000  ................

 After digging through the kernel source, Andrew found that this particular kernel uses a
symbol called boot_level4_pgt to store the kernel DTB instead. But:

 # grep boot_level4_pgt System.map-2.6.18-128.el5 
 # 

 So, what we have is a System.map that initializes init_level4_pgt to a value that
isn't the DTB, and the value that stores the real DTB is not in the map file.
We've never heard of boot_level4_pgt, so apparently it was a very short-lived thing. 

 Anyway, back on the live CentOS 5.3 system, we loaded an lkm that read and printed the
value of the init_task structure's mm->pgd value. It came up with 0x3e58d000 for my
VM. I went back and plugged that into the --dtb parameter to volatility (which will
override the value it gets from init_level4_pgt):

 $ python2.6 vol.py -f ~/Desktop/centos53x64-128.lime
--profile="LinuxCentOS53-128x64" --dtb=0x3e58d000

 There was still an issue with verifying the AMD64PagedMemory address space, however this
time the virtual address of the init_task was actually translated properly (since we
supplied the DTB manually). Some debug messaged showed that the check was failing because
the shift value was 0x200000 bytes off. So a very simple patch of the following nature was
able to fix everything up:

 Index: volatility/plugins/overlays/linux/linux64.py
 ===================================================================
 --- volatility/plugins/overlays/linux/linux64.py	(revision 3020)
 +++ volatility/plugins/overlays/linux/linux64.py	(working copy)
 @@ -33,7 +33,7 @@
          """Tries to locate the DTB."""
          profile = self.obj_vm.profile

 -        yield profile.get_symbol("init_level4_pgt") - 0xffffffff80000000
 +        yield profile.get_symbol("init_level4_pgt") - 0xffffffff7fe00000

  class Linux64ObjectClasses(obj.ProfileModification):
 Index: volatility/plugins/overlays/linux/linux.py
 ===================================================================
 --- volatility/plugins/overlays/linux/linux.py	(revision 3020)
 +++ volatility/plugins/overlays/linux/linux.py	(working copy)
 @@ -656,7 +656,7 @@
          if self.obj_vm.profile.metadata.get('memory_model', '32bit') ==
"32bit":
              shift = 0xc0000000
          else:
 -            shift = 0xffffffff80000000
 +            shift = 0xffffffff7fe00000

          yield self.obj_vm.vtop(init_task_addr) == init_task_addr - shift

 Now we can find the DTB and pass the AMD64 address space check with no issues:

 $ python2.6 vol.py -f ~/Desktop/centos53x64-128.lime
--profile="LinuxCentOS53-128x64" linux_pslist
 Volatile Systems Volatility Framework 2.3_alpha
 Offset             Name                 Pid             Uid             Gid    DTB       
        Start Time
 ------------------ -------------------- --------------- --------------- ------
------------------ ----------
 ......
 0x000081003cbbf080 firefox              6905            500             500   
0x000000002256a000 Sun, 03 Feb 2013 12:19:45 +0000
 0x000081001bf08860 su                   7008            500             500   
0x0000000018130000 Sun, 03 Feb 2013 12:21:04 +0000
 0x000081002d899100 bash                 7011            0               0     
0x0000000025b19000 Sun, 03 Feb 2013 12:21:05 +0000
 0x000081002a3bf820 notification-da      9374            500             500   
0x000000001f444000 Sun, 03 Feb 2013 12:26:40 +0000
 0x000081003fe6e7a0 bash                 10392           500             500   
0x0000000014785000 Sun, 03 Feb 2013 12:34:50 +0000
 0x0000810014f9a100 insmod               10597           0               0     
0x0000000012399000 Sun, 03 Feb 2013 12:36:11 +0000

 $ python2.6 vol.py -f ~/Desktop/centos53x64-128.lime
--profile="LinuxCentOS53-128x64" linux_dmesg
 Volatile Systems Volatility Framework 2.3_alpha
 WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
 <5>Linux version 2.6.18-128.el5 (mockbuild(a)builder10.centos.org) (gcc version 4.1.2
20080704 (Red Hat 4.1.2-44)) #1 SMP Wed Jan 21 10:41:14 EST 2009
 <6>Command line: ro root=LABEL=/ quiet
 <6>BIOS-provided physical RAM map:
 <4> BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
 <4> BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
 <4> BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)

 $ python2.6 vol.py -f ~/Desktop/centos53x64-128.lime
--profile="LinuxCentOS53-128x64" linux_ifconfig
 Volatile Systems Volatility Framework 2.3_alpha
 WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
 Interface        IP Address           MAC Address        Promiscous Mode
 ---------------- -------------------- ------------------ ---------------
 lo               127.0.0.1            00:00:00:00:00:00  False          
 eth0             192.168.16.240       00:0c:29:d4:30:9e  False          
 sit0             0.0.0.0              00:00:00:00:00:00  False 

 One of the reasons the shift *could* be different is if CONFIG_RELOCATABLE kernel option
is set. However, on my CentOS 5.3 x64 2.6.18.x, the option is *not* enabled and I'm
guessing its not on your either. Plus, Andrew has analyzed systems in the past with this
option *enabled* yet the shift value was still 0xffffffff80000000. 

 So in the future if this becomes a problem, we may consider some fuzzing/brute-forcing
around the 0xffffffff80000000 plus or minus 0x200000 area, but currently its only been
seen as different on on the 4+ year old CentOS 5.3 x64 2.6.18.x, so its not a major issue
for us at this time. 

 Hope this helps!
 MHL

 On Thu, Jan 31, 2013 at 11:24 AM, Brian Keefer &lt;chort(a)effu.se&gt; wrote:
 Hello, sending to list for archive(?) sake.

 chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py
--profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime -dd linux_lsmod
 Volatile Systems Volatility Framework 2.3_alpha
 DEBUG   : volatility.utils    : Voting round
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
 DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base
Address Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
 DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base
Address Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address
Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
 DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base
Address Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
 DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No base Address
Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
 DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base
Address Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
 DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: No base
Address Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
 DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address
Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
 DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: No base Address
Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
 DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module disabled
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
 DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module disabled
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
 DEBUG   : volatility.plugins.overlays.linux.linux: CentOS_5.3: Found dwarf file
System.map-2.6.18-128.el5 with 365 symbols
 DEBUG   : volatility.plugins.overlays.linux.linux: CentOS_5.3: Found system file
System.map-2.6.18-128.el5 with 1 symbols
 DEBUG   : volatility.obj      : Applying modification from BashTypes
 DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
 DEBUG   : volatility.obj      : Applying modification from ELF64Modification
 DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
 DEBUG   : volatility.obj      : Applying modification from LimeTypes
 DEBUG   : volatility.obj      : Applying modification from MachoTypes
 DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
 DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
 DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
 DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
 DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
 DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
 DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
 WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
 DEBUG   : volatility.obj      : Applying modification from Linux64ObjectClasses
 DEBUG   : volatility.utils    : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x5c93d50>
 DEBUG   : volatility.utils    : Voting round
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header
signature invalid
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
 DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x3FF8F860,
instantiating lime_header
 DEBUG   : volatility.utils    : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x5c93d10>
 DEBUG   : volatility.utils    : Voting round
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header
signature invalid
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime
header signature
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
 DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32:
PO_MEMORY_IMAGE is not available in profile
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
 DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header
signature invalid
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic
found
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
 DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64
Header signature invalid
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
 DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware
signature: 0xf000ff53
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
 DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header
signature invalid
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
 DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: Incompatible
profile LinuxCentOS_5_3x64 selected
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
 DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed valid
Address Space check
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
 DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: Incompatible
profile LinuxCentOS_5_3x64 selected
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
 DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module disabled
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
 DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module disabled
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first
Address Space
 DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
 DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Incompatible
profile LinuxCentOS_5_3x64 selected
 No suitable address space mapping found
 Tried to open image as:
  MachOAddressSpace: mac: need base
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  HPAKAddressSpace: No base Address Space
  VirtualBoxCoreDumpElf64: No base Address Space
  VMWareSnapshotFile: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  JKIA32PagedMemoryPae: No base Address Space
  AMD64PagedMemory: No base Address Space
  JKIA32PagedMemory: No base Address Space
  IA32PagedMemoryPae: Module disabled
  IA32PagedMemory: Module disabled
  MachOAddressSpace: MachO Header signature invalid
  MachOAddressSpace: MachO Header signature invalid
  LimeAddressSpace: Invalid Lime header signature
  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
  WindowsCrashDumpSpace64: Header signature invalid
  HPAKAddressSpace: Invalid magic found
  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
  VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
  WindowsCrashDumpSpace32: Header signature invalid
  JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
  AMD64PagedMemory: Failed valid Address Space check
  JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
  IA32PagedMemoryPae: Module disabled
  IA32PagedMemory: Module disabled
  FileAddressSpace: Must be first Address Space
  ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected

 --
 chort

 On Jan 31, 2013, at 8:20 AM, Andrew Case wrote:

  Hey,

 Can you run again with "-dd" added before linux_lsmod and send me the output?

 The lack of cpuinfo_x86 does not change lsmod so do not worry about that part...

 On Thu, Jan 31, 2013 at 1:18 AM, Brian Keefer &lt;chort(a)effu.se&gt; wrote:
> I built LiME from the tarball on the project site (not latest svn) and was able to
dump memory successfully (type=lime). After many trials and tribulations I was able to get
the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I
put the profile in the correct directory, and vol.py --info lists it as expected, however
when I try to use the profile with the memory image I get an error.
>
> chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py
--profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
> Volatile Systems Volatility Framework 2.3_alpha
> WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
> No suitable address space mapping found
> Tried to open image as:
> MachOAddressSpace: mac: need base
> LimeAddressSpace: lime: need base
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace64: No base Address Space
> HPAKAddressSpace: No base Address Space
> VirtualBoxCoreDumpElf64: No base Address Space
> VMWareSnapshotFile: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> AMD64PagedMemory: No base Address Space
> JKIA32PagedMemory: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> MachOAddressSpace: MachO Header signature invalid
> MachOAddressSpace: MachO Header signature invalid
> LimeAddressSpace: Invalid Lime header signature
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> WindowsCrashDumpSpace64: Header signature invalid
> HPAKAddressSpace: Invalid magic found
> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
> WindowsCrashDumpSpace32: Header signature invalid
> JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
> AMD64PagedMemory: Failed valid Address Space check
> JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
> ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
>
> On a hunch I checked the directory I built the profile in (copied headers &
source from the target system):
> chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
> System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
> System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
> System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
> System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
> System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
> System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
> System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
> System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
> System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
> System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
>
>
> Platform running Volatility (2.3_alpha, latest from svn):
> Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64
x86_64 GNU/Linux
>
> Source of memory image:
> Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64
x86_64 x86_64 GNU/Linux
>
> What am I missing?
>
>
> --
> chort
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users  
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: [Vol-users] Linux profile w/LiME not working