Also, imageinfo is a Windows-only plugin that accesses
Windows-only data structures (thus the error when running on a Linux memory image). Try
something like linux_pslist and see if that works on
your sample.
Cheers, MHL
On 5/4/16 9:25 AM, Adam Pridgen wrote:
Thomas,
Which profile are you using? You should create a profile for the Linux VM you are trying
to analyze. I have had to do this for several clean installs of Ubuntu because of Linux
kernel versions.
-- Adam
On May 4, 2016 8:50 AM, "Thomas Hungenberg" <th(a)cert-bund.de> wrote:
Hi,
I was provided a suspend-to-disk snapshot image along with a copy of the virtual hard disk
file from a QEMU/KVM-based Linux server for analysis.
Analysis of the hard disk is done. Now I'd like to dump running processes etc. from
the server's memory image.
I loaded the snapshot into QEMU and used the QEMU monitor to dump a memory image using
the 'dump-guest-memory' command. So now I have this:
memory.img: ELF 64-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style
Then, I set up a fresh VM with Debian Linux in the same version the virtual server was
running. Next, I installed the kernel image and related files extracted from the virtual
hard disk on this new VM to get a Linux system running exactly the same kernel version.
On this VM, I created a Volatility profile using the files provided in /tools/linux/.
Unfortunately, Volatility crashes when running imageinfo on the dumped memory image file:
=========================================================================
$ python vol.py imageinfo -f /path/to/memory.img
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with Server_x64)
                     AS Layer1 : QemuCoreDumpElf (Unnamed AS)
                     AS Layer2 : FileAddressSpace (/path/to/memory.img)
                      PAE type : No PAE
                           DTB : -0x1L
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/opt/tools/volatility-master/volatility/commands.py", line 145, in execute
    func(outfd, data)
  File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 45, in render_text
    for k, t, v in data:
  File "/opt/tools/volatility-master/volatility/plugins/imageinfo.py", line 103, in calculate
    kdbg = volmagic.KDBG.v()
  File "/opt/tools/volatility-master/volatility/obj.py", line 748, in __getattr__
    return self.m(attr)
  File "/opt/tools/volatility-master/volatility/obj.py", line 730, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
=========================================================================
When running other Volatility plugins on the memory image with the created profile, it
says "No suitable address space mapping found":
=========================================================================
$ python vol.py linux_netstat -f /path/to/memory.img --profile=Server_x64
Volatility Foundation Volatility Framework 2.5
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 [...]
=========================================================================
Any suggestions? What am I missing?
- Thomas
_______________________________________________ Vol-users mailing list
Vol-users(a)volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
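Before chasing the profile, it is worth confirming that the dump-guest-memory output itself has the shape Volatility's ELF core address space expects: an ELF64 little-endian ET_CORE file whose PT_LOAD program headers map guest-physical ranges to file offsets, plus a PT_NOTE segment. The script below is an added example written for this thread; it is not Volatility code and not part of the original discussion. It parses those headers, translates a physical address through the PT_LOAD runs the same way a run-based address space does, and flags header values that do not fit a 64-bit Linux guest. The EM_386 warning is a heuristic: file(1) prints "Intel 80386" for e_machine 3, as in the output Thomas posted, while a guest in 64-bit long mode is normally written with EM_X86_64 (62). The sample core the script builds when run without an argument is constructed inline and is not a real dump.

```python
#!/usr/bin/env python3
"""Sanity-check an ELF64 core written by QEMU 'dump-guest-memory' (added example, not Volatility code)."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_CORE = 4
EM_386, EM_X86_64 = 3, 62
PT_LOAD, PT_NOTE = 1, 4

EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR64 = struct.Struct("<IIQQQQQQ")            # Elf64_Phdr, 56 bytes


def _align4(n):
    return (n + 3) & ~3


def parse_notes(blob):
    """Return the owner names of every note entry in a PT_NOTE segment."""
    names, off = [], 0
    while off + 12 <= len(blob):
        namesz, descsz, _ntype = struct.unpack_from("<III", blob, off)
        off += 12
        names.append(blob[off:off + namesz].rstrip(b"\0").decode("ascii", "replace"))
        off += _align4(namesz) + _align4(descsz)
    return names


def inspect_core(data):
    """Parse an ELF64 little-endian core into header facts and (paddr, file offset, length) runs."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    (ident, e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR64.unpack_from(data, 0)
    if ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian cores are handled here")
    runs, notes = [], []
    for i in range(e_phnum):
        (p_type, _pflags, p_offset, _vaddr, p_paddr, p_filesz,
         _memsz, _align) = PHDR64.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            runs.append((p_paddr, p_offset, p_filesz))
        elif p_type == PT_NOTE:
            notes.extend(parse_notes(data[p_offset:p_offset + p_filesz]))
    return {"e_type": e_type, "e_machine": e_machine, "runs": runs, "notes": notes}


def check_core(info):
    """Heuristic warnings for a dump that is supposed to come from a 64-bit Linux guest."""
    warnings = []
    if info["e_type"] != ET_CORE:
        warnings.append("e_type is not ET_CORE")
    if info["e_machine"] == EM_386:
        # file(1) reports EM_386 as 'Intel 80386'; a guest in 64-bit long mode is
        # expected to be dumped as EM_X86_64, so check the guest's state at dump time.
        warnings.append("e_machine is EM_386 (3), not EM_X86_64 (62)")
    if not info["runs"]:
        warnings.append("no PT_LOAD segments: the file carries no guest memory")
    if "CORE" not in info["notes"]:
        warnings.append("no 'CORE' note found in PT_NOTE")
    return warnings


def read_phys(data, info, paddr, length):
    """Translate a guest-physical address through the PT_LOAD runs and read from the file."""
    for run_paddr, offset, size in info["runs"]:
        if run_paddr <= paddr < run_paddr + size:
            avail = min(length, run_paddr + size - paddr)
            start = offset + (paddr - run_paddr)
            return data[start:start + avail]
    return None  # hole: no run backs this address


def build_sample_core(e_machine):
    """Constructed sample: a tiny ELF64 core shaped like QEMU's (one note, two runs with a hole)."""
    note_body = struct.pack("<III", 5, 8, 1) + b"CORE\0\0\0\0" + b"\0" * 8
    phnum, note_off = 3, EHDR64.size + 3 * PHDR64.size
    note_sz = _align4(len(note_body))
    run1_off, run2_off = note_off + note_sz, note_off + note_sz + 4096
    phdrs = [PHDR64.pack(PT_NOTE, 0, note_off, 0, 0, len(note_body), 0, 0),
             PHDR64.pack(PT_LOAD, 7, run1_off, 0, 0x0, 4096, 4096, 0),        # phys 0..4095
             PHDR64.pack(PT_LOAD, 7, run2_off, 0, 0x100000, 4096, 4096, 0)]   # phys 1 MiB..
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\0" * 7
    ehdr = EHDR64.pack(ident, ET_CORE, e_machine, 1, 0, EHDR64.size, 0, 0,
                       EHDR64.size, PHDR64.size, phnum, 0, 0, 0)
    run1 = bytes(range(256)) * 16                  # recognisable byte pattern
    run2 = b"LINUX-RUN-2".ljust(4096, b"\xaa")
    return ehdr + b"".join(phdrs) + note_body.ljust(note_sz, b"\0") + run1 + run2


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_core(EM_386)
    info = inspect_core(data)
    print("e_type=%d e_machine=%d notes=%s" % (info["e_type"], info["e_machine"], info["notes"]))
    for paddr, off, size in info["runs"]:
        print("  run paddr=%#x file_off=%#x size=%#x" % (paddr, off, size))
    for w in check_core(info):
        print("WARNING:", w)
```

Run it as `python3 corecheck.py /path/to/memory.img` (hypothetical file name) to list the runs and any warnings; a dump with no PT_LOAD runs or with a machine value that does not match the guest is worth re-taking before spending time on profiles.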