search

Leor3961 / volatility

Automatically exported from code.google.com/p/volatility
0 stars 0 forks source link

volatility doesn't validate that the memory image (-f) exists #35

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
example:

root@newubuntu:~/vol# python volatility.py --no-cache pslist -f XPSP3.vmem 
--profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time
System                    4      0     56    382 1970-01-01 00:00:00
smss.exe                552      4      3     19 2010-09-08 14:57:09
csrss.exe               600    552     11    394 2010-09-08 14:57:11
.....

root@newubuntu:~/vol# python volatility.py --no-cache pslist -f 
file_that_doesnt_exist --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
No suitable address space mapping found
Tried to open image as:
 WindowsHiberFileSpace32: Filename must be specified and exist
 WindowsCrashDumpSpace32: Filename must be specified and exist
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Filename must be specified and exist

--------------

similar to --profile it should validate that the file exists and is readable by 
the user

Original issue reported on code.google.com by atc...@gmail.com on 25 Sep 2010 at 7:25

GoogleCodeExporter commented 8 years ago 
This issue was closed by revision r458.

Original comment by mike.auty@gmail.com on 25 Sep 2010 at 8:05

GoogleCodeExporter commented 8 years ago 
I have a few issues with Volatility. I get this error message. What can i do?
root@bt:/pentest/forensics/volatility# ./vol.py pslist -l /root/memdump.img
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
 WindowsHiberFileSpace32: No base Address Space
 EWFAddressSpace: Location is not of file scheme
 WindowsCrashDumpSpace32: No base Address Space
 JKIA32PagedMemory: No base Address Space
 IA32PagedMemoryPae: Module disabled
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: Module disabled
 FirewireAddressSpace: Not a firewire URN
 FileAddressSpace: Location is not of file scheme

Original comment by pious...@gmail.com on 9 Feb 2012 at 6:28

GoogleCodeExporter commented 8 years ago 
Hiya, you're using the -l command line option, which stands for location and 
accepts a standard URN.  As you can see, the FileAddressSpace cannot load it 
because "Location is not of file scheme".  You should be using the -f command 
line parameter, or providing a valid file:// URN...

For questions like that, it's probably best to ask on the volatility IRC 
channel, or the mailing list.  If you're then told you should be filing an 
issue, please file a new one, since comments on old bugs aren't always seen...

Original comment by mike.auty@gmail.com on 9 Feb 2012 at 7:57