Nicebear / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Can't Read Profile on Suse x86_64 #435

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I'm having trouble reading memory images created either with fmem or lime with 
a profile created for OpenSuse X86_64. This seems nearly identical to issue 326.

What steps will reproduce the problem?

1. Capture memory profile with lime
 insmod lime-3.9.4-1.g51bf0ff-default.ko "path=/mnt/suse.lime.dump format=lime"

2. Create Volatility profile
 zip /home/me/volatility/volatility/plugins/overlays/linux/Suse12.3.zip /home/me/volatility/tools/linux/module.dwarf /boot/System.map-3.9.4-1.g51bf0ff-default 

3. Ensure it sees the profile
 python vol.py --info | grep Linux
Volatile Systems Volatility Framework 2.3_beta
LinuxSuse12_3x64 - A Profile for Linux Suse12.3 x64

4. Try to do something:
$~/volatility> python vol.py -f /mnt/suse.lime.dump --profile=LinuxSuse12_3x64 
-dd linux_arp
Volatile Systems Volatility Framework 2.3_beta
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: Suse12.3: Found dwarf file 
boot/System.map-3.9.4-1.g51bf0ff-default with 614 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Suse12.3: Found system file 
boot/System.map-3.9.4-1.g51bf0ff-default with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain 
not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.obj      : Applying modification from Linux64ObjectClasses
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 
0x7f2b9a62c750>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0xDB66D840, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f2b9a62c910>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid 
magic found
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: 
Invalid VMware signature: 0x0
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.obj      : None object instantiated: Unable to 
read_long_long_phys at 0x119e6d090L
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed 
valid Address Space check
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: 
Incompatible profile LinuxSuse12_3x64 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: 
Incompatible profile LinuxSuse12_3x64 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not 
read_long_phys at offset 0x3ffffffff068L
DEBUG1  : volatility.obj      : None object instantiated: Could not 
read_long_phys at offset 0x3ffffffff040L
DEBUG1  : volatility.obj      : None object instantiated: No suggestions 
available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Failed 
valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxSuse12_3x64 selected
 IA32PagedMemory: Incompatible profile LinuxSuse12_3x64 selected
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

What is the expected output? 
Good stuff

What do you see instead?
Sadness: IA32PagedMemory: Incompatible profile LinuxSuse12_3x64 selected

What version of the product are you using? 
Volatility 2.3 (from SVN)
Lime revision 15 (from SVN)
Also tried a raw capture using fmem_1.6-1, exactly the same result 

On what operating system?
OpenSuse 12.3 x86_64

Please provide any additional information below.
I can try this on another kernel version or Suse install. 

Original issue reported on code.google.com by relative...@gmail.com on 19 Jul 2013 at 8:06

GoogleCodeExporter commented 8 years ago

Original comment by michael.hale@gmail.com on 22 Jul 2013 at 12:22

GoogleCodeExporter commented 8 years ago
Can you paste the exact steps and output of how you built the profile, 
including the downloading of any kernel packages, uname -a on the machine being 
investigated, and the name of the packaged used?

Original comment by atc...@gmail.com on 22 Jul 2013 at 12:24

GoogleCodeExporter commented 8 years ago
Looks like this was due to an issue with Lime creating a bad dump. I've since 
been able to get a proper Lime dump and have volatility work on it under Suse 
12.3 and Volatility 2.3  

Original comment by relative...@gmail.com on 16 Aug 2013 at 3:08

GoogleCodeExporter commented 8 years ago

Original comment by atc...@gmail.com on 18 Sep 2013 at 3:03