search

bosstrojan / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Volatility failed to scan memory dump of Virtualbox #439

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
I done a memory dump with elf format using Virtualbox manager.

VBoxManage debugvm "image_name" dumpguestcore --filename test.elf
It worked well. Then I try to analyze the dump with volatility.

The imageinfo worked well and get the result.

volatility-2.2.standalone.exe -f test.elf imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : FileAddressSpace (C:\work\volatility\test.elf)
                      PAE type : No PAE
                           DTB : 0x2f3000L
                          KDBG : 0x5461d0
          Number of Processors : 0
     Image Type (Service Pack) : -
             KUSER_SHARED_DATA : 0xffdf0000L
It is failed When I tried to using pslist.

volatility-2.2.standalone.exe -f test.elf --profile=WinXPSP3x86 pslist
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64: Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile WinXPSP3x86 selected
 JKIA32PagedMemory: Failed valid Address Space check
 JKIA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space
Could anyone help to look at the issue why Volatility could not find "suitable 
address space mapping found" ???

Great thanks!!

Original issue reported on code.google.com by dennis.u...@gmail.com on 19 Aug 2013 at 2:00

GoogleCodeExporter commented 8 years ago 
You're using volatility-2.2.standalone.exe and the VirtualBox support wasn't 
added until 2.3. Please check out the 2.3 code from svn (see the Source tab of 
the project's google code page for instructions) if you want to use VirtualBox 
support. Otherwise, standalone exe's for 2.3 will be available on the Downloads 
page shortly (when 2.3 is released).

Original comment by michael.hale@gmail.com on 19 Aug 2013 at 4:13