cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

volatility problem #1042

Closed sarulon closed 8 years ago

sarulon commented 8 years ago

```
2016-08-14 23:56:43,795 [volatility.utils] DEBUG: Voting round
2016-08-14 23:56:43,808 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
2016-08-14 23:56:43,810 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
2016-08-14 23:56:43,819 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
2016-08-14 23:56:43,829 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
2016-08-14 23:56:43,840 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
2016-08-14 23:56:43,842 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
2016-08-14 23:56:43,842 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
2016-08-14 23:56:43,843 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
2016-08-14 23:56:43,843 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
2016-08-14 23:56:43,844 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
2016-08-14 23:56:43,844 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
2016-08-14 23:56:43,845 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
2016-08-14 23:56:43,846 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
2016-08-14 23:56:43,846 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
2016-08-14 23:56:43,847 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
2016-08-14 23:56:43,847 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
2016-08-14 23:56:43,850 [volatility.obj] DEBUG: Applying modification from BasicObjectClasses
2016-08-14 23:56:43,851 [volatility.obj] DEBUG: Applying modification from BigPageTableMagic
2016-08-14 23:56:43,851 [volatility.obj] DEBUG: Applying modification from ControlAreaModification
2016-08-14 23:56:43,852 [volatility.obj] DEBUG: Applying modification from ELF32Modification
2016-08-14 23:56:43,852 [volatility.obj] DEBUG: Applying modification from ELF64Modification
2016-08-14 23:56:43,853 [volatility.obj] DEBUG: Applying modification from ELFModification
2016-08-14 23:56:43,853 [volatility.obj] DEBUG: Applying modification from HPAKVTypes
2016-08-14 23:56:43,854 [volatility.obj] DEBUG: Applying modification from HandleTableEntryPreWin8
2016-08-14 23:56:43,855 [volatility.obj] DEBUG: Applying modification from IEHistoryVTypes
2016-08-14 23:56:43,855 [volatility.obj] DEBUG: Applying modification from LimeTypes
2016-08-14 23:56:43,856 [volatility.obj] DEBUG: Applying modification from MachoModification
2016-08-14 23:56:43,856 [volatility.obj] DEBUG: Applying modification from MachoTypes
2016-08-14 23:56:43,857 [volatility.obj] DEBUG: Applying modification from MbrObjectTypes
2016-08-14 23:56:43,857 [volatility.obj] DEBUG: Applying modification from PoolTagModification
2016-08-14 23:56:43,858 [volatility.obj] DEBUG: Applying modification from PoolTrackTagOverlay
2016-08-14 23:56:43,858 [volatility.obj] DEBUG: Applying modification from SSLKeyModification
2016-08-14 23:56:43,859 [volatility.obj] DEBUG: Applying modification from UnloadedDriverVTypes
2016-08-14 23:56:43,859 [volatility.obj] DEBUG: Applying modification from VMwareVTypesModification
2016-08-14 23:56:43,860 [volatility.obj] DEBUG: Applying modification from VirtualBoxModification
2016-08-14 23:56:43,861 [volatility.obj] DEBUG: Applying modification from Vista2008Tcpip
2016-08-14 23:56:43,862 [volatility.obj] DEBUG: Applying modification from Win32KGahtiVType
2016-08-14 23:56:43,862 [volatility.obj] DEBUG: Applying modification from Win32Kx86VTypes
2016-08-14 23:56:43,863 [volatility.obj] DEBUG: Applying modification from Win7SP01Syscalls
2016-08-14 23:56:43,864 [volatility.obj] DEBUG: Applying modification from Win7SP1x86GuiVTypes
2016-08-14 23:56:43,865 [volatility.obj] DEBUG: Applying modification from Win7Vista2008x86Timers
2016-08-14 23:56:43,866 [volatility.obj] DEBUG: Applying modification from WinSyscallsAttribute
2016-08-14 23:56:43,868 [volatility.obj] DEBUG: Applying modification from Win7GuiOverlay
2016-08-14 23:56:43,869 [volatility.obj] DEBUG: Applying modification from Win7Tcpip
2016-08-14 23:56:43,870 [volatility.obj] DEBUG: Applying modification from WindowsVTypes
2016-08-14 23:56:43,870 [volatility.obj] DEBUG: Applying modification from AtomTablex86Overlay
2016-08-14 23:56:43,872 [volatility.obj] DEBUG: Applying modification from HiberWin7SP01x86
2016-08-14 23:56:43,873 [volatility.obj] DEBUG: Applying modification from ObjectTypeKeyModification
2016-08-14 23:56:43,873 [volatility.obj] DEBUG: Applying modification from PoolTrackTypeOverlay
2016-08-14 23:56:43,874 [volatility.obj] DEBUG: Applying modification from ProcessAuditVTypes
2016-08-14 23:56:43,875 [volatility.obj] DEBUG: Applying modification from WindowsOverlay
2016-08-14 23:56:43,883 [volatility.obj] DEBUG: Applying modification from CallbackMods
2016-08-14 23:56:43,883 [volatility.obj] DEBUG: Applying modification from EThreadCreateTime
2016-08-14 23:56:43,885 [volatility.obj] DEBUG: Applying modification from MalwarePspCid
2016-08-14 23:56:43,887 [volatility.obj] DEBUG: Applying modification from MalwareWSPVTypes
2016-08-14 23:56:43,888 [volatility.obj] DEBUG: Applying modification from TimerVTypes
2016-08-14 23:56:43,888 [volatility.obj] DEBUG: Applying modification from UserAssistVTypes
2016-08-14 23:56:43,889 [volatility.obj] DEBUG: Applying modification from VadFlagsModification
2016-08-14 23:56:43,889 [volatility.obj] DEBUG: Applying modification from VadTagModification
2016-08-14 23:56:43,891 [volatility.obj] DEBUG: Applying modification from VistaPolicyKey
2016-08-14 23:56:43,892 [volatility.obj] DEBUG: Applying modification from VistaVad
2016-08-14 23:56:43,893 [volatility.obj] DEBUG: Applying modification from VistaWin7KPCR
2016-08-14 23:56:43,894 [volatility.obj] DEBUG: Applying modification from Win7LdrDataTableEntry
2016-08-14 23:56:43,895 [volatility.obj] DEBUG: Applying modification from Win7Pointer64
2016-08-14 23:56:43,896 [volatility.obj] DEBUG: Applying modification from Win7SP1CMHIVE
2016-08-14 23:56:43,897 [volatility.obj] DEBUG: Applying modification from Win7x86DTB
2016-08-14 23:56:43,898 [volatility.obj] DEBUG: Applying modification from Win7x86Hiber
2016-08-14 23:56:43,900 [volatility.obj] DEBUG: Applying modification from WinAllTime
2016-08-14 23:56:43,902 [volatility.obj] DEBUG: Applying modification from WinPEObjectClasses
2016-08-14 23:56:43,903 [volatility.obj] DEBUG: Applying modification from WinPEVTypes
2016-08-14 23:56:43,903 [volatility.obj] DEBUG: Applying modification from WindowsObjectClasses
2016-08-14 23:56:43,904 [volatility.obj] DEBUG: Applying modification from AudipolWin7
2016-08-14 23:56:43,905 [volatility.obj] DEBUG: Applying modification from CmdHistoryObjectClasses
2016-08-14 23:56:43,906 [volatility.obj] DEBUG: Applying modification from CmdHistoryVTypesWin7x86
2016-08-14 23:56:43,906 [volatility.obj] DEBUG: Applying modification from CrashInfoModification
2016-08-14 23:56:43,908 [volatility.obj] DEBUG: Applying modification from DumpFilesVTypesx86
2016-08-14 23:56:43,909 [volatility.obj] DEBUG: Applying modification from HeapModification
2016-08-14 23:56:43,911 [volatility.obj] DEBUG: Applying modification from KDBGObjectClass
2016-08-14 23:56:43,913 [volatility.obj] DEBUG: Applying modification from KPCRProfileModification
2016-08-14 23:56:43,917 [volatility.obj] DEBUG: Applying modification from MFTTYPES
2016-08-14 23:56:43,918 [volatility.obj] DEBUG: Applying modification from MalwareDrivers
2016-08-14 23:56:43,918 [volatility.obj] DEBUG: Applying modification from MalwareIDTGDTx86
2016-08-14 23:56:43,920 [volatility.obj] DEBUG: Applying modification from MalwareKthread
2016-08-14 23:56:43,926 [volatility.obj] DEBUG: Applying modification from NetscanObjectClasses
2016-08-14 23:56:43,926 [volatility.obj] DEBUG: Applying modification from ServiceBase
2016-08-14 23:56:43,927 [volatility.obj] DEBUG: Applying modification from ShellBagsTypesWin7
2016-08-14 23:56:43,929 [volatility.obj] DEBUG: Applying modification from ShimCacheTypesWin7x86
2016-08-14 23:56:43,929 [volatility.obj] DEBUG: Applying modification from UserAssistWin7VTypes
2016-08-14 23:56:43,930 [volatility.obj] DEBUG: Applying modification from VistaObjectClasses
2016-08-14 23:56:43,931 [volatility.obj] DEBUG: Applying modification from Win32KCoreClasses
2016-08-14 23:56:43,932 [volatility.obj] DEBUG: Applying modification from Win7KDBG
2016-08-14 23:56:43,933 [volatility.obj] DEBUG: Applying modification from Win7ObjectClasses
2016-08-14 23:56:43,934 [volatility.obj] DEBUG: Applying modification from ServiceVista
2016-08-14 23:56:43,935 [volatility.obj] DEBUG: Applying modification from ServiceVistax86
2016-08-14 23:56:43,937 [volatility.obj] DEBUG: Applying modification from Win7Win32KCoreClasses
2016-08-14 23:56:44,006 [volatility.utils] DEBUG: Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f096fa7b5d0>
2016-08-14 23:56:44,007 [volatility.utils] DEBUG: Voting round
2016-08-14 23:56:44,008 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
2016-08-14 23:56:44,008 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
2016-08-14 23:56:44,009 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
2016-08-14 23:56:44,010 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
2016-08-14 23:56:44,011 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
2016-08-14 23:56:44,011 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
2016-08-14 23:56:44,012 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
2016-08-14 23:56:44,013 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
2016-08-14 23:56:44,014 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
2016-08-14 23:56:44,030 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
2016-08-14 23:56:44,031 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
2016-08-14 23:56:44,031 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
2016-08-14 23:56:44,032 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
2016-08-14 23:56:44,065 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
2016-08-14 23:56:44,098 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
2016-08-14 23:56:44,098 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
2016-08-14 23:56:44,099 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
2016-08-14 23:56:44,132 [volatility.utils] DEBUG: Voting round
2016-08-14 23:56:44,132 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
2016-08-14 23:56:44,133 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
2016-08-14 23:56:44,133 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
2016-08-14 23:56:44,134 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
2016-08-14 23:56:44,134 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
2016-08-14 23:56:44,135 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
2016-08-14 23:56:44,136 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
2016-08-14 23:56:44,136 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
2016-08-14 23:56:44,137 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
2016-08-14 23:56:44,137 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
2016-08-14 23:56:44,138 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
2016-08-14 23:56:44,138 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
2016-08-14 23:56:44,139 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
2016-08-14 23:56:44,139 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
2016-08-14 23:56:44,140 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
2016-08-14 23:56:44,140 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
2016-08-14 23:56:44,141 [volatility.utils] DEBUG: Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f096c103550>
2016-08-14 23:56:44,141 [volatility.utils] DEBUG: Voting round
2016-08-14 23:56:44,142 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
2016-08-14 23:56:44,142 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
2016-08-14 23:56:44,143 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
2016-08-14 23:56:44,144 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
2016-08-14 23:56:44,144 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
2016-08-14 23:56:44,145 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
2016-08-14 23:56:44,146 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
2016-08-14 23:56:44,146 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
2016-08-14 23:56:44,147 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
2016-08-14 23:56:44,161 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
2016-08-14 23:56:44,162 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
2016-08-14 23:56:44,162 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
2016-08-14 23:56:44,163 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
2016-08-14 23:56:44,164 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
2016-08-14 23:56:44,164 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
2016-08-14 23:56:44,165 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
2016-08-14 23:56:44,165 [volatility.utils] DEBUG: Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
2016-08-14 23:56:44,174 [modules.processing.memory] ERROR: Generic error executing volatility
Traceback (most recent call last):
  File "/home/alex/cuckoo/modules/processing/memory.py", line 1028, in run
    results = VolatilityManager(self.memory_path).run()
  File "/home/alex/cuckoo/modules/processing/memory.py", line 948, in run
    vol = VolatilityAPI(self.memfile, self.osprofile)
  File "/home/alex/cuckoo/modules/processing/memory.py", line 59, in __init__
    self.init_config()
  File "/home/alex/cuckoo/modules/processing/memory.py", line 113, in init_config
    self.addr_space = utils.load_as(self.config)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.4-py2.7.egg/volatility/utils.py", line 65, in load_as
    raise error
AddrSpaceError: No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 VMWareAddressSpace: Cannot find the Memory tag
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile Win7SP1x86 selected
 IA32PagedMemoryPae: No valid DTB found
 IA32PagedMemory: No valid DTB found
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: No valid DTB found
```

doomedraven commented 8 years ago

Try updating to vol 2.5, and do you have a VM profile defined in your machinery config?

sarulon commented 8 years ago

Yes, the profile is Win7SP1x86. I have Volatility version 2.4.

doomedraven commented 8 years ago

Update to the latest 2.5.

jbremer commented 8 years ago

Please start with @doomedraven's suggestion and let us know how that works out for you.

Limbolindi commented 8 years ago

Same error, but with vol 2.5.

@sarulon have you checked your mem.dump file? -> mine exists, but it is empty (size 0) --> I guess the vol. error is because of the empty "dump"?

doomedraven commented 8 years ago

Can you execute `vol.py -f memory.dmp --profile your_profile_here imageinfo` and put the output here?

Limbolindi commented 8 years ago

I'm not sure about the SP (but both SP0 / SP1 give the same output).

```
mli@CDC-CUCKOO-CLUSTER-MASTER-01:/sandbox/cuckoo/storage/analyses/1$ vol.py -f memory.dmp --profile Win7SP1x86 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (/sandbox/cuckoo/storage/analyses/1/memory.dmp)
                      PAE type : No PAE
```

```
mli@CDC-CUCKOO-CLUSTER-MASTER-01:/sandbox/cuckoo/storage/analyses/1$ ls -la | grep memory.dmp
-rw-rw-r-- 1 mli mli 0 Aug 19 16:26 memory.dmp
```

*and yeah, my clock is wrong^^

doomedraven commented 8 years ago

And the output of `vol.py -f memory.dmp --profile your_profile_here kdbgscan`? Which virtualization software do you use? It looks like it takes broken dumps.

Limbolindi commented 8 years ago

I'm pretty sure it's the mem.dump causing this problem ;D

905 #901

```
mli@CDC-CUCKOO-CLUSTER-MASTER-01:/sandbox/cuckoo/storage/analyses/1$ vol.py -f memory.dmp --profile Win7SP1x86 kdbgscan
Volatility Foundation Volatility Framework 2.5
mli@CDC-CUCKOO-CLUSTER-MASTER-01:/sandbox/cuckoo/storage/analyses/1$
```

doomedraven commented 8 years ago

Which machinery do you use?

Limbolindi commented 8 years ago

Now I'm using vsphere, because esx doesn't support mem-dumps.

jgajek commented 8 years ago

Can you post the cuckoo log from the analysis? The vSphere machinery module is supposed to create a snapshot of the analysis VM, download the .vmsn snapshot file to memory.dmp, then delete the snapshot.

Limbolindi commented 8 years ago

```
2016-08-19 18:00:08,147 [lib.cuckoo.core.resultserver] DEBUG: File upload request for files/61d147f3d5b8c8f8_pafish.log
2016-08-19 18:00:08,148 [lib.cuckoo.core.resultserver] DEBUG: Uploaded file length: 732
2016-08-19 18:00:08,964 [lib.cuckoo.core.guest] INFO: analysis1: analysis completed successfully
2016-08-19 18:00:08,973 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2016-08-19 18:00:09,208 [modules.machinery.vsphere] INFO: Creating snapshot cuckoo_memdump_410673 for machine CDC-CUCKOO-CLUSTER-SLAVE-WIN7-000
2016-08-19 18:00:12,301 [modules.machinery.vsphere] INFO: Downloading memory dump [CDC_ERNA_Internal_Storage] CDC-CUCKOO-CLUSTER-SLAVE-WIN7-01/CDC-CUCKOO-CLUSTER-SLAVE-WIN7-01-Snapshot14.vmsn to /sandbox/cuckoo/storage/analyses/2/memory.dmp
2016-08-19 18:00:12,344 [modules.machinery.vsphere] INFO: Removing snapshot cuckoo_memdump_410673 for machine CDC-CUCKOO-CLUSTER-SLAVE-WIN7-000
2016-08-19 18:00:14,670 [modules.machinery.vsphere] INFO: Powering off virtual machine CDC-CUCKOO-CLUSTER-SLAVE-WIN7-000
2016-08-19 18:00:16,745 [lib.cuckoo.core.scheduler] DEBUG: Released database task #2
2016-08-19 18:00:16,788 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" on analysis at "/sandbox/cuckoo/storage/analyses/2"
```

(Do you need the whole *.log file?)

jgajek commented 8 years ago

This log is sufficient. It seems to be doing what it's supposed to, but the .vmsn file should not be empty. Which version of ESXi are you running?

sarulon commented 8 years ago

@doomedraven here is the vol.py output for memory.dmp:

```
vol.py -f cuckoo/storage/analyses/15/memory.dmp --profile Win7SP0x86 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (/home/alex/cuckoo/storage/analyses/15/memory.dmp)
                      PAE type : No PAE
```

```
-rw-r--r-- 1 root root 9.6M Aug 25 10:45 cuckoo/storage/analyses/15/memory.dmp
```

Running on ESXi 6.0.

jgajek commented 8 years ago

@sarulon The size of the memory.dmp file is too small. Please try with the updated version of the vSphere machinery module, which should fetch the correct file.
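
The two failure states reported in this thread (a 0-byte memory.dmp, and a 9.6M memory.dmp for a guest that should produce far more, both of which make `imageinfo` answer "No suggestion") can be caught before Volatility is ever invoked. The script below is an added example and is not code from the Cuckoo project: `check_memory_dump` classifies a dump by size and content, and `suggested_profiles` parses the `Suggested Profile(s)` line of `imageinfo` output so that "No suggestion" is detected programmatically. The 50% threshold, the 1 MiB head sample, the 4 MiB toy guest RAM and the constructed files in `demo()` are all assumptions for illustration.

```python
"""Pre-flight checks for a Cuckoo memory.dmp before handing it to Volatility.

Added example, not Cuckoo project code. Thresholds and the guest RAM size
are assumptions; adjust them to the analysis VM actually in use.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumption: a raw dump of a guest should be close to the guest's RAM size.
# A file below this fraction is treated as "the wrong file was fetched".
MIN_FRACTION_OF_GUEST_RAM = 0.5
# Assumption: only the first MiB is inspected for the all-zeros case.
HEAD_SAMPLE_BYTES = 1024 * 1024


@dataclass
class DumpVerdict:
    ok: bool
    reason: str  # one of: missing, empty, too_small, zero_filled, plausible
    size: int


def check_memory_dump(path: str, guest_ram_bytes: int) -> DumpVerdict:
    """Classify memory.dmp as missing, empty, too small, zero-filled or plausible."""
    if not os.path.isfile(path):
        return DumpVerdict(False, "missing", 0)
    size = os.path.getsize(path)
    if size == 0:
        # The state seen in the thread: the machinery ran but captured nothing.
        return DumpVerdict(False, "empty", 0)
    if size < guest_ram_bytes * MIN_FRACTION_OF_GUEST_RAM:
        # Also seen in the thread: a few MiB for a guest with far more RAM,
        # i.e. the downloaded file is not the guest's memory image.
        return DumpVerdict(False, "too_small", size)
    with open(path, "rb") as fh:
        head = fh.read(HEAD_SAMPLE_BYTES)
    if head.count(0) == len(head):
        return DumpVerdict(False, "zero_filled", size)
    return DumpVerdict(True, "plausible", size)


_SUGGESTED = re.compile(r"Suggested Profile\(s\)\s*:\s*(.+)")


def suggested_profiles(imageinfo_output: str) -> list:
    """Return the profile names from `vol.py ... imageinfo` output.

    Returns [] when Volatility prints 'No suggestion', which is exactly
    what an empty or wrong-format dump produces.
    """
    m = _SUGGESTED.search(imageinfo_output)
    if not m:
        return []
    value = m.group(1).strip()
    if value.startswith("No suggestion"):
        return []
    # Volatility separates candidates with ", " and may append a parenthesised note.
    value = re.sub(r"\s*\(.*\)$", "", value)
    return [p.strip() for p in value.split(",") if p.strip()]


def demo() -> dict:
    """Run the checks on constructed files (not real dumps) and return the verdicts."""
    guest_ram = 4 * 1024 * 1024  # assumed toy guest RAM so the demo stays small
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "empty": b"",
            "too_small": b"\x00" * (64 * 1024),          # tiny file, like a metadata blob
            "zero_filled": b"\x00" * guest_ram,           # right size, no content
            "plausible": bytes(range(256)) * (guest_ram // 256),
        }
        for name, payload in cases.items():
            p = os.path.join(tmp, f"{name}.dmp")
            with open(p, "wb") as fh:
                fh.write(payload)
            results[name] = check_memory_dump(p, guest_ram)
        results["missing"] = check_memory_dump(os.path.join(tmp, "nope.dmp"), guest_ram)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> ok={verdict.ok} reason={verdict.reason} size={verdict.size}")
```

Running this as a step in the processing pipeline, before the Volatility call, turns the long `AddrSpaceError` trace above into a single actionable message about the dump itself, which is where the problem in this thread actually lay.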

sarulon commented 8 years ago

@jgajek where can I get the updated module?

jgajek commented 8 years ago

@sarulon It's been merged in this git repo.

https://github.com/cuckoosandbox/cuckoo/blob/master/modules/machinery/vsphere.py

sarulon commented 8 years ago

@jgajek it's working, thanks.