libvmi / python

LibVMI Python bindings
http://libvmi.com/
GNU Lesser General Public License v3.0

No suitable address space mapping found #53

Open darshantank opened 4 years ago

darshantank commented 4 years ago

I'm trying to use LibVMI python bindings to introspect my VMs (win7 and ubuntu).

When I run the command, I get the following message on my terminal.

# python vol.py -l vmi://win7Guest --profile=Win7SP1x64 pslist

Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 LimeAddressSpace - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 WindowsHiberFileSpace32 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 WindowsCrashDumpSpace64BitMap - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 WindowsCrashDumpSpace64 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 HPAKAddressSpace: Location is not of file scheme
 VMWareMetaAddressSpace: Location is not of file scheme
 VirtualBoxCoreDumpElf64 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 QemuCoreDumpElf - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 VMWareAddressSpace: Invalid VMware signature: -
 WindowsCrashDumpSpace32 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 SkipDuplicatesAMD64PagedMemory: Incompatible profile Win7SP1x64 selected
 WindowsAMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 LinuxAMD64PagedMemory: Incompatible profile Win7SP1x64 selected
 AMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 IA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
 IA32PagedMemory: Incompatible profile Win7SP1x64 selected
 OSXPmemELF - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
 VMIAddressSpace: Must be first Address Space
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Profile does not have valid Address Space check

I'm missing something somewhere. What are the possible causes of such a message?

Thanking you.

Wenzel commented 4 years ago

hi @darshantank

No suitable address space mapping found

This usually means that Volatility tried all available address spaces, and none of them has been selected.

VMIAddressSpace: Must be first Address Space

When the VMIAddressSpace was selected and tested, it required not to be stacked onto another address space.

You can ask Volatility devs for more information.

tklengyel commented 4 years ago

In the interim I would suggest just using the vmifs tool that's part of LibVMI and then running Volatility on that file as if it was a memory dump. I always found the VMIAddressSpace to be buggy and unreliable.

darshantank commented 4 years ago

@tklengyel Thanks for your concern and response.

I'm very much keen and interested to integrate LibVMI with Volatility framework.

I'm completely unaware of the functionality of the vmifs tool.

Sir, may I ask you, how do I use the vmifs tool with Volatility on a live virtual machine?

Could you please elaborate the steps?

Thanking you.

tklengyel commented 4 years ago

It's really straightforward. Compile it and it will tell you how to use it. It creates a file that represents the target VM's memory. You run Volatility on that file as if it was an ordinary memory dump.
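The vmifs workflow described above, written out as an added example (this is not code from the LibVMI project or from anyone in this thread). It assumes that the compiled `vmifs` binary is on PATH, that it takes `name <domain> <mountpoint>` and exposes the guest's physical memory as a single file called `mem` under the mountpoint, and that Volatility 2's `vol.py` is at `$VOL_PY` (default `./vol.py`); `win7Guest`, `/mnt/vmi` and the profile names are placeholders taken from the thread. The readiness check matters because pointing Volatility at a mountpoint before the FUSE file exists produces the same "No suitable address space mapping found" wall of text as the failing `vmi://` URL.

```shell
#!/bin/sh
# Added example: expose a running VM's memory through vmifs (a FUSE
# filesystem shipped with LibVMI) and run Volatility 2 on the exposed file
# as if it were a raw memory dump.
#
# Assumptions (not verified against the page): `vmifs name <domain> <mnt>`
# is the invocation, it backgrounds itself like other FUSE tools, and it
# exposes one file named `mem` under <mnt>. Domain, mountpoint and profile
# are placeholders.

# Build the Volatility command line for a vmifs-backed image.
# Arguments: mountpoint profile plugin
vol_cmd() {
    printf 'python %s -f %s/mem --profile=%s %s' \
        "${VOL_PY:-./vol.py}" "$1" "$2" "$3"
}

# True only when the vmifs mount actually exposes a readable `mem` file.
# Running Volatility before this holds yields "No suitable address space
# mapping found" for every address space it tries.
vmifs_mem_ready() {
    [ -f "$1/mem" ] && [ -r "$1/mem" ]
}

# Mount a domain's memory with vmifs and wait (up to ~30 s) for `mem`.
# Arguments: domain mountpoint
mount_vmifs() {
    domain=$1; mnt=$2
    mkdir -p "$mnt"
    vmifs name "$domain" "$mnt"
    i=0
    until vmifs_mem_ready "$mnt"; do
        i=$((i + 1))
        if [ "$i" -ge 30 ]; then
            echo "vmifs did not expose $mnt/mem" >&2
            return 1
        fi
        sleep 1
    done
}

# Usage: VMIFS_DEMO=1 sh this.sh win7Guest Win7SP1x64 pslist
main() {
    domain=${1:?domain name}
    profile=${2:?volatility profile}
    plugin=${3:-pslist}
    mnt=${MNT:-/mnt/vmi}

    mount_vmifs "$domain" "$mnt"
    echo "+ $(vol_cmd "$mnt" "$profile" "$plugin")" >&2
    # Run Volatility directly; the guest is introspected live through the
    # FUSE file, so the listing reflects the VM's state at read time.
    python "${VOL_PY:-./vol.py}" -f "$mnt/mem" --profile="$profile" "$plugin"
    fusermount -u "$mnt"
}

if [ "${VMIFS_DEMO:-0}" = 1 ]; then
    main "$@"
fi
```

Because the `mem` file is a live view rather than a snapshot, two plugins run in sequence can disagree (a process that exited between them, page tables that changed); pause the guest first if you need a consistent picture across plugins.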

darshantank commented 4 years ago

@tklengyel Thanks for your concern and response. I really appreciate your time and effort.

After following your instructions, I'm able to install volatility framework and integrate it with python-libvmi.

I'm able to run pslist plugin on my Windows 7 VM. But I'm unable to run any plugins on my Ubuntu 16.04.6 VM.

I have successfully created a new profile for my VM running Ubuntu 16.04.6 LTS as described at https://github.com/volatilityfoundation/volatility/wiki/Linux

and moved the zip file under 'volatility/plugins/overlays/linux/'.

# python vol.py --info | grep Linux

Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntu1604x64 - A Profile for Linux Ubuntu1604 x64
LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image

But when I run vol.py, it shows the following message on my terminal, and I do not get the list of running processes.

# python vol.py -l vmi://ubuntu_Guest --profile=LinuxUbuntu1604x64 linux_pslist

Offset Name Pid PPid Uid Gid DTB Start Time

No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 QemuCoreDumpElf: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 VMWareMetaAddressSpace: Location is not of file scheme
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Location is not of file scheme
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: -
 WindowsCrashDumpSpace32: Header signature invalid
 QemuCoreDumpElf: ELF Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
 WindowsAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
 LinuxAMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxUbuntu1604x64 selected
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
 OSXPmemELF: ELF Header signature invalid
 VMIAddressSpace: Must be first Address Space
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

I would greatly appreciate it if you kindly give us some feedback and share your views.

Thanks