libvmi / python

LibVMI Python bindings
http://libvmi.com/
GNU Lesser General Public License v3.0

I have a problem, I hope you can answer it. #84

Open lryzxy opened 2 years ago

lryzxy commented 2 years ago

root@ubuntu:/home/ha/Documents/volatility# python vol.py -d -l vmi://ubuntu16 pslist
Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from BigPageTableMagic
DEBUG : volatility.debug : Applying modification from ControlAreaModification
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8
DEBUG : volatility.debug : Applying modification from IEHistoryVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from PoolTagModification
DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay
DEBUG : volatility.debug : Applying modification from SSLKeyModification
DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from Win32KGahtiVType
DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes
DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute
DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject
DEBUG : volatility.debug : Applying modification from WinXPSyscalls
DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes
DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType
DEBUG : volatility.debug : Applying modification from WindowsVTypes
DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay
DEBUG : volatility.debug : Applying modification from EVTObjectTypes
DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification
DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes
DEBUG : volatility.debug : Applying modification from WindowsOverlay
DEBUG : volatility.debug : Applying modification from CallbackMods
DEBUG : volatility.debug : Applying modification from MalwarePspCid
DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes
DEBUG : volatility.debug : Applying modification from TimerVTypes
DEBUG : volatility.debug : Applying modification from TokenXP2003
DEBUG : volatility.debug : Applying modification from UserAssistVTypes
DEBUG : volatility.debug : Applying modification from VadFlagsModification
DEBUG : volatility.debug : Applying modification from VadTagModification
DEBUG : volatility.debug : Applying modification from WinAllTime
DEBUG : volatility.debug : Applying modification from WinPEObjectClasses
DEBUG : volatility.debug : Applying modification from WinPEVTypes
DEBUG : volatility.debug : Applying modification from WinXPTrim
DEBUG : volatility.debug : Applying modification from WinXPx86Vad
DEBUG : volatility.debug : Applying modification from WindowsObjectClasses
DEBUG : volatility.debug : Applying modification from XPOverlay
DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay
DEBUG : volatility.debug : Applying modification from AuditpolTypesXP
DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses
DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86
DEBUG : volatility.debug : Applying modification from CrashInfoModification
DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86
DEBUG : volatility.debug : Applying modification from HeapModification
DEBUG : volatility.debug : Applying modification from KDBGObjectClass
DEBUG : volatility.debug : Applying modification from KPCRProfileModification
DEBUG : volatility.debug : Applying modification from MFTTYPES
DEBUG : volatility.debug : Applying modification from MalwareDrivers
DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86
DEBUG : volatility.debug : Applying modification from MalwareKthread
DEBUG : volatility.debug : Applying modification from ServiceBase
DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP
DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86
DEBUG : volatility.debug : Applying modification from Win10ObjectClasses
DEBUG : volatility.debug : Applying modification from Win32KCoreClasses
DEBUG : volatility.debug : Applying modification from XPHeapModification
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.linux.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from BigPageTableMagic
DEBUG : volatility.debug : Applying modification from ControlAreaModification
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8
DEBUG : volatility.debug : Applying modification from IEHistoryVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from PoolTagModification
DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay
DEBUG : volatility.debug : Applying modification from SSLKeyModification
DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from Win32KGahtiVType
DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes
DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute
DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject
DEBUG : volatility.debug : Applying modification from WinXPSyscalls
DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes
DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType
DEBUG : volatility.debug : Applying modification from WindowsVTypes
DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay
DEBUG : volatility.debug : Applying modification from EVTObjectTypes
DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification
DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes
DEBUG : volatility.debug : Applying modification from WindowsOverlay
DEBUG : volatility.debug : Applying modification from CallbackMods
DEBUG : volatility.debug : Applying modification from MalwarePspCid
DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes
DEBUG : volatility.debug : Applying modification from TimerVTypes
DEBUG : volatility.debug : Applying modification from TokenXP2003
DEBUG : volatility.debug : Applying modification from UserAssistVTypes
DEBUG : volatility.debug : Applying modification from VadFlagsModification
DEBUG : volatility.debug : Applying modification from VadTagModification
DEBUG : volatility.debug : Applying modification from WinAllTime
DEBUG : volatility.debug : Applying modification from WinPEObjectClasses
DEBUG : volatility.debug : Applying modification from WinPEVTypes
DEBUG : volatility.debug : Applying modification from WinXPTrim
DEBUG : volatility.debug : Applying modification from WinXPx86Vad
DEBUG : volatility.debug : Applying modification from WindowsObjectClasses
DEBUG : volatility.debug : Applying modification from XPOverlay
DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay
DEBUG : volatility.debug : Applying modification from AuditpolTypesXP
DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses
DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86
DEBUG : volatility.debug : Applying modification from CrashInfoModification
DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86
DEBUG : volatility.debug : Applying modification from HeapModification
DEBUG : volatility.debug : Applying modification from KDBGObjectClass
DEBUG : volatility.debug : Applying modification from KPCRProfileModification
DEBUG : volatility.debug : Applying modification from MFTTYPES
DEBUG : volatility.debug : Applying modification from MalwareDrivers
DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86
DEBUG : volatility.debug : Applying modification from MalwareKthread
DEBUG : volatility.debug : Applying modification from ServiceBase
DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP
DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86
DEBUG : volatility.debug : Applying modification from Win10ObjectClasses
DEBUG : volatility.debug : Applying modification from Win32KCoreClasses
DEBUG : volatility.debug : Applying modification from XPHeapModification
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 VMIAddressSpace: The LibVMI python bindings must be installed
 FileAddressSpace: Location is not of file scheme
 ArmAddressSpace: No base Address Space

Wenzel commented 2 years ago

It's written in the logs: VMIAddressSpace: The LibVMI python bindings must be installed

The libvmi python bindings are not found on your system or in the virtualenv you are using.

lryzxy commented 2 years ago

It's written in the logs: VMIAddressSpace: The LibVMI python bindings must be installed

The libvmi python bindings are not found on your system or in the virtualenv you are using.

I followed the documentation for the bindings, and I put the vmi.py file in the appropriate directory, but again the following error occurred:

root@ubuntu:/home/ha/Documents/volatility# python vol.py -l vmi://ubuntu18 --profile=LinuxUbuntu1804x64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 148, in main
    registry.register_global_options(config, addrspace.BaseAddressSpace)
  File "/home/ha/Documents/volatility/volatility/registry.py", line 157, in register_global_options
    for m in get_plugin_classes(cls, True).values():
  File "/home/ha/Documents/volatility/volatility/registry.py", line 152, in get_plugin_classes
    raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object VMIAddressSpace has already been defined by <class 'volatility.plugins.linux.vmi.VMIAddressSpace'>
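The two failures in this thread have different causes: the first run could not import the LibVMI Python bindings from the interpreter Volatility was running under, and the second run registered a class named VMIAddressSpace from two plugin modules, which Volatility 2's registry refuses. The diagnostic below is an added example, not code from this thread, from the libvmi project or from Volatility; it assumes the bindings are imported under the name "libvmi", and the plugin tree it scans is a constructed fixture (vmi.py copied into two directories) rather than a real Volatility checkout.

```python
# Added diagnostic for the two errors above (not from the thread or the libvmi project).
import ast
import importlib.util
import os
import tempfile
from collections import defaultdict


def bindings_importable(module_name="libvmi"):
    """True if `module_name` resolves on sys.path for this interpreter.

    VMIAddressSpace reports "The LibVMI python bindings must be installed" when
    its import of the bindings fails, so run this with the same python (and
    virtualenv) that runs vol.py. The default "libvmi" is the assumed import
    name of the bindings.
    """
    return importlib.util.find_spec(module_name) is not None


def find_duplicate_classes(plugin_root):
    """Return {class_name: [files]} for class names defined in more than one
    .py file under `plugin_root`.

    Volatility 2's registry raises "Object X has already been defined by Y"
    when two plugin modules define a class with the same name, which is what a
    vmi.py copied into more than one plugin directory produces. Modules are
    parsed with ast, not imported, so nothing in the tree is executed.
    """
    seen = defaultdict(list)
    for dirpath, _dirs, files in os.walk(plugin_root):
        for fname in files:
            if not fname.endswith(".py"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8") as fh:
                source = fh.read()
            try:
                tree = ast.parse(source, filename=path)
            except SyntaxError:
                continue  # a plugin that does not parse is a separate problem
            for node in ast.walk(tree):
                if isinstance(node, ast.ClassDef):
                    seen[node.name].append(os.path.relpath(path, plugin_root))
    return {name: sorted(paths) for name, paths in seen.items() if len(paths) > 1}


def build_sample_tree():
    """Constructed fixture (not a real Volatility checkout): a plugins tree
    with vmi.py in both addrspaces/ and linux/, plus one unrelated module."""
    root = tempfile.mkdtemp(prefix="volplugins_")
    vmi_src = "class VMIAddressSpace(object):\n    pass\n"
    for sub in ("addrspaces", "linux"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "vmi.py"), "w", encoding="utf-8") as fh:
            fh.write(vmi_src)
    with open(os.path.join(root, "addrspaces", "standard.py"), "w", encoding="utf-8") as fh:
        fh.write("class FileAddressSpace(object):\n    pass\n")
    return root


if __name__ == "__main__":
    print("libvmi bindings importable:", bindings_importable())
    root = build_sample_tree()
    for name, paths in find_duplicate_classes(root).items():
        print("duplicate plugin class %s defined in: %s" % (name, ", ".join(paths)))
```

On a real installation, point find_duplicate_classes at the volatility/plugins directory of the checkout and delete all but one copy of vmi.py; then re-run bindings_importable with the interpreter that launches vol.py, since a binding installed for one python and a vol.py run under another produces exactly the first error.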

Wenzel commented 2 years ago

It seems that the python2 VMIAddressSpace might not be working anymore.

Python2 itself is deprecated, you should have a look at Volatility3: https://github.com/volatilityfoundation/volatility3/

Also, libmicrovmi is another library that already provides a bridge to volatility3; here is a tutorial: https://wenzel.github.io/libmicrovmi/tutorial/volatility3_xen.html

I hope this will help.

lryzxy commented 2 years ago

@Wenzel Thanks