I'm trying to integrate the libvmi Python bindings with the Volatility project. I created a CentOS Stream 8 virtual machine using libvirt, and I can access it normally through libvmi:
$ virsh list
 Id   Name                    State
---------------------------------------
 1    centosStream8_default   running
DEBUG : volatility.debug : centos8Stream: Found dwarf file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1007 symbols
DEBUG : volatility.debug : centos8Stream: Found system file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : centos8Stream: Found dwarf file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1007 symbols
DEBUG : volatility.debug : centos8Stream: Found system file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareMetaAddressSpace: Location is not of file scheme
VMWareAddressSpace: Invalid VMware signature: -
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
WindowsAMD64PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile Linuxcentos8Streamx64 selected
IA32PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
OSXPmemELF: ELF Header signature invalid
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.vmi.VMIAddressSpace object at 0x7d793dfc7e50>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel
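An added example, not part of the original post: a small Python triage of the "Tried to open image as:" list quoted above. The list holds one entry per address space per voting round, so the script keeps each class's last recorded reason and separates the entries that report "Failed valid Address Space check" from those that were never applicable. The category names and the function names `triage` and `needs_investigation` are assumptions made for this example, and the sample is a shortened excerpt of the post's output.

```python
import re

# Constructed excerpt: a subset of the failure list shown in the post.
SAMPLE = """\
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 QemuCoreDumpElf: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemory: No base Address Space
 LimeAddressSpace: Invalid Lime header signature
 QemuCoreDumpElf: ELF Header signature invalid
 LinuxAMD64PagedMemory: Failed valid Address Space check
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
 VMIAddressSpace: Must be first Address Space
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
"""

ENTRY = re.compile(r"^\s*(\w+): (.+)$")

# Hypothetical category labels for this example; the first matching pattern wins.
CATEGORIES = [
    ("no_base", re.compile(r"need base|No base Address Space")),
    ("base_only", re.compile(r"Must be first Address Space")),
    ("wrong_profile", re.compile(r"Incompatible profile|not available in profile")),
    ("wrong_format", re.compile(r"signature|not of file scheme", re.I)),
    ("failed_validation", re.compile(r"Failed valid Address Space check")),
]

def triage(text):
    """Map each address space to the category of its last recorded failure."""
    _, _, body = text.partition("Tried to open image as:")
    last = {}
    for line in body.splitlines():
        m = ENTRY.match(line)
        if m:
            last[m.group(1)] = m.group(2)  # a later round overwrites "no base"
    return {name: next((c for c, rx in CATEGORIES if rx.search(reason)), "other")
            for name, reason in last.items()}

def needs_investigation(text):
    """Address spaces that were tried on a base layer and failed their own check."""
    return [n for n, c in triage(text).items() if c == "failed_validation"]

if __name__ == "__main__":
    for name, cat in triage(SAMPLE).items():
        print(f"{name:24} {cat}")
    print("investigate:", needs_investigation(SAMPLE))
```
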