mrm415 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Error [No suitable address space mapping found] at CentOS_X64_2.6.18-194.el5 _use volatility v2.3.1 #503

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hey all,

I have a problem generating a profile for CentOS 5.10.
I'm not sure whether the cause is the profile or the memory dump file.
I've used libdwarf-20140519.tar.gz, lime-forensics-1.1-r17 and the kernel
version CentOS 2.6.18-371.9.1.el5.x86_64 with volatility 3.2.1

What is the expected output? What do you see instead?

# vol -f /tmp/centos.lime -dd --profile=LinuxCentOS510x64 linux_netstat
Volatility Foundation Volatility Framework 2.3.1
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS510: Found dwarf file 
boot/System.map-2.6.18-371.9.1.el5 with 378 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS510: Found system file 
boot/System.map-2.6.18-371.9.1.el5 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.obj      : Applying modification from Linux64ObjectClasses
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS510: Found dwarf file 
boot/System.map-2.6.18-371.9.1.el5 with 378 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS510: Found system file 
boot/System.map-2.6.18-371.9.1.el5 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.obj      : Applying modification from Linux64ObjectClasses
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 
0x2b38c270a590>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0x3FF7F860, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x2b38bcd46710>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid 
magic found
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: 
Invalid VMware signature: 0x11063
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed 
valid Address Space check
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: 
Incompatible profile LinuxCentOS510x64 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: 
Incompatible profile LinuxCentOS510x64 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: Could not 
read_long_phys at offset 0x3ffffffff00cL
DEBUG1  : volatility.obj      : None object instantiated: Could not 
read_long_phys at offset 0x3ffffffff000L
DEBUG1  : volatility.obj      : None object instantiated: No suggestions 
available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Failed 
valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x11063
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxCentOS510x64 selected
 IA32PagedMemory: Incompatible profile LinuxCentOS510x64 selected
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

# strings /tmp/centos.lime |more
EMiL
cq}?
4[^_]
QWVP
PSVh@
[^_]
Sj@j
PPhx
,PPhx
2$Pj
[^_]
PPVS
[^_]
[^_]
0RPhX
>_MP_
WWVhy
F       Y[
;PCMPu
:F      t
VPh>
SSPhi
tHRj
SVh
++@%-------=--=--=-=-=--=-=---=-*@@@@%%@%@%@%@@@@@%@%@@@@@%@@@@%@@@@@%@@
"OOoOOOOOOOO+OO++O++O+++OOO+O++O+OO+O+O+++++++++++++@++@@+++@++++++++@+
@+@@++@+@@@+@+@@@@%@@@@@+@@@@@@@@@@+@@@@@@@+@+@+@+@+@@@++@+++@@+++++@++@
OOO+OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOoOOoOOOOOOOOOOOOOooOoOOOOoOOOOOOO+O
OooOooOOOOooOOOOOOO+O+OOO+OOO+O+++O+OO+O+++O+O+OOO++OOOOOOOOOO+OOOOOOOOO
+++O@++@==-=-=-=--=-=----=-=--=-=--=-*%@%@@%@@%%@%%%@@%%@@%@@%@%%%@@@%%%
=-",
"OOOoOOOOOOO+OOOOO+O+O+O++O+OOOO++O++++O+O+O+O+++++++@++++++++++@+@
+@@@@@@@@@@@+@@@@@@@@+@@@@@@+@@@@@@@@@@@@@+@+@@@@+@+@+@@@+@@@+@@+@@@+@++
OOOO+O+OO+O+OOOOOOOOOOOOOOOOOOOOOOOOOOOOoOooOOOOOOOOOOOOOOOoOOOOOOOOOOOO
ooooOoOoOoOoOOOOOOOOO+O+O++OOO+OOO+O+O+O+++O+O+O+OOO+O+O++OOOO+OOOOOOOOO
-&++++++++++@-=---=--=---=-=--=--=--=-=---=%@%@%@%@%%@@%@@@%%@%@@@@@@%%%
-=-=--",
"OoOOOOOOOOOO+O+O+O+O++O+O+O+++OOO+O+O+O++O++++++++++@+@+++++++++++++@+@@@@@+++@
+@@+@@+@@@

 ---------
 [root@centos-5 volatility-2.3.1]# strings /tmp/centos.fmem |more
/vmlinuz-2.6.18-371.9.1.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
fXfSf
tLf1
pPf1
Loading stage2
Geom
Read
 Error
0.97
(hd0,0)/grub/grub.conf
Ou=<
^_[]
USWV
MPuW
^_[]
USWV
PAMS
f=PAMSfu
^_[]
t)PS
USQR
ZY[]
UPSQRf
ZY[X]
Rj#j
tLPjRj
[^_]
[^_]
^<au
U<bu
L<cu
@<du
7<Du
+<gu
.PPh
t2PS
[^_]
/~*f
HdrS
SPhv
HdrSu
RjuP
umRR
RSVh
t>PPSV
tBWWS
u+QQ
[^_]
[^_]
0PhN
QQShh
PPShh
QHP)
[^_]
PPRh
[^_]
hPhC
aPhN
[^_]
t&@9
t:PP
YSSj
PShx
[^_]
PPRh
WWVj
……

What version of the product are you using? On what operating system?
# uname -a
Linux centos-5.5-X64 2.6.18-371.9.1.el5 #1 SMP 
Volatility  2.3.1
lime-forensics-1.1-r17 /fmem_1.6-1   

Please provide any additional information below.

create a profile
1 create module.dwarf
#make
make -C //lib/modules/2.6.18-371.9.1.el5/build CONFIG_DEBUG_INFO=y 
M=/pentoo/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'
  CC [M]  /pentoo/volatility-2.3.1/tools/linux/module.o
/pentoo/volatility-2.3.1/tools/linux/module.c:303:5: warning: "STATS" is not 
defined
/pentoo/volatility-2.3.1/tools/linux/module.c:319:5: warning: "DEBUG" is not 
defined
  Building modules, stage 2.
  MODPOST
  CC      /pentoo/volatility-2.3.1/tools/linux/module.mod.o
  LD [M]  /pentoo/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-371.9.1.el5/build 
M=/pentoo/volatility-2.3.1/tools/linux clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'
  CLEAN   /pentoo/volatility-2.3.1/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'

2
#pwd
/pentoo/volatility-2.3.1/tools/linux
#zip volatility/plugins/overlays/linux/CentOS510.zip tools/linux/module.dwarf 
/boot/System.map-2.6.18-371.9.1.el5

3
# vol --info |grep Linux
Volatility Foundation Volatility Framework 2.3.1
LinuxCentOS510x64 - A Profile for Linux CentOS510 x64
linux_banner            - Prints the Linux banner information
linux_yarascan          - A shell in the Linux memory image

#cat /boot/grub/grub.conf

title CentOS (2.6.18-371.9.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-371.9.1.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.18-371.9.1.el5.img
title CentOS (2.6.18-371.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-371.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet crashkerne
l=128M@16M
        initrd /initrd-2.6.18-371.el5.img

---------------------
dump   physical memory
#insmod lime.ko path=/tmp/centos.lime format=lime
#dd if=/dev/fmem of=/tmp/centos.fmem bs=1MB count=1024

[root@centos-5 volatility-2.3.1]# ls -alh /tmp
-rw-r--r--  1 root root 977M Jun 15 22:58 centos.fmem
-r--r--r--  1 root root 1.0G Jun 16 00:06 centos.lime

=========================================
Can anyone tell me why?

Original issue reported on code.google.com by po1e3...@gmail.com on 15 Jun 2014 at 4:38


GoogleCodeExporter commented 9 years ago
Oh, I found it.
# grep init_level4_pgt /boot/System.map-2.6.18-371.9.1.el5
ffffffff80001000 T init_level4_pgt
ffffffff802f2b00 r __ksymtab_init_level4_pgt
ffffffff803007d8 r __kcrctab_init_level4_pgt
ffffffff80307870 r __kstrtab_init_level4_pgt

Please, what do I need to do?

Original comment by po1e3...@gmail.com on 15 Jun 2014 at 5:14

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 15 Jun 2014 at 7:01

GoogleCodeExporter commented 9 years ago
Please close issue 503.
The issue has been fixed by
[http://lists.volatilesystems.com/pipermail/vol-users/2013-February/000743.html]
---------------------------
I'm sorry, michael.hale.
I've been working overtime for days and I feel very tired, so I didn't see this article.
--------------------------------------------------------
Simple solution:
cd ../volatility/plugins/overlays/linux/
vi linux.py
In the 1000th row, replace 'shift = 0xffffffff80000000' with 'shift = 0xffffffff7fe00000'
vi linux64.py
In the 38th row, replace 'shift = 0xffffffff80000000' with 'shift = 0xffffffff7fe00000'

Original comment by po1e3...@gmail.com on 17 Jun 2014 at 2:57
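Background on why the one-line `shift` edit above resolves the "Failed valid Address Space check" from AMD64PagedMemory: the Linux overlay locates the DTB by taking the virtual address of `init_level4_pgt` from System.map (0xffffffff80001000 in the grep output earlier in this thread) and subtracting `shift` to get a physical address. With the shipped value 0xffffffff80000000 that lands at physical 0x1000, which on this CentOS 5 kernel is not the PML4; with 0xffffffff7fe00000 it lands at 0x201000, i.e. the kernel image sits 2 MiB into physical memory. The script below is an added example, not code from the thread or from Volatility: it parses System.map, walks the LiME container headers (magic 0x4C694D45, the "EMiL" visible in the `strings` output above), and for each candidate shift checks whether the page at the computed physical address plausibly is a kernel PML4, so a shift can be validated before editing the overlay. The PML4 heuristic (sparse table with a present entry at index 511) and the sample dump are assumptions constructed for this example.

```python
import struct

LIME_MAGIC = 0x4C694D45            # "EMiL" when the u32 is read little-endian
PAGE_SIZE = 0x1000
PML4_ENTRIES = 512
DEFAULT_SHIFT = 0xFFFFFFFF80000000  # value shipped in linux.py / linux64.py
CENTOS5_SHIFT = 0xFFFFFFFF7FE00000  # value the thread substitutes
PTE_PRESENT = 0x1
PTE_ADDR_MASK = 0x000FFFFFFFFFF000


def parse_system_map(text):
    """Map symbol name -> virtual address from System.map lines ('addr type name')."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def parse_lime_ranges(dump):
    """Walk the LiME container: each range is a 32-byte header
    (u32 magic, u32 version, u64 s_addr, u64 e_addr, 8 reserved bytes)
    followed by the bytes for physical addresses s_addr..e_addr inclusive.
    Returns a list of (s_addr, e_addr, file_offset_of_first_data_byte)."""
    ranges = []
    offset = 0
    while offset + 32 <= len(dump):
        magic, _version, s_addr, e_addr = struct.unpack_from("<IIQQ", dump, offset)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic 0x%08x at offset 0x%x" % (magic, offset))
        ranges.append((s_addr, e_addr, offset + 32))
        offset += 32 + (e_addr - s_addr + 1)
    return ranges


def phys_to_file_offset(ranges, paddr):
    """Translate a physical address into a file offset, or None if not captured."""
    for s_addr, e_addr, data_offset in ranges:
        if s_addr <= paddr <= e_addr:
            return data_offset + (paddr - s_addr)
    return None


def looks_like_kernel_pml4(dump, offset):
    """Heuristic (an assumption of this example, not a Volatility check): a real
    x86_64 Linux PML4 is sparse and has a present entry at index 511, the slot
    that covers __START_KERNEL_map ((0xffffffff80000000 >> 39) & 0x1ff)."""
    if offset is None or offset + PAGE_SIZE > len(dump):
        return False
    entries = struct.unpack_from("<%dQ" % PML4_ENTRIES, dump, offset)
    kernel_entry = entries[511]
    present = bool(kernel_entry & PTE_PRESENT) and (kernel_entry & PTE_ADDR_MASK) != 0
    sparse = sum(1 for e in entries if e) <= 64
    return present and sparse


def evaluate_shifts(system_map_text, dump, candidate_shifts):
    """For each candidate shift compute phys(init_level4_pgt) = vaddr - shift and
    return {shift: (paddr, plausible_pml4)}."""
    vaddr = parse_system_map(system_map_text)["init_level4_pgt"]
    ranges = parse_lime_ranges(dump)
    results = {}
    for shift in candidate_shifts:
        paddr = vaddr - shift
        results[shift] = (paddr, looks_like_kernel_pml4(dump, phys_to_file_offset(ranges, paddr)))
    return results


# --- constructed sample input (not a real capture) ---------------------------
SYSTEM_MAP = """\
ffffffff80001000 T init_level4_pgt
ffffffff802f2b00 r __ksymtab_init_level4_pgt
"""


def build_sample_dump():
    """One LiME range covering physical 0..4 MiB with a fake PML4 at 0x201000,
    mimicking a kernel loaded at physical 2 MiB; the page at 0x1000 stays zero."""
    mem = bytearray(0x400000)
    pml4_off = 0x201000
    pdpt = 0x203000 | 0x67  # present|rw|user|accessed|dirty, pointing at a fake PDPT
    struct.pack_into("<Q", mem, pml4_off + 0 * 8, pdpt)
    struct.pack_into("<Q", mem, pml4_off + 511 * 8, pdpt)
    header = struct.pack("<IIQQ8x", LIME_MAGIC, 1, 0, len(mem) - 1)
    return header + bytes(mem)


if __name__ == "__main__":
    dump = build_sample_dump()
    for shift, (paddr, ok) in evaluate_shifts(SYSTEM_MAP, dump, [DEFAULT_SHIFT, CENTOS5_SHIFT]).items():
        print("shift=0x%x -> init_level4_pgt at phys 0x%x: %s"
              % (shift, paddr, "plausible PML4" if ok else "not a PML4"))
```

Against a real capture, replace `build_sample_dump()` with the bytes of the .lime file and `SYSTEM_MAP` with the contents of the matching System.map; a shift whose computed address falls outside every LiME range, or on a page that fails the PML4 heuristic, is the one that produces the "Failed valid Address Space check" seen in the debug log.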

GoogleCodeExporter commented 9 years ago
No worries, glad that takes care of it. Thanks...

Original comment by michael.hale@gmail.com on 29 Jun 2014 at 5:18