Can't make linux mem dump analysis

GoogleCodeExporter commented 9 years ago

Hi all
I would be very happy if somebody of you explain me what is wrong(or mayby I'm 
doing sth wrong) with my volatility setup and how to fix it.

I would like to analyze MEM(RAM) dump of linux box.
I've made checkout of volatility svn. Now I'm using: Framework 2.2_alpha.
I've also compiled add tools such: Distorm3, Yara 1.4 and Yara-Python 1.4a, 
Malware Plugins, libdwarf-20091012.tar.gz
I've also created the profile for opensuse12.1x86 and added it the volatility.

My linux box:
kernel: 3.1.10-1.16-desktop #1 SMP PREEMPT Wed Jun 27 05:21:40 UTC 2012 
(d016078) i686 i686 i386 GNU/Linux
openSUSE 12.1 "Asparagus" x86

I've tried to make a memory dump on linux box using following command:

###I. using fmem kernel module###

I've used fmem kernel module: http://hysteria.sk/~niekt0/fmem/fmem_current.tgz

then I've made a dump:
dd if=/dev/fmem count=1526488 bs=1kB conv=sync,noerror iflag=noatime 
of=opensuse12.1-x60s-RAM-dd-noatime.dd

I've tried to usue volatility to analyze this image:

python vol.py -f ~/opensuse12.1-x60s-RAM-dd-noatime.dd imageinfo

and received folllowing error:
Volatile Systems Volatility Framework 2.2_alpha
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with LinuxopenSUSE12_1x86x86)
                     AS Layer1 : JKIA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (opensuse12.1-x60s-RAM-dd-noatime.dd)
                      PAE type : No PAE
                           DTB : 0xb61000L
Traceback (most recent call last):
  File "vol.py", line 185, in <module>
    main()
  File "vol.py", line 176, in main
    command.execute()
  File "volatility/SVN/volatility/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "volatility/SVN/volatility/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "volatility/SVN/volatility/volatility/plugins/imageinfo.py", line 91, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "volatility/SVN/volatility/volatility/obj.py", line 746, in __getattr__
    return self.m(attr)
  File "volatility/SVN/volatility/volatility/obj.py", line 728, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG

###II using /dev/mem as a souce of memory dump###
dd if=/dev/mem conv=sync,noerror iflag=noatime 
of=opensuse12.1-x60s-RAM[mem]-dd-noatime.dd

then:

python vol.py -f ~/opensuse12.1-x60s-RAM\[mem\]-dd-noatime.dd imageinfo

and received following error:
Volatile Systems Volatility Framework 2.2_alpha                                 

Determining profile based on KDBG search...                                     

          Suggested Profile(s) : No suggestion (Instantiated with LinuxopenSUSE12_1x86x86)                                                 
                     AS Layer1 : JKIA32PagedMemory (Kernel AS)                                                                             
                     AS Layer2 : FileAddressSpace (opensuse12.1-x60s-RAM[mem]-dd-noatime.dd)                     
                      PAE type : No PAE                                                                                                    
                           DTB : 0xb61000L                                                                                                 
Traceback (most recent call last):                                              

  File "vol.py", line 185, in <module>                                                                                                     
    main()                                                                                                                                 
  File "vol.py", line 176, in main                                                                                                         
    command.execute()                                                                                                                      
  File "volatility/SVN/volatility/volatility/commands.py", line 111, in execute                                  
    func(outfd, data)                                                                                                                      
  File "volatility/SVN/volatility/volatility/plugins/imageinfo.py", line 34, in render_text                      
    for k, v in data:
  File "volatility/SVN/volatility/volatility/plugins/imageinfo.py", line 91, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "volatility/SVN/volatility/volatility/obj.py", line 746, in __getattr__
    return self.m(attr)
  File "volatility/SVN/volatility/volatility/obj.py", line 728, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG

###III. using LiME kernel module as source of memory dump###
python vol.py -f ~/opensuse12.1-x60s-RAM.lime imageinfo

and received following error:

Volatile Systems Volatility Framework 2.2_alpha
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with LinuxopenSUSE12_1x86x86)
                     AS Layer1 : JKIA32PagedMemory (Kernel AS)
                     AS Layer2 : LimeAddressSpace (Unnamed AS)
                     AS Layer3 : FileAddressSpace (opensuse12.1-x60s-RAM.lime)
                      PAE type : No PAE
                           DTB : 0xb61000L
Traceback (most recent call last):
  File "vol.py", line 185, in <module>
    main()
  File "vol.py", line 176, in main
    command.execute()
  File "volatility/SVN/volatility/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "volatility/SVN/volatility/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "volatility/SVN/volatility/volatility/plugins/imageinfo.py", line 91, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "volatility/SVN/volatility/volatility/obj.py", line 746, in __getattr__
    return self.m(attr)
  File "volatility/SVN/volatility/volatility/obj.py", line 728, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG

Thanks
Peter

Original issue reported on code.google.com by piotr.sa...@gmail.com on 22 Aug 2012 at 4:45

GoogleCodeExporter commented 9 years ago

Hey Peter, the imageinfo command is only for windows memory dumps. All Linux 
commands are prefixed with linux_ for example linux_pslist. You can python 
vol.py --info | grep linux_ to see commands which are valid for Linux or just 
take a peek at the LinuxMemoryForensics wiki for instructions.

Original comment by michael.hale@gmail.com on 22 Aug 2012 at 7:05

GoogleCodeExporter commented 9 years ago

W dniu 22.08.2012 21:05, volatility@googlecode.com pisze:

Hello
I've tried to run vol.py analysis with linux_pslist but another error
show up.

I've tried to analyze mem dump created by using LiME kernel module.

Output received:

piter@pacer:~/volatility/SVN/volatility> python vol.py -f
../../../opensuse12.1-x60s-RAM.lime linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64: Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
 JKIA32PagedMemory: No valid DTB found
 JKIA32PagedMemoryPae: No valid DTB found
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space

Still don't know what is wrong:(

Original comment by piotr.sa...@gmail.com on 22 Aug 2012 at 10:36

GoogleCodeExporter commented 9 years ago

[deleted comment]

GoogleCodeExporter commented 9 years ago

You need to specify the profile that you created. Run this command:

python vol.py --info | grep Linux

This should shown you the available profiles and should have part of whatever 
you needed your zip.

The use this profile name to the --profile command line option.

Original comment by atc...@gmail.com on 23 Aug 2012 at 1:14

GoogleCodeExporter commented 9 years ago

Thanks again for your answer but still it doesn't work:(

I've created the profile for openSUSE 12.1 x86: LinuxopenSUSE12_1x86x86

The profile is in the attachment.
This profile is also available for volatility:

piter@pacer:~/volatility/SVN/volatility> python vol.py --info | grep Linux
Volatile Systems Volatility Framework 2.2_alpha
LinuxDebian2632_zipx86  - A Profile for Linux Debian2632.zip x86
LinuxDebian2632x86      - A Profile for Linux Debian2632 x86
LinuxopenSUSE12_1x86x86 - A Profile for Linux openSUSE12.1x86 x86
piter@pacer:~/G4G-forensics/volatility/SVN/volatility>

I've launched several command but none of them returned any output:

piter@pacer:~/volatility/SVN/volatility> python vol.py -f
../../../opensuse12.1-x60s-RAM.lime --profile LinuxopenSUSE12_1x86x86
linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
Offset   Name                 Pid             Uid             Start Time

piter@pacer:~/volatility/SVN/volatility> python vol.py -f
../../../opensuse12.1-x60s-RAM.lime --profile LinuxopenSUSE12_1x86x86
linux_lsof
Volatile Systems Volatility Framework 2.2_alpha
piter@pacer:~/volatility/SVN/volatility> python vol.py -f
../../../opensuse12.1-x60s-RAM.lime --profile LinuxopenSUSE12_1x86x86
linux_cpuinfo
Volatile Systems Volatility Framework 2.2_alpha
Processor    Vendor           Model

0            ----------------
----------------------------------------------------------------
piter@pacer:~/volatility/SVN/volatility> python vol.py -f
../../../opensuse12.1-x60s-RAM --profile LinuxopenSUSE12_1x86x86
linux_cpuinfo
opensuse12.1-x60s-RAM-dd-noatime.dd         opensuse12.1-x60s-RAM.lime

opensuse12.1-x60s-RAM[kcore]-dd-noatime.dd
opensuse12.1-x60s-RAM[mem]-dd-noatime.dd
piter@pacer:~/volatility/SVN/volatility> python vol.py -f
../../../opensuse12.1-x60s-RAM-dd-noatime.dd --profile
LinuxopenSUSE12_1x86x86 linux_cpuinfo
Volatile Systems Volatility Framework 2.2_alpha
Processor    Vendor           Model

0            ----------------
----------------------------------------------------------------
piter@pacer:~/volatility/SVN/volatility> python vol.py -f
../../../opensuse12.1-x60s-RAM-dd-noatime.dd --profile
LinuxopenSUSE12_1x86x86 linux_dmesg
Volatile Systems Volatility Framework 2.2_alpha
-
piter@pacer:~/volatility/SVN/volatility>

Do you have any idea what could be a reason for that  volatility behavior?

Thanks again for your explanations:)
Peter

Original comment by piotr.sa...@gmail.com on 23 Aug 2012 at 8:02

Attachments:

openSUSE12.1x86.zip

GoogleCodeExporter commented 9 years ago

Hello,

Could you please run this command?

python vol.py -f ../../../opensuse12.1-x60s-RAM.lime 
--profile=LinuxopenSUSE12_1x86x86 -dd linux_pslist

and paste the output?

Also which version and branch of SVN are you using?

Original comment by atc...@gmail.com on 24 Aug 2012 at 11:17

GoogleCodeExporter commented 9 years ago

Hi Peter, 

Did you have any trouble building LiME on your opensuse 12.1 x86 box? Did you 
need to install any special packages or issue any modified make commands?

Original comment by michael.hale@gmail.com on 25 Aug 2012 at 2:59

GoogleCodeExporter commented 9 years ago

Hello,

We have been adding a number of new features and fixes to Linux in the last 
couple days. Could you please svn update and delete all *.pyc files and then 
run again?

Original comment by atc...@gmail.com on 27 Aug 2012 at 8:39

GoogleCodeExporter commented 9 years ago

Give 1 day to test your suggestions.

Original comment by psasak.n...@gmail.com on 28 Aug 2012 at 9:29

GoogleCodeExporter commented 9 years ago

Btw Peter, no need to reply to my question about building LiME on OpenSuSE, I 
got that figured out. I believe @atcuno is working on some fixes for the suse 
plugins.

Original comment by michael.hale@gmail.com on 29 Aug 2012 at 12:17

GoogleCodeExporter commented 9 years ago

Hi
Sorry for the delay in answering.

The output of the requested command:

piter@pacer:~/volatility/SVN/volatility> python vol.py -f 
../../../opensuse12.1-x60s-RAM.lime --profile=LinuxopenSUSE12_1x86x86 -dd 
linux_pslist                                                                    
Volatile Systems Volatility Framework 2.2_alpha                                 

DEBUG   : volatility.utils    : Voting round                                    

DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>             
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base                           
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xa47f94c>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0x3F65F040, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0xa63e5cc>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: 
Incompatible profile LinuxopenSUSE12_1x86x86 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.intel.JKIA32PagedMemory object at 0xa47f98c>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not read_chunks 
from addr 0x0 of size 0x4
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not read_chunks 
from addr 0x0 of size 0x8
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not read_chunks 
from addr 0x0 of size 0x8
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: 
Incompatible profile LinuxopenSUSE12_1x86x86 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: Can not 
stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: Can 
not stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
Offset   Name                 Pid             Uid             Start Time        

DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0xC0A90FA0, instantiating task_struct
piter@pacer:~/volatility/SVN/volatility> 

SVN version of the volatility code:
piter@pacer:~/volatility/SVN/volatility> svn info
Ścieżka: .
URL: http://volatility.googlecode.com/svn/trunk
Katalog główny repozytorium: http://volatility.googlecode.com/svn
UUID repozytorium: 8d5d6628-2090-11de-9909-f37ff7dbbc12
Wersja: 2211
Rodzaj obiektu: katalog
Zlecenie: normalne
Autor ostatniej zmiany: mike.auty@gmail.com
Ostatnio zmieniona wersja: 2211
Data ostatniej zmiany: 2012-08-19 12:16:20 +0200 (nie)

I've no need to install any special packages in openSUSE before compilation.
I add logs grabed durring launching fmem kernel module:

pacer-x60s:/home/piter/fmem_1.6-0 # ./run.sh 
Module: insmod fmem.ko a1=0xc0250660 : OK
Device: /dev/fmem
----Memory areas: -----
reg00: base=0x000000000 (    0MB), size= 1024MB, count=1: write-back
reg01: base=0x03f700000 ( 1015MB), size=    1MB, count=1: uncachable
reg02: base=0x03f800000 ( 1016MB), size=    8MB, count=1: uncachable
reg03: base=0x0d0000000 ( 3328MB), size=  256MB, count=1: write-combining
-----------------------
!!! Don't forget add "count=" to dd !!!
pacer-x60s:/home/piter/fmem_1.6-0 # 

#tail -f /var/log/messages
Aug 20 10:49:26 pacer-x60s kernel: [ 1633.223432] fmem init_module 449: init
Aug 20 10:49:26 pacer-x60s kernel: [ 1633.223441] fmem find_symbols 439: set 
guess_page_is_ram: c0250660

I've recreate fmem module once more and grab the logs:
pacer-x60s:/home/piter/fmem_1.6-0 # make clean
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd 
\.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions
pacer-x60s:/home/piter/fmem_1.6-0 # make
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd 
\.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions
make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules
make[1]: Wejście do katalogu `/usr/src/linux-3.1.10-1.16-obj/i386/desktop'
  CC [M]  /home/piter/fmem_1.6-0/lkm.o
  LD [M]  /home/piter/fmem_1.6-0/fmem.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/piter/fmem_1.6-0/fmem.mod.o
  LD [M]  /home/piter/fmem_1.6-0/fmem.ko
make[1]: Opuszczenie katalogu `/usr/src/linux-3.1.10-1.16-obj/i386/desktop'
pacer-x60s:/home/piter/fmem_1.6-0 #

Original comment by psasak.n...@gmail.com on 29 Aug 2012 at 1:06

GoogleCodeExporter commented 9 years ago

Can you please svn update and run again? It seems like you are running on 
revision 2211 which is a bit dated now

Original comment by atc...@gmail.com on 29 Aug 2012 at 1:15

GoogleCodeExporter commented 9 years ago

I've made svn update to the version 2262 but it doesn't help:

piter@pacer:~/volatility/SVN/volatility> python vol.py 
../../../opensuse12.1-x60s-RAM.lime linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'

piter@pacer:~/volatility/SVN/volatility> 
piter@pacer:~/volatility/SVN/volatility> 
piter@pacer:~/volatility/SVN/volatility> python vol.py -f 
../../../opensuse12.1-x60s-RAM.lime --profile LinuxopenSUSE12_1x86x86 
linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
Offset   Name                 Pid             Uid             Start Time        

piter@pacer:~/volatility/SVN/volatility>

Original comment by psasak.n...@gmail.com on 29 Aug 2012 at 1:19

GoogleCodeExporter commented 9 years ago

I've made once more debug command:

piter@pacer:~/volatility/SVN/volatility> python vol.py -f 
../../../opensuse12.1-x60s-RAM.lime --profile=LinuxopenSUSE12_1x86x86 -dd 
linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: openSUSE12.1x86: Found dwarf 
file System.map-3.1.10-1.16-desktop with 514 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: openSUSE12.1x86: Found 
system file System.map-3.1.10-1.16-desktop with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x98711cc>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0x3F65F040, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x986b8ec>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: 
Incompatible profile LinuxopenSUSE12_1x86x86 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.intel.JKIA32PagedMemory object at 0x987118c>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not read_chunks 
from addr 0x0 of size 0x4
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not read_chunks 
from addr 0x0 of size 0x8
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not read_chunks 
from addr 0x0 of size 0x8
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: 
Incompatible profile LinuxopenSUSE12_1x86x86 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: Can not 
stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: Can 
not stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
Offset   Name                 Pid             Uid             Start Time        

DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0xC0A90FA0, instantiating task_struct
piter@pacer:~/volatility/SVN/volatility> 

Maybe it will be useful for you.

Original comment by psasak.n...@gmail.com on 29 Aug 2012 at 1:41

GoogleCodeExporter commented 9 years ago

Hello,

Can you please svn update again and run? I just committed a fix that should 
handle it for you. I tested on the same suse version as you.

Original comment by atc...@gmail.com on 1 Sep 2012 at 5:28

GoogleCodeExporter commented 9 years ago

Hi
I've just updated volatility to the 2273 version and it doesn't help:(

1. Updating volatility repo

piter@pacer:~/volatility/SVN/volatility> svn info
Ścieżka: .
URL: http://volatility.googlecode.com/svn/trunk
Katalog główny repozytorium: http://volatility.googlecode.com/svn
UUID repozytorium: 8d5d6628-2090-11de-9909-f37ff7dbbc12
Wersja: 2273
Rodzaj obiektu: katalog
Zlecenie: normalne
Autor ostatniej zmiany: atcuno@gmail.com
Ostatnio zmieniona wersja: 2273
Data ostatniej zmiany: 2012-09-01 08:35:22 +0200 (sob)

2. deleting all *.pyc files in volatility directory

3. doing some volatility tests:

piter@pacer:~/volatility/SVN/volatility> python vol.py 
../../../opensuse12.1-x60s-RAM.lime --profile LinuxopenSUSE12_1x86x86 
linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'

piter@pacer:~/volatility/SVN/volatility> 

piter@pacer:~/volatility/SVN/volatility> python vol.py 
../../../opensuse12.1-x60s-RAM.lime --profile LinuxopenSUSE12_1x86x86 -dd 
linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: openSUSE12.1x86: Found dwarf 
file System.map-3.1.10-1.16-desktop with 514 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: openSUSE12.1x86: Found 
system file System.map-3.1.10-1.16-desktop with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Failed instantiating (exception): 'NoneType' 
object has no attribute 'startswith'
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 IA32PagedMemoryPae: Module disabled
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: Module disabled
 FileAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'

piter@pacer:~/volatility/SVN/volatility> 

#dd dump from /dev/mem
piter@pacer:~/volatility/SVN/volatility> python vol.py 
../../../opensuse12.1-x60s-RAM\[mem\]-dd-noatime.dd --profile 
LinuxopenSUSE12_1x86x86 linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'

piter@pacer:~/volatility/SVN/volatility>

piter@pacer:~/volatility/SVN/volatility> python vol.py 
../../../opensuse12.1-x60s-RAM\[mem\]-dd-noatime.dd --profile 
LinuxopenSUSE12_1x86x86 -dd linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module 
disabled
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: openSUSE12.1x86: Found dwarf 
file System.map-3.1.10-1.16-desktop with 514 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: openSUSE12.1x86: Found 
system file System.map-3.1.10-1.16-desktop with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Failed instantiating (exception): 'NoneType' 
object has no attribute 'startswith'
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 IA32PagedMemoryPae: Module disabled
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: Module disabled
 FileAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'

piter@pacer:~/volatility/SVN/volatility>

Original comment by psasak.n...@gmail.com on 1 Sep 2012 at 9:37

GoogleCodeExporter commented 9 years ago

You've mentioned about doing some test on the same openSuSE version. If the 
latest fix is working on your box maybe there is something wrong with my memory 
dumps or volatility profile for openSuSE?

Can you add to this issue your openSuSE12.1 x86 profile(I assume the profile is 
for the same kernel version as mine) and detailed info how did you make mem 
dump?

Original comment by psasak.n...@gmail.com on 1 Sep 2012 at 9:47

GoogleCodeExporter commented 9 years ago

Hey Peter, sorry for the delay. Yes, I built an OpenSuSE 12.1 x86 system to 
verify with yours. Basically I installed the base OS (kernel 
3.1.0-1.2-desktop), and used yast to get the kernel-headers and libdwarf-tools 
packages. Then I used lime to acquire the memory image and built the 
module.dwarf (no special commands there, just "make" in the tools/linux 
directory). 

I've attached the profile here. I can say it definitely it works with the 
latest svn code. Here are some example commands: http://pastebin.com/Xr6V22EC

Original comment by michael.hale@gmail.com on 6 Sep 2012 at 1:28

Attachments:

OpenSuSE12.zip

GoogleCodeExporter commented 9 years ago

Hi Michael thx for the answer. I will check it till monday.

Original comment by piotr.sa...@gmail.com on 20 Sep 2012 at 5:51

GoogleCodeExporter commented 9 years ago

Hi Peter, any updates?

Original comment by michael.hale@gmail.com on 5 Oct 2012 at 2:06

GoogleCodeExporter commented 9 years ago

Hey Peter, I'm gonna go ahead and close this since we were able to build and 
use profiles for the same distro/kernel version as you had. Please feel free to 
reopen the issue if you find that it still gives you trouble - also make sure 
to use the Volatility 2.2 release since that's available now and should be more 
stable than prior builds you were using. Thanks!

Original comment by michael.hale@gmail.com on 8 Oct 2012 at 9:59

Changed state: Fixed

GoogleCodeExporter commented 9 years ago

Hi
Sorry for missing my update. In e few days l'll update this case.
BR,
Piotr
05-10-2012 04:06 u�ytkownik <volatility@googlecode.com> napisa�:

Original comment by piotr.sa...@gmail.com on 13 Oct 2012 at 10:03

timmerk / volatility

Can't make linux mem dump analysis #326