tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Error when using a profile for Redhat 5.10 #497

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hey all,

First of all, thanks for volatility, it really is a useful tool :)

I have a problem with generating a profile for Redhat 5.10

I've used libdwarf-20140208, lime-forensics-1.1-r17 and the kernel version 
redhat-2.6.18-371.el5.x86_64 with volatility 3.2.1, and I've also tried the 
latest SVN version.

make -C //lib/modules/2.6.18-371.4.1.el5/build CONFIG_DEBUG_INFO=y 
M=/root/volatility/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'
  CC [M]  /root/volatility/volatility-2.3.1/tools/linux/module.o
/root/volatility/volatility-2.3.1/tools/linux/module.c:303:5: Warnung: 
»STATS« ist nicht definiert
/root/volatility/volatility-2.3.1/tools/linux/module.c:319:5: Warnung: 
»DEBUG« ist nicht definiert
  Building modules, stage 2.
  MODPOST
  CC      /root/volatility/volatility-2.3.1/tools/linux/module.mod.o
  LD [M]  /root/volatility/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-371.4.1.el5/build 
M=/root/volatility/volatility-2.3.1/tools/linux clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'
  CLEAN   /root/volatility/volatility-2.3.1/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'

Only noteworthy output:
/root/volatility/volatility-2.3.1/tools/linux/module.c:303:5: Warnung: 
»STATS« ist nicht definiert
/root/volatility/volatility-2.3.1/tools/linux/module.c:319:5: Warnung: 
»DEBUG« ist nicht definiert

Found this for reference: 
https://code.google.com/p/volatility/issues/detail?id=432 but it shouldn't be 
related.

I've successfully compiled a profile for CentOS 6.5 kernel version 
2.6.32-431.11.2.el6.x86_64. The memory dump is processed without any problems, 
so it shouldn't be a problem with the workflow for compiling a profile (I guess).

I found this entry: 
http://lists.volatilesystems.com/pipermail/vol-users/2013-February/000743.html
Maybe it's a similar problem?

When I try to load the redhat memory dump in volatility I get the following:

python vol.py -v -f /mnt/lime.dd  --profile=Linuxredhat-2_6_18-371_4_1_el5x64 
-dd linux_netstat
Volatility Foundation Volatility Framework 2.3.1
DEBUG   : volatility.plugins.overlays.linux.linux: redhat-2.6.18-371.4.1.el5: 
Found dwarf file boot/System.map-2.6.18-371.4.1.el5 with 378 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: redhat-2.6.18-371.4.1.el5: 
Found system file boot/System.map-2.6.18-371.4.1.el5 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.obj      : Applying modification from Linux64ObjectClasses
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: redhat-2.6.18-371.4.1.el5: 
Found dwarf file boot/System.map-2.6.18-371.4.1.el5 with 378 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: redhat-2.6.18-371.4.1.el5: 
Found system file boot/System.map-2.6.18-371.4.1.el5 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.obj      : Applying modification from Linux64ObjectClasses
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x5bfd710>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid 
magic found
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: 
Invalid VMware signature: 0x0
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed 
valid Address Space check
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: 
Incompatible profile Linuxredhat-2_6_18-371_4_1_el5x64 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: 
Incompatible profile Linuxredhat-2_6_18-371_4_1_el5x64 selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Could not 
read_long_phys at offset 0x3ffffffff00cL
DEBUG1  : volatility.obj      : None object instantiated: Could not 
read_long_phys at offset 0x3ffffffff000L
DEBUG1  : volatility.obj      : None object instantiated: No suggestions 
available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Failed 
valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile Linuxredhat-2_6_18-371_4_1_el5x64 selected
 IA32PagedMemory: Incompatible profile Linuxredhat-2_6_18-371_4_1_el5x64 selected
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

Has anyone had similar problems and maybe already a solution?

Original issue reported on code.google.com by nor...@cure53.de on 29 Apr 2014 at 9:47

GoogleCodeExporter commented 9 years ago
OK, I've tried the patch again from: 
http://lists.volatilesystems.com/pipermail/vol-users/2013-February/000743.html, 
and now it works with a LiME-formatted memory dump.

Maybe this should be better documented :) It seems to apply to older Red Hat 
and CentOS systems 5.3-5.10, from what was reported in different threads.

Original comment by nor...@cure53.de on 29 Apr 2014 at 11:10

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 29 Apr 2014 at 1:31

GoogleCodeExporter commented 9 years ago
Not sure if this is an issue, if so please file at: 
https://github.com/volatilityfoundation/volatility/issues

Original comment by jamie.l...@gmail.com on 20 Nov 2014 at 8:31