tthtlc / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

create CentOS 5.8 profile error #432

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I have to create a CentOS 5.8 Linux profile to analyze a memory dump.

product : volatility 2.2
kernel : 2.6.18-348.6.1.el5
os : CentOS 5.8

In volatility-2.2/tools/linux/ I run make, and the error messages below are returned.

--------------------------------
[root@cent58_x86 linux]# make
make -C //lib/modules/2.6.18-348.6.1.el5/build CONFIG_DEBUG_INFO=y M=/root/volatility-2.2/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.6.1.el5-i686'
  CC [M]  /root/volatility-2.2/tools/linux/module.o
/root/volatility-2.2/tools/linux/module.c:291:5: warning: "STATS" is not defined
/root/volatility-2.2/tools/linux/module.c:307:5: warning: "DEBUG" is not defined
  CC [M]  /root/volatility-2.2/tools/linux/pmem.o
/root/volatility-2.2/tools/linux/pmem.c: In function ‘pmem_read_partial’:
/root/volatility-2.2/tools/linux/pmem.c:144: warning: comparison of distinct pointer types lacks a cast
/root/volatility-2.2/tools/linux/pmem.c: At top level:
/root/volatility-2.2/tools/linux/pmem.c:205: warning: ‘struct vm_fault’ declared inside parameter list
/root/volatility-2.2/tools/linux/pmem.c:205: warning: its scope is only this definition or declaration, which is probably not what you want
/root/volatility-2.2/tools/linux/pmem.c: In function ‘pmem_vma_fault’:
/root/volatility-2.2/tools/linux/pmem.c:207: error: dereferencing pointer to incomplete type
/root/volatility-2.2/tools/linux/pmem.c:208: error: dereferencing pointer to incomplete type
/root/volatility-2.2/tools/linux/pmem.c:220: error: dereferencing pointer to incomplete type
/root/volatility-2.2/tools/linux/pmem.c: At top level:
/root/volatility-2.2/tools/linux/pmem.c:225: error: unknown field ‘fault’ specified in initializer
/root/volatility-2.2/tools/linux/pmem.c:225: warning: initialization from incompatible pointer type
/root/volatility-2.2/tools/linux/pmem.c: In function ‘pmem_mmap’:
/root/volatility-2.2/tools/linux/pmem.c:236: error: ‘VM_CAN_NONLINEAR’ undeclared (first use in this function)
/root/volatility-2.2/tools/linux/pmem.c:236: error: (Each undeclared identifier is reported only once
/root/volatility-2.2/tools/linux/pmem.c:236: error: for each function it appears in.)
make[2]: *** [/root/volatility-2.2/tools/linux/pmem.o] Error 1
make[1]: *** [_module_/root/volatility-2.2/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.6.1.el5-i686'
make: *** [dwarf] Error 2
--------------------------------

The dwarf package is libdwarf-20110612.tar.gz
(http://reality.sgiweb.org/davea/dwarf.html#releases)

I find this error is due to mm.h having no VM_CAN_NONLINEAR.
On my Ubuntu (3.0.0-20-generic kernel), mm.h has VM_CAN_NONLINEAR.

So, can I not create a CentOS 5.8 Linux profile?

regards

Original issue reported on code.google.com by deman...@gmail.com on 10 Jul 2013 at 7:40

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 10 Jul 2013 at 12:52

GoogleCodeExporter commented 9 years ago
Hello,

Can you please use Volatility 2.3 (svn trunk) or at the very least use the 
tools/linux directory from svn trunk? We fixed some issues with pmem.c since 
2.2 and your issue appears to be one of them.

Let me know how that works out.

Original comment by atc...@gmail.com on 10 Jul 2013 at 1:06

GoogleCodeExporter commented 9 years ago
I downloaded 2.3_beta from svn trunk, and in the tools/linux directory two Makefiles exist.
One compiles module.c, the other compiles pmem.c.
I ran "make" only in the tools/linux directory and zipped the dwarf file and System.map.
But that profile does not work.
Below is my sequence of commands.

------------------------------------------------------------------------------------------------
[root@cent58_x86 ~]# svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
[root@cent58_x86 ~]# cd volatility-read-only/tools/linux
[root@cent58_x86 linux]# ll
total 24
-rw-r--r-- 1 root root   378 Jul 10 16:24 Makefile
-rw-r--r-- 1 root root 13831 Jul 10 16:24 module.c
drwxr-xr-x 3 root root  4096 Jul 10 16:24 pmem
[root@cent58_x86 linux]# make
make -C //lib/modules/2.6.18-348.6.1.el5/build CONFIG_DEBUG_INFO=y M=/root/volatility-read-only/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.6.1.el5-i686'
  CC [M]  /root/volatility-read-only/tools/linux/module.o
/root/volatility-read-only/tools/linux/module.c:303:5: warning: "STATS" is not defined
/root/volatility-read-only/tools/linux/module.c:319:5: warning: "DEBUG" is not defined
  Building modules, stage 2.
  MODPOST
  CC      /root/volatility-read-only/tools/linux/module.mod.o
  LD [M]  /root/volatility-read-only/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.6.1.el5-i686'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-348.6.1.el5/build M=/root/volatility-read-only/tools/linux clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.6.1.el5-i686'
  CLEAN   /root/volatility-read-only/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.6.1.el5-i686'
[root@cent58_x86 linux]# ll
total 1256
-rw-r--r-- 1 root root     378 Jul 10 16:24 Makefile
-rw-r--r-- 1 root root   13831 Jul 10 16:24 module.c
-rw-r--r-- 1 root root 1254189 Jul 10 16:25 module.dwarf
-rw-r--r-- 1 root root       0 Jul 10 16:25 Module.markers
-rw-r--r-- 1 root root       0 Jul 10 16:25 Module.symvers
drwxr-xr-x 3 root root    4096 Jul 10 16:24 pmem
[root@cent58_x86 linux]# zip CentOS58.zip module.dwarf /boot/System.map-2.6.18-348.6.1.el5
  adding: module.dwarf (deflated 90%)
  adding: boot/System.map-2.6.18-348.6.1.el5 (deflated 73%)
[root@cent58_x86 linux]# ll
total 1644
-rw-r--r-- 1 root root  390843 Jul 10 16:26 CentOS58.zip
-rw-r--r-- 1 root root     378 Jul 10 16:24 Makefile
-rw-r--r-- 1 root root   13831 Jul 10 16:24 module.c
-rw-r--r-- 1 root root 1254189 Jul 10 16:25 module.dwarf
-rw-r--r-- 1 root root       0 Jul 10 16:25 Module.markers
-rw-r--r-- 1 root root       0 Jul 10 16:25 Module.symvers
drwxr-xr-x 3 root root    4096 Jul 10 16:24 pmem
[root@cent58_x86 linux]# scp CentOS58.zip root@20.20.20.62:/data/forensics
root@20.20.20.62's password: 
CentOS58.zip                                  100%  382KB 381.7KB/s   00:00
------------------------------------------------------------------------------------------------

On my Ubuntu (20.20.20.62) I downloaded volatility again from svn trunk and copied the
CentOS 5.8 profile to the newly downloaded volatility directory.
Then I ran volatility.

------------------------------------------------------------------------------------------------
root@LUCKYSTRIKE:/data/forensics/volatility-read-only# python vol.py --info
Volatile Systems Volatility Framework 2.3_beta

Profiles
--------
LinuxCentOS58x86 - A Profile for Linux CentOS58 x86
VistaSP0x64      - A Profile for Windows Vista SP0 x64
VistaSP0x86      - A Profile for Windows Vista SP0 x86
VistaSP1x64      - A Profile for Windows Vista SP1 x64
VistaSP1x86      - A Profile for Windows Vista SP1 x86
VistaSP2x64      - A Profile for Windows Vista SP2 x64
VistaSP2x86      - A Profile for Windows Vista SP2 x86
Win2003SP0x86    - A Profile for Windows 2003 SP0 x86
...snip...

root@LUCKYSTRIKE:/data/forensics/volatility-read-only# python vol.py -f /data/forensics/dump/cent5.8.memdump imageinfo
Volatile Systems Volatility Framework 2.3_beta
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with LinuxCentOS58x86)
                     AS Layer1 : FileAddressSpace (/data/forensics/dump/cent5.8.memdump)
                      PAE type : No PAE
                           DTB : 0x752000L
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/data/forensics/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/data/forensics/volatility-read-only/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/data/forensics/volatility-read-only/volatility/plugins/imageinfo.py", line 91, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "/data/forensics/volatility-read-only/volatility/obj.py", line 735, in __getattr__
    return self.m(attr)
  File "/data/forensics/volatility-read-only/volatility/obj.py", line 717, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG

------------------------------------------------------------------------------------------------

Please tell me what my problem is.

Regards

Original comment by deman...@gmail.com on 11 Jul 2013 at 1:13

GoogleCodeExporter commented 9 years ago
For one, you didn't actually add --profile=LinuxCentOS58x86 to your command line
after creating it. Also, you used imageinfo, which is a Windows-only plugin. Try
linux_pslist or one of the other Linux plugins.

Original comment by michael.hale@gmail.com on 11 Jul 2013 at 2:01

GoogleCodeExporter commented 9 years ago
Thanks in advance, but it did not work.

root@LUCKYSTRIKE:/data/forensics/volatility-read-only# python vol.py -f /data/forensics/dump/cent5.8.memdump --profile=LinuxCentOS58x86 linux_pslist
Volatile Systems Volatility Framework 2.3_beta
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile LinuxCentOS58x86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

Original comment by deman...@gmail.com on 12 Jul 2013 at 5:10

GoogleCodeExporter commented 9 years ago
Hello - can you attach the profile CentOS58.zip so we can take a look? Also, 
what tool did you use to acquire the memory dump? 

Original comment by michael.hale@gmail.com on 13 Jul 2013 at 2:00

GoogleCodeExporter commented 9 years ago

The process of creating the profile is in the comment above from Jul 10.
I attach the file; the memory dump program is lime 1.1-r17.
I am using the raw and lime dump formats.

Regards

Original comment by deman...@gmail.com on 14 Jul 2013 at 11:25

GoogleCodeExporter commented 9 years ago
Could you please run this command:

python vol.py -f /data/forensics/dump/cent5.8.memdump --profile=LinuxCentOS58x86 -dd linux_pslist

and paste the output?

Original comment by atc...@gmail.com on 17 Jul 2013 at 2:47

GoogleCodeExporter commented 9 years ago
Hi project member,

Does the -dd option print debug messages?

Here it is.

----------------------------------------------------------------------------------------------------
root@LUCKYSTRIKE:/data/forensics/volatility-read-only# python vol.py -f /data/forensics/dump/cent5.8.memdump --profile=LinuxCentOS58x86 -dd linux_pslist
Volatile Systems Volatility Framework 2.3_beta
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS58: Found dwarf file boot/System.map-2.6.18-348.6.1.el5 with 383 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS58: Found system file boot/System.map-2.6.18-348.6.1.el5 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xbd3656c>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x0
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxCentOS58x86 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: No suggestions available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile LinuxCentOS58x86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
----------------------------------------------------------------------------------------------------

regards

Original comment by deman...@gmail.com on 22 Jul 2013 at 2:19

GoogleCodeExporter commented 9 years ago
Could you please send the -dd output when you run against a memory capture 
taken with lime in the lime format?

Original comment by atc...@gmail.com on 25 Jul 2013 at 5:06

GoogleCodeExporter commented 9 years ago
Hi,

I upgraded the kernel to 2.6.18-348.12.1.el5 (before the upgrade the kernel was
2.6.18-348.6.1.el5) and dumped memory in lime format.

Here is the error message.

----------------------------------------------------------------------------------------------------
root@LUCKYSTRIKE:~/volatility# python vol.py -f /data/forensics/dump/centos_2.6.18-348.12.1.el5.dd --profile=LinuxCentOS58_2_6_18-348_12_1_el5x86 -dd linux_pslist
Volatile Systems Volatility Framework 2.3_beta
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS58_2.6.18-348.12.1.el5: Found dwarf file boot/System.map-2.6.18-348.12.1.el5 with 383 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: CentOS58_2.6.18-348.12.1.el5: Found system file boot/System.map-2.6.18-348.12.1.el5 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xacef8ec>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x0
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxCentOS58_2_6_18-348_12_1_el5x86 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: No suggestions available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile LinuxCentOS58_2_6_18-348_12_1_el5x86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
----------------------------------------------------------------------------------------------------

I hope to clear this error.

Using the same method on RHEL5 with kernel 2.6.18-164.el5PAE, it works, but CentOS
did not work.

Regards

Original comment by deman...@gmail.com on 25 Jul 2013 at 6:37

GoogleCodeExporter commented 9 years ago
Hi project member

I found something.

In the tools/linux directory, running 'make' prints the messages below.

----------------------------------------------------------------------------------------------------
[root@cent58_x86 linux]# make
make -C //lib/modules/2.6.18-348.12.1.el5/build CONFIG_DEBUG_INFO=y M=/root/volatility-read-only/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.12.1.el5-i686'
  CC [M]  /root/volatility-read-only/tools/linux/module.o
/root/volatility-read-only/tools/linux/module.c:303:5: warning: "STATS" is not defined
/root/volatility-read-only/tools/linux/module.c:319:5: warning: "DEBUG" is not defined
  Building modules, stage 2.
  MODPOST
  CC      /root/volatility-read-only/tools/linux/module.mod.o
  LD [M]  /root/volatility-read-only/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.12.1.el5-i686'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-348.12.1.el5/build M=/root/volatility-read-only/tools/linux clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-348.12.1.el5-i686'
  CLEAN   /root/volatility-read-only/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-348.12.1.el5-i686'
----------------------------------------------------------------------------------------------------

On other Linux systems there is no warning message that "STATS" is not defined and "DEBUG"
is not defined.

Are these warning messages the point of my error?

Regards

Original comment by deman...@gmail.com on 26 Jul 2013 at 5:18

GoogleCodeExporter commented 9 years ago
Hi project member

I installed the OS, made the profile and tested again, and it works.
Sorry for wasting your time.
I found out that the Linux profile depends on the kernel version,
so I made many Linux profiles for the Linux distributions frequently used in Korea.

Now I am testing CentOS profiles for the i686 and x64 versions.
When my test is done, I will send you the profiles.

Regards

Original comment by deman...@gmail.com on 30 Jul 2013 at 1:22
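Two checks would have shortened this thread, and the added example below (my own code, not part of the issue or of the Volatility project) does both: it confirms that a profile zip carries a module.dwarf plus a System.map, and that the kernel release in the System.map name is exactly the `uname -r` of the imaged machine (the reporter's conclusion above: the profile depends on the kernel version); and it tells a LiME-format capture, which begins with LiME's 32-byte header (magic 0x4C694D45, from LiME's lime.h), from a raw one, which is what Volatility's "Invalid Lime header signature" lines above are reporting for a raw dump. The sample zip and header bytes are constructed inline; the function names are mine.

```python
"""Sanity checks for a Volatility 2 Linux profile zip and the capture it is for.

Added example, not code from this issue or from the Volatility project.
Checks: (1) the profile zip carries a module.dwarf and a System.map, and the
kernel release in the System.map name equals the `uname -r` of the machine
that was imaged; (2) whether a capture starts with LiME's 32-byte header
(magic 0x4C694D45, per LiME's lime.h) or is a raw dump without one.
The sample zip and header bytes built here are constructed for the demo.
"""
import io
import re
import struct
import zipfile

LIME_MAGIC = 0x4C694D45                 # "LiME", stored little-endian on x86
LIME_HEADER_FMT = "<IIQQQ"              # magic, version, s_addr, e_addr, reserved
LIME_HEADER_LEN = struct.calcsize(LIME_HEADER_FMT)   # 32 bytes

# Matches "System.map-<release>" anywhere in the zip, e.g. boot/System.map-2.6.18-348.6.1.el5
SYSMAP_RE = re.compile(r"(?:^|/)System\.map-(?P<release>[^/]+)$")


def inspect_profile(zip_bytes):
    """Report the dwarf and System.map members of a profile zip and any problems found."""
    info = {"dwarf": None, "system_map": None, "kernel_release": None, "problems": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dwarf"):
                info["dwarf"] = name
                if zf.getinfo(name).file_size == 0:
                    info["problems"].append("dwarf file is empty")
            match = SYSMAP_RE.search(name)
            if match:
                info["system_map"] = name
                info["kernel_release"] = match.group("release")
    if info["dwarf"] is None:
        info["problems"].append("no module.dwarf in profile")
    if info["system_map"] is None:
        info["problems"].append("no System.map in profile")
    return info


def profile_matches_kernel(zip_bytes, uname_r):
    """True only if the profile is complete and was built for kernel release `uname_r`."""
    info = inspect_profile(zip_bytes)
    return not info["problems"] and info["kernel_release"] == uname_r


def detect_dump_format(head):
    """Classify a capture by its first bytes: 'lime', 'raw', or 'unknown' (too short)."""
    if len(head) < LIME_HEADER_LEN:
        return "unknown"
    magic, version, s_addr, e_addr, _ = struct.unpack(LIME_HEADER_FMT, head[:LIME_HEADER_LEN])
    if magic == LIME_MAGIC and version == 1 and e_addr >= s_addr:
        return "lime"
    return "raw"


def build_sample_profile(release, with_dwarf=True):
    """Constructed stand-in for 'zip CentOS58.zip module.dwarf /boot/System.map-<release>'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_dwarf:
            zf.writestr("module.dwarf", "<constructed placeholder for dwarfdump -di output>")
        zf.writestr("boot/System.map-" + release, "c0100000 T startup_32\n")
    return buf.getvalue()


def build_sample_lime_head():
    """Constructed first 32 bytes of a LiME-format capture describing one range 0..0x7fff."""
    return struct.pack(LIME_HEADER_FMT, LIME_MAGIC, 1, 0, 0x7FFF, 0)


if __name__ == "__main__":
    good = build_sample_profile("2.6.18-348.6.1.el5")
    print(inspect_profile(good))
    print("built for 2.6.18-348.6.1.el5:", profile_matches_kernel(good, "2.6.18-348.6.1.el5"))
    print("built for 2.6.18-348.12.1.el5:", profile_matches_kernel(good, "2.6.18-348.12.1.el5"))
    print("lime head:", detect_dump_format(build_sample_lime_head()))
    print("zeroed head:", detect_dump_format(b"\x00" * 64))
```

Against real files, pass `open("CentOS58.zip", "rb").read()` to `inspect_profile` and the first 32 bytes of the capture to `detect_dump_format`; a "raw" result with a profile whose release does not equal `uname -r` on the imaged box reproduces exactly the failure pattern shown in the -dd output above.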

GoogleCodeExporter commented 9 years ago

Original comment by atc...@gmail.com on 18 Sep 2013 at 3:04