Closed GoogleCodeExporter closed 9 years ago
Could you should your full command-line when invoking volatility and also:
1) hexdump the first 512 bytes of the .vmem and .vmsn and paste the output
2) run the vmwareinfo plugin on the .vmem and .vmsn files and paste the output
Thanks!
Original comment by michael.hale@gmail.com
on 7 Oct 2013 at 1:14
I'm going to close this issue due to lack of detail/information required to
investigate the bug. Feel free to re-open if you decide to pursue this further.
Original comment by michael.hale@gmail.com
on 25 Oct 2013 at 12:27
there are two formats of vmware snapshot file. one use vmsn to encapsulate the
memory along with the meta data, the other format .vmsn only has the metadata
and .vmem has the raw dump of vm memory. i think the current
plugins/address/vmware.py can only handle the monolithic one.
if you can convince volatility that vmem is a raw dump of memory, you might can
get the desired result.
> python $VOL_BASE/vol.py --filename="Ubuntu13.10_64bit-Snapshot2.vmem"
--profile=LinuxUbuntu1310_3_12_0-7-genericx64 --debug linux_banner
>
> DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x10cf1f5d0>
> DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x10ca09f50>
but
> python $VOL_BASE/vol.py --filename="Ubuntu13.10_64bit-Snapshot2.vmem"
--debug volshell
>
> DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x10bf96790>
can only recognize FileAddressSpace, so i believe it might has something to do
with the profile.
Original comment by dyno.fu
on 10 Jan 2014 at 7:55
yes, dyno.fu, you must specify the correct profile in order to get Volatility
to realize that it is a Linux memory sample and process it correctly. The raw
.vmem file can be processed by Volatility in this case without the vmware
address space since it's just a 1:1 representation of RAM.
It's not entirely clear if qianfeng04161001 specified the profile in their
commandline or not because they never wrote back with an answer to MHL's
request.
Original comment by jamie.l...@gmail.com
on 10 Jan 2014 at 8:01
Original issue reported on code.google.com by
qianfeng...@gmail.com
on 3 Oct 2013 at 10:18