Open fpusersuggest opened 7 years ago
I am struggling with the same issue. Works fine on RHEL but not Ubuntu or Debian
Turns out this is certainly an issue with kernel 4.x
The message Invalid Lime header signature is kind of misleading. The debug output implies that Volatility detected that the image format is lime. The underlying problem is probably the LinuxAMD64PagedMemory address space validation, i.e. Volatility cannot determine the correct DTB or the applied profile doesn't match the exact build of the kernel.
You could try giving the linux_kaslr_shift plugin in PR volatilityfoundation/volatility#385 a shot and see if it finds the multiple DTBs and try those.
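Added example, not part of the thread and not Volatility's or LiME's own code: a stand-alone check that a capture is well-formed LiME, which helps separate a damaged image from the DTB/profile problem described in the comment above. It assumes the LiME range header layout (32 bytes: magic 0x4C694D45, version 1, inclusive start and end physical addresses, 8 reserved bytes) written little-endian as on x86-64; the function names and the sample image are constructed here.

```python
import io
import struct

LIME_MAGIC = 0x4C694D45                 # bytes "EMiL" on disk (little-endian)
LIME_HEADER = struct.Struct("<IIQQ8x")  # magic, version, s_addr, e_addr, reserved[8]


def parse_lime_segments(stream):
    """Walk every LiME range header; return [(start, end, data_offset), ...]."""
    stream.seek(0, io.SEEK_END)
    total = stream.tell()
    stream.seek(0)
    segments = []
    while stream.tell() < total:
        offset = stream.tell()
        raw = stream.read(LIME_HEADER.size)
        if len(raw) < LIME_HEADER.size:
            raise ValueError("truncated LiME header at offset %d" % offset)
        magic, version, start, end = LIME_HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, offset))
        if version != 1 or end < start:
            raise ValueError("implausible header at offset %d" % offset)
        data_offset = offset + LIME_HEADER.size
        size = end - start + 1          # e_addr is inclusive
        if data_offset + size > total:
            raise ValueError("segment at offset %d runs past end of file" % offset)
        segments.append((start, end, data_offset))
        stream.seek(data_offset + size)  # jump over the memory contents
    return segments


def build_sample():
    """Constructed two-segment image (zero-filled, not real memory)."""
    image = b""
    for start, size in ((0x1000, 4096), (0x100000, 512)):
        image += LIME_HEADER.pack(LIME_MAGIC, 1, start, start + size - 1)
        image += b"\x00" * size
    return image


if __name__ == "__main__":
    for start, end, off in parse_lime_segments(io.BytesIO(build_sample())):
        print("phys 0x%x-0x%x at file offset %d" % (start, end, off))
```

To check a real capture, pass an open binary file instead of the sample, e.g. `parse_lime_segments(open("ram.lime", "rb"))`. If every header parses, the container is intact and attention can move to the profile and DTB.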
Could you please git pull to update to the latest version of Volatility and then test again? I added support for Linux 4.9+
Are you using a sub-version of 16.04 (e.g. 16.04.2)? This made a difference for me. I had to build the profile manually (easy process), since 16.04.2 is not included in the default.
The message Invalid Lime header signature is kind of misleading. The debug output implies that Volatility detected that the image format is lime. The underlying problem is probably the LinuxAMD64PagedMemory address space validation, i.e. Volatility cannot determine the correct DTB or the applied profile doesn't match the exact build of the kernel.
You could try giving the linux_kaslr_shift plugin in PR #385 a shot and see if it finds the multiple DTBs and try those.
Looks like I've hit the same issue. Tried PR #385 but it won't work.
uname -a
Linux xxx 4.18.0-326.el8.x86_64 #1 SMP Wed Jul 28 21:21:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/redhat-release
CentOS Stream release 8
git log |head -3
commit 1e2f7ca441e20e257590a8b0b404f4a3602cbd18
Author: Bastian Neuburger <b.neuburger@gsi.de>
Date: Thu Apr 6 07:56:14 2017 +0200
python2 ./vol.py -d -f ../ram.lime --profile=LinuxCurrentLinuxx64 linux_psaux 2>&1|tee out.debug
EDIT: won't work with linux_kaslr_shift. Looks the same.
python2 ./vol.py -d -f ../ram.lime --profile=LinuxCurrentLinuxx64 linux_kaslr_shift 2>&1 |tee debug2.txt
Hi, I am on Ubuntu 16.04 LTS and
and the following is the problem:
As I understand the following is the header: