volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Loading custom LiME dumps? #486

Open Manouchehri opened 6 years ago

Manouchehri commented 6 years ago

After trying to create a LiME dump from a 32-bit kcore file (kcore2lime), I'm unable to load it in Volatility. I can't figure out what the debug output is complaining about. Any tips?

ubuntu140405.zip

kcore.zip

test.2.lime.zip

~ # vol.py -f /samples/test.2.lime --profile=Linuxubuntu140405x86 -dd limeinfo
Volatility Foundation Volatility Framework 2.6
DEBUG   : volatility.debug    : ubuntu140405: Found dwarf file boot/System.map-3.13.0-128-generic with 654 symbols
DEBUG   : volatility.debug    : ubuntu140405: Found system file boot/System.map-3.13.0-128-generic with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.debug    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.debug    : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.Win10AMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating Win10AMD64PagedMemory: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsAMD64PagedMemory: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating LinuxAMD64PagedMemory: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.debug    : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.debug    : Failed instantiating OSXPmemELF: No base Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.debug    : ubuntu140405: Found dwarf file boot/System.map-3.13.0-128-generic with 654 symbols
DEBUG   : volatility.debug    : ubuntu140405: Found system file boot/System.map-3.13.0-128-generic with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7efec0d50fd0>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.debug    : None object instantiated: Invalid Address 0x3F3FE040, instantiating lime_header
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7efec0d50610>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.debug    : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0x0
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.debug    : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.Win10AMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating Win10AMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating LinuxAMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.debug    : Failed instantiating AMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.debug    : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1  : volatility.debug    : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1  : volatility.debug    : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1  : volatility.debug    : None object instantiated: Unable to read base AS at 0xfffffff8L
DEBUG1  : volatility.debug    : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.debug    : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1  : volatility.debug    : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1  : volatility.debug    : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1  : volatility.debug    : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.debug    : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.debug    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.debug    : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1  : volatility.debug    : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1  : volatility.debug    : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1  : volatility.debug    : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1  : volatility.debug    : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1  : volatility.debug    : None object instantiated: No suggestions available
DEBUG1  : volatility.debug    : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 Win10AMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0x0
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 Win10AMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
 WindowsAMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
 LinuxAMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
 AMD64PagedMemory: Incompatible profile Linuxubuntu140405x86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
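The line that matters in the trace above is `None object instantiated: Invalid Address 0x3F3FE040, instantiating lime_header`: the LiME address space accepted the first range header and then failed when it tried to read the next header further into the file. A quick way to see what a converter such as kcore2lime actually wrote is to walk the header chain yourself and report the offset at which it breaks. The script below is an added example, not code from this issue or from Volatility; it assumes the LiME range-header layout from the LiME source (32 bytes, little-endian: `u32 magic = 0x4C694D45`, `u32 version = 1`, `u64 s_addr`, `u64 e_addr` inclusive, 8 reserved bytes), and the three dumps it checks are constructed in memory so it runs offline.

```python
import mmap
import struct
import sys

# LiME range header, from the LiME source: 32 bytes, little-endian.
#   u32 magic (0x4C694D45, reads as "EMiL"), u32 version (1),
#   u64 s_addr, u64 e_addr (inclusive), u8 reserved[8]
LIME_MAGIC = 0x4C694D45
LIME_HDR = struct.Struct("<IIQQ8s")
LIME_HDR_SIZE = LIME_HDR.size  # 32


def walk_lime_segments(data):
    """Walk the chain of LiME range headers in a dump held in a buffer.

    Returns (segments, error). `segments` lists (file_offset, s_addr, e_addr)
    for every well-formed header seen, in file order; `error` is None when
    the chain ends exactly at end-of-file, otherwise a string naming the first
    problem and the file offset at which it was found.
    """
    segments = []
    off = 0
    size = len(data)
    while off < size:
        if off + LIME_HDR_SIZE > size:
            return segments, "truncated header at file offset 0x%X" % off
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC:
            return segments, "invalid LiME magic 0x%08X at file offset 0x%X" % (magic, off)
        if version != 1:
            return segments, "unsupported LiME header version %d at file offset 0x%X" % (version, off)
        if e_addr < s_addr:
            return segments, "range end below range start in header at file offset 0x%X" % off
        length = e_addr - s_addr + 1  # e_addr is inclusive
        segments.append((off, s_addr, e_addr))
        remaining = size - off - LIME_HDR_SIZE
        if length > remaining:
            return segments, "segment at file offset 0x%X claims %d bytes but only %d remain" % (
                off, length, remaining)
        off += LIME_HDR_SIZE + length  # next header follows the range data
    return segments, None


def make_segment(s_addr, e_addr, payload):
    """Build one header + data range (used only to construct sample dumps)."""
    return LIME_HDR.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\x00" * 8) + payload


# Constructed sample dumps (not real captures).
# Two well-formed ranges with a gap between them, as a real LiME dump has.
GOOD_DUMP = (make_segment(0x1000, 0x1FFF, b"\xAA" * 0x1000)
             + make_segment(0x100000, 0x1000FF, b"\xBB" * 0x100))
# Second range written without its header: the walker reads data as a header.
BAD_DUMP = make_segment(0x1000, 0x1FFF, b"\xAA" * 0x1000) + b"\xBB" * 0x100
# Header promises 4096 bytes but the file ends after 2048.
TRUNCATED_DUMP = make_segment(0x1000, 0x1FFF, b"\xAA" * 0x800)


def check_lime_file(path):
    """Walk a LiME dump on disk without loading it into memory."""
    with open(path, "rb") as f:
        m = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        try:
            return walk_lime_segments(m)
        finally:
            m.close()


def describe(segments, error):
    lines = ["%-12s %-18s %-18s" % ("file off", "phys start", "phys end")]
    for off, s, e in segments:
        lines.append("0x%-10X 0x%-16X 0x%-16X" % (off, s, e))
    lines.append("chain OK" if error is None else "chain broken: " + error)
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(describe(*check_lime_file(sys.argv[1])))
    else:
        for name, dump in (("GOOD", GOOD_DUMP), ("BAD", BAD_DUMP), ("TRUNCATED", TRUNCATED_DUMP)):
            print("== %s ==" % name)
            print(describe(*walk_lime_segments(dump)))
```

Run it with the path to a dump to get the range table and the first broken offset; with no argument it checks the three constructed samples. A chain that ends early, a header whose magic is not `EMiL`, or a range that claims more bytes than the file holds each point at a different converter bug, and the reported file offset can be compared directly against the address in the `instantiating lime_header` debug line.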
lflish commented 6 years ago

@Manouchehri I have a similar problem to yours. Have you found a solution?

Manouchehri commented 6 years ago

Nope, sorry.

lflish commented 6 years ago

I changed the system and it is OK, but I'm not sure why some systems give an error. You can try it on a different kernel system.

Manouchehri commented 6 years ago

Wait, does kcore2lime work on any system for you? I didn't think I finished it, but maybe my memory is wrong.