search

volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0
7.36k stars 1.28k forks source link

linux_check_fop: this is a bug or rootkit clues ? #543

Open fpusersuggest opened 6 years ago

fpusersuggest commented 6 years ago

As I understand all the output of linux_check_fop means hooks something. I have the following output on kernel 4.4.0-116 and ubuntu 16.04

# ./vol.py -f ../SAMPLES/sBOX.lime --profile=Linuxlxle1604x64  linux_check_fop
Volatility Foundation Volatility Framework 2.6
Symbol Name                                Member                                    Address
------------------------------------------ ------------------------------ ------------------
systemd 37 []                              compat_ioctl                   0xffffffffc0140860
systemd 37 []                              unlocked_ioctl                 0xffffffffc0140840
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
/proc/net/pppoe                            open                           0xffffffffc060f600
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
/proc/net/pppoe                            open                           0xffffffffc060f600
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
/proc/net/pppoe                            open                           0xffffffffc060f600
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
WARNING : volatility.debug    : NoneObject as string: Invalid Address 0x00000000, instantiating String

and --debug:

# ./vol.py -f ../SAMPLES/sBOX.lime --profile=Linuxlxle1604x64  --debug linux_check_fop
Volatility Foundation Volatility Framework 2.6
DEBUG   : volatility.debug    : lxle1604: Found dwarf file boot/System.map-4.4.0-116-generic with 755 symbols
DEBUG   : volatility.debug    : lxle1604: Found system file boot/System.map-4.4.0-116-generic with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : Applying modification from Win10ObjectClasses
DEBUG   : volatility.debug    : lxle1604: Found dwarf file boot/System.map-4.4.0-116-generic with 755 symbols
DEBUG   : volatility.debug    : lxle1604: Found system file boot/System.map-4.4.0-116-generic with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : Applying modification from Win10ObjectClasses
Symbol Name                                Member                                    Address
------------------------------------------ ------------------------------ ------------------
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f93d4120a50>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f93d4120a10>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f93d4120fd0>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f93d412b650>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f93d412b610>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f93d412b690>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f93d412bd50>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f93d412bc90>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f93d412bc50>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f93d412bd90>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f93d413b0d0>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f93d413b090>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
systemd 37 []                              compat_ioctl                   0xffffffffc0140860
systemd 37 []                              unlocked_ioctl                 0xffffffffc0140840
DEBUG   : volatility.debug    : Requested symbol proc_mnt not found in module kernel

/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
/proc/net/pppoe                            open                           0xffffffffc060f600
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
/proc/net/pppoe                            open                           0xffffffffc060f600
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
/proc/net/pppoe                            open                           0xffffffffc060f600
/proc/net/netfilter/nfnetlink_log          open                           0xffffffffc0730160
/proc/net/netfilter/nfnetlink_queue        open                           0xffffffffc069e6d0
/proc/net/ip_tables_names                  open                           0xffffffffc041dec0
/proc/net/ip_tables_matches                open                           0xffffffffc041dc20
/proc/net/ip6_tables_names                 open                           0xffffffffc041dec0
/proc/net/ip6_tables_matches               open                           0xffffffffc041dc20
/proc/net/ip_tables_targets                open                           0xffffffffc041dbd0
/proc/net/ip6_tables_targets               open                           0xffffffffc041dbd0
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f93d413b710>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f93d413bbd0>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f93d413b650>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f93d4142e90>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f93d4142d10>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f93d4147390>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
WARNING : volatility.debug    : NoneObject as string: Invalid Address 0x00000000, instantiating String
fpusersuggest commented 6 years ago

With a new lime dump I have a different output:

# ./vol.py -f /root/sources/SAMPLES/sBOX_23082018.lime --profile=Linuxlxle1604x64 linux_check_fop
Volatility Foundation Volatility Framework 2.6
Symbol Name                                Member                                    Address
------------------------------------------ ------------------------------ ------------------
proc_mnt: ffff880116c08240:299             lock                                        0x223
proc_mnt: ffff880116c08240:299             compat_ioctl                   0xffff880036a05000
proc_mnt: ffff880116c08240:299             llseek                         0xffff880116c53250
proc_mnt: ffff880116c08240:299             flock                                      0x1000
proc_mnt: ffff880116c08240:299             poll                           0xffffffffffff0000
proc_mnt: ffff880116c08240:299             mmap                           0xffff880116c29a00
proc_mnt: ffff880116c08240:299             sendpage                       0xffff880116c532d8
proc_mnt: ffff880116c08240:299             write_iter                     0xffff880116c53270
proc_mnt: ffff880116c08240:299             read_iter                                   0x223
proc_mnt: ffff880116c08240:299             splice_read                    0xffff880116c29a00
proc_mnt: ffff880116c08240:299             show_fdinfo                    0xffff880116c53320
proc_mnt: ffff880116c08240:299             iterate                        0xffffea0000da8140
proc_mnt: ffff880116c08240:299             splice_write                   0xffff880036a06000
proc_mnt: ffff880116c08240:299             unlocked_ioctl                             0x1000
proc_mnt: ffff880116c08240:299             fsync                          0xffff880116c532b8
proc_mnt: ffff880116c08240:299             get_unmapped_area              0xffffea0000da8180
proc_mnt: ffff880116c08240:299             release                        0xffff880116c532b8
proc_mnt: ffff880116c08240:299             check_flags                    0xffffffffffff0000
/var/lib/333/fd/16                         lock                                        0x223
/var/lib/333/fd/16                         compat_ioctl                   0xffff8800368af000
/var/lib/333/fd/16                         llseek                         0xffff880116c7b250
/var/lib/333/fd/16                         flock                                      0x1000
/var/lib/333/fd/16                         poll                           0xffffffffffff0000
/var/lib/333/fd/16                         mmap                           0xffff880116c29a00
/var/lib/333/fd/16                         sendpage                       0xffff880116c7b2d8
/var/lib/333/fd/16                         write_iter                     0xffff880116c7b270
/var/lib/333/fd/16                         read_iter                                   0x223
/var/lib/333/fd/16                         splice_read                    0xffff880116c29a00
/var/lib/333/fd/16                         show_fdinfo                    0xffff880116c7b320
/var/lib/333/fd/16                         iterate                        0xffffea0000da2bc0
/var/lib/333/fd/16                         splice_write                   0xffff8800368b0000
/var/lib/333/fd/16                         unlocked_ioctl                             0x1000
/var/lib/333/fd/16                         fsync                          0xffff880116c7b2b8
/var/lib/333/fd/16                         get_unmapped_area              0xffffea0000da2c00
/var/lib/333/fd/16                         release                        0xffff880116c7b2b8
/var/lib/333/fd/16                         check_flags                    0xffffffffffff0000
/var/lib/333/fd/15                         lock                                        0x223
/var/lib/333/fd/15                         compat_ioctl                   0xffff8800368b5000
/var/lib/333/fd/15                         llseek                         0xffff880116c7b4c0
/var/lib/333/fd/15                         flock                                      0x1000
/var/lib/333/fd/15                         poll                           0xffffffffffff0000
/var/lib/333/fd/15                         mmap                           0xffff880116c29a00
/var/lib/333/fd/15                         sendpage                       0xffff880116c7b548
/var/lib/333/fd/15                         write_iter                     0xffff880116c7b4e0
/var/lib/333/fd/15                         read_iter                                   0x223
/var/lib/333/fd/15                         splice_read                    0xffff880116c29a00
/var/lib/333/fd/15                         show_fdinfo                    0xffff880116c7b590
/var/lib/333/fd/15                         iterate                        0xffffea0000da2d40
/var/lib/333/fd/15                         splice_write                   0xffff8800368b6000
/var/lib/333/fd/15                         unlocked_ioctl                             0x1000
/var/lib/333/fd/15                         fsync                          0xffff880116c7b528
/var/lib/333/fd/15                         get_unmapped_area              0xffffea0000da2d80
/var/lib/333/fd/15                         release                        0xffff880116c7b528
/var/lib/333/fd/15                         check_flags                    0xffffffffffff0000
/var/lib/333/fd/14                         lock                                        0x223
/var/lib/333/fd/14                         compat_ioctl                   0xffff8800368bb000
/var/lib/333/fd/14                         llseek                         0xffff880116c7b730
/var/lib/333/fd/14                         flock                                      0x1000
/var/lib/333/fd/14                         poll                           0xffffffffffff0000
/var/lib/333/fd/14                         mmap                           0xffff880116c29a00
/var/lib/333/fd/14                         sendpage                       0xffff880116c7b7b8
/var/lib/333/fd/14                         write_iter                     0xffff880116c7b750
/var/lib/333/fd/14                         read_iter                                   0x223
/var/lib/333/fd/14                         splice_read                    0xffff880116c29a00
/var/lib/333/fd/14                         show_fdinfo                    0xffff880116c7b800
/var/lib/333/fd/14                         iterate                        0xffffea0000da2ec0
/var/lib/333/fd/14                         splice_write                   0xffff8800368bc000
/var/lib/333/fd/14                         unlocked_ioctl                             0x1000
/var/lib/333/fd/14                         fsync                          0xffff880116c7b798
/var/lib/333/fd/14                         get_unmapped_area              0xffffea0000da2f00
/var/lib/333/fd/14                         release                        0xffff880116c7b798
/var/lib/333/fd/14                         check_flags                    0xffffffffffff0000
/var/lib/333/fd/13                         lock                                        0x223
/var/lib/333/fd/13                         compat_ioctl                   0xffff8800368c1000
/var/lib/333/fd/13                         llseek                         0xffff880116c7b9a0
/var/lib/333/fd/13                         flock                                      0x1000
/var/lib/333/fd/13                         poll                           0xffffffffffff0000
/var/lib/333/fd/13                         mmap                           0xffff880116c29a00
/var/lib/333/fd/13                         sendpage                       0xffff880116c7ba28
/var/lib/333/fd/13                         write_iter                     0xffff880116c7b9c0
/var/lib/333/fd/13                         read_iter                                   0x223
/var/lib/333/fd/13                         splice_read                    0xffff880116c29a00
/var/lib/333/fd/13                         show_fdinfo                    0xffff880116c7ba70
/var/lib/333/fd/13                         iterate                        0xffffea0000da3040
/var/lib/333/fd/13                         splice_write                   0xffff8800368c2000
/var/lib/333/fd/13                         unlocked_ioctl                             0x1000
/var/lib/333/fd/13                         fsync                          0xffff880116c7ba08
/var/lib/333/fd/13                         get_unmapped_area              0xffffea0000da3080
/var/lib/333/fd/13                         release                        0xffff880116c7ba08
/var/lib/333/fd/13                         check_flags                    0xffffffffffff0000
/var/lib/333/fd/12                         lock                                        0x223
/var/lib/333/fd/12                         compat_ioctl                   0xffff8800368c7000
/var/lib/333/fd/12                         llseek                         0xffff880116c7bc10
/var/lib/333/fd/12                         flock                                      0x1000
/var/lib/333/fd/12                         poll                           0xffffffffffff0000
/var/lib/333/fd/12                         mmap                           0xffff880116c29a00
/var/lib/333/fd/12                         sendpage                       0xffff880116c7bc98
/var/lib/333/fd/12                         write_iter                     0xffff880116c7bc30
/var/lib/333/fd/12                         read_iter                                   0x223
/var/lib/333/fd/12                         splice_read                    0xffff880116c29a00
/var/lib/333/fd/12                         show_fdinfo                    0xffff880116c7bce0
/var/lib/333/fd/12                         iterate                        0xffffea0000da31c0
/var/lib/333/fd/12                         splice_write                   0xffff8800368c8000
/var/lib/333/fd/12                         unlocked_ioctl                             0x1000
/var/lib/333/fd/12                         fsync                          0xffff880116c7bc78
/var/lib/333/fd/12                         get_unmapped_area              0xffffea0000da3200
/var/lib/333/fd/12                         release                        0xffff880116c7bc78
/var/lib/333/fd/12                         check_flags                    0xffffffffffff0000
/var/lib/333/fd/11                         lock                                        0x223
/var/lib/333/fd/11                         compat_ioctl                   0xffff8800368cd000
/var/lib/333/fd/11                         llseek                         0xffff880116c7be80
/var/lib/333/fd/11                         flock                                      0x1000
/var/lib/333/fd/11                         poll                           0xffffffffffff0000
/var/lib/333/fd/11                         mmap                           0xffff880116c29a00
/var/lib/333/fd/11                         sendpage                       0xffff880116c7bf08
/var/lib/333/fd/11                         write_iter                     0xffff880116c7bea0
/var/lib/333/fd/11                         read_iter                                   0x223
/var/lib/333/fd/11                         splice_read                    0xffff880116c29a00
/var/lib/333/fd/11                         show_fdinfo                    0xffff880116c7bf50
/var/lib/333/fd/11                         iterate                        0xffffea0000da3340
/var/lib/333/fd/11                         splice_write                   0xffff8800368ce000
/var/lib/333/fd/11                         unlocked_ioctl                             0x1000
/var/lib/333/fd/11                         fsync                          0xffff880116c7bee8
/var/lib/333/fd/11                         get_unmapped_area              0xffffea0000da3380
/var/lib/333/fd/11                         release                        0xffff880116c7bee8
/var/lib/333/fd/11                         check_flags                    0xffffffffffff0000
/var/lib/299                               lock                                        0x223
/var/lib/299                               compat_ioctl                   0xffff880036a05000
/var/lib/299                               llseek                         0xffff880116c53250
/var/lib/299                               flock                                      0x1000
/var/lib/299                               poll                           0xffffffffffff0000
/var/lib/299                               mmap                           0xffff880116c29a00
/var/lib/299                               sendpage                       0xffff880116c532d8
/var/lib/299                               write_iter                     0xffff880116c53270
/var/lib/299                               read_iter                                   0x223
/var/lib/299                               splice_read                    0xffff880116c29a00
/var/lib/299                               show_fdinfo                    0xffff880116c53320
/var/lib/299                               iterate                        0xffffea0000da8140
/var/lib/299                               splice_write                   0xffff880036a06000
/var/lib/299                               unlocked_ioctl                             0x1000
/var/lib/299                               fsync                          0xffff880116c532b8
/var/lib/299                               get_unmapped_area              0xffffea0000da8180
/var/lib/299                               release                        0xffff880116c532b8
/var/lib/299                               check_flags                    0xffffffffffff0000
/var/lib/94/stat                           lock                                        0x223
/var/lib/94/stat                           compat_ioctl                   0xffff880036a11000
/var/lib/94/stat                           llseek                         0xffff880116c53730
/var/lib/94/stat                           flock                                      0x1000
/var/lib/94/stat                           poll                           0xffffffffffff0000
/var/lib/94/stat                           mmap                           0xffff880116c29a00
/var/lib/94/stat                           sendpage                       0xffff880116c537b8
/var/lib/94/stat                           write_iter                     0xffff880116c53750
/var/lib/94/stat                           read_iter                                   0x223
/var/lib/94/stat                           splice_read                    0xffff880116c29a00
/var/lib/94/stat                           show_fdinfo                    0xffff880116c53800
/var/lib/94/stat                           iterate                        0xffffea0000da8440
/var/lib/94/stat                           splice_write                   0xffff880036a12000
/var/lib/94/stat                           unlocked_ioctl                             0x1000
/var/lib/94/stat                           fsync                          0xffff880116c53798
/var/lib/94/stat                           get_unmapped_area              0xffffea0000da8480
/var/lib/94/stat                           release                        0xffff880116c53798
/var/lib/94/stat                           check_flags                    0xffffffffffff0000
/var/lib/93/exe                            lock                                        0x223
/var/lib/93/exe                            compat_ioctl                   0xffff880036a23000
/var/lib/93/exe                            llseek                         0xffff880116c53e80
/var/lib/93/exe                            flock                                      0x1000
/var/lib/93/exe                            poll                           0xffffffffffff0000
/var/lib/93/exe                            mmap                           0xffff880116c29a00
/var/lib/93/exe                            sendpage                       0xffff880116c53f08
/var/lib/93/exe                            write_iter                     0xffff880116c53ea0
/var/lib/93/exe                            read_iter                                   0x223
/var/lib/93/exe                            splice_read                    0xffff880116c29a00
/var/lib/93/exe                            show_fdinfo                    0xffff880116c53f50
/var/lib/93/exe                            iterate                        0xffffea0000da88c0
/var/lib/93/exe                            splice_write                   0xffff880036a24000
/var/lib/93/exe                            unlocked_ioctl                             0x1000
/var/lib/93/exe                            fsync                          0xffff880116c53ee8
/var/lib/93/exe                            get_unmapped_area              0xffffea0000da8900
/var/lib/93/exe                            release                        0xffff880116c53ee8
/var/lib/93/exe                            check_flags                    0xffffffffffff0000
/var/lib/93/stat                           lock                                        0x223
/var/lib/93/stat                           compat_ioctl                   0xffff880036a1d000
/var/lib/93/stat                           llseek                         0xffff880116c53c10
/var/lib/93/stat                           flock                                      0x1000
/var/lib/93/stat                           poll                           0xffffffffffff0000
/var/lib/93/stat                           mmap                           0xffff880116c29a00
/var/lib/93/stat                           sendpage                       0xffff880116c53c98
/var/lib/93/stat                           write_iter                     0xffff880116c53c30
/var/lib/93/stat                           read_iter                                   0x223
/var/lib/93/stat                           splice_read                    0xffff880116c29a00
/var/lib/93/stat                           show_fdinfo                    0xffff880116c53ce0
/var/lib/93/stat                           iterate                        0xffffea0000da8740
/var/lib/93/stat                           splice_write                   0xffff880036a1e000
/var/lib/93/stat                           unlocked_ioctl                             0x1000
/var/lib/93/stat                           fsync                          0xffff880116c53c78
/var/lib/93/stat                           get_unmapped_area              0xffffea0000da8780
/var/lib/93/stat                           release                        0xffff880116c53c78
/var/lib/93/stat                           check_flags                    0xffffffffffff0000
/var/lib/92/exe                            lock                                        0x223
/var/lib/92/exe                            compat_ioctl                   0xffff880036a17000
/var/lib/92/exe                            llseek                         0xffff880116c539a0
/var/lib/92/exe                            flock                                      0x1000
/var/lib/92/exe                            poll                           0xffffffffffff0000
/var/lib/92/exe                            mmap                           0xffff880116c29a00
/var/lib/92/exe                            sendpage                       0xffff880116c53a28
/var/lib/92/exe                            write_iter                     0xffff880116c539c0
/var/lib/92/exe                            read_iter                                   0x223
/var/lib/92/exe                            splice_read                    0xffff880116c29a00
/var/lib/92/exe                            show_fdinfo                    0xffff880116c53a70
/var/lib/92/exe                            iterate                        0xffffea0000da85c0
/var/lib/92/exe                            splice_write                   0xffff880036a18000
/var/lib/92/exe                            unlocked_ioctl                             0x1000
/var/lib/92/exe                            fsync                          0xffff880116c53a08
/var/lib/92/exe                            get_unmapped_area              0xffffea0000da8600
/var/lib/92/exe                            release                        0xffff880116c53a08
/var/lib/92/exe                            check_flags                    0xffffffffffff0000
/proc/333/fd/16                            lock                                        0x223
/proc/333/fd/16                            compat_ioctl                   0xffff8800368af000
/proc/333/fd/16                            llseek                         0xffff880116c7b250
/proc/333/fd/16                            flock                                      0x1000
/proc/333/fd/16                            poll                           0xffffffffffff0000
/proc/333/fd/16                            mmap                           0xffff880116c29a00
/proc/333/fd/16                            sendpage                       0xffff880116c7b2d8
/proc/333/fd/16                            write_iter                     0xffff880116c7b270
/proc/333/fd/16                            read_iter                                   0x223
/proc/333/fd/16                            splice_read                    0xffff880116c29a00
/proc/333/fd/16                            show_fdinfo                    0xffff880116c7b320
/proc/333/fd/16                            iterate                        0xffffea0000da2bc0
/proc/333/fd/16                            splice_write                   0xffff8800368b0000
/proc/333/fd/16                            unlocked_ioctl                             0x1000
/proc/333/fd/16                            fsync                          0xffff880116c7b2b8
/proc/333/fd/16                            get_unmapped_area              0xffffea0000da2c00
/proc/333/fd/16                            release                        0xffff880116c7b2b8
/proc/333/fd/16                            check_flags                    0xffffffffffff0000
/proc/333/fd/15                            lock                                        0x223
/proc/333/fd/15                            compat_ioctl                   0xffff8800368b5000
/proc/333/fd/15                            llseek                         0xffff880116c7b4c0
/proc/333/fd/15                            flock                                      0x1000
/proc/333/fd/15                            poll                           0xffffffffffff0000
/proc/333/fd/15                            mmap                           0xffff880116c29a00
/proc/333/fd/15                            sendpage                       0xffff880116c7b548
/proc/333/fd/15                            write_iter                     0xffff880116c7b4e0
/proc/333/fd/15                            read_iter                                   0x223
/proc/333/fd/15                            splice_read                    0xffff880116c29a00
/proc/333/fd/15                            show_fdinfo                    0xffff880116c7b590
/proc/333/fd/15                            iterate                        0xffffea0000da2d40
/proc/333/fd/15                            splice_write                   0xffff8800368b6000
/proc/333/fd/15                            unlocked_ioctl                             0x1000
/proc/333/fd/15                            fsync                          0xffff880116c7b528
/proc/333/fd/15                            get_unmapped_area              0xffffea0000da2d80
/proc/333/fd/15                            release                        0xffff880116c7b528
/proc/333/fd/15                            check_flags                    0xffffffffffff0000
/proc/333/fd/14                            lock                                        0x223
/proc/333/fd/14                            compat_ioctl                   0xffff8800368bb000
/proc/333/fd/14                            llseek                         0xffff880116c7b730
/proc/333/fd/14                            flock                                      0x1000
/proc/333/fd/14                            poll                           0xffffffffffff0000
/proc/333/fd/14                            mmap                           0xffff880116c29a00
/proc/333/fd/14                            sendpage                       0xffff880116c7b7b8
/proc/333/fd/14                            write_iter                     0xffff880116c7b750
/proc/333/fd/14                            read_iter                                   0x223
/proc/333/fd/14                            splice_read                    0xffff880116c29a00
/proc/333/fd/14                            show_fdinfo                    0xffff880116c7b800
/proc/333/fd/14                            iterate                        0xffffea0000da2ec0
/proc/333/fd/14                            splice_write                   0xffff8800368bc000
/proc/333/fd/14                            unlocked_ioctl                             0x1000
/proc/333/fd/14                            fsync                          0xffff880116c7b798
/proc/333/fd/14                            get_unmapped_area              0xffffea0000da2f00
/proc/333/fd/14                            release                        0xffff880116c7b798
/proc/333/fd/14                            check_flags                    0xffffffffffff0000
/proc/333/fd/13                            lock                                        0x223
/proc/333/fd/13                            compat_ioctl                   0xffff8800368c1000
/proc/333/fd/13                            llseek                         0xffff880116c7b9a0
/proc/333/fd/13                            flock                                      0x1000
/proc/333/fd/13                            poll                           0xffffffffffff0000
/proc/333/fd/13                            mmap                           0xffff880116c29a00
/proc/333/fd/13                            sendpage                       0xffff880116c7ba28
/proc/333/fd/13                            write_iter                     0xffff880116c7b9c0
/proc/333/fd/13                            read_iter                                   0x223
/proc/333/fd/13                            splice_read                    0xffff880116c29a00
/proc/333/fd/13                            show_fdinfo                    0xffff880116c7ba70
/proc/333/fd/13                            iterate                        0xffffea0000da3040
/proc/333/fd/13                            splice_write                   0xffff8800368c2000
/proc/333/fd/13                            unlocked_ioctl                             0x1000
/proc/333/fd/13                            fsync                          0xffff880116c7ba08
/proc/333/fd/13                            get_unmapped_area              0xffffea0000da3080
/proc/333/fd/13                            release                        0xffff880116c7ba08
/proc/333/fd/13                            check_flags                    0xffffffffffff0000
/proc/333/fd/12                            lock                                        0x223
/proc/333/fd/12                            compat_ioctl                   0xffff8800368c7000
/proc/333/fd/12                            llseek                         0xffff880116c7bc10
/proc/333/fd/12                            flock                                      0x1000
/proc/333/fd/12                            poll                           0xffffffffffff0000
/proc/333/fd/12                            mmap                           0xffff880116c29a00
/proc/333/fd/12                            sendpage                       0xffff880116c7bc98
/proc/333/fd/12                            write_iter                     0xffff880116c7bc30
/proc/333/fd/12                            read_iter                                   0x223
/proc/333/fd/12                            splice_read                    0xffff880116c29a00
/proc/333/fd/12                            show_fdinfo                    0xffff880116c7bce0
/proc/333/fd/12                            iterate                        0xffffea0000da31c0
/proc/333/fd/12                            splice_write                   0xffff8800368c8000
/proc/333/fd/12                            unlocked_ioctl                             0x1000
/proc/333/fd/12                            fsync                          0xffff880116c7bc78
/proc/333/fd/12                            get_unmapped_area              0xffffea0000da3200
/proc/333/fd/12                            release                        0xffff880116c7bc78
/proc/333/fd/12                            check_flags                    0xffffffffffff0000
/proc/333/fd/11                            lock                                        0x223
/proc/333/fd/11                            compat_ioctl                   0xffff8800368cd000
/proc/333/fd/11                            llseek                         0xffff880116c7be80
/proc/333/fd/11                            flock                                      0x1000
/proc/333/fd/11                            poll                           0xffffffffffff0000
/proc/333/fd/11                            mmap                           0xffff880116c29a00
/proc/333/fd/11                            sendpage                       0xffff880116c7bf08
/proc/333/fd/11                            write_iter                     0xffff880116c7bea0
/proc/333/fd/11                            read_iter                                   0x223
/proc/333/fd/11                            splice_read                    0xffff880116c29a00
/proc/333/fd/11                            show_fdinfo                    0xffff880116c7bf50
/proc/333/fd/11                            iterate                        0xffffea0000da3340
/proc/333/fd/11                            splice_write                   0xffff8800368ce000
/proc/333/fd/11                            unlocked_ioctl                             0x1000
/proc/333/fd/11                            fsync                          0xffff880116c7bee8
/proc/333/fd/11                            get_unmapped_area              0xffffea0000da3380
/proc/333/fd/11                            release                        0xffff880116c7bee8
/proc/333/fd/11                            check_flags                    0xffffffffffff0000
/proc/299                                  lock                                        0x223
/proc/299                                  compat_ioctl                   0xffff880036a05000
/proc/299                                  llseek                         0xffff880116c53250
/proc/299                                  flock                                      0x1000
/proc/299                                  poll                           0xffffffffffff0000
/proc/299                                  mmap                           0xffff880116c29a00
/proc/299                                  sendpage                       0xffff880116c532d8
/proc/299                                  write_iter                     0xffff880116c53270
/proc/299                                  read_iter                                   0x223
/proc/299                                  splice_read                    0xffff880116c29a00
/proc/299                                  show_fdinfo                    0xffff880116c53320
/proc/299                                  iterate                        0xffffea0000da8140
/proc/299                                  splice_write                   0xffff880036a06000
/proc/299                                  unlocked_ioctl                             0x1000
/proc/299                                  fsync                          0xffff880116c532b8
/proc/299                                  get_unmapped_area              0xffffea0000da8180
/proc/299                                  release                        0xffff880116c532b8
/proc/299                                  check_flags                    0xffffffffffff0000
/proc/94/stat                              lock                                        0x223
/proc/94/stat                              compat_ioctl                   0xffff880036a11000
/proc/94/stat                              llseek                         0xffff880116c53730
/proc/94/stat                              flock                                      0x1000
/proc/94/stat                              poll                           0xffffffffffff0000
/proc/94/stat                              mmap                           0xffff880116c29a00
/proc/94/stat                              sendpage                       0xffff880116c537b8
/proc/94/stat                              write_iter                     0xffff880116c53750
/proc/94/stat                              read_iter                                   0x223
/proc/94/stat                              splice_read                    0xffff880116c29a00
/proc/94/stat                              show_fdinfo                    0xffff880116c53800
/proc/94/stat                              iterate                        0xffffea0000da8440
/proc/94/stat                              splice_write                   0xffff880036a12000
/proc/94/stat                              unlocked_ioctl                             0x1000
/proc/94/stat                              fsync                          0xffff880116c53798
/proc/94/stat                              get_unmapped_area              0xffffea0000da8480
/proc/94/stat                              release                        0xffff880116c53798
/proc/94/stat                              check_flags                    0xffffffffffff0000
/proc/93/exe                               lock                                        0x223
/proc/93/exe                               compat_ioctl                   0xffff880036a23000
/proc/93/exe                               llseek                         0xffff880116c53e80
/proc/93/exe                               flock                                      0x1000
/proc/93/exe                               poll                           0xffffffffffff0000
/proc/93/exe                               mmap                           0xffff880116c29a00
/proc/93/exe                               sendpage                       0xffff880116c53f08
/proc/93/exe                               write_iter                     0xffff880116c53ea0
/proc/93/exe                               read_iter                                   0x223
/proc/93/exe                               splice_read                    0xffff880116c29a00
/proc/93/exe                               show_fdinfo                    0xffff880116c53f50
/proc/93/exe                               iterate                        0xffffea0000da88c0
/proc/93/exe                               splice_write                   0xffff880036a24000
/proc/93/exe                               unlocked_ioctl                             0x1000
/proc/93/exe                               fsync                          0xffff880116c53ee8
/proc/93/exe                               get_unmapped_area              0xffffea0000da8900
/proc/93/exe                               release                        0xffff880116c53ee8
/proc/93/exe                               check_flags                    0xffffffffffff0000
/proc/93/stat                              lock                                        0x223
/proc/93/stat                              compat_ioctl                   0xffff880036a1d000
/proc/93/stat                              llseek                         0xffff880116c53c10
/proc/93/stat                              flock                                      0x1000
/proc/93/stat                              poll                           0xffffffffffff0000
/proc/93/stat                              mmap                           0xffff880116c29a00
/proc/93/stat                              sendpage                       0xffff880116c53c98
/proc/93/stat                              write_iter                     0xffff880116c53c30
/proc/93/stat                              read_iter                                   0x223
/proc/93/stat                              splice_read                    0xffff880116c29a00
/proc/93/stat                              show_fdinfo                    0xffff880116c53ce0
/proc/93/stat                              iterate                        0xffffea0000da8740
/proc/93/stat                              splice_write                   0xffff880036a1e000
/proc/93/stat                              unlocked_ioctl                             0x1000
/proc/93/stat                              fsync                          0xffff880116c53c78
/proc/93/stat                              get_unmapped_area              0xffffea0000da8780
/proc/93/stat                              release                        0xffff880116c53c78
/proc/93/stat                              check_flags                    0xffffffffffff0000
/proc/92/exe                               lock                                        0x223
/proc/92/exe                               compat_ioctl                   0xffff880036a17000
/proc/92/exe                               llseek                         0xffff880116c539a0
/proc/92/exe                               flock                                      0x1000
/proc/92/exe                               poll                           0xffffffffffff0000
/proc/92/exe                               mmap                           0xffff880116c29a00
/proc/92/exe                               sendpage                       0xffff880116c53a28
/proc/92/exe                               write_iter                     0xffff880116c539c0
/proc/92/exe                               read_iter                                   0x223
/proc/92/exe                               splice_read                    0xffff880116c29a00
/proc/92/exe                               show_fdinfo                    0xffff880116c53a70
/proc/92/exe                               iterate                        0xffffea0000da85c0
/proc/92/exe                               splice_write                   0xffff880036a18000
/proc/92/exe                               unlocked_ioctl                             0x1000
/proc/92/exe                               fsync                          0xffff880116c53a08
/proc/92/exe                               get_unmapped_area              0xffffea0000da8600
/proc/92/exe                               release                        0xffff880116c53a08
/proc/92/exe                               check_flags                    0xffffffffffff0000
# ls -l /root/sources/SAMPLES/*.lime
-r--r--r-- 1 root root 4185128608 ago 23 08:59 /root/sources/SAMPLES/sBOX_23082018.lime
-r--r--r-- 1 root root 4185128608 ago 20 15:59 /root/sources/SAMPLES/sBOX.lime