volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

ARM address space issue #620

Open canance opened 5 years ago

canance commented 5 years ago

Hi,

I have a custom ARM kernel that I created a profile for; however, I'm unable to get any plugins to work correctly.

The kernel that I created the profile for was cross-compiled using the musl compiler. I cross-compiled the kernel module in the same environment, used dwarfdump to create the module.dwarf file, and then created a zip containing module.dwarf and the System.map that was generated when I compiled the kernel.

To capture the memory, I used QEMU's dump-guest-memory command. Next, I tried to use the linux_pslist plugin to verify that my profile was working correctly. I have attached the debug output from that command below.

I see that it gets successfully identified as a QemuCoreDumpElf but then fails the ArmAddressSpace check.

I am relatively new to Volatility, so any advice or suggestions on how to fix this would be greatly appreciated!

Thanks,

Cory

Debug output

root@0f7ae90f46d8:/app# vol.py --plugins=plugins --profile=Linuxarm_kernel-4_17ARM -f firmware_mem_dump1 --debug linux_pslist
Volatility Foundation Volatility Framework 2.6.1
DEBUG   : volatility.debug    : arm_kernel-4.17: Found dwarf file boot/System.map-4.1.17+ with 556 symbols
DEBUG   : volatility.debug    : arm_kernel-4.17: Found system file boot/System.map-4.1.17+ with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : arm_kernel-4.17: Found dwarf file boot/System.map-4.1.17+ with 556 symbols
DEBUG   : volatility.debug    : arm_kernel-4.17: Found system file boot/System.map-4.1.17+ with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
Offset     Name                 Pid             PPid            Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f278fa22610>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf object at 0x7f278fa22b10>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF error: did not find any PT_NOTE segment with VBCORE
 VMWareAddressSpace: Invalid VMware signature: 0x464c457f
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: -
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxarm_kernel-4_17ARM selected
 WindowsAMD64PagedMemory: Incompatible profile Linuxarm_kernel-4_17ARM selected
 LinuxAMD64PagedMemory: Incompatible profile Linuxarm_kernel-4_17ARM selected
 AMD64PagedMemory: Incompatible profile Linuxarm_kernel-4_17ARM selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
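
Added example, not part of the original issue or of Volatility's code: a QEMU `dump-guest-memory` file is an ELF core whose PT_LOAD program headers map guest-physical addresses to file offsets, and this sketch lists them so you can see where RAM sits inside the dump. The header built in `build_sample_core` is constructed for illustration (its RAM range is borrowed from the `mach-virt.ram` line of the `info mtree` output in this thread), and all function names are hypothetical.

```python
import struct

PT_LOAD = 1        # program-header type of a loadable segment
PN_XNUM = 0xFFFF   # e_phnum escape value (real count stored elsewhere)


def parse_load_segments(data):
    """Return the PT_LOAD segments of an ELF core as paddr/offset/filesz dicts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:   # ELF32 header field offsets
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:               # ELF64 header field offsets
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    if e_phnum == PN_XNUM:
        raise ValueError("extended program-header count is not handled here")

    segments = []
    for i in range(e_phnum):
        pos = e_phoff + i * e_phentsize
        if ei_class == 1:
            # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, _, p_paddr, p_filesz, _, _, _ = struct.unpack_from(
                end + "8I", data, pos)
        else:
            # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
                end + "2I6Q", data, pos)
        if p_type == PT_LOAD:
            segments.append(
                {"paddr": p_paddr, "offset": p_offset, "filesz": p_filesz})
    return segments


def phys_to_file_offset(segments, paddr):
    """Translate a guest-physical address to an offset in the dump file."""
    for seg in segments:
        if seg["paddr"] <= paddr < seg["paddr"] + seg["filesz"]:
            return seg["offset"] + (paddr - seg["paddr"])
    return None  # address is not backed by any dumped segment


def build_sample_core():
    """Constructed ELF32 little-endian core header: one PT_NOTE, one PT_LOAD."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident,
                       4,    # e_type = ET_CORE
                       40,   # e_machine = EM_ARM
                       1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    note = struct.pack("<8I", 4, 116, 0, 0, 0x100, 0x100, 0, 0)
    load = struct.pack("<8I", PT_LOAD, 0x1000, 0,
                       0x40000000, 0x10000000, 0x10000000, 0, 0)
    return ehdr + note + load


if __name__ == "__main__":
    segs = parse_load_segments(build_sample_core())
    for s in segs:
        print("paddr=%#x file_offset=%#x size=%#x"
              % (s["paddr"], s["offset"], s["filesz"]))
    print("0x40008000 ->", hex(phys_to_file_offset(segs, 0x40008000)))
```
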

canance commented 5 years ago

I got a little further and wanted to provide an update. In QEMU, I used the info mtree command to get the physical address of RAM and then used pmemsave 0x40000000 0x0fffffff pmemsave_ramonly to dump just that region.

Running Volatility on that dump allows for the correct identification of the ARM address space; however, it doesn't display any processes when using the linux_pslist plugin. I have provided the mtree output from QEMU and Volatility debug output below.

info mtree

(qemu) info mtree
address-space: memory
  0000000000000000-ffffffffffffffff (prio 0, RW): system
    0000000000000000-0000000003ffffff (prio 0, R-): virt.flash0
    0000000004000000-0000000007ffffff (prio 0, R-): virt.flash1
    0000000008000000-0000000008000fff (prio 0, RW): gic_dist
    0000000008010000-0000000008011fff (prio 0, RW): gic_cpu
    0000000008020000-0000000008020fff (prio 0, RW): gicv2m
    0000000009000000-0000000009000fff (prio 0, RW): pl011
    0000000009010000-0000000009010fff (prio 0, RW): pl031
    0000000009020000-0000000009020007 (prio 0, RW): fwcfg.data
    0000000009020008-0000000009020009 (prio 0, RW): fwcfg.ctl
    0000000009020010-0000000009020017 (prio 0, RW): fwcfg.dma
    0000000009030000-0000000009030fff (prio 0, RW): pl061
    000000000a000000-000000000a0001ff (prio 0, RW): virtio-mmio
    000000000a000200-000000000a0003ff (prio 0, RW): virtio-mmio
    000000000a000400-000000000a0005ff (prio 0, RW): virtio-mmio
    000000000a000600-000000000a0007ff (prio 0, RW): virtio-mmio
    000000000a000800-000000000a0009ff (prio 0, RW): virtio-mmio
    000000000a000a00-000000000a000bff (prio 0, RW): virtio-mmio
    000000000a000c00-000000000a000dff (prio 0, RW): virtio-mmio
    000000000a000e00-000000000a000fff (prio 0, RW): virtio-mmio
    000000000a001000-000000000a0011ff (prio 0, RW): virtio-mmio
    000000000a001200-000000000a0013ff (prio 0, RW): virtio-mmio
    000000000a001400-000000000a0015ff (prio 0, RW): virtio-mmio
    000000000a001600-000000000a0017ff (prio 0, RW): virtio-mmio
    000000000a001800-000000000a0019ff (prio 0, RW): virtio-mmio
    000000000a001a00-000000000a001bff (prio 0, RW): virtio-mmio
    000000000a001c00-000000000a001dff (prio 0, RW): virtio-mmio
    000000000a001e00-000000000a001fff (prio 0, RW): virtio-mmio
    000000000a002000-000000000a0021ff (prio 0, RW): virtio-mmio
    000000000a002200-000000000a0023ff (prio 0, RW): virtio-mmio
    000000000a002400-000000000a0025ff (prio 0, RW): virtio-mmio
    000000000a002600-000000000a0027ff (prio 0, RW): virtio-mmio
    000000000a002800-000000000a0029ff (prio 0, RW): virtio-mmio
    000000000a002a00-000000000a002bff (prio 0, RW): virtio-mmio
    000000000a002c00-000000000a002dff (prio 0, RW): virtio-mmio
    000000000a002e00-000000000a002fff (prio 0, RW): virtio-mmio
    000000000a003000-000000000a0031ff (prio 0, RW): virtio-mmio
    000000000a003200-000000000a0033ff (prio 0, RW): virtio-mmio
    000000000a003400-000000000a0035ff (prio 0, RW): virtio-mmio
    000000000a003600-000000000a0037ff (prio 0, RW): virtio-mmio
    000000000a003800-000000000a0039ff (prio 0, RW): virtio-mmio
    000000000a003a00-000000000a003bff (prio 0, RW): virtio-mmio
    000000000a003c00-000000000a003dff (prio 0, RW): virtio-mmio
    000000000a003e00-000000000a003fff (prio 0, RW): virtio-mmio
    000000000c000000-000000000dffffff (prio 0, RW): platform bus
    0000000010000000-000000003efeffff (prio 0, RW): alias pcie-mmio @gpex_mmio 0000000010000000-000000003efeffff
    000000003eff0000-000000003effffff (prio 0, RW): gpex_ioport
    000000003f000000-000000003fffffff (prio 0, RW): alias pcie-ecam @pcie-mmcfg-mmio 0000000000000000-0000000000ffffff
    0000000040000000-000000004fffffff (prio 0, RW): mach-virt.ram
    0000008000000000-000000ffffffffff (prio 0, RW): alias pcie-mmio-high @gpex_mmio 0000008000000000-000000ffffffffff

vol.py --debug

root@0f7ae90f46d8:/app# vol.py --plugins=plugins --profile=Linuxlinux-4_17ARM -f pmemsave_ramonly --debug linux_pslist
Volatility Foundation Volatility Framework 2.6.1
DEBUG   : volatility.debug    : linux-4.17: Found dwarf file boot/System.map-4.1.17+ with 556 symbols
DEBUG   : volatility.debug    : linux-4.17: Found system file boot/System.map-4.1.17+ with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : linux-4.17: Found dwarf file boot/System.map-4.1.17+ with 556 symbols
DEBUG   : volatility.debug    : linux-4.17: Found system file boot/System.map-4.1.17+ with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
Offset     Name                 Pid             PPid            Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fd5e8b40610>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x7fd5e8b40d90>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fd5e86acf10>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x7fd5e8b36250>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
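
Added example, not part of the original issue: the `info mtree` step from the comment above, as a parser that finds the RAM region and derives the `pmemsave` arguments and the physical-address-to-file-offset mapping for the resulting raw dump. Treating region names that end in `.ram` as guest RAM is an assumption based on the `mach-virt.ram` line; the sample text is an excerpt of the output above, and `ram.bin` and the function names are hypothetical.

```python
import re

# One region line of `info mtree`: "<start>-<end> (prio N, FLAGS): <name>"
MTREE_LINE = re.compile(
    r"^\s*([0-9a-fA-F]{16})-([0-9a-fA-F]{16}) \(prio (-?\d+), ([^)]*)\): (.+)$")

# Excerpt of the `info mtree` output shown in this thread
SAMPLE_MTREE = """\
address-space: memory
  0000000000000000-ffffffffffffffff (prio 0, RW): system
    0000000000000000-0000000003ffffff (prio 0, R-): virt.flash0
    0000000009000000-0000000009000fff (prio 0, RW): pl011
    000000003f000000-000000003fffffff (prio 0, RW): alias pcie-ecam @pcie-mmcfg-mmio 0000000000000000-0000000000ffffff
    0000000040000000-000000004fffffff (prio 0, RW): mach-virt.ram
"""


def parse_mtree(text):
    """Parse region lines into dicts; the end address is inclusive."""
    regions = []
    for line in text.splitlines():
        m = MTREE_LINE.match(line)
        if not m:
            continue  # headers such as "address-space: memory"
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        regions.append({
            "start": start,
            "end": end,
            "size": end - start + 1,
            "flags": m.group(4),
            "name": m.group(5).strip(),
        })
    return regions


def ram_regions(regions):
    """Heuristic (assumption): guest RAM regions have names ending in '.ram'."""
    return [r for r in regions if r["name"].endswith(".ram")]


def pmemsave_command(region, filename):
    """QEMU monitor command that saves exactly this region: addr, size, file."""
    return "pmemsave %#x %#x %s" % (region["start"], region["size"], filename)


def phys_to_dump_offset(region, paddr):
    """Offset of a guest-physical address inside a raw dump of `region`."""
    if region["start"] <= paddr <= region["end"]:
        return paddr - region["start"]
    return None  # address lies outside the dumped region


if __name__ == "__main__":
    for region in ram_regions(parse_mtree(SAMPLE_MTREE)):
        print(region["name"], hex(region["start"]), hex(region["size"]))
        print(pmemsave_command(region, "ram.bin"))
        print("0x40008000 -> file offset",
              hex(phys_to_dump_offset(region, 0x40008000)))
```

A raw `pmemsave` file has no header, so offset 0 of the file corresponds to the region's start address rather than to physical address 0.
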