volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Linux memory dump gives error "No suitable address space mapping found" #757

Open krunal-dm opened 4 years ago

krunal-dm commented 4 years ago

I have a Linux Ubuntu x64 memory dump named "username_memory_dump.bin". I have installed the latest Volatility version and created a custom profile for LinuxUbuntux64 as shown below:

$ volatility --plugins=plugins/ --info | grep Linux
Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntux64        - A Profile for Linux Ubuntu x64
LinuxAMD64PagedMemory          - Linux-specific AMD 64-bit address space.
linux_aslr_shift            - Automatically detect the Linux ASLR shift
linux_banner                - Prints the Linux banner information
linux_yarascan              - A shell in the Linux memory image
linuxgetprofile             - Scan to try to determine the Linux profile

However every time I run any plugin it gives me error saying that "No suitable address space mapping found" as shown below:

$ vol.py -f '/home/sansforensics/Desktop/evidence/sansforensics_memory_dump.bin' --profile=LinuxUbuntux64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 VMotionMigrationAddressSpace: VMotionMigration requires a base
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
and so on...

What is it that I'm doing wrong? Kindly help. Thanks in advance!

atcuno commented 4 years ago

Can you copy/paste the process you used to generate the profile?

Can you also run the following and paste the result?

$ strings -a "path to memory sample" | grep gcc | grep Linux | head -30

ttoon123001 commented 3 years ago

@atcuno I had the same problem.

./vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntu1404x64    - A Profile for Linux Ubuntu1404 x64
linux_aslr_shift           - Automatically detect the Linux ASLR shift
linux_banner               - Prints the Linux banner information
linux_yarascan             - A shell in the Linux memory image
LinuxAMD64PagedMemory          - Linux-specific AMD 64-bit address space.
root@ubuntu:/usr/volatility-2.6.1# ./vol.py -f /root/mem.lime --profile=LinuxUbuntu1404x64 linux_banner
Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
...
strings -a /root/mem.lime | grep gcc | grep Linux |head -30
Linux version 4.2.0-42-generic (buildd@lgw01-55) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) ) #49~14.04.1-Ubuntu SMP Wed Jun 29 20:22:11 UTC 2016 (Ubuntu 4.2.0-42.49~14.04.1-generic 4.2.8-ckt12)
Linux version 4.2.0-42-generic (buildd@lgw01-55) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) ) #49~14.04.1-Ubuntu SMP Wed Jun 29 20:22:11 UTC 2016 (Ubuntu 4.2.0-42.49~14.04.1-generic 4.2.8-ckt12)

ttoon123001 commented 3 years ago

operating steps:

root@ubuntu:/usr/volatility-2.6.1/tools/linux# ls
kcore  Makefile  Makefile.enterprise  module.c
root@ubuntu:/usr/volatility-2.6.1/tools/linux# make
make -C //lib/modules/4.2.0-42-generic/build CONFIG_DEBUG_INFO=y M="/usr/volatility-2.6.1/tools/linux" modules
make[1]: Entering directory `/usr/src/linux-headers-4.2.0-42-generic'
  CC [M]  /usr/volatility-2.6.1/tools/linux/module.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /usr/volatility-2.6.1/tools/linux/module.mod.o
  LD [M]  /usr/volatility-2.6.1/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/linux-headers-4.2.0-42-generic'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/4.2.0-42-generic/build M="/usr/volatility-2.6.1/tools/linux" clean
make[1]: Entering directory `/usr/src/linux-headers-4.2.0-42-generic'
  CLEAN   /usr/volatility-2.6.1/tools/linux/.tmp_versions
  CLEAN   /usr/volatility-2.6.1/tools/linux/Module.symvers
make[1]: Leaving directory `/usr/src/linux-headers-4.2.0-42-generic'
root@ubuntu:/usr/volatility-2.6.1/tools/linux# cp /boot/System.map-4.2.0-42-generic ./System.map

root@ubuntu:/usr/volatility-2.6.1/tools/linux# zip /usr/volatility-2.6.1/volatility/plugins/overlays/linux/Ubuntu1404.zip ./module.dwarf ./System.map
  adding: module.dwarf (deflated 89%)
  adding: System.map (deflated 79%)

atcuno commented 3 years ago

How did you acquire the memory sample? And can you paste uname -a output from the system?

ttoon123001 commented 3 years ago

root@ubuntu:/usr/volatility-2.6.1/tools/linux# uname -a
Linux ubuntu 4.2.0-42-generic #49~14.04.1-Ubuntu SMP Wed Jun 29 20:22:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I'm using LiME to get the memory sample.

root@ubuntu:~# /sbin/insmod /usr/share/LiME/LiME-1.7.5/src/lime-4.2.0-42-generic.ko path=/root/mem.lime format=lime
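The checks atcuno is asking for, as an added example that is not code from this thread or from the Volatility project: walk the LiME container headers to confirm the file really is in LiME format (the format=lime the insmod step requested), pull the kernel banner out of the raw dump the way the strings|grep command does so it can be compared with uname -a, and verify that the profile zip holds module.dwarf plus a System.map carrying the symbols the Linux plugins depend on. The 32-byte LiME v1 header layout and the System.map symbol names are taken from the LiME and kernel sources; the sample dump and profile zip are constructed in memory.

```python
import re
import struct
import zipfile
from io import BytesIO
LIME_MAGIC = 0x4C694D45                 # "EMiL" as the first four bytes on disk
LIME_HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
BANNER_RE = re.compile(rb"Linux version (\S+) \(")

def lime_segments(data):
    """[(s_addr, e_addr)] per RAM range in a LiME file; ValueError if it is not LiME."""
    segs, off = [], 0
    while off + LIME_HEADER.size <= len(data):
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("no LiME v1 header at offset 0x%x" % off)
        segs.append((s_addr, e_addr))
        off += LIME_HEADER.size + (e_addr - s_addr + 1)  # payload follows each header
    if off != len(data): raise ValueError("truncated LiME file")
    return segs

def dump_kernel_version(data):
    """Kernel release from the first 'Linux version ...' banner in the dump, or None."""
    m = BANNER_RE.search(data)
    return m.group(1).decode() if m else None

def profile_problems(zip_bytes):
    """Sanity-check a Volatility 2 Linux profile zip; [] means it looks usable."""
    problems = []
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        names = {n.rsplit("/", 1)[-1]: n for n in zf.namelist()}
        for req in ("module.dwarf", "System.map"):
            if req not in names:
                problems.append("missing " + req)
        if "System.map" in names:
            smap = zf.read(names["System.map"])
            for sym in (b"init_task", b"linux_banner"):  # symbols the Linux plugins need
                if not re.search(rb"^[0-9a-f]+ [A-Za-z] " + sym + rb"$", smap, re.M):
                    problems.append("System.map lacks " + sym.decode())
    return problems

def constructed_sample():
    """Constructed two-segment LiME dump and matching profile zip (not real data)."""
    banner = b"Linux version 4.2.0-42-generic (buildd@lgw01-55) (gcc version 4.8.4) "
    dump = b"".join(LIME_HEADER.pack(LIME_MAGIC, 1, s, s + len(b) - 1, b"\0" * 8) + b
                    for s, b in ((0x1000, b"\0" * 16), (0x100000, banner)))
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", "<dwarfdump -di module.ko output placeholder>")
        zf.writestr("System.map", "ffffffff81e11500 D init_task\nffffffff81a00000 R linux_banner\n")
    return dump, buf.getvalue()
```

On a real case, read the .lime file and the profile zip from disk and compare dump_kernel_version() with the release field of uname -a; a mismatch between the two, or a non-empty profile_problems() list, explains the "No suitable address space mapping found" failure before any plugin is run.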