volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Cuckoo on Ubuntu VM - AddrSpaceError: No suitable address space mapping found #761

Open sandyboxy opened 3 years ago

sandyboxy commented 3 years ago

Hello, I've correctly configured Volatility 2.5 to work with Cuckoo 2.0.7 on an Ubuntu host. Memory dumps work with a Windows guest.

I added an Ubuntu guest VM to cuckoo and created a new volatility profile for my kernel version (directly on the guest machine) following this tutorial. Finally, I copied the new plugin to volatility and it is correctly loaded.

Now, when I try to analyze a malicious ELF file, this is the output I obtain:

Failed to run the processing module "Memory" for task #23:
Traceback (most recent call last):
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 246, in process
    data = current.run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1118, in run
    return VolatilityManager(self.memory_path, osprofile).run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1000, in __init__
    self.vol = VolatilityAPI(self.memfile, self.osprofile)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 79, in __init__
    self.init_config()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 149, in init_config
    if self.get_dtb():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 85, in get_dtb
    for ep in ps.calculate():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/filescan.py", line 354, in calculate
    addr_space = utils.load_as(self._config, astype = 'physical')
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/utils.py", line 65, in load_as
    raise error
AddrSpaceError: No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace - EXCEPTION: 'DW_AT_byte_size'
 ArmAddressSpace: No base Address Space

How can I solve this issue?

nrrpinto commented 3 years ago

Did you try to analyze a memory dump using your created volatility profile out of cuckoo automatic execution?

The message you get there "AddrSpaceError: No suitable address space mapping found" normally appears when the volatility profile is not correct.

sandyboxy commented 3 years ago

I tried to run this command: $ vol.py -f /opt/cuckoo/storage/analyses/23/memory.dmp --profile=LinuxUbuntu_4_15_0-122-generic_profilex64 linux_dmesg, but I get this error:

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/home/cuckoo/venv/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.5', 'vol.py')
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 658, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1438, in run_script
    exec(code, namespace, namespace)
  File "/home/cuckoo/venv/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/home/cuckoo/venv/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/linux/common.py", line 63, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 115, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 214, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/obj.py", line 859, in __init__
    self.reset()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 224, in reset
    self.load_vtypes()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 261, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 204, in process_statement
    self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
KeyError: 'DW_AT_byte_size'
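A small checker for the KeyError above, added here as an example and not code from Volatility or Cuckoo: Volatility 2.5's dwarf.py (line 204 in the traceback) indexes DW_AT_byte_size unconditionally, but a struct that appears only as a forward declaration carries DW_AT_declaration and no size. The script scans a module.dwarf in dwarfdump's text layout (constructed sample inline; accepting both header spellings is an assumption about differing dwarfdump versions) and lists the entries that would trip that line.

```python
import re

# Constructed sample in the dwarfdump text layout used for module.dwarf.
# Both header spellings seen from dwarfdump are handled (assumption).
SAMPLE_DWARF = """\
<1><0x0000002d><DW_TAG_structure_type>
                      DW_AT_name                  list_head
                      DW_AT_byte_size             0x00000010
<1><0x00000041>    DW_TAG_structure_type
                      DW_AT_name                  task_struct
                      DW_AT_declaration           yes(1)
<1><0x00000055>    DW_TAG_union_type
                      DW_AT_name                  sigval
                      DW_AT_byte_size             0x00000008
<1><0x00000060>    DW_TAG_structure_type
                      DW_AT_name                  broken_type
"""

HEADER_RE = re.compile(r'^<(\d+)><[^>]+>\s*<?(DW_TAG_\w+)>?')
ATTR_RE = re.compile(r'^\s+(DW_AT_\w+)\s*(.*)$')
SIZED_TAGS = ('DW_TAG_structure_type', 'DW_TAG_union_type')


def parse_entries(text):
    """Group each DW_TAG_* header with the DW_AT_* lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({'tag': m.group(2), 'attrs': {}})
            continue
        a = ATTR_RE.match(line)
        if a and entries:
            entries[-1]['attrs'][a.group(1)] = a.group(2).strip()
    return entries


def structs_without_size(text):
    """Return (name, is_forward_declaration) for every struct/union entry
    lacking DW_AT_byte_size; each one raises KeyError in vol 2.5's parser."""
    found = []
    for e in parse_entries(text):
        if e['tag'] in SIZED_TAGS and 'DW_AT_byte_size' not in e['attrs']:
            name = e['attrs'].get('DW_AT_name', '<unnamed>')
            found.append((name, 'DW_AT_declaration' in e['attrs']))
    return found


if __name__ == '__main__':
    for name, decl in structs_without_size(SAMPLE_DWARF):
        print('%s: %s' % (name, 'forward declaration' if decl else 'no size'))
```

Run it against the profile's real module.dwarf (unzip the profile first); a forward declaration is expected and harmless on a parser that guards for it, while an entry with no size and no declaration flag points at a broken dwarfdump run.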

sandyboxy commented 3 years ago

I did another test with volatility 2.6.1 and distorm3 3.4.4 with the command vol.py -f /opt/cuckoo/storage/analyses/23/memory.dmp --profile=LinuxUbuntu_4_15_0-122-generic_profilex64 linux_malfind and all works. If I try the same command with volatility 2.5 and distorm3 3.4.4 it fails as shown above. So it seems to be a volatility version issue, but I don't think version 2.6.1 is supported by cuckoo 2.0.7.

EDIT: Using volatility 2.6.1 I get another error:

Failed to run the processing module "Memory" for task #26:
Traceback (most recent call last):
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 246, in process
    data = current.run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1118, in run
    return VolatilityManager(self.memory_path, osprofile).run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1039, in run
    results[plugin_name] = getattr(self.vol, plugin_name)()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 172, in pslist
    for process in command.calculate():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 88, in pslist
    for p in get_kdbg(addr_space).processes():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 50, in get_kdbg
    if obj.VolMagic(addr_space).KPCR.value:
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 751, in __getattr__
    return self.m(attr)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 733, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KPCR

iMHLv2 commented 3 years ago

The backtrace in your first post mentions filescan.py and the backtrace in your latest post mentions win32/tasks.py. Those are both Windows-only plugins. It seems like cuckoo is running Windows-only plugins against your Linux sample, which is not going to work.