Open sandyboxy opened 3 years ago
Did you try to analyze a memory dump using your created volatility profile out of cuckoo automatic execution?
The message you get there "AddrSpaceError: No suitable address space mapping found" normally appears when the volatility profile is not correct.
I tried to run this command
$ vol.py -f /opt/cuckoo/storage/analyses/23/memory.dmp --profile=LinuxUbuntu_4_15_0-122-generic_profilex64 linux_dmesg
but I have this error:
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
File "/home/cuckoo/venv/bin/vol.py", line 4, in <module>
__import__('pkg_resources').run_script('volatility==2.5', 'vol.py')
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 658, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1438, in run_script
exec(code, namespace, namespace)
File "/home/cuckoo/venv/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
main()
File "/home/cuckoo/venv/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/linux/common.py", line 63, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 115, in execute
if not self.is_valid_profile(profs[self._config.PROFILE]()):
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 214, in __init__
obj.Profile.__init__(self, *args, **kwargs)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/obj.py", line 859, in __init__
self.reset()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 224, in reset
self.load_vtypes()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 261, in load_vtypes
vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 71, in __init__
self.feed_line(line)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 162, in feed_line
self.process_statement(**parsed) #pylint: disable-msg=W0142
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 204, in process_statement
self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
KeyError: 'DW_AT_byte_size'
I did another test with volatility 2.6.1 and distorm3 3.4.4 with the command
vol.py -f /opt/cuckoo/storage/analyses/23/memory.dmp --profile=LinuxUbuntu_4_15_0-122-generic_profilex64 linux_malfind
and all works.
If I try the same command with volatility 2.5 and distorm3 3.4.4, it fails as shown above.
So, it seems to be a volatility version issue, but I don't think version 2.6.1 is supported by cuckoo 2.0.7.
EDIT
Using volatility 2.6.1
I have another error:
Failed to run the processing module "Memory" for task #26:
Traceback (most recent call last):
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 246, in process
data = current.run()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1118, in run
return VolatilityManager(self.memory_path, osprofile).run()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1039, in run
results[plugin_name] = getattr(self.vol, plugin_name)()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 172, in pslist
for process in command.calculate():
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 88, in pslist
for p in get_kdbg(addr_space).processes():
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 50, in get_kdbg
if obj.VolMagic(addr_space).KPCR.value:
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 751, in __getattr__
return self.m(attr)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 733, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KPCR
The backtrace in your first post mentions filescan.py and the backtrace in your latest post mentions win32/tasks.py. Those are both Windows-only plugins. It seems like cuckoo is running Windows-only plugins against your Linux sample, which is not going to work.
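To make the mismatch above concrete, here is an added example (not Cuckoo's or Volatility's code) that classifies a Volatility 2 profile name and a plugin list by OS, so Windows-only plugins such as pslist or filescan are never scheduled against a Linux profile like LinuxUbuntu_4_15_0-122-generic_profilex64. The plugin-to-Linux-equivalent map is a constructed, partial table; the naming rules follow Volatility 2's convention of a linux_/mac_ prefix for non-Windows plugins.

```python
import re

# Volatility 2 naming convention: Linux plugins carry a "linux_" prefix,
# Mac plugins a "mac_" prefix, and Windows plugins have no prefix at all.
def plugin_os(plugin):
    if plugin.startswith("linux_"):
        return "linux"
    if plugin.startswith("mac_"):
        return "mac"
    return "windows"

# Profile names: "Linux<distro>..." for a home-made Linux profile,
# "Mac..." for macOS, "Win..."/"Vista..." for the bundled Windows ones.
def profile_os(profile):
    if profile.startswith("Linux"):
        return "linux"
    if profile.startswith("Mac"):
        return "mac"
    if re.match(r"^(Win|Vista)", profile):
        return "windows"
    raise ValueError("unrecognised profile name: %s" % profile)

# Constructed, partial map from Windows plugins to Linux counterparts.
LINUX_EQUIVALENT = {
    "pslist": "linux_pslist",
    "psxview": "linux_psxview",
    "malfind": "linux_malfind",
    "netscan": "linux_netstat",
    "modules": "linux_lsmod",
}

def select_plugins(profile, requested):
    """Return (to_run, skipped): only plugins matching the profile's OS
    are kept; Windows plugins with a mapped Linux equivalent are swapped,
    anything else is reported as skipped rather than run and crashed."""
    target = profile_os(profile)
    to_run, skipped = [], []
    for plugin in requested:
        name = None
        if plugin_os(plugin) == target:
            name = plugin
        elif target == "linux" and plugin in LINUX_EQUIVALENT:
            name = LINUX_EQUIVALENT[plugin]
        if name is None:
            skipped.append(plugin)
        elif name not in to_run:
            to_run.append(name)
    return to_run, skipped
```

Running the selection before invoking vol.py turns the AttributeError on VOLATILITY_MAGIC.KPCR into a plain "skipped: filescan" line in the processing log.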
Hello, I've correctly configured Volatility 2.5 to work with Cuckoo 2.0.7 on an Ubuntu host. Memory dump works with Windows guest.
I added an Ubuntu guest VM on cuckoo and I created a new volatility profile for my kernel version (directly on guest machine) following this tutorial. Finally, I copied new plugin to volatility and it is correctly loaded.
Now, when I try to analyze a malicious elf file, this is the output I obtain:
How can I solve this issue?
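The first traceback on this page dies in dwarf.py with KeyError: 'DW_AT_byte_size', i.e. a struct or union entry in the profile's module.dwarf has no size attribute (a forward declaration, for instance). This added example (not Volatility's parser) scans a dwarfdump -di style listing for such entries so a freshly built profile can be checked before it is handed to Cuckoo; the DWARF excerpt is constructed, and the zip helper assumes the profile archive stores the listing under a name ending in .dwarf.

```python
import re
import zipfile

# Constructed excerpt in the dwarfdump -di layout used by a Volatility 2
# Linux profile's module.dwarf. "task_struct" is a forward declaration:
# it carries DW_AT_declaration but no DW_AT_byte_size.
SAMPLE_DWARF = """\
<1><0x0000002d>      DW_TAG_structure_type
                       DW_AT_name                  list_head
                       DW_AT_byte_size             0x00000010
<2><0x00000035>        DW_TAG_member
                       DW_AT_name                  next
                       DW_AT_data_member_location  0
<1><0x00000041>      DW_TAG_structure_type
                       DW_AT_name                  task_struct
                       DW_AT_declaration           yes(1)
<1><0x00000049>      DW_TAG_union_type
                       DW_AT_name                  sigval
                       DW_AT_byte_size             0x00000008
"""

TAG_RE = re.compile(r"^<(\d+)><(0x[0-9a-fA-F]+)>\s+(DW_TAG_\w+)")
ATTR_RE = re.compile(r"^\s+(DW_AT_\w+)\s+(.*?)\s*$")
SIZED_TAGS = {"DW_TAG_structure_type", "DW_TAG_union_type"}

def parse_entries(text):
    """Return a list of (tag, {attribute: value}) for every DIE in the
    listing; attribute lines are indented, tag lines start with '<'."""
    entries, current = [], None
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            current = (m.group(3), {})
            entries.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
    return entries

def unsized_types(text):
    """Names of struct/union entries that lack DW_AT_byte_size, the
    exact condition the 2.5 traceback above trips over."""
    return [attrs.get("DW_AT_name", "<anonymous>")
            for tag, attrs in parse_entries(text)
            if tag in SIZED_TAGS and "DW_AT_byte_size" not in attrs]

def check_profile_zip(path):
    """Run unsized_types() over the .dwarf member of a profile zip."""
    with zipfile.ZipFile(path) as archive:
        member = next(n for n in archive.namelist() if n.endswith(".dwarf"))
        return unsized_types(archive.read(member).decode("utf-8", "replace"))
```

A non-empty result explains the KeyError without changing Volatility versions; an empty one points the investigation back at the plugin/profile OS mismatch discussed in the comments.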