How to integrate libvmi with Volatility

Xianchun Guan

unread,

Jun 2, 2015, 4:04:35 AM6/2/15

to vmit...@googlegroups.com

I want to integrate libvmi with Volatility,but I don't know how to do it.Who can tell me to do?

Xianchun Guan

unread,

Jun 2, 2015, 4:08:45 AM6/2/15

to vmit...@googlegroups.com

The hypervisor is KVM

在 2015年6月2日星期二 UTC+8下午4:04:35，Xianchun Guan写道：

Bryan D. Payne

unread,

Jun 2, 2015, 12:53:03 PM6/2/15

to vmit...@googlegroups.com

See the notes here:

https://github.com/libvmi/libvmi/tree/master/tools/pyvmi

Let me know if you have further questions.

Cheers,

-bryan

--
You received this message because you are subscribed to the Google Groups "vmitools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vmitools+u...@googlegroups.com.
To post to this group, send email to vmit...@googlegroups.com.
Visit this group at http://groups.google.com/group/vmitools.
For more options, visit https://groups.google.com/d/optout.

Xianchun Guan

unread,

Jun 2, 2015, 8:55:17 PM6/2/15

to vmit...@googlegroups.com

Thanks

在 2015年6月2日星期二 UTC+8下午4:04:35，Xianchun Guan写道：

I want to integrate libvmi with Volatility,but I don't know how to do it.Who can tell me to do?

Xianchun Guan

unread,

Jun 3, 2015, 12:43:00 AM6/3/15

to vmit...@googlegroups.com

The result is follow when I run command python vol.py -l vmi://centos6.4 pslist

root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py -l vmi://centos6.4 pslist

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: libyara.so.0: cannot open shared object file: No such file or directory)

*** Failed to import volatility.plugins.dumpcerts (NameError: name 'yara' is not defined)

No suitable address space mapping found

Tried to open image as:

MachOAddressSpace: mac: need base

LimeAddressSpace: lime: need base

WindowsHiberFileSpace32: No base Address Space

WindowsCrashDumpSpace64BitMap: No base Address Space

VMWareMetaAddressSpace: No base Address Space

WindowsCrashDumpSpace64: No base Address Space

HPAKAddressSpace: No base Address Space

VirtualBoxCoreDumpElf64: No base Address Space

QemuCoreDumpElf: No base Address Space

VMWareAddressSpace: No base Address Space

WindowsCrashDumpSpace32: No base Address Space

AMD64PagedMemory: No base Address Space

IA32PagedMemoryPae: No base Address Space

IA32PagedMemory: No base Address Space

OSXPmemELF: No base Address Space

FileAddressSpace: Location is not of file scheme

ArmAddressSpace: No base Address Space

The /etc/libvmi.conf is :

Can you give me a example how to write a memory introspection programs in python,and should I put the programs in what position.thanks

--
You received this message because you are subscribed to a topic in the Google Groups "vmitools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/vmitools/bipJJew8m6o/unsubscribe.
To unsubscribe from this group and all its topics, send an email to vmitools+u...@googlegroups.com.

Bryan D. Payne

unread,

Jun 3, 2015, 1:07:50 AM6/3/15

to vmit...@googlegroups.com

A few things to check:

1) Do the LibVMI examples work? For example, can you run ./examples/process-list centos6.4?

2) Does the pyvmi example work? For examples, can you run ./tools/pyvmi/examples/process-list.py centos6.4?

3) Does volatility work by itself? For example, can you run it on a raw memory dump file? If you don't have one, you can always download the example images at https://code.google.com/p/volatility/wiki/SampleMemoryImages.

4) Did you remember to add a symbolic link from the pyvmi address space into the volatility source tree?

-bryan

--

You received this message because you are subscribed to the Google Groups "vmitools" group.

To unsubscribe from this group and stop receiving emails from it, send an email to vmitools+u...@googlegroups.com.

Xianchun Guan

unread,

Jun 3, 2015, 2:08:06 AM6/3/15

to vmit...@googlegroups.com

I check the steps that you gives. the step 2 is not works.

I get the win_tasks,win_pname,win_pid info form by the steps :https://github.com/libvmi/libvmi/blob/master/tools/linux-offset-finder/README

Xianchun Guan

unread,

Jun 3, 2015, 2:13:32 AM6/3/15

to vmit...@googlegroups.com

The steps to get the win_tasks,win_pname,win_pid info as follow:

Xianchun Guan

unread,

Jun 3, 2015, 5:08:02 AM6/3/15

to vmit...@googlegroups.com

Hi Bryan Payne

1) Do the LibVMI examples work? For example, can you run ./examples/process-list centos6.4?

I switch to windows-xp,it works.

2) Does the pyvmi example work? For examples, can you run ./tools/pyvmi/examples/process-list.py centos6.4?

I switch to windows-xp,it works.

3) Does volatility work by itself? For example, can you run it on a raw memory dump file? If you don't have one, you can always download the example images at https://code.google.com/p/volatility/wiki/SampleMemoryImages.

4) Did you remember to add a symbolic link from the pyvmi address space into the volatility source tree?

I have copyed the pyvmiaddressspace.py to /volatility/plugins/address/

I run the command python vol.py -l vmi;//windows-xp pslist that works.

root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py -l vmi://windows-xp pslist

Volatility Foundation Volatility Framework 2.4

Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit

---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------

0x821b7a00 System 4 0 55 1066 ------ 0

0x82136d78 smss.exe 424 4 3 19 ------ 0 2015-06-01 13:00:31 UTC+0000

0x82013020 csrss.exe 480 424 10 359 0 0 2015-06-01 13:00:33 UTC+0000

0x8201cb28 winlogon.exe 504 424 18 498 0 0 2015-06-01 13:00:33 UTC+0000

0x820208b0 services.exe 548 504 15 261 0 0 2015-06-01 13:00:33 UTC+0000

0x82148020 lsass.exe 560 504 20 345 0 0 2015-06-01 13:00:33 UTC+0000

0x81f3e020 svchost.exe 728 548 17 194 0 0 2015-06-01 13:00:34 UTC+0000

0x820ba318 svchost.exe 776 548 8 233 0 0 2015-06-01 13:00:35 UTC+0000

0x81f29c68 svchost.exe 840 548 69 1363 0 0 2015-06-01 13:00:35 UTC+0000

0x81fd9c10 svchost.exe 900 548 4 58 0 0 2015-06-01 13:00:35 UTC+0000

0x81f291b0 svchost.exe 964 548 13 192 0 0 2015-06-01 13:00:35 UTC+0000

0x81f2a878 spoolsv.exe 1048 548 10 108 0 0 2015-06-01 13:00:39 UTC+0000

0x81f17a10 msdtc.exe 1596 548 15 167 0 0 2015-06-01 13:00:45 UTC+0000

0x820bc6f0 snmp.exe 1728 548 5 162 0 0 2015-06-01 13:00:46 UTC+0000

0x82080370 mqsvc.exe 1956 548 25 189 0 0 2015-06-01 13:00:51 UTC+0000

0x81e7c868 mqtgsvc.exe 328 548 9 119 0 0 2015-06-01 13:00:53 UTC+0000

0x81e62020 alg.exe 484 548 5 104 0 0 2015-06-01 13:00:54 UTC+0000

0x81efb328 wscntfy.exe 696 840 1 31 0 0 2015-06-02 17:31:19 UTC+0000

0x81f0a020 explorer.exe 1172 1256 10 312 0 0 2015-06-02 17:31:20 UTC+0000

0x81e43da0 ctfmon.exe 1716 1172 1 71 0 0 2015-06-02 17:31:23 UTC+0000

0x81e40740 rundll32.exe 832 1172 2 129 0 0 2015-06-02 17:31:27 UTC+0000

0x820cada0 logon.scr 1436 504 1 30 0 0 2015-06-02 17:41:49 UTC+0000

在 2015年6月2日星期二 UTC+8下午4:04:35，Xianchun Guan写道：

I want to integrate libvmi with Volatility,but I don't know how to do it.Who can tell me to do?

Bryan D. Payne

unread,

Jun 3, 2015, 1:58:09 PM6/3/15

to vmit...@googlegroups.com

Glad to hear that this is working with the windows image. I'm left wondering if there is a problem with the VM name having a period in it. Would it be possible to rename the centos VM to test this theory?

Thanks,

-bryan

--

Xianchun Guan

unread,

Jun 4, 2015, 12:29:07 AM6/4/15

to vmit...@googlegroups.com

Hi Bryan Payne

Unfortunately, to tell you the error is still the same, when I create a new virtual machine named centos6

在 2015年6月2日星期二 UTC+8下午4:04:35，Xianchun Guan写道：

I want to integrate libvmi with Volatility,but I don't know how to do it.Who can tell me to do?

Bryan D. Payne

unread,

Jun 4, 2015, 12:34:41 AM6/4/15

to vmit...@googlegroups.com

Thanks for checking. I'm not sure why this would have trouble then. Any chance you could run it with libvmi debug enabled?

-bryan

--

Xianchun Guan

unread,

Jun 4, 2015, 3:10:59 AM6/4/15

to vmit...@googlegroups.com

Hi Bryan,

I find the problem in the proccess-list.py, the contents are follows:

.........

import pyvmi

import sys

def get_processes(vmi):

tasks_offset = vmi.get_offset("win_tasks")

name_offset = vmi.get_offset("win_pname") - tasks_offset

pid_offset = vmi.get_offset("win_pid") - tasks_offset

.............

The key is to win rather than to linux as a prefix prefix. I think this is a bug.

在 2015年6月2日星期二 UTC+8下午4:04:35，Xianchun Guan写道：

I want to integrate libvmi with Volatility,but I don't know how to do it.Who can tell me to do?

Bryan D. Payne

unread,

Jun 4, 2015, 3:20:19 AM6/4/15

to vmit...@googlegroups.com

Ah yes, this does appear to be a bug. In fact, given this, there may be other issues running that script with linux VMs. I've filed a new bug for this:

https://github.com/libvmi/libvmi/issues/273

Thanks,

-bryan

--

Xianchun Guan

unread,

Jun 4, 2015, 4:44:08 AM6/4/15

to vmit...@googlegroups.com

Hi Bryan,

Thanks for your reply. I modified the ./pyvmi/example/proccess-list.py file, and then it works, but After running python vol.py -l vmi://centos6 pslist output is as follows:

Volatility Foundation Volatility Framework 2.4

No suitable address space mapping found

Tried to open image as:

MachOAddressSpace: mac: need base

LimeAddressSpace: lime: need base

WindowsHiberFileSpace32: No base Address Space

WindowsCrashDumpSpace64BitMap: No base Address Space

WindowsCrashDumpSpace64: No base Address Space

HPAKAddressSpace: No base Address Space

VMWareMetaAddressSpace: No base Address Space

VirtualBoxCoreDumpElf64: No base Address Space

VMWareAddressSpace: No base Address Space

QemuCoreDumpElf: No base Address Space

WindowsCrashDumpSpace32: No base Address Space

AMD64PagedMemory: No base Address Space

IA32PagedMemoryPae: No base Address Space

IA32PagedMemory: No base Address Space

MachOAddressSpace: MachO Header signature invalid

LimeAddressSpace: Invalid Lime header signature

WindowsHiberFileSpace32: No xpress signature found

WindowsCrashDumpSpace64BitMap: Header signature invalid

WindowsCrashDumpSpace64: Header signature invalid

HPAKAddressSpace: Location is not of file scheme

VMWareMetaAddressSpace: Location is not of file scheme

VirtualBoxCoreDumpElf64: ELF Header signature invalid

VMWareAddressSpace: Invalid VMware signature: -

QemuCoreDumpElf: ELF Header signature invalid

WindowsCrashDumpSpace32: Header signature invalid

AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected

IA32PagedMemoryPae: Failed valid Address Space check

IA32PagedMemory: Failed valid Address Space check

PyVmiAddressSpace: Must be first Address Space

OSXPmemELF: ELF Header signature invalid

FileAddressSpace: Must be first Address Space

ArmAddressSpace: Profile does not have valid Address Space check

Currently, does pyvmi only supports windows? if the pyvmi support linux, I should to pay attention to what I use volalitity.

psyche1...@gmail.com

--
You received this message because you are subscribed to a topic in the Google Groups "vmitools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/vmitools/bipJJew8m6o/unsubscribe.
To unsubscribe from this group and all its topics, send an email to vmitools+u...@googlegroups.com.

Tamas K Lengyel

unread,

Jun 4, 2015, 4:48:46 AM6/4/15

to vmit...@googlegroups.com

Be advised that in order to be able to run Volatility on a Linux guest you will need to create a Volatility profile for it. Take a look at https://code.google.com/p/volatility/wiki/LinuxMemoryForensics, section "Creating a profile". Running pslist without this profile won't work with Volatility.

Cheers,

Tamas

Bryan D. Payne

unread,

Jun 4, 2015, 12:49:02 PM6/4/15

to vmit...@googlegroups.com

Also, yes, pyvmi supports linux. It is just that example that was windows specific.

-bryan

Xianchun Guan

unread,

Jun 5, 2015, 3:05:43 AM6/5/15

to vmit...@googlegroups.com

Hi Tamas,

Thanks for your reply.After done the following, still does not work.

1. kvm vm:

--download lime resource code

root@ubuntu-gxc:/opt# git clone https://github.com/504ensicsLabs/LiME.git

root@ubuntu-gxc:/opt# cd LiME

root@ubuntu-gxc:/opt/LiME# git tag

v1.4

root@ubuntu-gxc:/opt/LiME# git checkout -b v1.4

Switched to a new branch 'v1.4'

root@ubuntu-gxc:/opt/LiME# cd src/

root@ubuntu-gxc:/opt/LiME/src# make

make -C /lib/modules/2.6.32-21-generic/build M=/opt/LiME/src modules

make[1]: Entering directory `/usr/src/linux-headers-2.6.32-21-generic'

CC [M] /opt/LiME/src/tcp.o

CC [M] /opt/LiME/src/disk.o

CC [M] /opt/LiME/src/main.o

LD [M] /opt/LiME/src/lime.o

Building modules, stage 2.

MODPOST 1 modules

CC /opt/LiME/src/lime.mod.o

LD [M] /opt/LiME/src/lime.ko

make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-21-generic'

strip --strip-unneeded lime.ko

mv lime.ko lime-2.6.32-21-generic.ko

root@ubuntu-gxc:/opt/LiME/src# insmod lime-2.6.32-21-generic.ko "path=/opt/ubuntu.lime format=lime"

root@ubuntu-gxc:/opt/LiME/src# ls -alh /opt/ubuntu.lime

-r--r--r-- 1 root root 1.0G 2015-06-05 14:24 /opt/ubuntu.lime

--copy ubuntu.lime to kvm host

root@ubuntu-gxc:/opt/LiME/src# scp /opt/ubuntu.lime ro...@172.19.106.245:/mnt/sdb1/forensics/images/

2. kvm Host:

--Making the profile

root@ubuntu:/mnt/sdb1/git/volatility/volatility# zip volatility/plugins/overlays/linux/ubuntu1004.zip tools/linux/module.dwarf ../../../sysmaps/System.map-2.6.32-21-generic

adding: tools/linux/module.dwarf (deflated 90%)

adding: ../../../sysmaps/System.map-2.6.32-21-generic (deflated 74%)

--using the profile

root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --info |grep Linux

Volatility Foundation Volatility Framework 2.4

Linuxubuntu1004i386x86 - A Profile for Linux ubuntu1004i386 x86

Linuxubuntu1004x86 - A Profile for Linux ubuntu1004 x86

linux_banner - Prints the Linux banner information

linux_yarascan - A shell in the Linux memory image

--using the plugin

root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --debug -f /mnt/sdb1/forensics/images/ubuntu.lime --profile=Linuxubuntu1004x86 linux_pslist

Volatility Foundation Volatility Framework 2.4

DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols

DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols

DEBUG : volatility.obj : Applying modification from BashHashTypes

DEBUG : volatility.obj : Applying modification from BashTypes

DEBUG : volatility.obj : Applying modification from BasicObjectClasses

DEBUG : volatility.obj : Applying modification from ELF32Modification

DEBUG : volatility.obj : Applying modification from ELF64Modification

DEBUG : volatility.obj : Applying modification from ELFModification

DEBUG : volatility.obj : Applying modification from HPAKVTypes

DEBUG : volatility.obj : Applying modification from LimeTypes

DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification

DEBUG : volatility.obj : Applying modification from MachoModification

DEBUG : volatility.obj : Applying modification from MachoTypes

DEBUG : volatility.obj : Applying modification from MbrObjectTypes

DEBUG : volatility.obj : Applying modification from VMwareVTypesModification

DEBUG : volatility.obj : Applying modification from VirtualBoxModification

DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay

DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay

DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG : volatility.obj : Applying modification from LinuxMountOverlay

DEBUG : volatility.obj : Applying modification from LinuxObjectClasses

DEBUG : volatility.obj : Applying modification from LinuxOverlay