How to integrate libvmi with Volatility


Xianchun Guan

Jun 2, 2015, 4:04:35 AM
to vmit...@googlegroups.com
I want to integrate libvmi with Volatility, but I don't know how to do it. Who can tell me how to do it?

Xianchun Guan

Jun 2, 2015, 4:08:45 AM
to vmit...@googlegroups.com
The hypervisor is KVM.


Bryan D. Payne

Jun 2, 2015, 12:53:03 PM
to vmit...@googlegroups.com
See the notes here:

Let me know if you have further questions.

Cheers,
-bryan



--
You received this message because you are subscribed to the Google Groups "vmitools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vmitools+u...@googlegroups.com.
To post to this group, send email to vmit...@googlegroups.com.
Visit this group at http://groups.google.com/group/vmitools.
For more options, visit https://groups.google.com/d/optout.

Xianchun Guan

Jun 2, 2015, 8:55:17 PM
to vmit...@googlegroups.com
Thanks



Xianchun Guan

Jun 3, 2015, 12:43:00 AM
to vmit...@googlegroups.com
The result is as follows when I run the command python vol.py -l vmi://centos6.4 pslist:

root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py -l vmi://centos6.4 pslist 
Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.linux.netscan (ImportError: libyara.so.0: cannot open shared object file: No such file or directory)
*** Failed to import volatility.plugins.dumpcerts (NameError: name 'yara' is not defined)
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace: Location is not of file scheme
 ArmAddressSpace: No base Address Space

The /etc/libvmi.conf is:
(inline image 1)

(inline image 2)

Can you give me an example of how to write a memory introspection program in Python, and where should I put the program? Thanks.



Bryan D. Payne

Jun 3, 2015, 1:07:50 AM
to vmit...@googlegroups.com
A few things to check:

1) Do the LibVMI examples work?  For example, can you run ./examples/process-list centos6.4?

2) Does the pyvmi example work?  For examples, can you run ./tools/pyvmi/examples/process-list.py centos6.4?

3) Does volatility work by itself?  For example, can you run it on a raw memory dump file?  If you don't have one, you can always download the example images at https://code.google.com/p/volatility/wiki/SampleMemoryImages.

4) Did you remember to add a symbolic link from the pyvmi address space into the volatility source tree?

-bryan




Xianchun Guan

Jun 3, 2015, 2:08:06 AM
to vmit...@googlegroups.com
I checked the steps that you gave. Step 2 does not work.
(inline image 2)

I got the win_tasks, win_pname, win_pid info by following the steps at: https://github.com/libvmi/libvmi/blob/master/tools/linux-offset-finder/README

Xianchun Guan

Jun 3, 2015, 2:13:32 AM
to vmit...@googlegroups.com
The steps to get the win_tasks, win_pname, win_pid info are as follows:
(inline image 1)

Xianchun Guan

Jun 3, 2015, 5:08:02 AM
to vmit...@googlegroups.com
Hi Bryan Payne 

1) Do the LibVMI examples work?  For example, can you run ./examples/process-list centos6.4?
     I switched to windows-xp; it works.

2) Does the pyvmi example work?  For examples, can you run ./tools/pyvmi/examples/process-list.py centos6.4?
     I switched to windows-xp; it works.

3) Does volatility work by itself?  For example, can you run it on a raw memory dump file?  If you don't have one, you can always download the example images at https://code.google.com/p/volatility/wiki/SampleMemoryImages.

4) Did you remember to add a symbolic link from the pyvmi address space into the volatility source tree?
     I have copied pyvmiaddressspace.py to /volatility/plugins/address/

I ran the command python vol.py -l vmi://windows-xp pslist and it works.
root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py -l vmi://windows-xp pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821b7a00 System                    4      0     55     1066 ------      0                                                              
0x82136d78 smss.exe                424      4      3       19 ------      0 2015-06-01 13:00:31 UTC+0000                                 
0x82013020 csrss.exe               480    424     10      359      0      0 2015-06-01 13:00:33 UTC+0000                                 
0x8201cb28 winlogon.exe            504    424     18      498      0      0 2015-06-01 13:00:33 UTC+0000                                 
0x820208b0 services.exe            548    504     15      261      0      0 2015-06-01 13:00:33 UTC+0000                                 
0x82148020 lsass.exe               560    504     20      345      0      0 2015-06-01 13:00:33 UTC+0000                                 
0x81f3e020 svchost.exe             728    548     17      194      0      0 2015-06-01 13:00:34 UTC+0000                                 
0x820ba318 svchost.exe             776    548      8      233      0      0 2015-06-01 13:00:35 UTC+0000                                 
0x81f29c68 svchost.exe             840    548     69     1363      0      0 2015-06-01 13:00:35 UTC+0000                                 
0x81fd9c10 svchost.exe             900    548      4       58      0      0 2015-06-01 13:00:35 UTC+0000                                 
0x81f291b0 svchost.exe             964    548     13      192      0      0 2015-06-01 13:00:35 UTC+0000                                 
0x81f2a878 spoolsv.exe            1048    548     10      108      0      0 2015-06-01 13:00:39 UTC+0000                                 
0x81f17a10 msdtc.exe              1596    548     15      167      0      0 2015-06-01 13:00:45 UTC+0000                                 
0x820bc6f0 snmp.exe               1728    548      5      162      0      0 2015-06-01 13:00:46 UTC+0000                                 
0x82080370 mqsvc.exe              1956    548     25      189      0      0 2015-06-01 13:00:51 UTC+0000                                 
0x81e7c868 mqtgsvc.exe             328    548      9      119      0      0 2015-06-01 13:00:53 UTC+0000                                 
0x81e62020 alg.exe                 484    548      5      104      0      0 2015-06-01 13:00:54 UTC+0000                                 
0x81efb328 wscntfy.exe             696    840      1       31      0      0 2015-06-02 17:31:19 UTC+0000                                 
0x81f0a020 explorer.exe           1172   1256     10      312      0      0 2015-06-02 17:31:20 UTC+0000                                 
0x81e43da0 ctfmon.exe             1716   1172      1       71      0      0 2015-06-02 17:31:23 UTC+0000                                 
0x81e40740 rundll32.exe            832   1172      2      129      0      0 2015-06-02 17:31:27 UTC+0000                                 
0x820cada0 logon.scr              1436    504      1       30      0      0 2015-06-02 17:41:49 UTC+0000


Bryan D. Payne

Jun 3, 2015, 1:58:09 PM
to vmit...@googlegroups.com
Glad to hear that this is working with the windows image.  I'm left wondering if there is a problem with the VM name having a period in it.  Would it be possible to rename the centos VM to test this theory?

Thanks,
-bryan


Xianchun Guan

Jun 4, 2015, 12:29:07 AM
to vmit...@googlegroups.com
Hi Bryan Payne
   Unfortunately, the error is still the same when I create a new virtual machine named centos6.



Bryan D. Payne

Jun 4, 2015, 12:34:41 AM
to vmit...@googlegroups.com
Thanks for checking.  I'm not sure why this would have trouble then.  Any chance you could run it with libvmi debug enabled?

-bryan


Xianchun Guan

Jun 4, 2015, 3:10:59 AM
to vmit...@googlegroups.com
Hi Bryan,
    I found the problem in process-list.py; the contents are as follows:
.........
import pyvmi
import sys


def get_processes(vmi):
    tasks_offset = vmi.get_offset("win_tasks")
    name_offset = vmi.get_offset("win_pname") - tasks_offset
    pid_offset = vmi.get_offset("win_pid") - tasks_offset
.............
The keys use win rather than linux as a prefix. I think this is a bug.



Bryan D. Payne

Jun 4, 2015, 3:20:19 AM
to vmit...@googlegroups.com
Ah yes, this does appear to be a bug.  In fact, given this, there may be other issues running that script with linux VMs.  I've filed a new bug for this:


Thanks,
-bryan



Xianchun Guan

Jun 4, 2015, 4:44:08 AM
to vmit...@googlegroups.com
Hi Bryan,
     Thanks for your reply. I modified the ./pyvmi/example/process-list.py file, and then it works, but after running python vol.py -l vmi://centos6 pslist the output is as follows:
     Volatility Foundation Volatility Framework 2.4
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Location is not of file scheme
 VMWareMetaAddressSpace: Location is not of file scheme
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: -
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 PyVmiAddressSpace: Must be first Address Space
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Profile does not have valid Address Space check
     Currently, does pyvmi only support Windows? If pyvmi supports Linux, what should I pay attention to when I use Volatility?




Tamas K Lengyel

Jun 4, 2015, 4:48:46 AM
to vmit...@googlegroups.com
Be advised that in order to be able to run Volatility on a Linux guest you will need to create a Volatility profile for it. Take a look at https://code.google.com/p/volatility/wiki/LinuxMemoryForensics, section "Creating a profile". Running pslist without this profile won't work with Volatility.

Cheers,
Tamas

Bryan D. Payne

Jun 4, 2015, 12:49:02 PM
to vmit...@googlegroups.com
Also, yes, pyvmi supports linux.  It is just that example that was windows specific.

-bryan
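A Linux-aware version of the task walk, added here as an example and not code from the thread or from the libvmi project: it looks up the linux_* offset keys instead of the win_* ones and walks init_task.tasks. The pyvmi calls (init, get_offset, translate_ksym2v, read_addr_va, read_32_va, read_str_va) are assumed from the pyvmi example; FakeVmi is a constructed stand-in with made-up offsets so the walk runs offline.

```python
import struct

# Offset keys as named in /etc/libvmi.conf. The pyvmi process-list.py quoted in
# this thread hard-codes the win_* keys, which a Linux guest's config entry does
# not carry; a Linux entry uses the linux_* keys instead.
OFFSET_KEYS = {
    "Linux": ("linux_tasks", "linux_name", "linux_pid"),
    "Windows": ("win_tasks", "win_pname", "win_pid"),
}


def linux_processes(vmi):
    """Walk init_task.tasks and yield (pid, comm) for every task_struct.
    `vmi` is assumed to expose the pyvmi-style calls get_offset, translate_ksym2v,
    read_addr_va, read_32_va and read_str_va; FakeVmi below implements the same
    interface over constructed bytes so the walk runs without a hypervisor."""
    tasks_key, name_key, pid_key = OFFSET_KEYS["Linux"]
    tasks_offset = vmi.get_offset(tasks_key)
    name_offset = vmi.get_offset(name_key)
    pid_offset = vmi.get_offset(pid_key)
    # Unlike PsInitialSystemProcess, init_task is the swapper task_struct itself,
    # so the list head is the `tasks` list_head embedded in it.
    list_head = vmi.translate_ksym2v("init_task") + tasks_offset
    entry, seen = list_head, set()
    while True:
        task = entry - tasks_offset  # container_of(entry, task_struct, tasks)
        pid = vmi.read_32_va(task + pid_offset, 0)
        comm = vmi.read_str_va(task + name_offset, 0)
        yield pid, comm
        entry = vmi.read_addr_va(entry, 0)  # tasks.next
        if entry == list_head or entry in seen:
            break  # back at the head, or a corrupted list that loops
        seen.add(entry)


class FakeVmi:
    """Constructed stand-in for a pyvmi handle: a 32-bit guest whose kernel memory
    is a bytearray at KERNEL_BASE. Offsets are made up; real ones come from
    linux-offset-finder, as in the thread."""
    KERNEL_BASE = 0xC0000000
    OFFSETS = {"linux_tasks": 0x100, "linux_pid": 0x180, "linux_name": 0x200}
    KSYMS = {"init_task": KERNEL_BASE}
    STRIDE = 0x400  # spacing between the constructed task_structs

    def __init__(self, tasks):  # tasks: [(pid, comm)], first one is swapper
        self.mem = bytearray(self.STRIDE * len(tasks))
        addrs = [self.KERNEL_BASE + i * self.STRIDE for i in range(len(tasks))]
        for i, (addr, (pid, comm)) in enumerate(zip(addrs, tasks)):
            nxt = addrs[(i + 1) % len(addrs)] + self.OFFSETS["linux_tasks"]
            self._write(addr + self.OFFSETS["linux_tasks"], struct.pack("<I", nxt))
            self._write(addr + self.OFFSETS["linux_pid"], struct.pack("<I", pid))
            self._write(addr + self.OFFSETS["linux_name"], comm.encode() + b"\0")

    def _write(self, va, data):
        off = va - self.KERNEL_BASE
        self.mem[off:off + len(data)] = data

    def get_offset(self, key):
        return self.OFFSETS[key]

    def translate_ksym2v(self, sym):
        return self.KSYMS[sym]

    def read_32_va(self, va, pid):
        off = va - self.KERNEL_BASE
        return struct.unpack("<I", bytes(self.mem[off:off + 4]))[0]

    read_addr_va = read_32_va  # 32-bit guest: a kernel pointer is 4 bytes

    def read_str_va(self, va, pid):
        off = va - self.KERNEL_BASE
        return self.mem[off:self.mem.index(b"\0", off)].decode()


def main(vm_name):
    import pyvmi  # live run: pyvmi.init(name, "complete") assumed from the example
    vmi = pyvmi.init(vm_name, "complete")  # vm_name must be in /etc/libvmi.conf
    for pid, comm in linux_processes(vmi):
        print("[%5d] %s" % (pid, comm))
```

Run main("centos6") on a host with libvmi and a Linux entry for that VM; the FakeVmi path exercises the same walk with no hypervisor.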

Xianchun Guan

Jun 5, 2015, 3:05:43 AM
to vmit...@googlegroups.com
Hi Tamas,
     Thanks for your reply. After doing the following, it still does not work.
1.  kvm vm:
--download LiME source code
  root@ubuntu-gxc:/opt# git clone https://github.com/504ensicsLabs/LiME.git
  root@ubuntu-gxc:/opt# cd LiME
  root@ubuntu-gxc:/opt/LiME# git tag
  v1.4
  root@ubuntu-gxc:/opt/LiME# git checkout -b  v1.4
  Switched to a new branch 'v1.4'
  root@ubuntu-gxc:/opt/LiME# cd src/
  root@ubuntu-gxc:/opt/LiME/src# make
make -C /lib/modules/2.6.32-21-generic/build M=/opt/LiME/src modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-21-generic'
  CC [M]  /opt/LiME/src/tcp.o
  CC [M]  /opt/LiME/src/disk.o
  CC [M]  /opt/LiME/src/main.o
  LD [M]  /opt/LiME/src/lime.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /opt/LiME/src/lime.mod.o
  LD [M]  /opt/LiME/src/lime.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-21-generic'
strip --strip-unneeded lime.ko
mv lime.ko lime-2.6.32-21-generic.ko
 root@ubuntu-gxc:/opt/LiME/src# insmod lime-2.6.32-21-generic.ko "path=/opt/ubuntu.lime format=lime"
 root@ubuntu-gxc:/opt/LiME/src# ls -alh /opt/ubuntu.lime 
 -r--r--r-- 1 root root 1.0G 2015-06-05 14:24 /opt/ubuntu.lime

--copy ubuntu.lime to kvm host
  root@ubuntu-gxc:/opt/LiME/src# scp /opt/ubuntu.lime ro...@172.19.106.245:/mnt/sdb1/forensics/images/
  
2. kvm Host:
--Making the profile
   root@ubuntu:/mnt/sdb1/git/volatility/volatility# zip volatility/plugins/overlays/linux/ubuntu1004.zip tools/linux/module.dwarf ../../../sysmaps/System.map-2.6.32-21-generic 
    adding: tools/linux/module.dwarf (deflated 90%)
     adding: ../../../sysmaps/System.map-2.6.32-21-generic (deflated 74%)
--using the profile
   root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --info |grep Linux
   Volatility Foundation Volatility Framework 2.4
   Linuxubuntu1004i386x86 - A Profile for Linux ubuntu1004i386 x86
   Linuxubuntu1004x86     - A Profile for Linux ubuntu1004 x86
   linux_banner               - Prints the Linux banner information
   linux_yarascan             - A shell in the Linux memory image
--using the plugin
root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --debug -f /mnt/sdb1/forensics/images/ubuntu.lime --profile=Linuxubuntu1004x86 linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7505790>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7505750>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value e82c4c4c
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 PyVmiAddressSpace: Location doesn't start with vmi://
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile Linuxubuntu1004x86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 PyVmiAddressSpace: Must be first Address Space
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
  

Tamas K Lengyel

Jun 5, 2015, 3:11:10 AM
to vmit...@googlegroups.com
FYI:
 PyVmiAddressSpace: Location doesn't start with vmi://

Xianchun Guan

Jun 5, 2015, 3:22:29 AM
to vmit...@googlegroups.com
What can I do to make it work?


Xianchun Guan

Jun 5, 2015, 3:45:45 AM
to vmit...@googlegroups.com
Hi Tamas,
      What should I do to make it work? Thanks!


Bryan D. Payne

Jun 5, 2015, 2:01:26 PM
to vmit...@googlegroups.com
I think you are up to solving Volatility issues.  As such, you can probably get better help on the Volatility mailing list.


Cheers,
-bryan