issues encountered when integrating Volatility with libvmi-python #90

Open
sttru3 opened this issue Mar 18, 2024 · 0 comments
sttru3 commented Mar 18, 2024

I'm trying to integrate the libvmi Python bindings with the Volatility project. I created a CentOS Stream 8 virtual machine using libvirt, and I can access it normally through libvmi:

```
$ virsh list
 Id   Name                    State
---------------------------------------
 1    centosStream8_default   running
```

```
DEBUG : volatility.debug : centos8Stream: Found dwarf file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1007 symbols
DEBUG : volatility.debug : centos8Stream: Found system file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : centos8Stream: Found dwarf file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1007 symbols
DEBUG : volatility.debug : centos8Stream: Found system file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time


DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.vmi.VMIAddressSpace object at 0x7d793dfc7e50>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel

No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareMetaAddressSpace: Location is not of file scheme
VMWareAddressSpace: Invalid VMware signature: -
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
WindowsAMD64PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile Linuxcentos8Streamx64 selected
IA32PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
OSXPmemELF: ELF Header signature invalid
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
```
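In the output above, the first voting round accepts VMIAddressSpace as the base layer, but in the second round LinuxAMD64PagedMemory fails its valid-address-space check right after a lookup of the kernel symbol `do_fork` fails, and the profile-loading lines report the same System.map path as both "dwarf file" (1007 symbols) and "system file" (1 symbol). The script below is an added example for triaging a profile's System.map offline before involving libvmi at all; it is not code from the issue author, libvmi-python or Volatility. It parses the map, checks which fork entry-point name the kernel exposes, lists symbols that are missing, and flags an implausibly small symbol count. The required-symbol list and the fork-name aliases are assumptions (only `do_fork` comes from the issue output); the System.map excerpt is constructed.

```python
"""Offline sanity check of a Linux System.map for a Volatility 2 profile.

Added example, not part of the issue, libvmi-python or Volatility.
Assumptions: the symbols a Linux paged address space needs for validation
(REQUIRED) and the fork entry-point aliases (FORK_CANDIDATES).
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed System.map excerpt; a real x86_64 map has tens of thousands of lines.
SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81012a40 T arch_dup_task_struct
ffffffff810a7e80 T _do_fork
ffffffff810a8310 T kernel_thread
ffffffff82011300 D init_task
ffffffff8220a000 D init_top_pgt
ffffffff82a4b000 B swapper_pg_dir
"""

# System.map line layout: <hex address> <nm type letter> <symbol name>
SYMBOL_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)$")

# Fork entry-point names seen across kernel generations (assumption: do_fork on
# old kernels, _do_fork through the 4.x series, kernel_clone on recent kernels).
FORK_CANDIDATES = ("do_fork", "_do_fork", "kernel_clone")

# Symbols assumed to be required by the profile validity check; do_fork is the
# name the issue's debug output reports as missing.
REQUIRED = ("init_task", "do_fork")

# A complete x86_64 System.map is far larger than this; the issue reports 1007.
MIN_PLAUSIBLE_SYMBOLS = 10000


def load_system_map(text: str) -> Dict[str, int]:
    """Parse System.map text into {symbol name: address}; skip malformed lines."""
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if not m:
            continue
        addr, _type, name = m.groups()
        symbols[name] = int(addr, 16)
    return symbols


def missing_symbols(symbols: Dict[str, int], required=REQUIRED) -> List[str]:
    """Return the required names that the map does not provide."""
    return [name for name in required if name not in symbols]


def fork_symbol(symbols: Dict[str, int]) -> Optional[str]:
    """Return whichever fork entry-point alias the map exposes, if any."""
    for name in FORK_CANDIDATES:
        if name in symbols:
            return name
    return None


def looks_like_full_map(symbols: Dict[str, int]) -> bool:
    """Reject maps with far fewer symbols than a real kernel has."""
    return len(symbols) >= MIN_PLAUSIBLE_SYMBOLS


def diagnose(text: str) -> dict:
    """Run all checks and return a summary a practitioner can act on."""
    symbols = load_system_map(text)
    return {
        "symbol_count": len(symbols),
        "missing": missing_symbols(symbols),
        "fork_symbol": fork_symbol(symbols),
        "plausible_size": looks_like_full_map(symbols),
    }


if __name__ == "__main__":
    # Usage: python check_system_map.py [/path/to/System.map]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_SYSTEM_MAP
    for key, value in diagnose(data).items():
        print(f"{key}: {value}")
```

Run against the constructed excerpt, the summary reports `_do_fork` as the fork symbol present, `do_fork` as missing, and an implausibly small map; a map whose kernel is the one named in the issue (4.18) would be expected to show the same `_do_fork`/`do_fork` split but a symbol count orders of magnitude larger than the 1007 the debug output reports.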
