I have a problem, I hope you can answer it. #84

Open
lryzxy opened this issue Jul 8, 2022 · 4 comments


lryzxy commented Jul 8, 2022

root@ubuntu:/home/ha/Documents/volatility# python vol.py -d -l vmi://ubuntu16 pslist
Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.linux.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
VMIAddressSpace: The LibVMI python bindings must be installed
FileAddressSpace: Location is not of file scheme
ArmAddressSpace: No base Address Space

Member

Wenzel commented Jul 11, 2022

It's written in the logs: VMIAddressSpace: The LibVMI python bindings must be installed

The libvmi python bindings are not found on your system or in the virtualenv you are using.

Author

lryzxy commented Jul 13, 2022

> It's written in the logs: VMIAddressSpace: The LibVMI python bindings must be installed
>
> The libvmi python bindings are not found on your system or in the virtualenv you are using.

I followed the documentation for the bindings, and I put the vmi.py file in the appropriate directory, but again the following error occurred:

root@ubuntu:/home/ha/Documents/volatility# python vol.py -l vmi://ubuntu18 --profile=LinuxUbuntu1804x64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 148, in main
    registry.register_global_options(config, addrspace.BaseAddressSpace)
  File "/home/ha/Documents/volatility/volatility/registry.py", line 157, in register_global_options
    for m in get_plugin_classes(cls, True).values():
  File "/home/ha/Documents/volatility/volatility/registry.py", line 152, in get_plugin_classes
    raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object VMIAddressSpace has already been defined by <class 'volatility.plugins.linux.vmi.VMIAddressSpace'>
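The exception above is raised when two loaded plugin classes share a name. The following is an added diagnostic sketch, not code from this thread or from the Volatility or LibVMI projects: it walks a plugin tree and reports every `*AddressSpace` class name defined in more than one file. It assumes the second definition comes from a stray copy of `vmi.py`; the directory layout in `build_sample_tree` is constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Matches top-level "class Name(" or "class Name:" without importing the
# plugin, so the scan works regardless of which Python version the tree targets.
CLASS_RE = re.compile(r"^class\s+([A-Za-z_]\w*)\s*[(:]", re.MULTILINE)


def find_duplicate_classes(plugin_root, suffix="AddressSpace"):
    """Return {class name: sorted relative paths} for names defined in 2+ files."""
    seen = defaultdict(set)
    for dirpath, _dirs, files in os.walk(plugin_root):
        for fname in files:
            if not fname.endswith(".py"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", errors="replace") as fh:
                source = fh.read()
            for name in CLASS_RE.findall(source):
                if name.endswith(suffix):
                    seen[name].add(os.path.relpath(path, plugin_root))
    return {name: sorted(paths) for name, paths in seen.items() if len(paths) > 1}


def build_sample_tree(root):
    """Constructed sample: the same vmi.py present in two plugin directories."""
    body = "class VMIAddressSpace(object):\n    pass\n"
    for sub in ("linux", "addrspaces"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "vmi.py"), "w") as fh:
            fh.write(body)
    # A second, uniquely named address space that must not be reported.
    with open(os.path.join(root, "addrspaces", "lime.py"), "w") as fh:
        fh.write("class LimeAddressSpace(object):\n    pass\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, paths in find_duplicate_classes(tmp).items():
            print("%s defined in: %s" % (name, ", ".join(paths)))
```

Pointing `find_duplicate_classes` at a real `volatility/plugins` directory lists the files to compare; keeping only one definition of each reported class removes the name clash.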

Member

Wenzel commented Jul 19, 2022

It seems that the python2 VMIAddressSpace might not be working anymore.

Python2 itself is deprecated, you should have a look at Volatility3:
https://github.com/volatilityfoundation/volatility3/

Also libmicrovmi is another library that already provides a bridge to volatility3, here is a tutorial:
https://wenzel.github.io/libmicrovmi/tutorial/volatility3_xen.html

I hope this will help.

Author

lryzxy commented Aug 24, 2022

@Wenzel Thanks
