issues encountered when integrating Volatility with libvmi-python #90

Open
sttru3 opened this issue Mar 18, 2024 · 0 comments

sttru3 commented Mar 18, 2024

I'm trying to integrate the libvmi Python bindings with the Volatility project. I created a CentOS Stream 8 virtual machine using libvirt, and I can access it normally through libvmi:

$ virsh list
 Id   Name                    State
---------------------------------------
 1    centosStream8_default   running

DEBUG : volatility.debug : centos8Stream: Found dwarf file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1007 symbols
DEBUG : volatility.debug : centos8Stream: Found system file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : centos8Stream: Found dwarf file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1007 symbols
DEBUG : volatility.debug : centos8Stream: Found system file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time


DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.vmi.VMIAddressSpace object at 0x7d793dfc7e50>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel

No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareMetaAddressSpace: Location is not of file scheme
VMWareAddressSpace: Invalid VMware signature: -
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
WindowsAMD64PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile Linuxcentos8Streamx64 selected
IA32PagedMemory: Incompatible profile Linuxcentos8Streamx64 selected
OSXPmemELF: ELF Header signature invalid
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
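The debug output above is Volatility 2's address-space voting: each round tries every candidate layer, the winner becomes the base for the next round, and the trailing "Tried to open image as:" block lists why every candidate was rejected. The script below is an added example, not code from Volatility, libvmi or the issue reporter; it parses that output and summarises what was stacked per round, which kernel symbols were missing, and how the rejections group by reason. The embedded log is a constructed, abridged excerpt of the output posted above, and the "profile_warnings" check rests on the assumption (the usual Volatility 2 layout) that a Linux profile zip carries a module.dwarf alongside the System.map.

```python
"""Triage helper for Volatility 2 '-d' debug output.

Added example, not code from Volatility or from the issue reporter. It
parses the address-space voting rounds, the profile-file lines and the
final 'Tried to open image as:' summary, and reports which layer was
instantiated per round and why the remaining candidates were rejected.
"""
import re
from collections import defaultdict

# Constructed, abridged excerpt of the debug log posted in the issue.
SAMPLE_LOG = """\
DEBUG : volatility.debug : centos8Stream: Found dwarf file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1007 symbols
DEBUG : volatility.debug : centos8Stream: Found system file centos8Stream/boot/System.map-4.18.0-532.el8.x86_64 with 1 symbols
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.vmi.VMIAddressSpace object at 0x7d793dfc7e50>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel

No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
VMIAddressSpace: No base Address Space
LimeAddressSpace: Invalid Lime header signature
LinuxAMD64PagedMemory: Failed valid Address Space check
VMIAddressSpace: Must be first Address Space
"""

TRYING = re.compile(r"Trying <class '[\w.]+\.(\w+)'>")
SUCCEEDED = re.compile(r"Succeeded instantiating <[\w.]+\.(\w+) object")
MISSING_SYMBOL = re.compile(r"Requested symbol (\w+) not found in module (\w+)")
PROFILE_FILE = re.compile(r"Found (dwarf|system) file (\S+) with (\d+) symbols")
REASON = re.compile(r"^(\w+): (.+)$")


def parse_voting_rounds(log):
    """One dict per 'Voting round': the classes tried and the one that won."""
    rounds, current = [], None
    for line in log.splitlines():
        if line.endswith("Voting round"):
            current = {"tried": [], "succeeded": None}
            rounds.append(current)
        elif current is not None:
            m = TRYING.search(line)
            if m:
                current["tried"].append(m.group(1))
            m = SUCCEEDED.search(line)
            if m:
                current["succeeded"] = m.group(1)
    return rounds


def parse_failure_reasons(log):
    """Group the summary lines by rejection reason -> list of class names.
    A class may appear twice: once per voting round it was tried in."""
    reasons, in_summary = defaultdict(list), False
    for line in log.splitlines():
        if line.strip() == "Tried to open image as:":
            in_summary = True
        elif in_summary:
            m = REASON.match(line.strip())
            if m:
                reasons[m.group(2)].append(m.group(1))
    return dict(reasons)


def profile_warnings(log):
    """Flag profile-file lines that look wrong. Assumption: a Volatility 2
    Linux profile zip carries a module.dwarf plus a System.map, so a 'dwarf'
    entry that points at a System.map suggests a mis-built profile."""
    warnings = []
    for kind, path, count in PROFILE_FILE.findall(log):
        if kind == "dwarf" and "System.map" in path:
            warnings.append(f"dwarf entry is a System.map ({path}, {count} symbols)")
    return warnings


def triage(log):
    """Summarise the voting outcome: what stacked, what was tried last,
    which kernel symbols were missing and why candidates were rejected."""
    rounds = parse_voting_rounds(log)
    return {
        "rounds": len(rounds),
        "stack": [r["succeeded"] for r in rounds if r["succeeded"]],
        "last_round_tried": rounds[-1]["tried"] if rounds else [],
        "missing_symbols": MISSING_SYMBOL.findall(log),
        "failure_reasons": parse_failure_reasons(log),
        "profile_warnings": profile_warnings(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over the full log in the issue, the stack contains only VMIAddressSpace: the libvmi layer was instantiated in the first round, but nothing stacked on top of it in the second, where the Linux and generic AMD64 paged-memory layers were rejected with "Failed valid Address Space check" and the kernel symbol do_fork was reported missing. Together with the dwarf-file warning (the profile's dwarf entry is the System.map, found with only 1007 symbols), that is a reason to verify the profile and its symbol table before suspecting the libvmi connection itself.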
