Unable to run vol.py plugins for "Ubuntu 16.04.6" target #77

Open
darshantank opened this issue Feb 26, 2020 · 0 comments

I have successfully created a new profile for my VM running Ubuntu 16.04.6 LTS as described at https://github.com/volatilityfoundation/volatility/wiki/Linux and moved the zip file under 'volatility/plugins/overlays/linux/'.

When I run vol.py, it shows the following messages on my terminal, and I did not get the list of the running processes.

(venv) root@dmt-HP-Laptop-15-da1xxx:/home/dmt/volatility#

python vol.py -l vmi://ubuntu_Guest --profile=LinuxUbuntu1604x64 linux_pslist -d

Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Ubuntu1604: Found dwarf file boot/System.map-4.15.0-76-generic with 814 symbols
DEBUG : volatility.debug : Ubuntu1604: Found system file boot/System.map-4.15.0-76-generic with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : Ubuntu1604: Found dwarf file boot/System.map-4.15.0-76-generic with 814 symbols
DEBUG : volatility.debug : Ubuntu1604: Found system file boot/System.map-4.15.0-76-generic with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time


DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.vmi.VMIAddressSpace object at 0x7f603de92510>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel

No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Location is not of file scheme
VMWareMetaAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: -
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu1604x64 selected
IA32PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
OSXPmemELF: ELF Header signature invalid
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check

I would greatly appreciate it if you could kindly give us some feedback and share your views.

Thanks.
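
An added example, not part of the original issue or of the project's code: a Python parser for the debug output format shown above. It lists the kernel symbols reported as missing and, per address space, the reasons left after dropping the "No base Address Space" / "need base" entries. The names `triage` and `SAMPLE` are chosen here, and the sample is a shortened selection of lines from the post.

```python
import re

# Shortened selection of lines copied from the output in the post above.
SAMPLE = """\
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LinuxAMD64PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LinuxAMD64PagedMemory: Failed valid Address Space check
VMIAddressSpace: Must be first Address Space
"""

MISSING = re.compile(r"Requested symbol (\w+) not found in module (\w+)")
TRIED = re.compile(r"^\s*(\w+): (.+)$")


def is_base_noise(reason):
    """True for entries that only say the class needs a layer underneath it."""
    return reason == "No base Address Space" or reason.endswith("need base")


def triage(log):
    """Return missing symbols and the remaining failure reasons per class."""
    report = {"missing_symbols": [], "reasons": {}}
    in_tried = False
    for line in log.splitlines():
        m = MISSING.search(line)
        if m:
            if m.group(1) not in report["missing_symbols"]:
                report["missing_symbols"].append(m.group(1))
            continue
        if line.startswith("Tried to open image as:"):
            in_tried = True
            continue
        m = TRIED.match(line) if in_tried else None
        if m and not is_base_noise(m.group(2).strip()):
            report["reasons"].setdefault(m.group(1), []).append(m.group(2).strip())
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("missing symbols:", ", ".join(result["missing_symbols"]))
    for name, reasons in result["reasons"].items():
        print("%-24s %s" % (name, "; ".join(reasons)))
```
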
