Error [No suitable address space mapping found] at CentOS_X64_2.6.18-194.el5 _use volatility v2.3.1
GoogleCodeExporter opened this issue · 4 comments
GoogleCodeExporter commented
Hey all,
I have a problem with generating a profile for CentOS 5.10.
I'm not sure whether the cause is the profile or the memory dump file.
I've used libdwarf-20140519.tar.gz, lime-forensics-1.1-r17 and the kernel
Version CentOS 2.6.18-371.9.1.el5.x86_64 with volatility 3.2.1
What is the expected output? What do you see instead?
# vol -f /tmp/centos.lime -dd --profile=LinuxCentOS510x64 linux_netstat
Volatility Foundation Volatility Framework 2.3.1
DEBUG : volatility.plugins.overlays.linux.linux: CentOS510: Found dwarf file
boot/System.map-2.6.18-371.9.1.el5 with 378 symbols
DEBUG : volatility.plugins.overlays.linux.linux: CentOS510: Found system file
boot/System.map-2.6.18-371.9.1.el5 with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.obj : Applying modification from Linux64ObjectClasses
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac:
need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime:
need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.plugins.overlays.linux.linux: CentOS510: Found dwarf file
boot/System.map-2.6.18-371.9.1.el5 with 378 symbols
DEBUG : volatility.plugins.overlays.linux.linux: CentOS510: Found system file
boot/System.map-2.6.18-371.9.1.el5 with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.obj : Applying modification from Linux64ObjectClasses
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x2b38c270a590>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address
0x3FF7F860, instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x2b38bcd46710>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid
Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32:
PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64:
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid
magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64:
ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
Invalid VMware signature: 0x11063
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32:
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Failed
valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Incompatible profile LinuxCentOS510x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory:
Incompatible profile LinuxCentOS510x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be
first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff00cL
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff000L
DEBUG1 : volatility.obj : None object instantiated: No suggestions
available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed
valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x11063
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxCentOS510x64 selected
IA32PagedMemory: Incompatible profile LinuxCentOS510x64 selected
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
# strings /tmp/centos.lime |more
EMiL
---------
[root@centos-5 volatility-2.3.1]# strings /tmp/centos.fmem |more
/vmlinuz-2.6.18-371.9.1.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
What version of the product are you using? On what operating system?
# uname -a
Linux centos-5.5-X64 2.6.18-371.9.1.el5 #1 SMP
Volatility 2.3.1
lime-forensics-1.1-r17 /fmem_1.6-1
Please provide any additional information below.
create a profile
1 create module.dwarf
#make
make -C //lib/modules/2.6.18-371.9.1.el5/build CONFIG_DEBUG_INFO=y
M=/pentoo/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'
CC [M] /pentoo/volatility-2.3.1/tools/linux/module.o
/pentoo/volatility-2.3.1/tools/linux/module.c:303:5: warning: "STATS" is not
defined
/pentoo/volatility-2.3.1/tools/linux/module.c:319:5: warning: "DEBUG" is not
defined
Building modules, stage 2.
MODPOST
CC /pentoo/volatility-2.3.1/tools/linux/module.mod.o
LD [M] /pentoo/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-371.9.1.el5/build
M=/pentoo/volatility-2.3.1/tools/linux clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'
CLEAN /pentoo/volatility-2.3.1/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.9.1.el5-x86_64'
2
#pwd
/pentoo/volatility-2.3.1/tools/linux
#zip volatility/plugins/overlays/linux/CentOS510.zip tools/linux/module.dwarf
/boot/System.map-2.6.18-371.9.1.el5
3
# vol --info |grep Linux
Volatility Foundation Volatility Framework 2.3.1
LinuxCentOS510x64 - A Profile for Linux CentOS510 x64
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
#cat /boot/grub/grub.conf
title CentOS (2.6.18-371.9.1.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-371.9.1.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-371.9.1.el5.img
title CentOS (2.6.18-371.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-371.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet crashkernel=128M@16M
initrd /initrd-2.6.18-371.el5.img
---------------------
dump physical memory
#insmod lime.ko path=/tmp/centos.lime format=lime
#dd if=/dev/fmem of=/tmp/centos.fmem bs=1MB count=1024
[root@centos-5 volatility-2.3.1]# ls -alh /tmp
-rw-r--r-- 1 root root 977M Jun 15 22:58 centos.fmem
-r--r--r-- 1 root root 1.0G Jun 16 00:06 centos.lime
=========================================
Can anyone tell me why?
Original issue reported on code.google.com by po1e3...@gmail.com
on 15 Jun 2014 at 4:38
GoogleCodeExporter commented
Oh, I found it.
# grep init_level4_pgt /boot/System.map-2.6.18-371.9.1.el5
ffffffff80001000 T init_level4_pgt
ffffffff802f2b00 r __ksymtab_init_level4_pgt
ffffffff803007d8 r __kcrctab_init_level4_pgt
ffffffff80307870 r __kstrtab_init_level4_pgt
Please, what do I need to do?
Original comment by po1e3...@gmail.com
on 15 Jun 2014 at 5:14
GoogleCodeExporter commented
Original comment by michael.hale@gmail.com
on 15 Jun 2014 at 7:01
GoogleCodeExporter commented
Please close issue 503.
The issue has been fixed by
[http://lists.volatilesystems.com/pipermail/vol-users/2013-February/000743.html]
---------------------------
I'm sorry, michael.hale.
I have been working overtime for days and feel very tired, so I didn't see this article.
--------------------------------------------------------
Simple solution:
cd ../volatility/plugins/overlays/linux/
vi linux.py
In the 1000th row, replace 'shift = 0xffffffff80000000' with 'shift = 0xffffffff7fe00000'
vi linux64.py
In the 38h row, replace 'shift = 0xffffffff80000000' with 'shift = 0xffffffff7fe00000'
Original comment by po1e3...@gmail.com
on 17 Jun 2014 at 2:57
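Added example (not part of the original thread and not Volatility's or LiME's own code): a check of where each `shift` value from the comment above places the page-table base for the `init_level4_pgt` address shown in the System.map grep, and whether that physical address is covered by the segments of a LiME image. It assumes the candidate is the symbol's virtual address minus `shift` and the 32-byte LiME v1 segment header; the two-segment image and all function names are constructed for illustration.

```python
import struct

LIME_MAGIC = 0x4C694D45              # little-endian on disk: the "EMiL" seen by strings
LIME_HDR = struct.Struct("<IIQQ8x")  # magic, version, s_addr, e_addr, 8 reserved bytes

SYSTEM_MAP = "ffffffff80001000 T init_level4_pgt\n"  # line from the thread's grep
OLD_SHIFT = 0xffffffff80000000       # value the comment replaces
NEW_SHIFT = 0xffffffff7fe00000       # value the comment substitutes

def lime_ranges(image):
    """Return [(start_phys, end_phys, data_file_offset)] for every LiME segment."""
    ranges, off = [], 0
    while off + LIME_HDR.size <= len(image):
        magic, version, start, end = LIME_HDR.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError("bad LiME header at file offset %#x" % off)
        data_off = off + LIME_HDR.size
        ranges.append((start, end, data_off))
        off = data_off + (end - start + 1)   # e_addr is inclusive
    return ranges

def dtb_candidate(system_map, shift):
    """Assumed derivation: virtual address of init_level4_pgt minus shift."""
    for line in system_map.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "init_level4_pgt":
            return int(parts[0], 16) - shift
    raise KeyError("init_level4_pgt")

def file_offset(ranges, phys):
    """Translate a physical address to an offset in the image, or None if not captured."""
    for start, end, data_off in ranges:
        if start <= phys <= end:
            return data_off + (phys - start)
    return None

def sample_image():
    """Constructed, zero-filled two-segment image; not the poster's dump."""
    segs = [(0x1000, 0x1FFF), (0x200000, 0x201FFF)]
    return b"".join(LIME_HDR.pack(LIME_MAGIC, 1, s, e) + bytes(e - s + 1)
                    for s, e in segs)

if __name__ == "__main__":
    ranges = lime_ranges(sample_image())
    for shift in (OLD_SHIFT, NEW_SHIFT):
        dtb = dtb_candidate(SYSTEM_MAP, shift)
        print("shift=%#x dtb=%#x file_offset=%s"
              % (shift, dtb, file_offset(ranges, dtb)))
```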
GoogleCodeExporter commented
No worries, glad that takes care of it. Thanks...
Original comment by michael.hale@gmail.com
on 29 Jun 2014 at 5:18
- Changed state: Done