volatility profile not work with ubuntu1404

[allewwaly]

Seen at #122. I've made supplement to the question. The profile is generated with guidence of https://code.google.com/p/volatility/wiki/LinuxMemoryForensics. And the results is:

python vol.py --profile=LinuxUbuntu1204-Manualx64 -f ubuntu-hvm.mem linux_pslist
Volatility Foundation Volatility Framework 2.4
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 PyVmiAddressSpace: Location doesn't start with vmi://
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxUbuntu1204-Manualx64 selected
 IA32PagedMemory: Incompatible profile LinuxUbuntu1204-Manualx64 selected
 PyVmiAddressSpace: Must be first Address Space
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

I've tried several memory dumps and all fail. The OS is 64 bit ubuntu1404 with 3.13.0-24 kernel.

[Stubatiger]

Did u try the profile provided under:
https://github.com/volatilityfoundation/profiles/tree/master/Linux/Ubuntu/x64
?

[allewwaly]

Yes, exactly. I tried that before made myself one. All got the same error message.

[Stubatiger]

I have recreated this problem on the following Ubuntu Versions, each a Fresh Install on VirtualBox5.0 and GuestAdditions installed, the Images were created with Lime in lime-format and i used the official Profile provided:
ubuntu-14.04.1-desktop-amd64.iso (Linux 3.13.0-32-generic #57-Ubuntu)
ubuntu-14.04.3-desktop-amd64.iso (Linux 3.19.0-25-generic #26~14.04.1-Ubuntu)

Funny enough on this Version i have no problems:
ubuntu-14.04.2-desktop-amd64.iso (Linux 3.16.0-30-generic #40~14.04.1-Ubuntu)

On the 14.04.3-Version i tried creating the RAM-Image with linpmem in elf-format, no success there either.

[atcuno]

Can you both please paste uname -a from the virtual machines where the profiles are not working? The profiles need to match the kernel version, not the Ubuntu version. Each Ubuntu version may contain 20-40 different kernels due to different configuration options and updates.

[Stubatiger]

How does this info differ though from what i already wrote?

[andrew-morris]

I am having this issue as well.

Attempting to run the imageinfo plugin yields the following-

$ python ~/Tools/volatility/vol.py -f ./img2.lime imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
Traceback (most recent call last):
  File "/Users/amorris/Tools/volatility/vol.py", line 192, in <module>
    main()
  File "/Users/amorris/Tools/volatility/vol.py", line 183, in main
    command.execute()
  File "/Users/amorris/Tools/volatility/volatility/commands.py", line 145, in execute
    func(outfd, data)
  File "/Users/amorris/Tools/volatility/volatility/plugins/imageinfo.py", line 45, in render_text
    for k, t, v in data:
  File "/Users/amorris/Tools/volatility/volatility/plugins/imageinfo.py", line 55, in calculate
    suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
  File "/Users/amorris/Tools/volatility/volatility/plugins/kdbgscan.py", line 116, in calculate
    buf = addrspace.BufferAddressSpace(self._config)
  File "/Users/amorris/Tools/volatility/volatility/addrspace.py", line 378, in __init__
    BaseAddressSpace.__init__(self, None, config, **kwargs)
  File "/Users/amorris/Tools/volatility/volatility/addrspace.py", line 73, in __init__
    self.profile = self._set_profile(config.PROFILE)
  File "/Users/amorris/Tools/volatility/volatility/addrspace.py", line 98, in _set_profile
    ret = profs[profile_name]()
  File "/Users/amorris/Tools/volatility/volatility/plugins/overlays/linux/linux.py", line 214, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/Users/amorris/Tools/volatility/volatility/obj.py", line 859, in __init__
    self.reset()
  File "/Users/amorris/Tools/volatility/volatility/plugins/overlays/linux/linux.py", line 224, in reset
    self.load_vtypes()
  File "/Users/amorris/Tools/volatility/volatility/plugins/overlays/linux/linux.py", line 261, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 225, in process_statement
    self.id_to_name[statement_id] = [self.base_type_name(data)]
  File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 125, in base_type_name
    return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: 'device_attribute'

I am using the community-provided profile located here. The memory was acquired from the target system using LiME. I have tried acquiring memory via LiME with both LiME and Padded formats, and both yield the same results.

Info about my machine:

OS: OS X Yosemite
Uname: Darwin XXXX 14.3.0 Darwin Kernel Version 14.3.0: Mon Mar 23 11:59:05 PDT 2015; root:xnu-2782.20.48~5/RELEASE_X86_64 x86_64
Python: Python 2.7.9
Volatility: Volatility Framework 2.5

[ghost]

Hii, I have the same issue with the address mapping. I tried using different profiles as well but none worked. Can anyone post the solution for this if you have resolved this issue. I have using LiME to extract memory.

labuser@labuser-virtual-machine:~/Desktop/volatility-master$ python vol.py -f /home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump --profile=LinuxLinuxUbuntu13x64 linux_ifconfig
Volatility Foundation Volatility Framework 2.5
Interface IP Address MAC Address Promiscous Mode

---

No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxLinuxUbuntu13x64 selected
IA32PagedMemory: Incompatible profile LinuxLinuxUbuntu13x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check

About my Machine
OS: OS Ubuntu 15.10
uname:4.2.0-16-generic
python-2.7.11
Volatility-master
LiME-master

[atcuno]

Hey,

Can you please past the output of the following:

strings -a
/home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump
| grep Kernel | grep version | grep gcc

Thanks,
Andrew (@attrc)

On 04/21/2016 02:58 PM, swagataupputolla wrote:

Hii, I have the same issue with the address mapping. I tried using
different profiles as well but none worked. Can anyone post the solution
for this if you have resolved this issue. I have using LiME to extract
memory.

labuser@labuser-virtual-machine:~/Desktop/volatility-master$ python
vol.py -f
/home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump
--profile=LinuxLinuxUbuntu13x64 linux_ifconfig
Volatility Foundation Volatility Framework 2.5
Interface IP Address MAC Address Promiscous Mode

---

No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxLinuxUbuntu13x64 selected
IA32PagedMemory: Incompatible profile LinuxLinuxUbuntu13x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check

About my Machine
OS: OS Ubuntu 15.10
uname:4.2.0-16-generic
python-2.7.11
Volatility-master
LiME-master

—
You are receiving this because you commented.
Reply to this email directly or view it on GitHub
#245 (comment)

[ghost]

labuser@labuser-virtual-machine:/$ strings -a /home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump | grep Kernel
Kernel only SVGA command: %u.
KernelName
KernelRelease
KernelVersion
KernelVersion
KernelName
KernelRelease
MESSAGE=Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.2.0-16-generic root=UUID=904d3db9-1a3f-454c-9fcc-811d33f70fb8 ro quiet splash
MESSAGE=Starting Load Kernel Modules...
5Kernel command line: %s
0Kernel Offset: 0x%lx from 0x%lx (relocation range: 0x%lx-0x%lx)
4tsc: Kernel compiled with CONFIG_X86_TSC, cannot disable TSC completely
3kexec-bzImage64: Kernel command line too long
0Kernel Offset: disabled
Kernel bss
Kernel code
Kernel data
0Kernel panic - not syncing: %s
0---[ end Kernel panic - not syncing: %s
stack-protector: Kernel stack is corrupted in: %p
KernelPageSize: %8lu kB
KernelStack: %8lu kB
2Kernel BUG at %p [verbose debug info unavailable]
Node %d KernelStack: %8lu kB
:https://collector.githubapp.com/github/page_view?dimensions[page]=https%3A%2F%2Fgithub.com%2F504ensicslabs%2Flime&dimensions[title]=GitHub%20-%20504ensicsLabs%2FLiME%3A%20LiME%20(formerly%20DMD)%20is%20a%20Loadable%20Kernel%20Module%20(LKM)%2C%20which%20allows%20the%20acquisition%20of%20volatile%20memory%20from%20Linux%20and%20Linux-based%20devices%2C%20such%20as%20those%20powered%20by%20Android.%20The%20tool%20supports%20acquiring%20memory%20either%20to%20the%20file%20system%20of%20the%20device%20or%20over%20the%20network.%20LiME%20is%20unique%20in%20that%20it%20is%20the%20first%20tool%20that%20allows%20full%20memory%20captures%20from%20Android%20devices.%20It%20also%20minimizes%20its%20interaction%20between%20user%20and%20kernel%20space%20processes%20during%20acquisition%2C%20which%20allows%20it%20to%20produce%20memory%20captures%20that%20are%20more%20forensically%20sound%20than%20those%20of%20other%20tools%20designed%20for%20Linux%20memory%20acquisition.&dimensions[referrer]=&dimensions[user_agent]=Mozilla%2F5.0%20(X11%3B%20Ubuntu%3B%20Linux%20x86_64%3B%20rv%3A41.0)%20Gecko%2F20100101%20Firefox%2F41.0&dimensions[screen_resolution]=1360x768&dimensions[pixel_ratio]=1&dimensions[browser_resolution]=1295x640&dimensions[tz_seconds]=-14400&dimensions[timestamp]=1461253162034&dimensions[request_id]=835EBA6F%3A5B23%3A3378808%3A5718F428&dimensions[user_id]=7229841&dimensions[user_login]=504ensicsLabs&dimensions[repository_id]=24379459&dimensions[repository_nwo]=504ensicsLabs%2FLiME&dimensions[repository_public]=true&dimensions[repository_is_fork]=false&dimensions[repository_network_root_id]=24379459&dimensions[repository_network_root_nwo]=504ensicsLabs%2FLiME&&measures[performance_timing]=1-33-33--1692-1322-1134-214-33-3-3---0---104-234-105---&&&dimensions[cid]=1085768318.1461253162
Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.2.0-16-generic root=UUID=904d3db9-1a3f-454c-9fcc-811d33f70fb8 ro quiet splash
systemd[1]: Listening on udev Kernel Socket.
systemd[1]: Starting Load Kernel Modules...
systemd[1]: Starting udev Kernel Device Manager...
KernelVersion
GitHub - 504ensicsLabs/LiME: LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
KernelName
KernelVersion
MESSAGE=Started udev Kernel Device Manager.
MESSAGE=Starting Remount Root and Kernel File Systems...
MESSAGE=Started Remount Root and Kernel File Systems.
<30>[ 2.701285] systemd[1]: Starting udev Kernel Device Manager...
MESSAGE=Listening on udev Kernel Socket.
0Kernel Offset: disabled
Kernel bss
Kernel code
Kernel data
<30>[ 2.701285] systemd[1]: Starting udev Kernel Device
GitHub - 504ensicsLabs/LiME: LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
MESSAGE=Starting Apply Kernel Variables...
MESSAGE=Started Apply Kernel Variables.
Kernel32
KernelRelease
KernelRelease
KernelVersion
KernelName
KernelRelease
KernelVersion
KernelName
KernelRelease
KernelVersion
KernelName
KernelRelease
KernelVersion
Kernel32.dll
mitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.12.0 try http://www.rsyslog.com/e/2222 ]
MESSAGE=Started Load Kernel Modules.
KernelRelease
KernelVersion
Remount Root and Kernel File Systems
MESSAGE=Starting udev Kernel Device Manager...
KernelRelease
KernelName
KernelRelease
KernelVersion
:https://collector.githubapp.com/github/page_view?dimensions[page]=https%3A%2F%2Fgithub.com%2F504ensicslabs%2Flime&dimensions[title]=GitHub%20-%20504ensicsLabs%2FLiME%3A%20LiME%20(formerly%20DMD)%20is%20a%20Loadable%20Kernel%20Module%20(LKM)%2C%20which%20allows%20the%20acquisition%20of%20volatile%20memory%20from%20Linux%20and%20Linux-based%20devices%2C%20such%20as%20those%20powered%20by%20Android.%20The%20tool%20supports%20acquiring%20memory%20either%20to%20the%20file%20system%20of%20the%20device%20or%20over%20the%20network.%20LiME%20is%20unique%20in%20that%20it%20is%20the%20first%20tool%20that%20allows%20full%20memory%20captures%20from%20Android%20devices.%20It%20also%20minimizes%20its%20interaction%20between%20user%20and%20kernel%20space%20processes%20during%20acquisition%2C%20which%20allows%20it%20to%20produce%20memory%20captures%20that%20are%20more%20forensically%20sound%20than%20those%20of%20other%20tools%20designed%20for%20Linux%20memory%20acquisition.&dimensions[referrer]=&dimensions[user_agent]=Mozilla%2F5.0%20(X11%3B%20Ubuntu%3B%20Linux%20x86_64%3B%20rv%3A41.0)%20Gecko%2F20100101%20Firefox%2F41.0&dimensions[screen_resolution]=1360x768&dimensions[pixel_ratio]=1&dimensions[browser_resolution]=1295x640&dimensions[tz_seconds]=-14400&dimensions[timestamp]=1461253162034&dimensions[request_id]=835EBA6F%3A5B23%3A3378808%3A5718F428&dimensions[user_id]=7229841&dimensions[user_login]=504ensicsLabs&dimensions[repository_id]=24379459&dimensions[repository_nwo]=504ensicsLabs%2FLiME&dimensions[repository_public]=true&dimensions[repository_is_fork]=false&dimensions[repository_network_root_id]=24379459&dimensions[repository_network_root_nwo]=504ensicsLabs%2FLiME&&measures[performance_timing]=1-33-33--1692-1322-1134-214-33-3-3---0---104-234-105---&&&dimensions[cid]=1085768318.1461253162
KernelRelease
KernelVersion
Kernel32
Kernel
uBlurGaussianKernel
MESSAGE=Started Load Kernel Modules.
Kernel failure message %d:
mitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.12.0 try http://www.rsyslog.com/e/2222 ]
mitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.12.0 try http://www.rsyslog.com/e/2222 ]
<30>[ 2.701285] systemd[1]: Starting udev Kernel Device Manager...
KernelName
KernelRelease
KernelVersion
mitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.12.0 try http://www.rsyslog.com/e/2222 ]
KernelName
KernelRelease
KernelVersion
Kernel module loader
MESSAGE=Starting udev Kernel Device Manager...
MESSAGE=Starting Apply Kernel Variables...
KernelStack: 6416 kB
Match.KernelCommandLine
Kernel
MESSAGE=Starting Apply Kernel Variables...
v Kernel Socket.
Kernel only SVGA command: %u.

labuser@labuser-virtual-machine:/$ strings -a /home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump | grep version | grep gcc
%s version %s (buildd@lcy01-07) (gcc version 5.2.1 20151003 (Ubuntu 5.2.1-21ubuntu2) ) %s
Linux version 4.2.0-16-generic (buildd@lcy01-07) (gcc version 5.2.1 20151003 (Ubuntu 5.2.1-21ubuntu2) ) #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 (Ubuntu 4.2.0-16.19-generic 4.2.3)
Linux version 4.2.0-16-generic (buildd@lcy01-07) (gcc version 5.2.1 20151003 (Ubuntu 5.2.1-21ubuntu2) ) #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 (Ubuntu 4.2.0-16.19-generic 4.2.3)
FELoading system version of libgcc_s.so.1.
MESSAGE=Linux version 4.2.0-16-generic (buildd@lcy01-07) (gcc version 5.2.1 20151003 (Ubuntu 5.2.1-21ubuntu2) ) #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 (Ubuntu 4.2.0-16.19-generic 4.2.3)
FELoading system version of libgcc_s.so.1.
FELoading system version of libgcc_s.so.1.
inux version 4.2.0-16-generic (buildd@lcy01-07) (gcc version 5.2.1 20151003 (Ubuntu 5.2.1-21ubuntu2) ) #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 (Ubuntu 4.2.0-16.19-generic 4.P
FELoading system version of libgcc_s.so.1.

[gleeda]

I'm closing this issue for now. Feel free to reopen if you have more information/issues.