I'm using Volatility 2.6 on Windows 7 and on Kali Linux (latest version).
My memory dumps are VMware Workstation ".vmem" and ".vmss" files.
I want to examine Linux memory images. By default Volatility has no Linux profiles, so I downloaded them and added them under …/volatility/plugins/overlays/linux.
Now I can see all of them listed in the profile list output. I have no problem with the Windows memory images, but when I want to open, for example, an Ubuntu1204 or Ubuntu1404 server image, I get this error:
No suitable address space mapping found
So finally I used imageinfo to find the profile automatically:
python vol.py -f /mymemory.vmem imageinfo
But again I get this error on Kali Linux (and the same errors on Windows, and the same result with older Volatility versions):
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure tty_struct not present in vtypes
Traceback (most recent call last):
File "/usr/bin/volatility", line 192, in <module>
main()
File "/usr/bin/volatility", line 183, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 145, in execute
func(outfd, data)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 45, in render_text
for k, t, v in data:
File "/usr/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 55, in calculate
suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
File "/usr/lib/python2.7/dist-packages/volatility/plugins/kdbgscan.py", line 116, in calculate
buf = addrspace.BufferAddressSpace(self._config)
File "/usr/lib/python2.7/dist-packages/volatility/addrspace.py", line 378, in __init__
BaseAddressSpace.__init__(self, None, config, **kwargs)
File "/usr/lib/python2.7/dist-packages/volatility/addrspace.py", line 73, in __init__
self.profile = self._set_profile(config.PROFILE)
File "/usr/lib/python2.7/dist-packages/volatility/addrspace.py", line 98, in _set_profile
ret = profs[profile_name]()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 214, in __init__
obj.Profile.__init__(self, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/volatility/obj.py", line 859, in __init__
self.reset()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 224, in reset
self.load_vtypes()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 261, in load_vtypes
vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 71, in __init__
self.feed_line(line)
File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 162, in feed_line
self.process_statement(**parsed) #pylint: disable-msg=W0142
File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 225, in process_statement
self.id_to_name[statement_id] = [self.base_type_name(data)]
File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 125, in base_type_name
return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: 'device_attribute'
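An added example, not part of the question above and not code from the Volatility project: a small Python 3 script that checks a Volatility 2 style Linux profile archive before handing it to the framework. The traceback shows the failure happening while the DWARF parser loads a profile, and imageinfo's KDBG search is a Windows mechanism, so for Linux images the practical workflow is to pick the profile yourself and confirm it matches the kernel in the dump. The script assumes a profile is a zip holding one `.dwarf` file and one `System.map-<release>` file, and that the kernel banner string `Linux version <release> (` is present in the memory image; the profile zip and the "memory image" bytes below are constructed samples.

```python
import io
import re
import zipfile

# Constructed sample data (not a real profile or dump): a minimal profile zip
# in the Volatility 2 layout (module.dwarf + System.map-<release>) and a few
# bytes standing in for a memory image that contains the kernel banner.
def build_sample_profile(kernel_release, include_map=True):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", "<0><0x00000000> DW_TAG_compile_unit\n")
        if include_map:
            zf.writestr("System.map-" + kernel_release,
                        "ffffffff81c00000 D init_task\n"
                        "ffffffff81a00000 R linux_banner\n")
    return buf.getvalue()

SAMPLE_IMAGE = (b"\x00" * 32
                + b"Linux version 3.13.0-24-generic (buildd@host) "
                + b"(gcc version 4.8.2) #46-Ubuntu SMP\x00"
                + b"\x00" * 32)

# The kernel writes its banner as "Linux version <release> (<user@host>) ..."
BANNER_RE = re.compile(rb"Linux version (\S+) \(")


def find_kernel_release(image_bytes):
    """Return the kernel release found in the banner string, or None."""
    m = BANNER_RE.search(image_bytes)
    return m.group(1).decode() if m else None


def inspect_profile(zip_bytes):
    """Return (dwarf_name, system_map_name, release); raise ValueError if malformed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        dwarf = [n for n in names if n.endswith(".dwarf")]
        smap = [n for n in names if n.split("/")[-1].startswith("System.map")]
        if len(dwarf) != 1 or len(smap) != 1:
            raise ValueError("expected one .dwarf and one System.map, got %r" % names)
        # Linux plugins walk the task list starting at init_task, so the
        # symbol table must expose it.
        text = zf.read(smap[0]).decode()
        if not re.search(r"^[0-9a-f]+ [DdBb] init_task$", text, re.M):
            raise ValueError("System.map lacks init_task")
    # "System.map-3.13.0-24-generic" -> "3.13.0-24-generic"; a bare
    # "System.map" yields "" and will simply never match a banner.
    release = smap[0].split("/")[-1][len("System.map-"):]
    return dwarf[0], smap[0], release


def profile_is_wellformed(zip_bytes):
    try:
        inspect_profile(zip_bytes)
        return True
    except (ValueError, zipfile.BadZipFile):
        return False


def profile_matches_image(zip_bytes, image_bytes):
    """True when the profile's System.map release equals the banner in the dump."""
    _, _, profile_release = inspect_profile(zip_bytes)
    image_release = find_kernel_release(image_bytes)
    return image_release is not None and image_release == profile_release


if __name__ == "__main__":
    profile = build_sample_profile("3.13.0-24-generic")
    print("image kernel:", find_kernel_release(SAMPLE_IMAGE))
    print("profile:", inspect_profile(profile))
    print("match:", profile_matches_image(profile, SAMPLE_IMAGE))
```

For a real dump, read the image file's bytes instead of SAMPLE_IMAGE and the downloaded zip instead of the constructed one; a mismatch between the banner release and the System.map release is the usual reason a Linux profile yields "No suitable address space mapping found", and a malformed or incompatible `.dwarf` is where the DWARF parser in the traceback is failing.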