No suitable address space mapping found #53

Open
darshantank opened this issue Feb 4, 2020 · 5 comments
@darshantank

I'm trying to use LibVMI python bindings to introspect my VMs (win7 and ubuntu).

When I run the command, I get the following message on my terminal.

# python vol.py -l vmi://win7_Guest --profile=Win7SP1x64 pslist

Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
LimeAddressSpace - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
WindowsHiberFileSpace32 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
WindowsCrashDumpSpace64BitMap - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
WindowsCrashDumpSpace64 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
HPAKAddressSpace: Location is not of file scheme
VMWareMetaAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
QemuCoreDumpElf - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
VMWareAddressSpace: Invalid VMware signature: -
WindowsCrashDumpSpace32 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
SkipDuplicatesAMD64PagedMemory: Incompatible profile Win7SP1x64 selected
WindowsAMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
LinuxAMD64PagedMemory: Incompatible profile Win7SP1x64 selected
AMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
IA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
IA32PagedMemory: Incompatible profile Win7SP1x64 selected
OSXPmemELF - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Profile does not have valid Address Space check

I'm missing something somewhere. What are the possible causes of such a message?

Thanking you.

@Wenzel
Member

Wenzel commented Feb 4, 2020

hi @darshantank

> No suitable address space mapping found

This usually means that Volatility tried all available address spaces, and none of them has been selected.

> VMIAddressSpace: Must be first Address Space

When the VMIAddressSpace was selected and tested, it required not to be stacked onto another address space.

You can ask Volatility devs for more information.
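
Added example, not part of the original comment or of Volatility's code: a small Python triage of the "Tried to open image as" listing that splits it into passes and reports which class was probably accepted as the base layer and why the paged (virtual) layers on top of it failed. It assumes Volatility 2 tries the address-space classes in the same order on every pass and ends a pass at the first class it accepts; the function names and the abridged sample are constructed for illustration.

```python
import re

# Abridged from the first error listing in this thread (reason lines only).
SAMPLE = """\
LimeAddressSpace: lime: need base
WindowsAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
LimeAddressSpace - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
WindowsAMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
AMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
"""

# "<Class>: <reason>" or "<Class> - EXCEPTION: <reason>"
LINE = re.compile(r"^(\w+)( - EXCEPTION)?: (.*)$")

def split_rounds(text):
    """Group reason lines into passes; a repeated class name starts a new pass."""
    rounds, seen = [[]], set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, "Tried to open image as:", table header
        name, exc, reason = m.group(1), bool(m.group(2)), m.group(3)
        if name in seen:
            rounds.append([])
            seen = set()
        seen.add(name)
        rounds[-1].append((name, exc, reason))
    return rounds

def triage(text):
    rounds = split_rounds(text)
    last = rounds[-1]
    first = {n for n, _, _ in rounds[0]} if len(rounds) > 1 else set()
    # Assumption: the first class listed only in the last pass is the one the
    # first pass accepted (the pass stopped there, so it logged no failure).
    new = [n for n, _, _ in last if n not in first] if first else []
    return {
        "rounds": len(rounds),
        "likely_base": new[0] if new else None,
        "exceptions": sorted({r for _, e, r in last if e}),
        "paged_failures": {n: r for n, _, r in last if "PagedMemory" in n},
    }
```

On the sample, `triage(SAMPLE)` reports two passes with `VMIAddressSpace` as the likely base layer, so the reasons worth reading are the ones the paged-memory classes gave in the last pass.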

@tklengyel
Contributor

In the interim I would suggest just using the vmifs tool that's part of LibVMI and then running Volatility on that file as if it was a memory dump. I always found the VMIAddressSpace to be buggy and unreliable.

@darshantank
Author

@tklengyel
Thanks for your concern and response.

I'm very much keen and interested to integrate LibVMI with Volatility framework.

I'm completely unaware of the functionality of the vmifs tool.

Sir, may I ask you, how do I use the vmifs tool with Volatility on a live virtual machine?

Could you please elaborate on the steps?

Thanking you.

@tklengyel
Contributor

It's really straightforward. Compile it and it will tell you how to use it. It creates a file that represents the target VM's memory. You run Volatility on that file as if it was an ordinary memory dump.

@darshantank
Author

@tklengyel
Thanks for your concern and response. I really appreciate your time and effort.

After following your instructions, I'm able to install the Volatility framework and integrate it with python-libvmi.

I'm able to run pslist plugin on my Windows 7 VM. But I'm unable to run any plugins on my Ubuntu 16.04.6 VM.

I have successfully created a new profile for my VM running Ubuntu 16.04.6 LTS as described at https://github.com/volatilityfoundation/volatility/wiki/Linux

And moved the zip file under 'volatility/plugins/overlays/linux/'

python vol.py --info | grep Linux

Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntu1604x64 - A Profile for Linux Ubuntu1604 x64
LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image

But when I run vol.py, it shows the following message on my terminal, and I did not get the list of running processes.
# python vol.py -l vmi://ubuntu_Guest --profile=LinuxUbuntu1604x64 linux_pslist

Offset Name Pid PPid Uid Gid DTB Start Time


No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
QemuCoreDumpElf: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: Location is not of file scheme
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: -
WindowsCrashDumpSpace32: Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu1604x64 selected
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
OSXPmemELF: ELF Header signature invalid
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check

I would greatly appreciate it if you kindly give us some feedback and share your views.

Thanks
