I have a problem, I hope you can answer it. #84

Open
lryzxy opened this issue Jul 8, 2022 · 4 comments

lryzxy commented Jul 8, 2022

root@ubuntu:/home/ha/Documents/volatility# python vol.py -d -l vmi://ubuntu16 pslist
Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from BigPageTableMagic
DEBUG : volatility.debug : Applying modification from ControlAreaModification
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8
DEBUG : volatility.debug : Applying modification from IEHistoryVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from PoolTagModification
DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay
DEBUG : volatility.debug : Applying modification from SSLKeyModification
DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from Win32KGahtiVType
DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes
DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute
DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject
DEBUG : volatility.debug : Applying modification from WinXPSyscalls
DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes
DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType
DEBUG : volatility.debug : Applying modification from WindowsVTypes
DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay
DEBUG : volatility.debug : Applying modification from EVTObjectTypes
DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification
DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes
DEBUG : volatility.debug : Applying modification from WindowsOverlay
DEBUG : volatility.debug : Applying modification from CallbackMods
DEBUG : volatility.debug : Applying modification from MalwarePspCid
DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes
DEBUG : volatility.debug : Applying modification from TimerVTypes
DEBUG : volatility.debug : Applying modification from TokenXP2003
DEBUG : volatility.debug : Applying modification from UserAssistVTypes
DEBUG : volatility.debug : Applying modification from VadFlagsModification
DEBUG : volatility.debug : Applying modification from VadTagModification
DEBUG : volatility.debug : Applying modification from WinAllTime
DEBUG : volatility.debug : Applying modification from WinPEObjectClasses
DEBUG : volatility.debug : Applying modification from WinPEVTypes
DEBUG : volatility.debug : Applying modification from WinXPTrim
DEBUG : volatility.debug : Applying modification from WinXPx86Vad
DEBUG : volatility.debug : Applying modification from WindowsObjectClasses
DEBUG : volatility.debug : Applying modification from XPOverlay
DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay
DEBUG : volatility.debug : Applying modification from AuditpolTypesXP
DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses
DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86
DEBUG : volatility.debug : Applying modification from CrashInfoModification
DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86
DEBUG : volatility.debug : Applying modification from HeapModification
DEBUG : volatility.debug : Applying modification from KDBGObjectClass
DEBUG : volatility.debug : Applying modification from KPCRProfileModification
DEBUG : volatility.debug : Applying modification from MFTTYPES
DEBUG : volatility.debug : Applying modification from MalwareDrivers
DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86
DEBUG : volatility.debug : Applying modification from MalwareKthread
DEBUG : volatility.debug : Applying modification from ServiceBase
DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP
DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86
DEBUG : volatility.debug : Applying modification from Win10ObjectClasses
DEBUG : volatility.debug : Applying modification from Win32KCoreClasses
DEBUG : volatility.debug : Applying modification from XPHeapModification
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.linux.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from BigPageTableMagic
DEBUG : volatility.debug : Applying modification from ControlAreaModification
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8
DEBUG : volatility.debug : Applying modification from IEHistoryVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from PoolTagModification
DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay
DEBUG : volatility.debug : Applying modification from SSLKeyModification
DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from Win32KGahtiVType
DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes
DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute
DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject
DEBUG : volatility.debug : Applying modification from WinXPSyscalls
DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes
DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType
DEBUG : volatility.debug : Applying modification from WindowsVTypes
DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay
DEBUG : volatility.debug : Applying modification from EVTObjectTypes
DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification
DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes
DEBUG : volatility.debug : Applying modification from WindowsOverlay
DEBUG : volatility.debug : Applying modification from CallbackMods
DEBUG : volatility.debug : Applying modification from MalwarePspCid
DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes
DEBUG : volatility.debug : Applying modification from TimerVTypes
DEBUG : volatility.debug : Applying modification from TokenXP2003
DEBUG : volatility.debug : Applying modification from UserAssistVTypes
DEBUG : volatility.debug : Applying modification from VadFlagsModification
DEBUG : volatility.debug : Applying modification from VadTagModification
DEBUG : volatility.debug : Applying modification from WinAllTime
DEBUG : volatility.debug : Applying modification from WinPEObjectClasses
DEBUG : volatility.debug : Applying modification from WinPEVTypes
DEBUG : volatility.debug : Applying modification from WinXPTrim
DEBUG : volatility.debug : Applying modification from WinXPx86Vad
DEBUG : volatility.debug : Applying modification from WindowsObjectClasses
DEBUG : volatility.debug : Applying modification from XPOverlay
DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay
DEBUG : volatility.debug : Applying modification from AuditpolTypesXP
DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses
DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86
DEBUG : volatility.debug : Applying modification from CrashInfoModification
DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86
DEBUG : volatility.debug : Applying modification from HeapModification
DEBUG : volatility.debug : Applying modification from KDBGObjectClass
DEBUG : volatility.debug : Applying modification from KPCRProfileModification
DEBUG : volatility.debug : Applying modification from MFTTYPES
DEBUG : volatility.debug : Applying modification from MalwareDrivers
DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86
DEBUG : volatility.debug : Applying modification from MalwareKthread
DEBUG : volatility.debug : Applying modification from ServiceBase
DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP
DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86
DEBUG : volatility.debug : Applying modification from Win10ObjectClasses
DEBUG : volatility.debug : Applying modification from Win32KCoreClasses
DEBUG : volatility.debug : Applying modification from XPHeapModification
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
VMIAddressSpace: The LibVMI python bindings must be installed
FileAddressSpace: Location is not of file scheme
ArmAddressSpace: No base Address Space

Member

Wenzel commented Jul 11, 2022

It's written in the logs: VMIAddressSpace: The LibVMI python bindings must be installed

The libvmi python bindings are not found on your system or in the virtualenv you are using.

Author

lryzxy commented Jul 13, 2022

> It's written in the logs: VMIAddressSpace: The LibVMI python bindings must be installed
>
> The libvmi python bindings are not found on your system or in the virtualenv you are using.

I followed the documentation for the bindings, and I put the vmi.py file in the appropriate directory, but again the following error occurred:
root@ubuntu:/home/ha/Documents/volatility# python vol.py -l vmi://ubuntu18 --profile=LinuxUbuntu1804x64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 148, in main
    registry.register_global_options(config, addrspace.BaseAddressSpace)
  File "/home/ha/Documents/volatility/volatility/registry.py", line 157, in register_global_options
    for m in get_plugin_classes(cls, True).values():
  File "/home/ha/Documents/volatility/volatility/registry.py", line 152, in get_plugin_classes
    raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object VMIAddressSpace has already been defined by <class 'volatility.plugins.linux.vmi.VMIAddressSpace'>
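
The exception in the traceback above is raised by Volatility 2's plugin registry when two loaded classes share a name, for example when a second copy of vmi.py sits in the plugin tree alongside the one already loaded as volatility.plugins.linux.vmi. The following is an added example, not part of the thread or of either project's code: a Python 3 script that only reads source files and reports address-space classes defined in more than one file. The function name and the default path are assumptions.

```python
import os
import re
import sys
from collections import defaultdict

# "class Name(" at any indentation. A regex is used instead of ast so that
# Python 2 plugin sources can be scanned from a Python 3 interpreter.
CLASS_RE = re.compile(r"^[ \t]*class[ \t]+([A-Za-z_]\w*)[ \t]*[(:]", re.MULTILINE)


def duplicate_definitions(plugin_root, suffix="AddressSpace"):
    """Return {class_name: [files]} for classes defined in more than one file.

    Only names ending in `suffix` are reported, since the traceback in the
    thread comes from registering address-space classes.
    """
    seen = defaultdict(set)
    for dirpath, _dirs, files in os.walk(plugin_root):
        for fname in files:
            if not fname.endswith(".py"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", errors="replace") as fh:
                for name in CLASS_RE.findall(fh.read()):
                    if name.endswith(suffix):
                        seen[name].add(path)
    return {n: sorted(p) for n, p in seen.items() if len(p) > 1}


if __name__ == "__main__":
    # Assumed usage: pass the checkout's plugin directory (hypothetical default).
    root = sys.argv[1] if len(sys.argv) > 1 else "volatility/plugins"
    dups = duplicate_definitions(root)
    for name, paths in sorted(dups.items()):
        print("%s is defined in %d files:" % (name, len(paths)))
        for p in paths:
            print("    " + p)
    sys.exit(1 if dups else 0)
```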

Member

Wenzel commented Jul 19, 2022

It seems that the python2 VMIAddressSpace might not be working anymore.

Python2 itself is deprecated, you should have a look at Volatility3:
https://github.com/volatilityfoundation/volatility3/

Also, libmicrovmi is another library that already provides a bridge to volatility3. Here is a tutorial:
https://wenzel.github.io/libmicrovmi/tutorial/volatility3_xen.html

I hope this will help.

Author

lryzxy commented Aug 24, 2022

@Wenzel Thanks
