pyrebox
profile problem of guest OS Debian 9
Hi!
My guest OS is Debian 9. My host is Ubuntu 18.04. I got my volatility profile from the volatilityfoundation/profiles GitHub repository. It seems that this profile does not work. I wonder whether this is because PyREBox does not support Debian, or my mistake?
Also, is the "Cannot determine partition type" error caused by this profile problem?
This is my output of:
./pyrebox-x86_64 \
-kernel $KERNEL/arch/x86/boot/bzImage \
-drive file=$IMAGE,index=0,media=disk,format=qcow2,cache=unsafe \
-monitor stdio -usb \
-display none \
-smp 2 -m 2G \
-append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ" \
-net user,hostfwd=tcp::$2-:22 -net nic \
-vnc 127.0.0.1:0 ${snapshot} \
--pidfile $WORKDIR/vm.pid
[*] Loading python component initialization script
[*] Platform: x86_64-softmmu
[*] Starting python module initialization
[*] Reading configuration from 'pyrebox.conf'
[*] Setting up Linux Profile...
Could not retrieve symbols for profile initialization 'pyrebox_thread_stack_size_info'
[*] Initializing scripts...
[*] Loading python module scripts.script_example.py
[!] Could not initialize python module due to exception No module named py
[*] Finished python module initialization
QEMU 4.0.0 monitor - type 'help' for more information
(qemu)
[SLEUTHKIT] Opening image - Size: 2147483648
[!] Error, could not open volume system
Cannot determine partition type
Here is my pyrebox.conf:
[MODULES]
scripts.script_example.py: True
scripts.volatility_example: False

[VOL]
profile: LinuxDebian94x64

[AGENT]
name: linux_agent_64
conf: linux_agent_64.conf

[SYMBOL_CACHE]
path: symbols.LinuxDebian94x64
Hi @H0w1 ,
I can see a couple of things there:
[!] Could not initialize python module due to exception
No module named py
This is happening because of an error in the [MODULES]
section of your pyrebox.conf:
scripts.script_example.py: True
This section should list scripts to load in the notation used by python to import modules: just remove the ".py" at the end:
scripts.script_example: True
The second error:
[!] Error, could not open volume system
Cannot determine partition type
This happens when you try to load an uninitialized disk into PyREBox. Have you properly initialized the image pointed by $IMAGE?
In such a case, could you tell me how you initialized it so that I can reproduce the error?
Thanks,
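The two checks suggested in the reply above, as an added example that is not part of the original thread or of PyREBox itself: a linter for the [MODULES] section of pyrebox.conf that flags entries carrying a ".py" suffix (the cause of the first error), and a signature check on the first sectors of a raw disk image that tells whether it carries an MBR or GPT partition table or is a bare filesystem with no partition table at all, which is what SleuthKit cannot open. The sample configuration and disk bytes are constructed; run the disk check on the raw image, not on the qcow2 conversion.

```python
import configparser
import struct

# Constructed pyrebox.conf reproducing the [MODULES] mistake from the thread
SAMPLE_CONF = """[MODULES]
scripts.script_example.py: True
scripts.volatility_example: False
"""


def check_modules(conf_text):
    """Return (module, advice) pairs for enabled [MODULES] entries that are not
    valid dotted import paths, e.g. the trailing '.py' that breaks the import."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep module names case-sensitive
    cp.read_string(conf_text)
    problems = []
    for name in cp["MODULES"]:
        if not cp.getboolean("MODULES", name):
            continue  # disabled entries are never imported
        if name.endswith(".py"):
            problems.append((name, "remove the .py suffix: " + name[:-3]))
        elif not all(p.isidentifier() for p in name.split(".")):
            problems.append((name, "not a valid dotted module path"))
    return problems


def classify_disk_bytes(data):
    """Classify the start of a raw disk image: 'gpt', 'mbr', 'bare-filesystem'
    or 'unknown'. A bare filesystem has no partition table for SleuthKit to parse."""
    data = data[:4096].ljust(4096, b"\0")
    if data[512:520] == b"EFI PART":      # GPT header sits in LBA 1
        return "gpt"
    if data[510:512] == b"\x55\xaa":      # MBR boot signature
        return "mbr"
    # ext2/3/4 superblock at offset 1024; magic 0xEF53 at superblock+0x38
    if struct.unpack_from("<H", data, 1024 + 0x38)[0] == 0xEF53:
        return "bare-filesystem"
    return "unknown"


def classify_disk_image(path):
    """Same check on a raw image file (use the raw image, not the qcow2)."""
    with open(path, "rb") as f:
        return classify_disk_bytes(f.read(4096))


if __name__ == "__main__":
    for mod, advice in check_modules(SAMPLE_CONF):
        print(f"[MODULES] {mod}: {advice}")
```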
Thanks a lot for your reply @xabiugarte.
The image pointed to by $IMAGE comes from the script create-image.sh.
It is used by Syzkaller to create a Debian Stretch Linux image with a minimal set of required packages. Some details about that. I then converted it to qcow2 format:
./qemu/qemu-img convert -f raw -o compat=0.10 -O qcow2 stretch.img py_test.qcow2
This image works fine when I use the raw qemu-system-x86_64; I can get an ssh connection to the VM when it is running.
Hi @xabiugarte, thanks for your advice, I have solved this:
[!] Could not initialize python module due to exception
No module named py
The second error:
[!] Error, could not open volume system
Cannot determine partition type
I still cannot solve it. The good news is that I can connect to the VM by ssh now. At least the VM can run. But both the ps command and vol linux_psaux don't work.
P.S. I found that if I use 2>&1 | tee vm.log as part of pyrebox-x86_64's arguments, then when I use q to quit the qemu monitor, the thread blocks. kill -9 is needed to kill it successfully.
Here is my output:
[*] Loading python component initialization script
[*] Platform: x86_64-softmmu
[*] Starting python module initialization
[*] Reading configuration from 'pyrebox.conf'
[*] Setting up Linux Profile...
Could not retrieve symbols for profile initialization 'pyrebox_thread_stack_size_info'
[*] Initializing scripts...
[*] Loading python module scripts.script_example
[*] Loading python module plugins.guest_agent
[plugins.guest_agent] [*] Initializing guest_agent plugin
[scripts.script_example] [*] Initializing callbacks
[scripts.script_example] [*] Initialized callbacks
[*] Finished python module initialization
QEMU 4.0.0 monitor - type 'help' for more information
(qemu)
[SLEUTHKIT]
Opening image - Size: 2147483648
[!] Error, could not open volume system
Cannot determine partition type
(qemu) sh
[1] pyrebox> ps
CPU 0 PGD: 0 InKernel: 1
CPU 1 PGD: 0 InKernel: 1
+------+---------+-----------+-----+-----+
| Name | Running | Monitored | PID | PGD |
+------+---------+-----------+-----+-----+
+------+---------+-----------+-----+-----+
[2] pyrebox> vol linux_psaux
Pid Uid Gid Arguments
VolShell: Error while executing volatility command
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
PMemAddressSpace: Must be first Address Space
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareMetaAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxDebian94x64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxDebian94x64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxDebian94x64 selected
IA32PagedMemory: Incompatible profile LinuxDebian94x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Hi,
I am revisiting this issue. Sorry for the long wait. Did you finally solve the problem?
Thanks,