python
python copied to clipboard
libvmi
I have a problem, I hope you can answer it.
root@ubuntu:/home/ha/Documents/volatility# python vol.py -d -l vmi://ubuntu16 pslist Volatility Foundation Volatility Framework 2.6.1 DEBUG : volatility.debug : Applying modification from BasicObjectClasses DEBUG : volatility.debug : Applying modification from BigPageTableMagic DEBUG : volatility.debug : Applying modification from ControlAreaModification DEBUG : volatility.debug : Applying modification from ELF32Modification DEBUG : volatility.debug : Applying modification from ELF64Modification DEBUG : volatility.debug : Applying modification from ELFModification DEBUG : volatility.debug : Applying modification from HPAKVTypes DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8 DEBUG : volatility.debug : Applying modification from IEHistoryVTypes DEBUG : volatility.debug : Applying modification from LimeTypes DEBUG : volatility.debug : Applying modification from MachoModification DEBUG : volatility.debug : Applying modification from MachoTypes DEBUG : volatility.debug : Applying modification from MbrObjectTypes DEBUG : volatility.debug : Applying modification from PoolTagModification DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay DEBUG : volatility.debug : Applying modification from SSLKeyModification DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes DEBUG : volatility.debug : Applying modification from VMwareVTypesModification DEBUG : volatility.debug : Applying modification from VirtualBoxModification DEBUG : volatility.debug : Applying modification from Win32KGahtiVType DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject DEBUG : volatility.debug : Applying modification from WinXPSyscalls DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType DEBUG : volatility.debug : Applying modification from WindowsVTypes DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay DEBUG : volatility.debug : Applying modification from EVTObjectTypes DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes DEBUG : volatility.debug : Applying modification from WindowsOverlay DEBUG : volatility.debug : Applying modification from CallbackMods DEBUG : volatility.debug : Applying modification from MalwarePspCid DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes DEBUG : volatility.debug : Applying modification from TimerVTypes DEBUG : volatility.debug : Applying modification from TokenXP2003 DEBUG : volatility.debug : Applying modification from UserAssistVTypes DEBUG : volatility.debug : Applying modification from VadFlagsModification DEBUG : volatility.debug : Applying modification from VadTagModification DEBUG : volatility.debug : Applying modification from WinAllTime DEBUG : volatility.debug : Applying modification from WinPEObjectClasses DEBUG : volatility.debug : Applying modification from WinPEVTypes DEBUG : volatility.debug : Applying modification from WinXPTrim DEBUG : volatility.debug : Applying modification from WinXPx86Vad DEBUG : volatility.debug : Applying modification from WindowsObjectClasses DEBUG : volatility.debug : Applying modification from XPOverlay DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay DEBUG : volatility.debug : Applying modification from AuditpolTypesXP DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86 DEBUG : volatility.debug : Applying modification from CrashInfoModification DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86 DEBUG : volatility.debug : Applying modification from HeapModification DEBUG : volatility.debug : Applying modification from KDBGObjectClass DEBUG : volatility.debug : Applying modification from KPCRProfileModification DEBUG : volatility.debug : Applying modification from MFTTYPES DEBUG : volatility.debug : Applying modification from MalwareDrivers DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86 DEBUG : volatility.debug : Applying modification from MalwareKthread DEBUG : volatility.debug : Applying modification from ServiceBase DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86 DEBUG : volatility.debug : Applying modification from Win10ObjectClasses DEBUG : volatility.debug : Applying modification from Win32KCoreClasses DEBUG : volatility.debug : Applying modification from XPHeapModification DEBUG : volatility.debug : Voting round DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.linux.vmi.VMIAddressSpace'> DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.debug : Applying modification from BasicObjectClasses DEBUG : volatility.debug : Applying modification from BigPageTableMagic DEBUG : volatility.debug : Applying modification from ControlAreaModification DEBUG : volatility.debug : Applying modification from ELF32Modification DEBUG : volatility.debug : Applying modification from ELF64Modification DEBUG : volatility.debug : Applying modification from ELFModification DEBUG : volatility.debug : Applying modification from HPAKVTypes DEBUG : volatility.debug : Applying modification from HandleTableEntryPreWin8 DEBUG : volatility.debug : Applying modification from IEHistoryVTypes DEBUG : volatility.debug : Applying modification from LimeTypes DEBUG : volatility.debug : Applying modification from MachoModification DEBUG : volatility.debug : Applying modification from MachoTypes DEBUG : volatility.debug : Applying modification from MbrObjectTypes DEBUG : volatility.debug : Applying modification from PoolTagModification DEBUG : volatility.debug : Applying modification from PoolTrackTagOverlay DEBUG : volatility.debug : Applying modification from SSLKeyModification DEBUG : volatility.debug : Applying modification from UnloadedDriverVTypes DEBUG : volatility.debug : Applying modification from VMwareVTypesModification DEBUG : volatility.debug : Applying modification from VirtualBoxModification DEBUG : volatility.debug : Applying modification from Win32KGahtiVType DEBUG : volatility.debug : Applying modification from Win32Kx86VTypes DEBUG : volatility.debug : Applying modification from WinSyscallsAttribute DEBUG : volatility.debug : Applying modification from WinXP2003AddressObject DEBUG : volatility.debug : Applying modification from WinXPSyscalls DEBUG : volatility.debug : Applying modification from XP2003x86BaseVTypes DEBUG : volatility.debug : Applying modification from XP2003x86TimerVType DEBUG : volatility.debug : Applying modification from WindowsVTypes DEBUG : volatility.debug : Applying modification from AtomTablex86Overlay DEBUG : volatility.debug : Applying modification from EVTObjectTypes DEBUG : volatility.debug : Applying modification from ObjectTypeKeyModification DEBUG : volatility.debug : Applying modification from ProcessAuditVTypes DEBUG : volatility.debug : Applying modification from WindowsOverlay DEBUG : volatility.debug : Applying modification from CallbackMods DEBUG : volatility.debug : Applying modification from MalwarePspCid DEBUG : volatility.debug : Applying modification from MalwareWSPVTypes DEBUG : volatility.debug : Applying modification from TimerVTypes DEBUG : volatility.debug : Applying modification from TokenXP2003 DEBUG : volatility.debug : Applying modification from UserAssistVTypes DEBUG : volatility.debug : Applying modification from VadFlagsModification DEBUG : volatility.debug : Applying modification from VadTagModification DEBUG : volatility.debug : Applying modification from WinAllTime DEBUG : volatility.debug : Applying modification from WinPEObjectClasses DEBUG : volatility.debug : Applying modification from WinPEVTypes DEBUG : volatility.debug : Applying modification from WinXPTrim DEBUG : volatility.debug : Applying modification from WinXPx86Vad DEBUG : volatility.debug : Applying modification from WindowsObjectClasses DEBUG : volatility.debug : Applying modification from XPOverlay DEBUG : volatility.debug : Applying modification from XPx86SessionOverlay DEBUG : volatility.debug : Applying modification from AuditpolTypesXP DEBUG : volatility.debug : Applying modification from CmdHistoryObjectClasses DEBUG : volatility.debug : Applying modification from CmdHistoryVTypesx86 DEBUG : volatility.debug : Applying modification from CrashInfoModification DEBUG : volatility.debug : Applying modification from DumpFilesVTypesx86 DEBUG : volatility.debug : Applying modification from HeapModification DEBUG : volatility.debug : Applying modification from KDBGObjectClass DEBUG : volatility.debug : Applying modification from KPCRProfileModification DEBUG : volatility.debug : Applying modification from MFTTYPES DEBUG : volatility.debug : Applying modification from MalwareDrivers DEBUG : volatility.debug : Applying modification from MalwareIDTGDTx86 DEBUG : volatility.debug : Applying modification from MalwareKthread DEBUG : volatility.debug : Applying modification from ServiceBase DEBUG : volatility.debug : Applying modification from ShellBagsTypesXP DEBUG : volatility.debug : Applying modification from ShimCacheTypesXPx86 DEBUG : volatility.debug : Applying modification from Win10ObjectClasses DEBUG : volatility.debug : Applying modification from Win32KCoreClasses DEBUG : volatility.debug : Applying modification from XPHeapModification DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64BitMap: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareMetaAddressSpace: No base Address Space VMWareAddressSpace: No base Address Space QemuCoreDumpElf: No base Address Space WindowsCrashDumpSpace32: No base Address Space SkipDuplicatesAMD64PagedMemory: No base Address Space WindowsAMD64PagedMemory: No base Address Space LinuxAMD64PagedMemory: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space OSXPmemELF: No base Address Space VMIAddressSpace: The LibVMI python bindings must be installed FileAddressSpace: Location is not of file scheme ArmAddressSpace: No base Address Space
