Problem parsing Red Hat 7.6 vmem image with custom built profile
I was able to build a profile for Red Hat Linux 7.8 maipo x64 kernel 3.10.0-1127.19.1.el7.x86_64. The profile built without issues, showing no errors and building the zip file correctly. On Red Hat I built libdwarf from source code and then created the module.dwarf using the instructions provided by the volatilityfoundation project.
However, when I try to analyze the vmem file it fails. What can I do to troubleshoot this problem?
vol.py --profile=LinuxRedHat7_6Maipox64 -f "Snapshot.vmem" linux_bash
Volatility Foundation Volatility Framework 2.6
Pid Name Command Time Command
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 Win10AMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
 WindowsCrashDumpSpace32: Header signature invalid
 Win10AMD64PagedMemory: Incompatible profile LinuxRedHat7_6Maipox64 selected
 WindowsAMD64PagedMemory: Incompatible profile LinuxRedHat7_6Maipox64 selected
 LinuxAMD64PagedMemory: Failed valid Address Space check
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxRedHat7_6Maipox64 selected
 IA32PagedMemory: Incompatible profile LinuxRedHat7_6Maipox64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
I followed the exact same procedure with an Ubuntu 16.06.4 LTS with kernel 4.4.0-177-generic and it worked: I was able to analyze the memory on that system with the custom profile that I built. However, with Red Hat it does not work. What can I do to solve the problem? Thanks.