Error on a LiME dump performed on Android VM Goldfish 3.6 ARMv7
Hello,
I'm trying to analyse a dump from an Android emulator. I followed the steps described here: https://github.com/volatilityfoundation/volatility/wiki/Android
The goldfish kernel is 3.4 armv7; LiME: https://github.com/504ensicsLabs/LiME; emulator from Android SDK 25.1.6; Volatility 2.6.
I got the following error:
python2 vol.py --profile=LinuxGoldfish-3_4ARM -f ~/ram.dd -d -d -d linux_pslist
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
DEBUG : volatility.debug : Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.debug : Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.debug : Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7ff11a25ff10>
<class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x7D000020, instantiating lime_header
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7ff11a25fed0>
<class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0x115001
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xfffffff8L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x115001
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
WindowsAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
LinuxAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
We can see from the debug information that the FileAddressSpace and LimeAddressSpace are correctly found, but not the ArmAddressSpace, resulting in the final error: No suitable address space mapping found.
The dump produced by LiME seems correct:
hexdump -C -n 20 ~/ram.dd
00000000 45 4d 69 4c 01 00 00 00 00 00 00 00 00 00 00 00 |EMiL............|
00000010 ff ff ff 7c |...||
00000014
as do the dwarfdump and the System.map:
head module.dwarf
.debug_info
[...]
/include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000004c>>
<1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<short int>
head System.map
00000000 t __vectors_start
00000020 A cpu_v7_suspend_size
00001000 t __stubs_start
00001004 t vector_rst
00001020 t vector_irq
000010a0 t vector_dabt
00001120 t vector_pabt
000011a0 t vector_und
00001220 t vector_addrexcptn
00001224 t vector_fiq
In Volatility 2.4, I get another error: Failed instantiating ArmAddressSpace: Can not stack over another paging address space: None object instantiated: Pointer next invalid
python2 vol.py --profile=LinuxGoldfish-3_4ARM -f ~/ram.dd -d -d -d linux_pslist
Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.linux.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
DEBUG : volatility.plugins.overlays.linux.linux: Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fc4a4fb0b90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x7D000020, instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7fc4a4fb0b50>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0x115001
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x7fc4a4fb6210>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: Can not stack over another paging address space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: Invalid VMware signature: -
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Can not stack over another paging address space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Can not stack over another paging address space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Can not stack over another paging address space
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fc4a4fb66d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x7D000020, instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7fc4a4fb6410>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0x115001
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x7fc4a4fb68d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: Can not stack over another paging address space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: Invalid VMware signature: -
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Can not stack over another paging address space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Can not stack over another paging address space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Can not stack over another paging address space
DEBUG1 : volatility.obj : None object instantiated: Pointer next invalid
I downloaded samples from here: https://www.memoryanalysis.net/amf. There is a Linux ARM64 dump there, but I've got similar issues with symbols.
python2 vol.py --profile=Linuxbookx64 -f ../volatility_test/linux/linux-sample-1.bin -d -d -d linux_pslist
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
DEBUG : volatility.debug : book: Found dwarf file boot/System.map-3.2.0-4-amd64 with 551 symbols
DEBUG : volatility.debug : book: Found system file boot/System.map-3.2.0-4-amd64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : book: Found dwarf file boot/System.map-3.2.0-4-amd64 with 551 symbols
DEBUG : volatility.debug : book: Found system file boot/System.map-3.2.0-4-amd64 with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f2936896210>
<class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f2936896610>
<class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: Can not stack over another paging address space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: Invalid VMware signature: -
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: Can not stack over another paging address space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: Can not stack over another paging address space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating ArmAddressSpace: Can not stack over another paging address space
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f2936896990>
<class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory object at 0x7f2936896cd0>
<class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: Can not stack over another paging address space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: Invalid VMware signature: -
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: Can not stack over another paging address space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: Can not stack over another paging address space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: Incompatible profile Linuxbookx64 selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating ArmAddressSpace: Can not stack over another paging address space
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f994740 init 1 0 0 0 0x000000001d4cf000 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f994040 kthreadd 2 0 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9a2780 ksoftirqd/0 3 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9a67c0 kworker/u:0 5 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9a60c0 migration/0 6 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9ab800 watchdog/0 7 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9ab100 cpuset 8 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9af840 khelper 9 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9af140 kdevtmpfs 10 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9c1880 netns 11 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9c1180 sync_supers 12 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001fa438c0 bdi-default 13 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001fa431c0 kintegrityd 14 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001fa56740 kblockd 15 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001fa56040 khungtaskd 16 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b42c780 kswapd0 17 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b42c080 ksmd 18 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b4357c0 fsnotify_mark 19 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b4350c0 crypto 20 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b764840 ata_sff 61 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b62e180 mpt_poll_0 67 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f479080 mpt/0 101 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f479780 khubd 102 2 0 0 ------------------ 2014-06-24 10:22:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f4f27c0 scsi_eh_0 142 2 0 0 ------------------ 2014-06-24 10:22:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b7718c0 scsi_eh_1 144 2 0 0 ------------------ 2014-06-24 10:22:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f500800 scsi_eh_2 145 2 0 0 ------------------ 2014-06-24 10:22:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f1377c0 kworker/u:1 146 2 0 0 ------------------ 2014-06-24 10:22:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f2d71c0 jbd2/sda1-8 177 2 0 0 ------------------ 2014-06-24 10:22:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f2d78c0 ext4-dio-unwrit 178 2 0 0 ------------------ 2014-06-24 10:22:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f085880 udevd 322 1 0 0 0x000000001b6ed000 2014-06-24 10:22:35 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f085180 ttm_swap 431 2 0 0 ------------------ 2014-06-24 10:22:35 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c1be080 udevd 468 322 0 0 0x000000001c31d000 2014-06-24 10:22:35 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c3347c0 udevd 469 322 0 0 0x000000001c335000 2014-06-24 10:22:35 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001c246180 kpsmoused 512 2 0 0 ------------------ 2014-06-24 10:22:35 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001c65f7c0 hci0 553 2 0 0 ------------------ 2014-06-24 10:22:35 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f665840 rpcbind 1752 1 0 0 0x000000001c39d000 2014-06-24 10:22:37 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001bf1d800 rpc.statd 1784 1 105 65534 0x000000001d6b9000 2014-06-24 10:22:37 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f107780 rpciod 1789 2 0 0 ------------------ 2014-06-24 10:22:37 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f6ed740 nfsiod 1791 2 0 0 ------------------ 2014-06-24 10:22:37 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001be1e1c0 rpc.idmapd 1798 1 0 0 0x000000001c8cd000 2014-06-24 10:22:37 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f0d9040 rsyslogd 2057 1 0 0 0x000000001c94c000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d5ed080 acpid 2157 1 0 0 0x000000001d7a9000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001be1e8c0 dbus-daemon 2178 1 101 105 0x000000001c949000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c278080 apache2 2254 1 0 0 0x000000001be34000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001aca0080 atd 2344 1 0 0 0x000000001acf5000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ac987c0 NetworkManager 2363 1 0 0 0x000000001aca1000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c86a040 avahi-daemon 2388 1 106 114 0x000000001c6f8000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ac980c0 avahi-daemon 2390 2388 106 114 0x000000001c68a000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001aca5180 polkitd 2393 1 0 0 0x000000001c157000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d5e5140 modem-manager 2403 1 0 0 0x000000001c130000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001acc2100 gdm3 2425 1 0 0 0x000000001c708000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c1721c0 gdm-simple-slav 2440 2425 0 0 0x000000001c759000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c717800 dhclient 2450 2363 0 0 0x000000001c7f7000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c1728c0 bluetoothd 2451 1 0 0 0x000000001c04f000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c65f0c0 Xorg 2459 2440 0 0 0x000000001c7dd000 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f53e140 krfcommd 2467 2 0 0 ------------------ 2014-06-24 10:22:38 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001aca0780 cron 2532 1 0 0 0x000000001c124000 2014-06-24 10:22:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c171040 daemon 2573 1 0 0 0x000000001ad56000 2014-06-24 10:22:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c0ce140 mpt-statusd 2575 2573 0 0 0x000000001c0fe000 2014-06-24 10:22:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c171740 accounts-daemon 2645 1 0 0 0x000000001add1000 2014-06-24 10:22:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ad518c0 console-kit-dae 2652 1 0 0 0x000000001d005000 2014-06-24 10:22:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d06c100 inetd 2720 1 0 0 0x000000001d25b000 2014-06-24 10:22:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d064840 nmbd 2798 1 0 0 0x000000001d339000 2014-06-24 10:22:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d26f180 upowerd 2802 1 0 0 0x000000001d31d000 2014-06-24 10:22:40 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ad0e100 smbd 2803 1 0 0 0x000000001d3cf000 2014-06-24 10:22:40 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d317840 smbd 2813 2803 0 0 0x000000001ca82000 2014-06-24 10:22:40 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cbb31c0 rtkit-daemon 2974 1 112 118 0x000000001c5f5000 2014-06-24 10:22:40 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c51f0c0 exim4 3300 1 104 111 0x000000001c438000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d375840 sshd 3373 1 0 0 0x000000001bd53000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ca36740 winbindd 3415 1 0 0 0x000000001cb6b000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ca517c0 winbindd 3419 3415 0 0 0x000000001bd6c000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001bc0d140 dovecot 3444 1 0 0 0x000000001bd84000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d375140 minissdpd 3468 1 0 0 0x000000001bdb7000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cbbb840 getty 3476 1 0 0 0x000000001ae4c000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cac67c0 getty 3477 1 0 0 0x000000001d624000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001adb0080 getty 3478 1 0 0 0x000000001ae40000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c417800 getty 3479 1 0 0 0x000000001ae3b000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cba2740 getty 3480 1 0 0 0x000000001ae21000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001adc87c0 getty 3481 1 0 0 0x000000001ae0a000 2014-06-24 10:22:41 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c1be780 anvil 3482 3444 107 115 0x000000001f7c3000 2014-06-24 10:22:42 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c184040 log 3483 3444 0 0 0x000000001d51e000 2014-06-24 10:22:42 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c9901c0 config 3485 3444 0 0 0x000000001c3f2000 2014-06-24 10:22:42 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ca50780 apache2 3575 2254 33 33 0x000000001c8cc000 2014-06-24 10:27:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f1370c0 apache2 3576 2254 33 33 0x000000001beee000 2014-06-24 10:27:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f6ed040 apache2 3578 2254 33 33 0x000000001b726000 2014-06-24 10:27:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001d5e5840 kauditd 3728 2 0 0 ------------------ 2014-06-24 10:29:16 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cac8780 gdm-session-wor 3733 2440 0 1000 0x000000001f2f1000 2014-06-24 10:29:28 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cbab880 gnome-keyring-d 3737 1 1000 1000 0x000000001f1f6000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cb68040 x-session-manag 3754 3733 1000 1000 0x000000001bc51000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cb68740 ssh-agent 3794 3754 1000 1000 0x000000001c586000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c86a740 dbus-launch 3797 1 1000 1000 0x000000001c5ec000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cac41c0 dbus-daemon 3798 1 1000 1000 0x000000001bca9000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001caf71c0 gnome-settings- 3807 3754 1000 1000 0x000000001b650000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cbed180 gvfsd 3818 1 1000 1000 0x000000001d3b5000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ad0e800 pulseaudio 3824 1 1000 1000 0x000000001c467000 2014-06-24 10:29:33 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c3340c0 gvfs-gdu-volume 3828 1 1000 1000 0x000000001cbfe000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ad511c0 udisks-daemon 3830 1 0 0 0x000000001be83000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f0b01c0 udisks-daemon 3831 3830 0 0 0x000000001cb2f000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cb93800 gvfs-gphoto2-vo 3834 1 1000 1000 0x000000001c533000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cbd6080 gvfs-afc-volume 3836 1 1000 1000 0x000000001d65a000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f737080 colord 3841 1 102 106 0x000000001f796000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f665140 metacity 3842 3754 1000 1000 0x000000001f347000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001adc80c0 colord-sane 3852 1 102 106 0x000000001bfc2000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f667840 gsd-printer 3854 1 1000 1000 0x000000001d5c7000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d5ed780 gnome-panel 3856 3754 1000 1000 0x000000001d2be000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d2ff800 gconfd-2 3868 1 1000 1000 0x000000001f040000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d2ff100 dconf-service 3870 1 1000 1000 0x000000001f05b000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f68a0c0 tracker-store 3874 3754 1000 1000 0x000000001f529000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001bc1c180 notification-da 3875 3754 1000 1000 0x000000001f609000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f0518c0 polkit-gnome-au 3876 3754 1000 1000 0x000000001c19a000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f0511c0 gnome-sound-app 3877 3754 1000 1000 0x000000001d2c7000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f082740 gdu-notificatio 3878 3754 1000 1000 0x000000001f5f4000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f082040 evolution-alarm 3879 3754 1000 1000 0x000000001d674000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f0070c0 bluetooth-apple 3883 3754 1000 1000 0x000000001d161000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d522800 gnome-screensav 3884 3754 1000 1000 0x000000001f6b1000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ac9e8c0 gnome-fallback- 3885 3754 1000 1000 0x000000001d2eb000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f654840 nm-applet 3887 3754 1000 1000 0x000000001d743000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001cb93100 tracker-miner-f 3889 3754 1000 1000 0x000000001bfb4000 2014-06-24 10:29:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001af86080 mission-control 3924 1 1000 1000 0x000000001afd3000 2014-06-24 10:29:36 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff880004404100 goa-daemon 3929 1 1000 1000 0x000000001afa4000 2014-06-24 10:29:36 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001afd67c0 gnome-terminal 3968 3856 1000 1000 0x000000001c4b5000 2014-06-24 10:36:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001c581140 gnome-pty-helpe 3975 3968 1000 1000 0x0000000004572000 2014-06-24 10:36:40 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f68a7c0 bash 3976 3968 1000 1000 0x0000000004590000 2014-06-24 10:36:40 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f0b08c0 flush-8:0 8099 2 0 0 ------------------ 2014-06-24 12:02:44 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001ae6d8c0 kworker/0:1 8105 2 0 0 ------------------ 2014-06-24 12:10:16 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f18e140 sleep 8471 2575 0 0 0x000000000450a000 2014-06-24 12:52:39 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001b5e3140 kworker/0:2 8492 2 0 0 ------------------ 2014-06-24 12:55:34 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d06c800 sshd 8497 3373 0 0 0x0000000004407000 2014-06-24 12:58:52 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001d3a7180 sshd 8502 8497 1001 1001 0x000000001ac16000 2014-06-24 12:58:55 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001ac9c740 bash 8503 8502 1001 1001 0x0000000001ee6000 2014-06-24 12:58:55 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff88001f53e840 sudo 8599 3976 0 1000 0x000000001f72c000 2014-06-24 13:00:21 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
0xffff8800044a5880 bash 8600 8599 0 0 0x000000001ca4e000 2014-06-24 13:00:21 UTC+0000
DEBUG : volatility.debug : Requested symbol tk_core not found in module kernel
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
DEBUG1 : volatility.debug : None object instantiated: Pointer mm invalid
0xffff88001f9a2080 kworker/0:0 8601 2 0 0 ------------------ 2014-06-24 13:00:36 UTC+0000
Similar issues:
- https://github.com/volatilityfoundation/volatility/issues/486
- https://github.com/volatilityfoundation/volatility/issues/503
- https://github.com/volatilityfoundation/volatility/issues/330
- https://github.com/volatilityfoundation/volatility/issues/381
- https://github.com/volatilityfoundation/volatility/issues/413
- https://github.com/volatilityfoundation/volatility/issues/417
The files and the dump that I used can be downloaded here : https://www.dropbox.com/s/7edntg68eo2eoxp/goldfish_dump_and_files.zip?dl=0
It's a zip file containing :
- ram.dd : got from lime executed in the Android emulator and a VM using goldfish 3.4
- System.map : got from goldfish 3.4 after compilation
- goldfish-3.4-systemmap.json : got from dwarf2json on System.map
- module.dwarf : got from volatility 2.6 module.c
Thanks
I think that PyCrypto is not installed in your environment. You can verify it by opening python 2.x in the shell and importing pycrypto. If it does not import successfully then it's missing and you have to install it. A successful import will look something like this:
E:\volatilityPy>python2
Python 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:42:59) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import Crypto
>>>
To check for volatility dependencies, visit here
Thanks for the reply. PyCrypto is not installed, but the FAQ states that
If you are not using lsadump, hashdump or any other registry plugin that uses PyCrypto, then you can safely ignore the error message. Otherwise, install PyCrypto and the message will disappear.
Do you think I need to install it in order to get the address space recognized?
From line#4 of the errors, I can infer that distorm3 is also not installed in your environment. Try running your plugin after installing distorm3. Hopefully it will resolve your issue.
Thanks for your advice. I've installed distorm3 and pycrypto but the error persists:
python2 vol.py --profile=LinuxGoldfish-3_4ARM -f ~/ram.dd -d -d -d linux_pslist
Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.debug : Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.debug : Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f6c614fcb50>
<class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x7D000020, instantiating lime_header
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f6c614fcb10>
<class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0x115001
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xfffffff8L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x115001
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
WindowsAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
LinuxAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
One thing I am unable to understand is why you have passed the -d flag three times in your command? I haven't seen this type of command before. You can also try the standalone executable of volatility to ensure that there is no issue of dependency. Best of luck 👍
The three -d flags allow printing the DEBUG1 information. It's the super verbose command.
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
You don't have this with just the -v or -d flags.
I tried the standalone executable, same problem ... Thanks for your help !
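As an added illustration (not part of the thread, and not Volatility's or LiME's own code): a standalone Python 3 walk of the LiME range headers, 32 bytes each (magic, version, start address, end address, 8 reserved bytes), which confirms independently of Volatility that a dump's header chain is intact and maps physical addresses to file offsets. All sample bytes are constructed; the single-range header is sized so that the next header would sit at 0x7D000020, the address in the lime_header debug line above.

```python
import io
import struct

LIME_MAGIC = 0x4C694D45            # written little-endian, so the file starts with b"EMiL"
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved = 32 bytes


class LimeFormatError(ValueError):
    """Raised when a range header is truncated, mis-signed or inconsistent."""


def parse_header(raw, offset=0):
    """Decode one range header found at file offset `offset`.

    Returns (phys_start, data_file_offset, length), the same shape as the
    run tuples a LiME-aware reader keeps for each memory range.
    """
    if len(raw) < HEADER.size:
        raise LimeFormatError("truncated header at file offset 0x%x" % offset)
    magic, version, s_addr, e_addr, _reserved = HEADER.unpack(raw[:HEADER.size])
    if magic != LIME_MAGIC:
        raise LimeFormatError("bad magic %r at file offset 0x%x" % (raw[:4], offset))
    if version != 1:  # only header version 1 is handled in this example
        raise LimeFormatError("unsupported header version %d" % version)
    if e_addr < s_addr:
        raise LimeFormatError("end address below start address")
    # e_addr is inclusive, hence the +1.
    return s_addr, offset + HEADER.size, e_addr - s_addr + 1


def parse_lime_runs(stream, file_size):
    """Follow the header chain to end of file and return every run."""
    runs, offset = [], 0
    while offset < file_size:
        stream.seek(offset)
        s_addr, data_off, length = parse_header(stream.read(HEADER.size), offset)
        if data_off + length > file_size:
            raise LimeFormatError("range at 0x%x runs past end of file" % offset)
        runs.append((s_addr, data_off, length))
        offset = data_off + length  # next header, or exactly EOF when done
    return runs


def phys_to_file_offset(runs, paddr):
    """Translate a physical address to a file offset; None if not captured."""
    for s_addr, data_off, length in runs:
        if s_addr <= paddr < s_addr + length:
            return data_off + (paddr - s_addr)
    return None


def build_header(s_addr, e_addr):
    """Helper for the constructed samples below."""
    return HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\x00" * 8)


def build_sample_dump():
    """Constructed two-range dump: 4 KiB at 0x0 and 512 bytes at 0x80000000."""
    return (build_header(0x0, 0xFFF) + b"\xAA" * 0x1000 +
            build_header(0x80000000, 0x800001FF) + b"\xBB" * 0x200)


# Constructed header for a single range covering 0x0 .. 0x7CFFFFFF.
SINGLE_RANGE_HEADER = build_header(0x0, 0x7CFFFFFF)


if __name__ == "__main__":
    start, data_off, length = parse_header(SINGLE_RANGE_HEADER)
    print("single range: start=0x%x data@0x%x len=%d next header@0x%x"
          % (start, data_off, length, data_off + length))
    dump = build_sample_dump()
    for run in parse_lime_runs(io.BytesIO(dump), len(dump)):
        print("run: phys=0x%x file_offset=0x%x length=0x%x" % run)
```

For a single-range dump the computed next-header offset equals the file size, so a reader probing that offset finds nothing there and stops.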
Hello,
I tried to debug the code. Perhaps I can help by giving the information I gathered.
First, we can see from the log that several address spaces are tried to identify the dump.
It's done by the util.py:load_as:l41 function. The function is responsible for printing the error or success message.
44 for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
45 key = lambda x: x.order if hasattr(x, 'order') else 10):
46 debug.debug("Trying {0} ".format(cls))
47 try:
48 base_as = cls(base_as, config, astype = astype, **kwargs)
49 -> debug.debug("Succeeded instantiating {0}".format(base_as))
The first address space used is the standard one from standard.py. Here a handle to the ram.dd file is gained.
Next the lime address space is recognized. At this point, the beginning of the file is read and the signature of the lime dump is verified.
53 sig = base.read(0, 4)
54
55 ## ARM processors are bi-endian, but little is the default and currently
56 ## the only mode we support; unless it comes a common request.
57 -> if sig == '\x4c\x69\x4d\x45':
58 debug.debug("Big-endian ARM not supported, please submit a feature request")
59
60 self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
61
62 self.addr_cache = {}
(Pdb) sig.encode("hex")
'454d694c'
(Pdb) sig.encode("ascii")
'EMiL'
Then the parse_lime() function is called, which reads the lime dump to search for the header (signature 4c694d45). My guess is that lime uses several segments to store the data and each segment is identified by a header. In volatility, the segments are stored in a tuple with the beginning, the end, and the size. Then the tuples are stored in the limeAddressSpace.runs list. The size of the header structure is 32 (0x20).
(Pdb) self
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f57902e7250>
(Pdb) self.runs
[]
(Pdb) type(self.runs)
<type 'list'>
(Pdb) seg
(0, 32, 2097152000L)
Here, we have only one big segment with one header. It's good because the size of the file is 2097152032 (2097152000 + 32).
Now, the pointer in the ram.dd points to the offset 16
(Pdb) self.base.fhandle.tell()
16
(Pdb) self.base.fhandle.read(4)
'\xff\xff\xff|'
Perhaps we should place the base address after the header at offset 0x20 ?
me@me:~/Documents/Android/androidKernel/android_module$ hexdump -C ~/ram.dd -n 40
00000000 45 4d 69 4c 01 00 00 00 00 00 00 00 00 00 00 00 |EMiL............|
00000010 ff ff ff 7c 00 00 00 00 00 00 00 00 00 00 00 00 |...|............|
00000020 01 50 11 00 02 50 11 00
After identifying the lime address space, the voting round is restarted from the beginning, as we can see in the log:
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x7D000020, instantiating lime_header
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7ff11a25fed0>
<class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Voting round
We can print the class used as base address space
(Pdb) sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values())
[<class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>, <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>, <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>, <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>, <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>, <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>, <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>, <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>, <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>, <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>, <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>, <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>, <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>, <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>, <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>, <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>]
Next, my guess is that the arm address space (addrspaces.arm.ArmAddressSpace) should be used.
There are 2 FIXMEs in the code of arm.py
$ grep -ni "FIXME" arm.py -A 3 -B 3
52-
53- def page_table_present(self, entry):
54- if entry:
55: return True # TODO FIXME
56- return False
57-
58- # Page Directory Index (1st Level Index)
--
159-
160- return pte_value
161-
162: # FIXME
163- # this is supposed to return all valid physical addresses based on the current dtb
164- # this (may?) be painful to write due to ARM's different page table types and having small & large pages inside of those
165- def get_available_pages(self):
With each iteration in the while loop in util.py:load_as:l41, the function increases the file pointer of ram.dd.
(Pdb) base_as.base.fhandle.tell()
36
We step through the debug session until the arm address space and we arrive in page.py
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/utils.py(47)load_as()
-> try:
(Pdb)
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/utils.py(48)load_as()
-> base_as = cls(base_as, config, astype = astype, **kwargs)
(Pdb) base_as
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f552304e8d0>
(Pdb) s
--Call--
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(31)__init__()
-> def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
(Pdb) l
26
27 Note: Pages can be of any size
28 """
29 checkname = "Intel"
30
31 -> def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
32 ## We must be stacked on someone else:
33 self.as_assert(base, "No base Address Space")
34
35 addrspace.AbstractVirtualAddressSpace.__init__(self, base, config, *args, **kwargs)
36
At this point, the pointer in the ram.dd file is at offset 38, which doesn't make any sense
(Pdb) base.base.fhandle.tell()
38
$ hexdump -C -s 38 ~/ram.dd -n 40
00000026 11 00 03 50 11 00 04 50 11 00 05 50 11 00 06 50 |...P...P...P...P|
00000036 11 00 07 50 11 00 08 50 11 00 09 50 11 00 0a 50 |...P...P...P...P|
00000046 11 00 0b 50 11 00 0c 50 |...P...P|
0000004e
So back in page.py, load_dtb() is called
def load_dtb(self):
    """Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
    try:
        # If the user has manually specified one, then shortcircuit to that one
        if self._config.DTB:
            raise AttributeError
        ## Try to be lazy and see if someone else found dtb for
        ## us:
        return self.base.dtb
    except AttributeError:
        ## Ok so we need to find our dtb ourselves:
        dtb = obj.VolMagic(self.base).DTB.v()
        if dtb:
            ## Make sure to save dtb for other AS's
            ## Will this have an effect on following ASes attempts if this fails?
            self.base.dtb = dtb
            return dtb
I don't know what a DTB is. A Device Tree Blob perhaps?
The DTB value in the _config object is 0
(Pdb) self._config.DTB
0
(Pdb) n
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(43)__init__()
-> self.as_assert(self.dtb != None, "No valid DTB found")
Then the attribute is missing, so we get the error message
(Pdb) volmag
[VOLATILITY_MAGIC VOLATILITY_MAGIC] @ 0x00000000
(Pdb) self.checkname
'ArmValidAS'
(Pdb) n
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(48)__init__()
-> self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
(Pdb) n
ASAssertionError: ASAssert... check',)
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(48)__init__()
-> self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
I don't understand this check from volatility/obj.py VolMagic()
if not skip_as_check:
    volmag = obj.VolMagic(self)
    if hasattr(volmag, self.checkname):
        self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
    else:
        self.as_assert(False, "Profile does not have valid Address Space check")
(Pdb) self.checkname
'ArmValidAS'
Then Volatility exits.
This checkname should come from arm.py, which is called at the start of Volatility by the registry.py module.
grep -ni "ArmValidAS" * -A 3 -B 3
arm.py-31- order = 800
arm.py-32- pae = False
arm.py-33- paging_address_space = True
arm.py:34: checkname = 'ArmValidAS'
arm.py-35- minimum_size = 0x1000
arm.py-36- alignment_gcd = 0x1000
arm.py-37- _long_struct = struct.Struct("<I")
Binary file arm.pyc matches
There's a lot going on there, so I'm not able to understand where the problem comes from! For some reason, the LiME dump is correctly recognized but the arm address space is not.
Could you please repeat the acquisition process with the following added before running Lime:
- copy /proc/iomem to a file
- copy /proc/kallsyms to a file
Then run lime and upload a zip with the sample + the 2 files above. This will help me debug better.
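A pre-flight check for the acquisition requested above, added here as an example and not code from this thread or from the Volatility or LiME projects: it walks the 32-byte LiME range headers in the dump and compares the dumped physical ranges with the top-level System RAM entries of the saved /proc/iomem copy. It is Python 3; the function names, the tiny sample dump and the sample iomem text are constructed for illustration.

```python
import io
import re
import struct

LIME_HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr (inclusive), reserved
LIME_MAGIC = 0x4C694D45
RAM_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : System RAM\s*$", re.I)

def lime_segments(fh):
    """Return [(start, end, data_offset)] for every range in a LiME dump."""
    size = fh.seek(0, io.SEEK_END)
    fh.seek(0)
    segments = []
    while fh.tell() < size:
        raw = fh.read(LIME_HEADER.size)
        if len(raw) < LIME_HEADER.size:
            raise ValueError("truncated LiME header at end of file")
        magic, version, start, end, _reserved = LIME_HEADER.unpack(raw)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError("bad LiME header before file offset %d" % fh.tell())
        data_offset = fh.tell()
        if data_offset + (end - start + 1) > size:
            raise ValueError("range 0x%x-0x%x is cut short in the file" % (start, end))
        segments.append((start, end, data_offset))
        fh.seek(end - start + 1, io.SEEK_CUR)  # skip the payload to the next header
    return segments

def system_ram_ranges(iomem_text):
    """Top-level 'System RAM' entries from a saved copy of /proc/iomem."""
    found = (RAM_LINE.match(line) for line in iomem_text.splitlines())
    return [(int(m.group(1), 16), int(m.group(2), 16)) for m in found if m]

def compare(fh, iomem_text):
    """Return (ranges missing from the dump, ranges in the dump but not in iomem)."""
    dumped = {(s, e) for s, e, _ in lime_segments(fh)}
    expected = set(system_ram_ranges(iomem_text))
    return sorted(expected - dumped), sorted(dumped - expected)

def file_offset_to_phys(segments, offset):
    """Map a file offset (e.g. from fhandle.tell()) to a physical address, or None."""
    for start, end, data_offset in segments:
        if data_offset <= offset <= data_offset + (end - start):
            return start + (offset - data_offset)
    return None

# Constructed sample: two tiny ranges standing in for a real dump and iomem copy.
SAMPLE_DUMP = (LIME_HEADER.pack(LIME_MAGIC, 1, 0x0, 0xF, b"\0" * 8) + b"A" * 16 +
               LIME_HEADER.pack(LIME_MAGIC, 1, 0x100, 0x107, b"\0" * 8) + b"B" * 8)
SAMPLE_IOMEM = "00000000-0000000f : System RAM\n  00008000-0000000f : Kernel code\n00000100-00000107 : System RAM\n"
```

Because the first LiME header occupies file bytes 0 to 31, `file_offset_to_phys` places the offsets 36 and 38 seen in the Pdb session earlier in the thread inside the first range's payload. Read /proc/iomem as root: recent kernels print all-zero addresses to unprivileged readers, which would make every range look missing.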
I am not sure if there has been a fix to this issue? The issue still persists on arm_4_15_0-1065 architecture. Can someone please help/update on recent progress?