Cuckoo on Ubuntu VM - AddrSpaceError: No suitable address space mapping found
Hello, I've correctly configured Volatility 2.5 to work with Cuckoo 2.0.7 on Ubuntu host. Memory dump works with Windows guest.
I added an Ubuntu guest VM on cuckoo and I created a new volatility profile for my kernel version (directly on guest machine) following this tutorial. Finally, I copied new plugin to volatility and it is correctly loaded.
Now, when I try to analyze a malicious elf file, this is the output I obtain:
Failed to run the processing module "Memory" for task #23:
Traceback (most recent call last):
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 246, in process
data = current.run()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1118, in run
return VolatilityManager(self.memory_path, osprofile).run()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1000, in __init__
self.vol = VolatilityAPI(self.memfile, self.osprofile)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 79, in __init__
self.init_config()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 149, in init_config
if self.get_dtb():
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 85, in get_dtb
for ep in ps.calculate():
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/filescan.py", line 354, in calculate
addr_space = utils.load_as(self._config, astype = 'physical')
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/utils.py", line 65, in load_as
raise error
AddrSpaceError: No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
FileAddressSpace - EXCEPTION: 'DW_AT_byte_size'
ArmAddressSpace: No base Address Space
How can I solve this issue?
Did you try to analyze a memory dump using your created volatility profile out of cuckoo automatic execution?
The message you get there "AddrSpaceError: No suitable address space mapping found" normally appears when the volatility profile is not correct.
I tried to run this command
$ vol.py -f /opt/cuckoo/storage/analyses/23/memory.dmp --profile=LinuxUbuntu_4_15_0-122-generic_profilex64 linux_dmesg
but I have this error:
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
File "/home/cuckoo/venv/bin/vol.py", line 4, in <module>
__import__('pkg_resources').run_script('volatility==2.5', 'vol.py')
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 658, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1438, in run_script
exec(code, namespace, namespace)
File "/home/cuckoo/venv/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
main()
File "/home/cuckoo/venv/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/linux/common.py", line 63, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 115, in execute
if not self.is_valid_profile(profs[self._config.PROFILE]()):
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 214, in __init__
obj.Profile.__init__(self, *args, **kwargs)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/obj.py", line 859, in __init__
self.reset()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 224, in reset
self.load_vtypes()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/linux/linux.py", line 261, in load_vtypes
vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 71, in __init__
self.feed_line(line)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 162, in feed_line
self.process_statement(**parsed) #pylint: disable-msg=W0142
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/dwarf.py", line 204, in process_statement
self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
KeyError: 'DW_AT_byte_size'
I did another test with volatility 2.6.1 and distorm3 3.4.4 with command vol.py -f /opt/cuckoo/storage/analyses/23/memory.dmp --profile=LinuxUbuntu_4_15_0-122-generic_profilex64 linux_malfind and all works.
If I try the same command with volatility 2.5 and distorm3 3.4.4 it fails as shown above.
So, it seems to be a volatility version problem, but I don't think the 2.6.1 version is supported by cuckoo 2.0.7
EDIT
Using volatility 2.6.1 I have another error:
Failed to run the processing module "Memory" for task #26:
Traceback (most recent call last):
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 246, in process
data = current.run()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1118, in run
return VolatilityManager(self.memory_path, osprofile).run()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1039, in run
results[plugin_name] = getattr(self.vol, plugin_name)()
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 172, in pslist
for process in command.calculate():
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 88, in pslist
for p in get_kdbg(addr_space).processes():
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 50, in get_kdbg
if obj.VolMagic(addr_space).KPCR.value:
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 751, in __getattr__
return self.m(attr)
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 733, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KPCR
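An added pre-flight check for the profile zip itself, written here as an example and not code from the Cuckoo or Volatility projects. The vol.py traceback above ends in dwarf.py indexing data['DW_AT_byte_size'] for a structure entry, so a single structure entry in module.dwarf without that attribute (a declaration-only forward reference is the usual shape) is enough to raise the KeyError in 2.5, which is consistent with 2.6.1 accepting the same profile. The script opens a Volatility 2 Linux profile zip, confirms it carries a module.dwarf and a System.map, and lists the structure and union entries that have no byte size, so a profile can be validated before Cuckoo ever runs it. The DWARF text and the demo zip are constructed sample data; the dwarfdump line layout it parses (libdwarf style, "< 1><0x...>  DW_TAG_...") is an assumption, and it runs under Python 3 rather than Volatility's Python 2.

```python
import io
import re
import sys
import zipfile

# One DIE header in dwarfdump text output, e.g. "< 1><0x0000002d>    DW_TAG_structure_type"
# (libdwarf-style layout assumed).
DIE_RE = re.compile(r'^\s*<\s*(?P<level>\d+)><(?P<id>0x[0-9a-fA-F]+|\d+)>\s+(?P<tag>DW_TAG_\w+)')
# One attribute line under a DIE, e.g. "      DW_AT_byte_size    0x00000010"
ATTR_RE = re.compile(r'^\s*(?P<key>DW_AT_\w+)\s*(?P<val>.*?)\s*$')

# Constructed sample: a complete list_head, a declaration-only task_struct
# (no DW_AT_byte_size), and a base type that is not a struct at all.
SAMPLE_DWARF = """
< 1><0x0000002d>    DW_TAG_structure_type
                      DW_AT_name                  list_head
                      DW_AT_byte_size             0x00000010
                      DW_AT_decl_file             0x00000003
< 2><0x00000039>      DW_TAG_member
                      DW_AT_name                  next
                      DW_AT_type                  <0x0000004d>
                      DW_AT_data_member_location  0
< 1><0x0000007a>    DW_TAG_structure_type
                      DW_AT_name                  task_struct
                      DW_AT_declaration           yes(1)
< 1><0x00000081>    DW_TAG_base_type
                      DW_AT_byte_size             0x00000008
                      DW_AT_encoding              DW_ATE_unsigned
                      DW_AT_name                  long unsigned int
"""
# Constructed sample System.map content (addresses are placeholders).
SAMPLE_SYSTEM_MAP = "ffffffff81000000 T _text\nffffffff81e00000 D init_task\n"


def parse_dies(text):
    """Group dwarfdump text into DIEs: [{'id', 'tag', 'attrs': {DW_AT_*: value}}]."""
    dies = []
    cur = None
    for line in text.splitlines():
        m = DIE_RE.match(line)
        if m:
            cur = {'id': m.group('id'), 'tag': m.group('tag'), 'attrs': {}}
            dies.append(cur)
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            cur['attrs'][m.group('key')] = m.group('val')
    return dies


def structs_without_byte_size(text):
    """Structure/union entries lacking DW_AT_byte_size: the condition the 2.5 parser trips over."""
    out = []
    for die in parse_dies(text):
        if die['tag'] in ('DW_TAG_structure_type', 'DW_TAG_union_type') \
                and 'DW_AT_byte_size' not in die['attrs']:
            out.append({
                'id': die['id'],
                'name': die['attrs'].get('DW_AT_name', '<anonymous>'),
                'declaration_only': 'DW_AT_declaration' in die['attrs'],
            })
    return out


def check_profile_zip(fileobj):
    """Inspect a Volatility 2 Linux profile zip (path or file-like object)."""
    report = {'has_dwarf': False, 'has_system_map': False, 'missing_byte_size': []}
    with zipfile.ZipFile(fileobj) as zf:
        for name in zf.namelist():
            if 'System.map' in name:
                report['has_system_map'] = True
            if name.endswith('.dwarf'):
                report['has_dwarf'] = True
                text = zf.read(name).decode('utf-8', 'replace')
                report['missing_byte_size'].extend(structs_without_byte_size(text))
    return report


def build_demo_zip():
    """In-memory profile zip built from the constructed samples above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('module.dwarf', SAMPLE_DWARF)
        zf.writestr('System.map-4.15.0-122-generic', SAMPLE_SYSTEM_MAP)
    buf.seek(0)
    return buf


if __name__ == '__main__':
    # Usage: python check_profile.py /path/to/LinuxUbuntu_..._profilex64.zip
    source = sys.argv[1] if len(sys.argv) > 1 else build_demo_zip()
    rep = check_profile_zip(source)
    print("module.dwarf present:", rep['has_dwarf'])
    print("System.map present:  ", rep['has_system_map'])
    for entry in rep['missing_byte_size']:
        print("no DW_AT_byte_size:", entry['id'], entry['name'],
              "(declaration only)" if entry['declaration_only'] else "")
```

A profile that reports no missing entries and both files present is one that Volatility 2.5's DWARF parser can load; a non-empty list points at the dwarfdump output rather than at the memory image, which is worth knowing before touching the Cuckoo side of the setup.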
The backtrace in your first post mentions filescan.py and the backtrace in your latest post mentions win32/tasks.py. Those are both windows-only plugins. It seems like cuckoo is running windows-only plugins against your linux sample, which is not going to work.