RHEL 7.9 No suitable address space mapping found
Good morning,
I've tried building and running on a number of different instances of RHEL 7.9 (enterprise) and cannot seem to get the process working. We're building LiME modules and pulling the memory on the same host we're doing the analysis, just as a proof of concept that it does, or doesn't, work. Below is how I'm creating the LiME modules.
insmod /root/LiME-master/src/lime-3.10.0-1160.31.1.el7.x86_64.ko "path=/data/linux-file.mem format=lime"
We're running on RHEL 7.9 with the following kernel:
3.10.0-1160.31.1.el7.x86_64
And when trying to run Volatility we get the following:
[root@dcr4630l volatility-master]# python vol.py --profile=LinuxRHEL79x64 -f /root/linux-file.mem linux_psaux
Volatility Foundation Volatility Framework 2.6
Pid Uid Gid Arguments
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
Win10AMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
Win10AMD64PagedMemory: Incompatible profile LinuxRHEL79x64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxRHEL79x64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxRHEL79x64 selected
IA32PagedMemory: Incompatible profile LinuxRHEL79x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
When building the Volatility profile we also did that on the same host we're testing on, validating the kernel version is the same as the System.map file.
Keep banging our heads on this but can't seem to find a resolution anywhere online.
Is there a limitation or known issue with this version and kernel of RHEL?
I am having similar issues with newer kernels. It appears that the culprit is Address Space Layout Randomization (ASLR) and specifically KASLR. There have been a couple attempts to improve detection such as Infrastructure for PHYSICALSHIFT in the Linux overlay but I am still having trouble even using that code.
I have hit the same problem on a slightly customized kernel of CentOS 7.3 (as used on F5 BigIP) where ASLR is disabled. The exact kernel-devel and/or source package is not available, so I am not really sure I have everything right.
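The output in the first post includes "LimeAddressSpace: Invalid Lime header signature", which means the file passed to -f does not begin with the LiME magic. As an added example (not part of the thread, and not Volatility or LiME code), this Python 3 script walks the range headers of a format=lime image so the capture itself can be checked before any profile or KASLR debugging; the 32-byte header layout is LiME's, while parse_lime and build_sample are names made up here.

```python
import io
import struct
import sys

LIME_MAGIC = 0x4C694D45            # on disk (little-endian) the file begins with b"EMiL"
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved = 32 bytes


def parse_lime(stream):
    """Return [(start_addr, end_addr, data_offset)] for each range in a LiME image.

    Raises ValueError on a wrong magic, a truncated range, or an empty image.
    """
    total = stream.seek(0, io.SEEK_END)
    stream.seek(0)
    ranges = []
    while stream.tell() < total:
        pos = stream.tell()
        raw = stream.read(HEADER.size)
        if len(raw) < HEADER.size:
            raise ValueError("truncated header at offset %d" % pos)
        magic, _version, start, end, _reserved = HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, pos))
        size = end - start + 1          # e_addr is inclusive
        data_off = stream.tell()
        if size <= 0 or data_off + size > total:
            raise ValueError("range at offset %d runs past end of file" % pos)
        ranges.append((start, end, data_off))
        stream.seek(size, io.SEEK_CUR)  # skip the raw memory for this range
    if not ranges:
        raise ValueError("no LiME ranges found (empty file?)")
    return ranges


def build_sample():
    """Constructed two-range image (not real memory) for a self-check."""
    out = b""
    for start, size in ((0x1000, 0x1000), (0x100000, 0x200)):
        out += HEADER.pack(LIME_MAGIC, 1, start, start + size - 1, b"\0" * 8)
        out += b"\xAA" * size
    return out


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    for start, end, off in parse_lime(src):
        print("0x%012x-0x%012x data at file offset %d" % (start, end, off))
```

Run it against the exact path given to vol.py -f; a ValueError at offset 0 points at the capture file rather than the profile.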