Volatility does not recognize Linux machines

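I am using Volatility 2.6 on both Windows 7 and Kali Linux (latest version).

My memory dumps are in VMware Workstation ".vmem" and ".vmss" files.

I want to examine Linux-based memory. By default, Volatility has no Linux profiles, so I downloaded them and added them to
…/volatility/plugins/overlays/linux

Now I can see all of them in the --info output under the profile list. I have no problem with Windows-based memory, but when I try to open, for example, an Ubuntu1204 or Ubuntu1404 server, I get the following error: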

No suitable address space mapping found

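So finally I used imageinfo to find the profile automatically, like this:
python vol.py -f /mymemory.vmem imageinfo
But I get this error again in Kali Linux (same error in Windows, and the same result with an older version of Volatility):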

Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure tty_struct not present in vtypes
Traceback (most recent call last):
  File "/usr/bin/volatility", line 192, in <module>
    main()
  File "/usr/bin/volatility", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 145, in execute
    func(outfd, data)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 45, in render_text
    for k, t, v in data:
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 55, in calculate
    suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/kdbgscan.py", line 116, in calculate
    buf = addrspace.BufferAddressSpace(self._config)
  File "/usr/lib/python2.7/dist-packages/volatility/addrspace.py", line 378, in __init__
    BaseAddressSpace.__init__(self, None, config, **kwargs)
  File "/usr/lib/python2.7/dist-packages/volatility/addrspace.py", line 73, in __init__
    self.profile = self._set_profile(config.PROFILE)
  File "/usr/lib/python2.7/dist-packages/volatility/addrspace.py", line 98, in _set_profile
    ret = profs[profile_name]()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 214, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/volatility/obj.py", line 859, in __init__
    self.reset()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 224, in reset
    self.load_vtypes()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 261, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 225, in process_statement
    self.id_to_name[statement_id] = [self.base_type_name(data)]
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 125, in base_type_name
    return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: 'device_attribute'