Question

I did a memory dump in ELF format using VirtualBox Manager.

VBoxManage debugvm "image_name" dumpguestcore --filename test.elf

It worked well. Then I tried to analyze the dump with Volatility.

The imageinfo command worked well and got the result.

volatility-2.2.standalone.exe -f test.elf imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : FileAddressSpace (C:\work\volatility\test.elf)
                      PAE type : No PAE
                           DTB : 0x2f3000L
                          KDBG : 0x5461d0
          Number of Processors : 0
     Image Type (Service Pack) : -
             KUSER_SHARED_DATA : 0xffdf0000L

It failed when I tried to use pslist.

volatility-2.2.standalone.exe -f test.elf --profile=WinXPSP3x86 pslist
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64: Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile WinXPSP3x86 selected
 JKIA32PagedMemory: Failed valid Address Space check
 JKIA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space

Could anyone help to look at the issue of why Volatility reports "No suitable address space mapping found"?

Thanks a lot!

No correct solution

OTHER TIPS

Solved: the VirtualBox memory dump uses the ELF64 format, but Volatility 2.2 doesn't support it. The plugin at http://wiki.yobi.be/wiki/RAM_analysis can be used to add ELF64 support.
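As an added example (not code from the question, the answer, or the linked plugin), the following Python performs the check the answer points at: it reads the ELF class from the header and walks the PT_LOAD program headers, which carry the guest-physical-to-file-offset map that an ELF core address space has to provide before Volatility can apply any profile. The sample core is constructed in memory; on a real dump the bytes would be read from test.elf.

```python
import struct

# ELF identification and program-header constants (System V gABI).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
PT_LOAD, PT_NOTE = 1, 4

# Per-class header layout: name, e_phoff offset and format, e_phentsize offset,
# Phdr format, and the indices of p_offset / p_paddr / p_filesz in that format.
LAYOUT = {
    ELFCLASS32: ("ELF32", 0x1C, "<I", 0x2A, "<8I", (1, 3, 4)),
    ELFCLASS64: ("ELF64", 0x20, "<Q", 0x36, "<IIQQQQQQ", (2, 4, 5)),
}

def inspect_elf_core(data):
    """Return (elf_class, loads): loads lists PT_LOAD segments as
    (p_paddr, p_offset, p_filesz), the physical ranges present in the dump."""
    if data[:4] != ELF_MAGIC or data[4] not in LAYOUT:
        raise ValueError("not an ELF32/ELF64 file")
    name, phoff_at, phoff_fmt, phent_at, phdr_fmt, (i_off, i_paddr, i_size) = LAYOUT[data[4]]
    (phoff,) = struct.unpack_from(phoff_fmt, data, phoff_at)
    phentsize, phnum = struct.unpack_from("<HH", data, phent_at)
    loads = []
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if ph[0] == PT_LOAD:  # p_type is the first field in both layouts
            loads.append((ph[i_paddr], ph[i_off], ph[i_size]))
    return name, loads

def paddr_to_offset(loads, paddr):
    """Translate a guest-physical address to a file offset via the PT_LOAD map;
    None if the address falls in a hole (e.g. an MMIO gap) no segment covers."""
    for seg_paddr, seg_offset, seg_filesz in loads:
        if seg_paddr <= paddr < seg_paddr + seg_filesz:
            return seg_offset + (paddr - seg_paddr)
    return None

def build_sample_core():
    """Constructed ELF64 core (not a real VirtualBox dump): one PT_NOTE and two
    PT_LOAD segments, at physical 0 and at 1 MiB, with a marker in the second."""
    phoff, phnum, phentsize = 64, 3, 56
    body = phoff + phnum * phentsize
    ehdr = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, phoff, 0, 0, 64, phentsize, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_NOTE, 0, body, 0, 0, 16, 0, 0)
    phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 7, body + 16, 0, 0x0, 0x1000, 0x1000, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 7, body + 16 + 0x1000, 0, 0x100000, 0x1000, 0x1000, 0x1000)
    ram = bytearray(0x2000)
    ram[0x1010:0x1014] = b"KDBG"  # lands at guest-physical 0x100010
    return ehdr + phdrs + b"\x00" * 16 + bytes(ram)
```

Running inspect_elf_core over a file whose class comes back as ELF64 explains the failure above: the stock 2.2 address spaces have no layer for that container, so every candidate reports "No base Address Space".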

Licensed under: CC-BY-SA with attribution