Unable to run vol.py plugins for "Ubuntu 16.04.6" target

Open darshantank opened this issue 5 years ago • 0 comments

I have successfully created a new profile for my VM running Ubuntu 16.04.6 LTS as described at https://github.com/volatilityfoundation/volatility/wiki/Linux and moved the zip file under 'volatility/plugins/overlays/linux/'.

When I run vol.py, it shows the following message on my terminal, and I did not get the list of the running processes.

(venv) root@dmt-HP-Laptop-15-da1xxx:/home/dmt/volatility# python vol.py -l vmi://ubuntu_Guest --profile=LinuxUbuntu1604x64 linux_pslist -d

Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Ubuntu1604: Found dwarf file boot/System.map-4.15.0-76-generic with 814 symbols
DEBUG : volatility.debug : Ubuntu1604: Found system file boot/System.map-4.15.0-76-generic with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : Ubuntu1604: Found dwarf file boot/System.map-4.15.0-76-generic with 814 symbols
DEBUG : volatility.debug : Ubuntu1604: Found system file boot/System.map-4.15.0-76-generic with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxIntelOverlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Requested symbol cache_chain not found in module kernel

DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time

DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.vmi.VMIAddressSpace object at 0x7f603de92510>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmi.VMIAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.debug : Requested symbol do_fork not found in module kernel

No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Location is not of file scheme
VMWareMetaAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: -
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
WindowsAMD64PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
LinuxAMD64PagedMemory: Failed valid Address Space check
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu1604x64 selected
IA32PagedMemory: Incompatible profile LinuxUbuntu1604x64 selected
OSXPmemELF: ELF Header signature invalid
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check

I would greatly appreciate it if you kindly give us some feedback and share your views.

Thanks.

darshantank, Feb 26 '20 12:02