Giters

volatilityfoundation / profiles

Volatility profiles for Linux and Mac OS X

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

AddrSpaceError with Ubuntu 18.04.3x64 profile on Ubuntu 18.04.3 - 4.15.0-55-generic

sandyboxy opened this issue · comments

commented

Hello,
I've installed volatility 2.5 to work with cuckoo 2.0.7 on Ubuntu 18.04 host with a Windows guest (on which volatility correctly works) and an Ubuntu 18.04.3 guest with 4.15.0-55-generic on which I downloaded 18.04.3x64 profile.
I correctly set osprofile in virtualbox.conf, but when I try to run an ELF file on Ubuntu guest, I have the following error:

Failed to run the processing module "Memory" for task #25:
Traceback (most recent call last):
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 246, in process
    data = current.run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1118, in run
    return VolatilityManager(self.memory_path, osprofile).run()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 1000, in __init__
    self.vol = VolatilityAPI(self.memfile, self.osprofile)
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 79, in __init__
    self.init_config()
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 149, in init_config
    if self.get_dtb():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/processing/memory.py", line 85, in get_dtb
    for ep in ps.calculate():
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/plugins/filescan.py", line 354, in calculate
    addr_space = utils.load_as(self._config, astype = 'physical')
  File "/home/cuckoo/venv/local/lib/python2.7/site-packages/volatility-2.5-py2.7.egg/volatility/utils.py", line 65, in load_as
    raise error
AddrSpaceError: No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace - EXCEPTION: 'DW_AT_byte_size'
 ArmAddressSpace: No base Address Space