[panda-users] How to use volatility with memsavep dumps
Giovanni Mascellani
g.mascellani at gmail.com
Mon Oct 17 13:55:16 EDT 2016
Dear all,
I tried to dump the memory content of a PANDA replay with
../../qemu/x86_64-softmmu/qemu-system-x86_64 -m 512M -replay ssltest -panda memsavep:percent=3,file=dump
Then tried to open it with volatility:
volatility -f dump gdt
Volatility Foundation Volatility Framework 2.5
CPU Sel Base Limit Type DPL Gr Pr
------ ---------- ---------- ---------- -------------- ------ ---- ----
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
IA32PagedMemoryPae: No valid DTB found
IA32PagedMemory: No valid DTB found
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: No valid DTB found
Apparently volatility is not recognizing it. What am I missing? Sorry, I
am not a volatility expert and I do not understand if some other
preprocessing of the dump is required.
Thanks for your help, Giovanni.
--
Giovanni Mascellani <g.mascellani at gmail.com>
PhD Student - Scuola Normale Superiore, Pisa, Italy
http://poisson.phc.unipi.it/~mascellani
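A note on reading the listing above, with an added example that is not part of the original post and is not PANDA or Volatility code. Volatility 2.x tries its address spaces one after another: the container formats (ELF core, LiME, Windows crash dump, VMware VMSS/VMSN, Mach-O, HPAK) are recognised by a magic value at offset 0, so on an image with no container header all of those probes fail by design, and the remaining probes (AMD64PagedMemory, IA32PagedMemory*, Arm) need a profile that matches the guest. The line "AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected" shows the default profile was in use because no --profile was given. The VMware line is also informative: it prints the first four bytes of the file as a little-endian dword, 0xf000ff53, which is a far pointer F000:FF53 into the BIOS ROM segment, i.e. the first entry of the x86 real-mode interrupt vector table at physical address 0. That is consistent with the dump being a raw physical-memory image (assumed here for a memsavep dump). The script below sniffs an image the same way, using only the magic values and the IVT heuristic; the sample images at the bottom are constructed inline so it runs offline.

```python
"""Sniff what kind of memory image a file is before handing it to Volatility.

Added example, not code from the panda-users post, PANDA or Volatility.
Assumption: a PANDA memsavep dump is a raw physical-memory image that starts
at guest physical address 0.  On a legacy-BIOS x86 guest that address holds
the real-mode interrupt vector table (IVT), whose unused entries are far
pointers to the BIOS dummy IRET at F000:FF53.
"""
import struct
import sys

# Magic bytes at offset 0, as checked by the Volatility 2.x address spaces,
# written here as they appear on disk (little-endian).  Partial table.
CONTAINER_MAGICS = [
    (b"\x7fELF", "elf-core"),              # QemuCoreDumpElf / VirtualBoxCoreDumpElf64 / OSXPmemELF
    (b"EMiL", "lime"),                     # LimeAddressSpace, magic 0x4C694D45
    (b"PAGEDUMP", "windows-crashdump32"),  # WindowsCrashDumpSpace32
    (b"PAGEDU64", "windows-crashdump64"),  # WindowsCrashDumpSpace64
    (b"\xd2\xbe\xd2\xbe", "vmware-vmss"),  # VMWareAddressSpace, magic 0xbed2bed2
    (b"\xd1\xba\xd1\xba", "vmware-vmsn"),  # VMWareAddressSpace, magic 0xbad1bad1
]

BIOS_SEGMENT = 0xF000  # real-mode segment of the legacy BIOS ROM


def first_dword(image: bytes) -> int:
    """Little-endian uint32 at offset 0: the value VMWareAddressSpace compares
    with its magic and prints as 'Invalid VMware signature: 0x...'."""
    return struct.unpack_from("<I", image, 0)[0]


def ivt_entries(image: bytes, count: int = 8):
    """Decode the first `count` IVT entries as (segment, offset) far pointers.
    Each entry is 4 bytes: offset (low word) then segment (high word)."""
    entries = []
    for i in range(count):
        off, seg = struct.unpack_from("<HH", image, 4 * i)
        entries.append((seg, off))
    return entries


def looks_like_raw_x86_physmem(image: bytes) -> bool:
    """Heuristic: if most of the first 8 IVT vectors point into the BIOS ROM
    segment, offset 0 of the file is guest physical address 0, i.e. the file
    is a raw physical-memory image rather than a container format."""
    if len(image) < 32:
        return False
    in_bios = sum(1 for seg, _ in ivt_entries(image, 8) if seg == BIOS_SEGMENT)
    return in_bios >= 6


def classify(image: bytes) -> str:
    """Return a short label for the image type, or 'unknown'."""
    for magic, name in CONTAINER_MAGICS:
        if image.startswith(magic):
            return name
    if looks_like_raw_x86_physmem(image):
        return "raw-physical"
    return "unknown"


def hint(label: str) -> str:
    """What to do next in Volatility 2.x for each label."""
    if label == "raw-physical":
        return ("no container header; every header probe will fail and the paged "
                "address spaces need --profile=<profile matching the guest OS> "
                "(the default is WinXPSP2x86)")
    if label == "unknown":
        return "no known magic and no IVT at offset 0; check the dump was written completely"
    return "container format %s; Volatility should detect it without extra flags" % label


# Constructed sample images (not real dumps): a raw image whose first 8 IVT
# entries all point to F000:FF53, and a minimal ELF-looking header.
SAMPLE_RAW_IVT = struct.pack("<HH", 0xFF53, 0xF000) * 8 + b"\x00" * 32
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 60
SAMPLE_LIME = b"EMiL" + b"\x00" * 60


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read(4096) if path else SAMPLE_RAW_IVT
    label = classify(data)
    print("first dword: 0x%08x" % first_dword(data))
    print("image type : %s" % label)
    print("next step  : %s" % hint(label))
```

Run as `python sniff.py dump` against the memsavep output; on the dump in the post the first dword should come back as 0xf000ff53, matching the VMware probe's message. The heuristic only covers legacy-BIOS x86 guests (a UEFI guest does not populate the IVT), so "unknown" does not by itself mean the dump is bad. Once the image is known to be raw, the Volatility 2 invocation needs `--profile=` set to a profile for the guest OS and kernel; for a Linux guest that means building the matching profile zip and placing it under volatility/plugins/overlays/linux/ before the `gdt` plugin (or any other) can find a DTB.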