[panda-users] How to use volatility with memsavep dumps
Brendan Dolan-Gavitt
brendandg at nyu.edu
Fri Oct 21 15:57:21 EDT 2016
I think I have seen this before, but can't reproduce it at the moment.
Do other values of percent= work? And, is ssltest something you can
share so we can debug?
-Brendan
On Mon, Oct 17, 2016 at 1:55 PM, Giovanni Mascellani
<g.mascellani at gmail.com> wrote:
> Dear all,
>
> I tried to dump the memory content of a PANDA replay with
>
> ../../qemu/x86_64-softmmu/qemu-system-x86_64 -m 512M -replay ssltest
> -panda memsavep:percent=3,file=dump
>
> Then tried to open it with volatility:
>
> volatility -f dump gdt
> Volatility Foundation Volatility Framework 2.5
> CPU Sel Base Limit Type DPL Gr Pr
> ------ ---------- ---------- ---------- -------------- ------ ---- ----
> No suitable address space mapping found
> Tried to open image as:
> MachOAddressSpace: mac: need base
> LimeAddressSpace: lime: need base
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace64BitMap: No base Address Space
> WindowsCrashDumpSpace64: No base Address Space
> HPAKAddressSpace: No base Address Space
> VMWareMetaAddressSpace: No base Address Space
> VirtualBoxCoreDumpElf64: No base Address Space
> QemuCoreDumpElf: No base Address Space
> VMWareAddressSpace: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> AMD64PagedMemory: No base Address Space
> IA32PagedMemoryPae: No base Address Space
> IA32PagedMemory: No base Address Space
> OSXPmemELF: No base Address Space
> MachOAddressSpace: MachO Header signature invalid
> LimeAddressSpace: Invalid Lime header signature
> WindowsHiberFileSpace32: No xpress signature found
> WindowsCrashDumpSpace64BitMap: Header signature invalid
> WindowsCrashDumpSpace64: Header signature invalid
> HPAKAddressSpace: Invalid magic found
> VMWareMetaAddressSpace: VMware metadata file is not available
> VirtualBoxCoreDumpElf64: ELF Header signature invalid
> QemuCoreDumpElf: ELF Header signature invalid
> VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
> WindowsCrashDumpSpace32: Header signature invalid
> AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
> IA32PagedMemoryPae: No valid DTB found
> IA32PagedMemory: No valid DTB found
> OSXPmemELF: ELF Header signature invalid
> FileAddressSpace: Must be first Address Space
> ArmAddressSpace: No valid DTB found
>
> Apparently volatility is not recognizing it. What am I missing? Sorry, I
> am not a volatility expert and I do not understand if some other
> preprocessing of the dump is required.
>
> Thanks for your help, Giovanni.
> --
> Giovanni Mascellani <g.mascellani at gmail.com>
> PhD Student - Scuola Normale Superiore, Pisa, Italy
>
> http://poisson.phc.unipi.it/~mascellani
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
--
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering