-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No suitable address space mapping found #53
Comments
hi @darshantank
This usually means that Volatility tried all avaiable address spaces, and none of them has been selected.
When the You can ask Volatility devs for more information. |
In the interim I would suggest just using the |
@ tklengyel I'm very much keen and interested to integrate LibVMI with Volatility framework. I'm completely unaware of the functionality of the vmifs tool. Sir, May I ask you, How do I use vmifs tool with Volatility on a live virtual machine? Could you please elaborate the steps ? Thanking you. |
It's really straight forward. Compile it and it will tell you how to use it. It creates a file that represents the target VMs memory. You run Volatility on that file as if it was an ordinary memory dump. |
@ tklengyel After following your instructions, I'm able to install volatility framework and integrate it with python-libvmi. I'm able to run pslist plugin on my Windows 7 VM. But I'm unable to run any plugins on my Ubuntu 16.04.6 VM. I have successfully created new profile for my VM running Ubuntu 16.04.6 LTS as described at https://github.com/volatilityfoundation/volatility/wiki/Linux And move the zip file under 'volatility/plugins/overlays/linux/' python vol.py --info | grep Linux Volatility Foundation Volatility Framework 2.6.1 But when I run vol.py, it shows the following message on my terminal , and did not get the list of running process. Offset Name Pid PPid Uid Gid DTB Start Time No suitable address space mapping found I would greatly appreciate it if you kindly give us some feedback and share your views. Thanks |
I'm trying to use LibVMI python bindings to introspect my VMs (win7 and ubuntu).
When I run the command, I get following message on my terminal.
# python vol.py -l vmi://win7_Guest --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
LimeAddressSpace - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
WindowsHiberFileSpace32 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
WindowsCrashDumpSpace64BitMap - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
WindowsCrashDumpSpace64 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
HPAKAddressSpace: Location is not of file scheme
VMWareMetaAddressSpace: Location is not of file scheme
VirtualBoxCoreDumpElf64 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
QemuCoreDumpElf - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
VMWareAddressSpace: Invalid VMware signature: -
WindowsCrashDumpSpace32 - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
SkipDuplicatesAMD64PagedMemory: Incompatible profile Win7SP1x64 selected
WindowsAMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
LinuxAMD64PagedMemory: Incompatible profile Win7SP1x64 selected
AMD64PagedMemory - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
IA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
IA32PagedMemory: Incompatible profile Win7SP1x64 selected
OSXPmemELF - EXCEPTION: 'CompiledFFI' object has no attribute 'unpack'
VMIAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Profile does not have valid Address Space check
I'm missing something at somewhere. What are the possible causes of such message?
Thanking you.
The text was updated successfully, but these errors were encountered: