Volatility failed to scan a VirtualBox memory dump
I made a memory dump in ELF format using the VirtualBox manager.
VBoxManage debugvm "image_name" dumpguestcore --filename test.elf
It worked fine. Then I tried to analyze the dump with Volatility.
imageinfo ran fine and returned a result.
volatility-2.2.standalone.exe -f test.elf imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : FileAddressSpace (C:\work\volatility\test.elf)
PAE type : No PAE
DTB : 0x2f3000L
KDBG : 0x5461d0
Number of Processors : 0
Image Type (Service Pack) : -
KUSER_SHARED_DATA : 0xffdf0000L
It failed when I tried to use pslist.
volatility-2.2.standalone.exe -f test.elf --profile=WinXPSP3x86 pslist
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP3x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Can anyone help me see why Volatility reports the "No suitable address space mapping found" problem?
Thanks a lot!