I did a memory dump in ELF format using the VirtualBox manager.
VBoxManage debugvm "image_name" dumpguestcore --filename test.elf
It worked well. Then I tried to analyze the dump with Volatility.
imageinfo worked well and gave a result.
volatility-2.2.standalone.exe -f test.elf imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : FileAddressSpace (C:\work\volatility\test.elf)
PAE type : No PAE
DTB : 0x2f3000L
KDBG : 0x5461d0
Number of Processors : 0
Image Type (Service Pack) : -
KUSER_SHARED_DATA : 0xffdf0000L
It failed when I tried to use pslist.
volatility-2.2.standalone.exe -f test.elf --profile=WinXPSP3x86 pslist
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP3x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Could anyone help look at why Volatility could not find a "suitable address space mapping"?
Great thanks!!
Solved: the VirtualBox memory dump used the ELF64 format, but Volatility 2.2 didn't support it. The plugin here http://wiki.yobi.be/wiki/RAM_analysis could be used to support the ELF64 format.
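A quick triage check for this situation, as an added example (not code from the post, Volatility, or the linked plugin): it confirms a dump is an ELF64 core and lists the PT_LOAD runs an address space would need to translate a physical address to a file offset. The sample header is constructed, and treating p_paddr as the guest physical address is an assumption about the dump layout.

```python
import struct

ELFCLASS64, ELFDATA2LSB, ET_CORE, PT_LOAD = 2, 1, 4, 1

def parse_elf64_core(data):
    """Return sorted (p_paddr, p_offset, p_filesz) runs for each PT_LOAD segment."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("not ELF64 (EI_CLASS=%d)" % data[4])
    if data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    if e_type != ET_CORE:
        raise ValueError("not a core file (e_type=%d)" % e_type)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    runs = []
    for i in range(e_phnum):
        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz:
            runs.append((p_paddr, p_offset, p_filesz))
    return sorted(runs)

def phys_to_offset(runs, paddr):
    """Map a physical address to a file offset, or None if it is in a hole."""
    for base, offset, size in runs:
        if base <= paddr < base + size:
            return offset + (paddr - base)
    return None

def build_sample():
    """Constructed ELF64 core header: one PT_NOTE and two PT_LOAD segments."""
    phdrs = [(4, 0, 0x100, 0, 0, 0x20, 0x20, 0),                     # PT_NOTE
             (1, 0, 0x1000, 0, 0x0, 0xA0000, 0xA0000, 0),            # low RAM
             (1, 0, 0xA1000, 0, 0x100000, 0x200000, 0x200000, 0)]    # RAM above 1 MiB
    ehdr = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_CORE, 62, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)

if __name__ == "__main__":
    runs = parse_elf64_core(build_sample())
    for base, offset, size in runs:
        print("phys 0x%08x -> file 0x%08x (0x%x bytes)" % (base, offset, size))
    # 0x2f3000 is the DTB value from the imageinfo output above.
    print("DTB file offset:", hex(phys_to_offset(runs, 0x2F3000)))
```

On a real dump, pass the first few kilobytes of the file to parse_elf64_core; a ValueError tells you which header check failed.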