Commentaires sur : Volatilitux : Physical memory analysis of Linux systems https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/ Projets d’un consultant en sécurité informatique Sat, 22 Aug 2015 12:46:18 +0000 hourly 1 http://wordpress.org/?v=3.4.2 Par : Emilien Girault https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-670 Emilien Girault Tue, 05 Feb 2013 08:58:48 +0000 http://www.segmentationfault.fr/?p=858#comment-670 Hi, You get this error because 2 pages of this file are indeed not mapped anymore; the OS must have swapped them on disk. However, if you look at the remaining 3 pages, you will notice that they are separated into 2 groups of contiguous physical pages (you can see it by computing the physical address of each one). The 2 pages that are missing are actually still in RAM (although they are marked as absent on their Page Table) and are respectively after the first group, and before the second group. It seems that the OS did not have time to clear them, and this was done on purpose by the challenge creators. You can still manually dump both of the missing pages and reassemble the complete secret.apk file. This procedure is described in some of the official solutions (http://communaute.sstic.org/ChallengeSSTIC2010), but are unfortunately in French... Hi,
You get this error because 2 pages of this file are indeed not mapped anymore; the OS must have swapped them on disk. However, if you look at the remaining 3 pages, you will notice that they are separated into 2 groups of contiguous physical pages (you can see it by computing the physical address of each one). The 2 pages that are missing are actually still in RAM (although they are marked as absent on their Page Table) and are respectively after the first group, and before the second group. It seems that the OS did not have time to clear them, and this was done on purpose by the challenge creators.
You can still manually dump both of the missing pages and reassemble the complete secret.apk file. This procedure is described in some of the official solutions (http://communaute.sstic.org/ChallengeSSTIC2010), but are unfortunately in French…

]]> Par : jomars https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-669 jomars Mon, 04 Feb 2013 22:43:42 +0000 http://www.segmentationfault.fr/?p=858#comment-669 hello. Iam tring to solve the challv2 using volatilitux. ok with textviewer.apk. But what about secret.apk ? when i tried to export ,i got "Warning: Page 426f5000-426f6000 is invalid! Warning: Page 426f6000-426f7000 is invalid! Warning: The target memory range is incomplete, because 2 pages out of 5 are not mapped anymore. " when i tried to install failed. Does anyone have any ideas about this? thanks. hello. Iam tring to solve the challv2 using volatilitux. ok with textviewer.apk. But what about secret.apk ? when i tried to export ,i got « Warning: Page 426f5000-426f6000 is invalid!
Warning: Page 426f6000-426f7000 is invalid!
Warning: The target memory range is incomplete, because 2 pages out of 5 are not mapped anymore.
 »
when i tried to install failed. Does anyone have any ideas about this? thanks.

]]> Par : Emilien Girault https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-664 Emilien Girault Mon, 17 Dec 2012 18:53:51 +0000 http://www.segmentationfault.fr/?p=858#comment-664 Hello, You have the same bug than phocean (see the 1st comment) due to 64 bits. Please check out the last version of the framework (http://code.google.com/p/volatilitux/source/checkout), that fixes this issue. See http://code.google.com/p/volatilitux/source/diff?spec=svn6&r=6&format=side&path=/trunk/core/raw_dump.py Hello,
You have the same bug than phocean (see the 1st comment) due to 64 bits. Please check out the last version of the framework (http://code.google.com/p/volatilitux/source/checkout), that fixes this issue. See http://code.google.com/p/volatilitux/source/diff?spec=svn6&r=6&format=side&path=/trunk/core/raw_dump.py

]]> Par : tsukishiro https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-662 tsukishiro Thu, 13 Dec 2012 06:34:40 +0000 http://www.segmentationfault.fr/?p=858#comment-662 Hello, I downloaded volatilitux and the challv2 file but I always get "Error: RawDump: Unable to read physical memory at offset 2a0e54". I also get a similar error with different offset value for the android dump that I took. Can you help me with this one? Btw, thanks for your effort on making this framework! Hello,

I downloaded volatilitux and the challv2 file but I always get « Error: RawDump: Unable to read physical memory at offset 2a0e54″. I also get a similar error with different offset value for the android dump that I took.

Can you help me with this one?

Btw, thanks for your effort on making this framework!

]]> Par : Geo https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-608 Geo Tue, 15 May 2012 07:51:01 +0000 http://www.segmentationfault.fr/?p=858#comment-608 Hi, Thanks for the quick answer. I'm using LiMe for Android and I don't think my dump is invalid because I tried the same things with the Android emulator and it works perfectly. I'll told you if I find. Bye Hi,

Thanks for the quick answer.

I’m using LiMe for Android and I don’t think my dump is invalid because I tried the same things with the Android emulator and it works perfectly.

I’ll told you if I find.

Bye

]]> Par : Emilien Girault https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-607 Emilien Girault Mon, 14 May 2012 21:08:30 +0000 http://www.segmentationfault.fr/?p=858#comment-607 Hi, I actually have a lot of feedback about this issue. In most of the cases, this is due to an invalid dump: the method you used to acquire your dump may be erroneous, or the dump you provided was not a full RAM dump. Using "cat /proc/kcore" is not a valid method since this file is actually in ELF format. Using /dev/mem doesn't work either on recent Linux distribs because of kernel restrictions. <a href="http://www.forensicswiki.org/wiki/Tools:Memory_Imaging" rel="nofollow">This page</a> counts a few methods to perform a valid RAM dump. I usually recommend to use the fmem tool that creates a /dev/fmem pseudo-device that you can "cat" like /dev/mem. Unfortunately I never had the time to try it so I can't really provide feedback on this side. Good luck! Hi, I actually have a lot of feedback about this issue. In most of the cases, this is due to an invalid dump: the method you used to acquire your dump may be erroneous, or the dump you provided was not a full RAM dump.
Using « cat /proc/kcore » is not a valid method since this file is actually in ELF format. Using /dev/mem doesn’t work either on recent Linux distribs because of kernel restrictions. This page counts a few methods to perform a valid RAM dump. I usually recommend to use the fmem tool that creates a /dev/fmem pseudo-device that you can « cat » like /dev/mem. Unfortunately I never had the time to try it so I can’t really provide feedback on this side.
Good luck!

]]> Par : Geo https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-606 Geo Mon, 14 May 2012 13:38:56 +0000 http://www.segmentationfault.fr/?p=858#comment-606 Hi emilien, Great Work for Volatilitux. I have a little problem A dump of a tablet on android 4.0.3 I use your lkm to build a config file but it doesn't work: : KernelSpace: Unable to translate virtual address (14c) below PAGE_OFFSET Do you have any ideas? Thx a lot Hi emilien,

Great Work for Volatilitux.
I have a little problem
A dump of a tablet on android 4.0.3 I use your lkm to build a config file but it doesn’t work:
: KernelSpace: Unable to translate virtual address (14c) below PAGE_OFFSET

Do you have any ideas? Thx a lot

]]> Par : Fernando Mercês https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-602 Fernando Mercês Tue, 27 Mar 2012 14:45:53 +0000 http://www.segmentationfault.fr/?p=858#comment-602 Congratulations! It's a really impressive tool. Congratulations! It’s a really impressive tool.

]]> Par : phocean https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-600 phocean Wed, 14 Mar 2012 20:30:37 +0000 http://www.segmentationfault.fr/?p=858#comment-600 I restarted the whole fmem procedure and it worked. This time I carefully checked the md5 checksum and also used this command for dd: dd if=/dev/fmem count=`head -n 1 /proc/meminfo |cut -f 9 -d \` of=disk.img bs=1MB Last time I just used free to get the amount of RAM and my guess is that I probably messed up with the value. Anyway, I am glad it works now. Thank you for your support Emilien. I restarted the whole fmem procedure and it worked.
This time I carefully checked the md5 checksum and also used this command for dd:
dd if=/dev/fmem count=`head -n 1 /proc/meminfo |cut -f 9 -d \` of=disk.img bs=1MB
Last time I just used free to get the amount of RAM and my guess is that I probably messed up with the value.
Anyway, I am glad it works now. Thank you for your support Emilien.

]]> Par : Emilien Girault https://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/comment-page-1/#comment-599 Emilien Girault Wed, 14 Mar 2012 12:48:56 +0000 http://www.segmentationfault.fr/?p=858#comment-599 I've never actually used it so I can't really help, sorry... But please let me know if you solve your problem. I’ve never actually used it so I can’t really help, sorry… But please let me know if you solve your problem.

]]>