no process in pslist :( #9
Could you confirm whether you have adjusted the configuration file used by ./start_x86_64.sh (pyrebox.conf.Win7SP0x64) to the operating system version you are emulating? By default this configuration file uses the profile for Win7SP0x64. Also, are you enabling KVM?

You mean KVM as in the -enable-kvm option? Sure.

Ok, then you might want to read this issue: #2. Although for Win7 64-bit there are no differences in the required kernel offsets between SP0 and SP1, this might be important for other OS versions. Also, QEMU (in whole-system emulation mode) does not allow loading a snapshot taken in KVM mode. This would be useful to quickly boot up the system, take a snapshot, and then load from there in whole-system emulation mode. Although you may only need to do this once, we are also working on a workaround for this in order to speed up the setup of the machine.

Thanks for your information. Do you mean KVM is ?

A quick way to know if KVM is enabled is to use the following qemu command:

The only way I can reproduce this error is to use an incorrect volatility profile. For instance, if I try to run pyrebox for an XP machine specifying the following profile in pyrebox.conf:

[VOL]

then it will not find KDBG, and when trying to run VolShell:

Error while executing volatility command

Another possibility I can think of is that volatility was not correctly installed. From your pyrebox directory, try removing the volatility/ directory and run this:

git clone https://github.com/volatilityfoundation/volatility volatility

I reinstalled XP 32-bit and it works. Thanks for your information 👍

unknown@unknown:~/Desktop/pyrebox$ ./start_i386.sh /mnt/hgfs/Shared/QEMU/xpsp3.qcow2
[*] Loading python component initialization script

unknown@unknown:~/Desktop/pyrebox$ ./pyrebox-i386 -monitor stdio -m 512 -usb -drive file=/mnt/hgfs/Shared/QEMU/xpsp3.qcow2,index=0,media=disk,format=qcow2,cache=unsafe -vnc 127.0.0.1:0
[*] Loading python component initialization script
explorer...
[4] pyrebox(4)> ps
where is calc LOL
[6] pyrebox(4)> proc calc.exe
anyways Thanks!

I'm glad you managed to run it :-). The reason why the script is not working is that it tells pyrebox to start a VM with 256 MB of RAM. When it tries to load a snapshot of a machine with 512 MB of RAM, it fails (I guess you created a snapshot "init" with 512 MB of RAM). Finally, in order to set the context to one specific process using its process name (e.g. proc calc), the process needs to be running on the system. I will close this issue given that you already managed to run PyREBox successfully. Enjoy it!
Hi! I'm setting up pyrebox but it doesn't show any process :(
$ sudo ./start_x86_64.sh /mnt/hgfs/Shared/QEMU/imagesWin7x64
[*] Loading python component initialization script
[*] Platform: x86_64-softmmu
[*] Starting python module initialization
[*] Reading configuration
[*] Importing scripts.script_example
[scripts.script_example] [*] Initializing callbacks
[scripts.script_example] [*] Initialized callbacks
[*] Finished python module initialization
[*] Searching for KDBG... << no message about KDBG ? :(
QEMU 2.9.0 monitor - type 'help' for more information
[13] pyrebox> ps
CPU 0 PGD: 1ef111a0 InKernel: 1
+------+---------+-----------+-----+-----+
| Name | Running | Monitored | PID | PGD |
+------+---------+-----------+-----+-----+
+------+---------+-----------+-----+-----+
[14] pyrebox> vol pslist
VolShell: Error while executing volatility command
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
screendump works. Windows booted normally. Thanks.
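The thread traces the empty `ps` table and the "No suitable address space mapping found" error to three launch-time mistakes: KVM not actually being available to QEMU, a volatility profile in the [VOL] section of pyrebox.conf that does not match the guest, and a start script whose -m value differs from the RAM the "init" snapshot was taken with. The pre-flight script below is an added example written for this page; it is not PyREBox code. It assumes the config is INI-style with a `profile` key under [VOL] and that the snapshot tag is "init", both taken from the thread rather than from a PyREBox checkout; the config and command line it runs on are constructed samples.

```shell
#!/bin/sh
# Pre-flight checks for a PyREBox/QEMU launch (added example, not PyREBox code).
# 1. Is KVM usable on the host?  -enable-kvm needs /dev/kvm.
# 2. Which volatility profile does [VOL] in pyrebox.conf select?
# 3. How much RAM does the launch command pass with -m?  It must equal the
#    RAM the snapshot was taken with, or loadvm fails as described above.
# Assumption: the config key is `profile` under a [VOL] section.

# 1. KVM. Inside a running QEMU monitor, `info kvm` reports the same thing.
kvm_available() {
    [ -c /dev/kvm ] && [ -r /dev/kvm ] && [ -w /dev/kvm ]
}

# 2. Print the `profile` value of the [VOL] section of the config on stdin.
#    Accepts "key = value" and "key: value", both valid for Python's
#    ConfigParser, which is what reads pyrebox.conf.
vol_profile() {
    awk -F '[=:]' '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[VOL\]/); next }
        insec && $1 ~ /^[[:space:]]*profile[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
        }'
}

# Convert a QEMU memory size ("512", "512M", "1G") to MiB.
to_mib() {
    case "$1" in
        *[Gg]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo "${1%?}" ;;
        *)     echo "$1" ;;
    esac
}

# 3. Extract the -m value (in MiB) from a QEMU/PyREBox command line.
#    Returns 1 if no -m flag is present.
qemu_mem_mib() {
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "-m" ]; then
            to_mib "$2"
            return 0
        fi
        shift
    done
    return 1
}

# True when the command line's -m equals the RAM the snapshot was taken with.
ram_matches_snapshot() {
    cmdline="$1"; snapshot_mib="$2"
    m="$(qemu_mem_mib "$cmdline")" || return 1
    [ "$m" -eq "$(to_mib "$snapshot_mib")" ]
}

# Demo on constructed inputs (not files from a PyREBox checkout).
SAMPLE_CONF='[MODULES]
scripts.script_example: True

[VOL]
profile: Win7SP0x64
'
# The start script in the thread passed 256 MB; the snapshot was taken with 512.
SCRIPT_CMD='./pyrebox-x86_64 -monitor stdio -m 256 -usb -drive file=win7.qcow2,index=0,media=disk,format=qcow2 -vnc 127.0.0.1:0'

if kvm_available; then echo "KVM: /dev/kvm usable"; else echo "KVM: not available to this user"; fi
echo "Profile selected in [VOL]: $(printf '%s' "$SAMPLE_CONF" | vol_profile)"
if ram_matches_snapshot "$SCRIPT_CMD" 512; then
    echo "RAM: -m matches the 512 MB snapshot"
else
    echo "RAM: -m $(qemu_mem_mib "$SCRIPT_CMD") MiB does not match the 512 MB snapshot; loadvm will fail"
fi
```

Point `vol_profile` at the real pyrebox.conf (`vol_profile < pyrebox.conf`) and `ram_matches_snapshot` at the pyrebox-* line from your start script to check your own setup; the profile it prints has to be the one for the guest you actually boot, which is the first thing the maintainer asks about.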