profile problem of guest OS Debian 9

[H0w1]

Hi!
My guest OS is Debian 9. My host is Ubuntu18.04. I get my volatility profile from volatilityfoundation/profiles Github. It seems that this profile does not work. I wonder if it is because of Pyrebox's not supporting Debian or my mistake?
Also, is it the "Cannot determine partition type" caused by this profile problem?
This is my output of :
"./pyrebox-x86_64
-kernel $KERNEL/arch/x86/boot/bzImage
-drive file=$IMAGE,index=0,media=disk,format=qcow2,cache=unsafe
-monitor stdio -usb
-display none
-smp 2 -m 2G
-append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ"
-net user,hostfwd=tcp::$2-:22 -net nic
-vnc 127.0.0.1:0 ${snapshot}
--pidfile $WORKDIR/vm.pid "

[] Loading python component initialization script
[] Platform: x86_64-softmmu
[] Starting python module initialization
[] Reading configuration from 'pyrebox.conf'
[] Setting up Linux Profile...
Could not retrieve symbols for profile initialization 'pyrebox_thread_stack_size_info'[] Initializing scripts...
[] Loading python module scripts.script_example.py
[!] Could not initialize python module due to exception
No module named py
[] Finished python module initialization
QEMU 4.0.0 monitor - type 'help' for more information
(qemu)
[SLEUTHKIT]
Opening image - Size: 2147483648
[!] Error, could not open volume system
Cannot determine partition type

[H0w1]

Here is my pyrebox.conf:

[MODULES]
scripts.script_example.py: True
scripts.volatility_example: False

[VOL]
profile: LinuxDebian94x64

[AGENT]
name: linux_agent_64
conf: linux_agent_64.conf

[SYMBOL_CACHE]
path: symbols.LinuxDebian94x64

[xabiugarte]

Hi @H0w1 ,

I can see a couple of things there:

[!] Could not initialize python module due to exception
No module named py

This is happening because of an error in the [MODULES] section of your pyrebox.conf:

scripts.script_example.py: True

This section should list scripts to load in the notation used by python to import modules: just remove the ".py" at the end:

scripts.script_example: True

The second error:

[!] Error, could not open volume system
Cannot determine partition type

This happens when you try to load an uninitialized disk into PyREBox. Have you properly initialized the image pointed by $IMAGE?

In such a case, could you tell me how you initialized it so that I can reproduce the error?

Thanks,

[H0w1]

Thanks a lot for your reply @xabiugarte.

The image which pointed by $IMAGE comes from a script create-image.sh .
It is used by Syzkaller to create a Debian Stretch Linux image with a minimal set of required packages. Some details about that. I converted it to qcow2 format then.
./qemu/qemu-img convert -f raw -o compat=0.10 -O qcow2 stretch.img py_test.qcow2

This image goes well when I use the raw qemu-system-x86_64, I can get an ssh connection to the VM when it is running.

[H0w1]

Hi @xabiugarte ,
Thanks for your advice, I have solved this

[!] Could not initialize python module due to exception
No module named py

The second error

[!] Error, could not open volume system
Cannot determine partition type

I still cannot solve it. The good news is that I can connect to the VM by ssh now. At least the VM can run. But both ps command and vol linux_psaux don't work.
P.S. I found if I use 2>&1 | tee vm.log as part of pyrebox-x86_64's argument , when I use q to quit the qemu monitor, the thread will block. kill -9 is needed to kill it successfully.

Here is my output :

[*] Loading python component initialization script
[*] Platform: x86_64-softmmu
[*] Starting python module initialization
[*] Reading configuration from 'pyrebox.conf'
[*] Setting up Linux Profile...
Could not retrieve symbols for profile initialization 'pyrebox_thread_stack_size_info'[*] Initializing scripts...
[*]  Loading python module scripts.script_example
[*]  Loading python module plugins.guest_agent
[plugins.guest_agent] [*]    Initializing guest_agent plugin
[scripts.script_example] [*]    Initializing callbacks
[scripts.script_example] [*]    Initialized callbacks
[*] Finished python module initialization
QEMU 4.0.0 monitor - type 'help' for more information
(qemu) 
[SLEUTHKIT]
Opening image - Size: 2147483648
[!] Error, could not open volume system
Cannot determine partition type

(qemu) sh

[1] pyrebox> ps
CPU 0 PGD: 0 InKernel: 1
CPU 1 PGD: 0 InKernel: 1
+------+---------+-----------+-----+-----+
| Name | Running | Monitored | PID | PGD |
+------+---------+-----------+-----+-----+
+------+---------+-----------+-----+-----+

[2] pyrebox> vol linux_psaux
Pid    Uid    Gid    Arguments                                                       
VolShell: Error while executing volatility command
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 PMemAddressSpace: Must be first Address Space
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareMetaAddressSpace - EXCEPTION: 'NoneType' object has no attribute 'startswith'
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxDebian94x64 selected
 WindowsAMD64PagedMemory: Incompatible profile LinuxDebian94x64 selected
 LinuxAMD64PagedMemory: Failed valid Address Space check
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxDebian94x64 selected
 IA32PagedMemory: Incompatible profile LinuxDebian94x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

[xabiugarte]

Hi,

I am revisiting this issue. Sorry for the long wait. Did you finally solve the problem?

Thanks,