[prev in list] [next in list] [prev in thread] [next in thread]
List: vol-users
Subject: [Vol-users] Unable to get working profile - Vol 2.2, OS X 10.8.2
From: michael.hale () gmail ! com (Michael Hale Ligh)
Date: 2012-10-04 9:39:18
Message-ID: CAFM6LVBsbvbB2KyAr_p19uKpavof3K7pZHBGb4-52RMO7Y+iag () mail ! gmail ! com
[Download RAW message or body]
Cool.
If it becomes an annoyance to type -f --profile --kdbg --dtb, you can
always dump those in environment variables or a configuration file [1] and
then just invoke the much shorter vol.py pslist, vol.py psscan, etc.
MHL
[1].
http://code.google.com/p/volatility/wiki/VolatilityUsage22#Alternatives_to_Command_Line_Options
On Thu, Oct 4, 2012 at 5:21 PM, David Kovar <dkovar@gmail.com> wrote:
> Greetings,
>
> That did the trick! (And found some stuff that either wasn't present or
> wasn't obvious in Redline.)
>
> Thank you very much.
>
> -David
>
> On Oct 4, 2012, at 4:16 PM, Michael Hale Ligh <michael.hale@gmail.com>
> wrote:
>
> Hey David,
>
> Thanks for working with us to figure out the problem. Based on your
> imageinfo output:
>
> Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86,
> Win2003SP2x86
> AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
> AS Layer2 : FileAddressSpace (/Users/kovar/Mem
> Analysis/redacted_memdump.mem)
> PAE type : PAE
> DTB : 0x1595000L
> KDBG : 0x808943e0
> Number of Processors : 2
> Image Type (Service Pack) : 2
> KPCR for CPU 0 : 0xffdff000
> KPCR for CPU 1 : 0xf772f000
> KUSER_SHARED_DATA : 0xffdf0000
> Image date and time : 2012-10-01 19:31:06 UTC+0000
> Image local date and time : 2012-10-01 13:31:06 -0600
>
> Although there are three suggested profiles at the top, a little lower
> down it says the Image Type is Service Pack 2 - so IMO it sounds like the
> real profile is Win2003SP2x86. The AS Layer1 is JKIA32PagedMemoryPae
> which indicates its definitely a 32-bit memory dump and not x64. The fact
> that you see KPCR for CPU 0 and CPU 1 means we can dereference points in
> virtual space and properly translate them to physical addresses, which
> indicates the DTB of 0x1595000 should be valid. The value shown for the
> KDBG (0x808943e0) *can* be incorrect sometimes (which is why we have
> kdbgscan) but you ran kdbgscan and it only found one KDBG in physical space
> at 0x8943e0 (must be the one at virtual address 0x808943e0).
>
> What I would suggest is combining these pieces of evidence and supply them
> explicitly to volatility like this:
>
> $ python vol.py -f <IMAGE> --profile=Win2003SP2x86 --kdbg=0x808943e0
> --dtb=0x1595000 <PLUGIN>
>
> If you could let us know the output of that sequence when using the
> plugins pslist and psscan, we would appreciate it!
>
> Thanks,
> MHL
>
> On Thu, Oct 4, 2012 at 2:58 PM, David Kovar <dkovar@gmail.com> wrote:
>
>> Greetings,
>>
>> I am unable to get a viable profile for two different images. I built
>> V2.2 on a MacBook Pro running 10.8.2.
>>
>> This one may be a bad image:
>>
>> <kdbgscan returns silently>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *dmp kdbgscan
>> Volatile Systems Volatility Framework 2.2
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *dmp imageinfo
>> Volatile Systems Volatility Framework 2.2
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : No suggestion (Instantiated with no
>> profile)
>> AS Layer1 : FileAddressSpace (/Users/kovar/Mem
>> Analysis/redacted-27-09-2012-10-47-50.dmp)
>> PAE type : No PAE
>>
>> ----------------
>>
>>
>> But this one loads in Mandiant Redline but Volatility will not produce
>> any valid results. I've tried all three profiles with no success.
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem imageinfo
>> Volatile Systems Volatility Framework 2.2
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86,
>> Win2003SP2x86
>> AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
>> AS Layer2 : FileAddressSpace (/Users/kovar/Mem
>> Analysis/redacted_memdump.mem)
>> PAE type : PAE
>> DTB : 0x1595000L
>> KDBG : 0x808943e0
>> Number of Processors : 2
>> Image Type (Service Pack) : 2
>> KPCR for CPU 0 : 0xffdff000
>> KPCR for CPU 1 : 0xf772f000
>> KUSER_SHARED_DATA : 0xffdf0000
>> Image date and time : 2012-10-01 19:31:06 UTC+0000
>> Image local date and time : 2012-10-01 13:31:06 -0600
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem kdbgscan
>> Volatile Systems Volatility Framework 2.2
>> **************************************************
>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem
>> Win2003SP0x86 (5.2.3789 32bit)
>> Offset (P) : 0x8943e0
>> KDBG owner tag check : True
>> Profile suggestion (KDBGHeader): Win2003SP1x86
>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>> PsActiveProcessHead : 0x808ad0c8
>> PsLoadedModuleList : 0x808a6ea8
>> KernelBase : 0x80800000
>>
>> **************************************************
>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem
>> Win2003SP0x86 (5.2.3789 32bit)
>> Offset (P) : 0x8943e0
>> KDBG owner tag check : True
>> Profile suggestion (KDBGHeader): Win2003SP2x86
>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>> PsActiveProcessHead : 0x808ad0c8
>> PsLoadedModuleList : 0x808a6ea8
>> KernelBase : 0x80800000
>>
>> **************************************************
>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem
>> Win2003SP0x86 (5.2.3789 32bit)
>> Offset (P) : 0x8943e0
>> KDBG owner tag check : True
>> Profile suggestion (KDBGHeader): Win2003SP0x86
>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>> PsActiveProcessHead : 0x808ad0c8
>> PsLoadedModuleList : 0x808a6ea8
>> KernelBase : 0x80800000
>>
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem --profile=Win2003SP0x86
>> pslist
>> Volatile Systems Volatility Framework 2.2
>> No suitable address space mapping found
>> Tried to open image as:
>> LimeAddressSpace: lime: need base
>> WindowsHiberFileSpace32: No base Address Space
>> WindowsCrashDumpSpace64: No base Address Space
>> WindowsCrashDumpSpace32: No base Address Space
>> AMD64PagedMemory: No base Address Space
>> JKIA32PagedMemory: No base Address Space
>> IA32PagedMemoryPae: Module disabled
>> JKIA32PagedMemoryPae: No base Address Space
>> IA32PagedMemory: Module disabled
>> LimeAddressSpace: Invalid Lime header signature
>> WindowsHiberFileSpace32: No xpress signature found
>> WindowsCrashDumpSpace64: Header signature invalid
>> WindowsCrashDumpSpace32: Header signature invalid
>> AMD64PagedMemory: Incompatible profile Win2003SP0x86 selected
>> JKIA32PagedMemory: No valid DTB found
>> IA32PagedMemoryPae: Module disabled
>> JKIA32PagedMemoryPae: No valid DTB found
>> IA32PagedMemory: Module disabled
>> FileAddressSpace: Must be first Address Space
>>
>>
>> -----
>>
>> Thanks for any help you might be able to offer.
>>
>> -David
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users@volatilesystems.com
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilesystems.com/pipermail/vol-users/attachments/20121004/3bd54e96/attachment.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic