Hi all,
In my continuing exploration of Windows memory and Volatility I'm currently looking at Windows, literally, the GUI.
Looking at a notepad process, wintree shows me:
.Untitled - Notepad (visible) notepad.exe:100 Notepad
..#20128 notepad.exe:100 6.0.7601.17514!msctls_statusbar32
..#20126 (visible) notepad.exe:100 6.0.7601.17514!Edit
.Default IME notepad.exe:100 IME
.MSCTFIME UI notepad.exe:100 MSCTFIME UI
So, I'm assuming #20128 is the status bar at the bottom of the Notepad window, and #20126 is the edit control, that is, the textarea into which the user types.
This is the corresponding output from the windows plugin for the edit control:
Window Handle: #20126 at 0xfea0dc70, Name:
ClassAtom: 0xc119, Class: 6.0.7601.17514!Edit
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfe2a4008, Tid: 1692 at 0x8550d368
ppi: 0xffa95550, Process: notepad.exe, Pid: 100
Visible: Yes
Left: 10, Top: 52, Bottom: 485, Right: 701
Style Flags: WS_VSCROLL,WS_CHILD,WS_OVERLAPPED,WS_VISIBLE,WS_HSCROLL
ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x744399d0
Question 1:
Window Handle: #20126 at 0xfea0dc70 - what is the offset? Physical, virtual? Of what? The Edit control object?
(I'm guessing: physical, yes, of the edit control object.)
Question 2:
I can see that its Window-esque properties (X, Y, width, height, style flags, et al.) are all clearly present, but where can I find information specific to this control (in this instance, an 'Edit')? For example, maybe the text it contains?
(I'm guessing, take a look at 0xfea0dc70 and there'll be some kind of structure to parse.)
As always, many thanks. (This is all going towards a plugin that I'm hoping to write!)
Also as always, if I could've found this information on my own, please let me know where to look.
I've read the Command Reference and the associated MoVP posts.
Adam
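As an added example (not code from the post or from the Volatility project), the script below parses `windows` plugin records of the exact line layout quoted above into structured objects and flags windows that are reported as not visible or that have no on-screen area, a routine triage question when reviewing a process's GUI objects. It assumes only that line layout; the first sample record is the Edit control from the post, the second is a constructed hidden window so the triage helper has something to flag.

```python
"""Parse records printed by Volatility's ``windows`` plugin (added example, not
the post's or the project's code; it assumes only the line format quoted in the
post). First sample record is the Edit control from the post; the second is a
constructed hidden window so the triage helper has something to flag."""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
Window Handle: #20126 at 0xfea0dc70, Name:
ClassAtom: 0xc119, Class: 6.0.7601.17514!Edit
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfe2a4008, Tid: 1692 at 0x8550d368
ppi: 0xffa95550, Process: notepad.exe, Pid: 100
Visible: Yes
Left: 10, Top: 52, Bottom: 485, Right: 701
Style Flags: WS_VSCROLL,WS_CHILD,WS_OVERLAPPED,WS_VISIBLE,WS_HSCROLL
ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x744399d0
Window Handle: #1f at 0xfea0e000, Name: constructed hidden window
ClassAtom: 0xc001, Class: Static
ppi: 0xffa95550, Process: notepad.exe, Pid: 100
Visible: No
Left: 0, Top: 0, Bottom: 0, Right: 0
Style Flags: WS_CHILD,WS_OVERLAPPED
ExStyle Flags: WS_EX_LEFT
Window procedure: 0x744399d0
"""

@dataclass
class WindowRecord:
    handle: str = ""
    offset: int = 0          # the address printed after "at"; treated as an opaque key here
    name: str = ""
    cls: str = ""
    tid: int = 0
    process: str = ""
    pid: int = 0
    visible: bool = False
    left: int = 0
    top: int = 0
    bottom: int = 0
    right: int = 0
    styles: set = field(default_factory=set)
    exstyles: set = field(default_factory=set)

    def area(self) -> int:
        """On-screen area in pixels; 0 for empty or inverted rectangles."""
        return max(0, self.right - self.left) * max(0, self.bottom - self.top)

# One anchored regex per line shape, so "ClassAtom"/"Class" and "Style"/"ExStyle" cannot collide.
RE_HEADER = re.compile(r"^Window Handle: (#[0-9a-f]+) at (0x[0-9a-f]+), Name: ?(.*)$")
RE_CLASS = re.compile(r"^ClassAtom: 0x[0-9a-f]+, Class: ?(.*)$")
RE_PTI = re.compile(r"^pti: 0x[0-9a-f]+, Tid: (\d+) at 0x[0-9a-f]+$")
RE_PPI = re.compile(r"^ppi: 0x[0-9a-f]+, Process: (.*), Pid: (\d+)$")
RE_RECT = re.compile(r"^Left: (-?\d+), Top: (-?\d+), Bottom: (-?\d+), Right: (-?\d+)$")
RE_STYLE = re.compile(r"^Style Flags: ?(.*)$")
RE_EXSTYLE = re.compile(r"^ExStyle Flags: ?(.*)$")

def _flags(s: str) -> set:
    return {f.strip() for f in s.split(",") if f.strip()}

def parse_windows_output(text: str) -> list:
    """One WindowRecord per "Window Handle:" line; unknown lines are ignored."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_HEADER.match(line):
            cur = WindowRecord(handle=m[1], offset=int(m[2], 16), name=m[3].strip())
            records.append(cur)
        elif cur is None or not line:
            continue
        elif m := RE_CLASS.match(line):
            cur.cls = m[1].strip()
        elif m := RE_PTI.match(line):
            cur.tid = int(m[1])
        elif m := RE_PPI.match(line):
            cur.process, cur.pid = m[1].strip(), int(m[2])
        elif line.startswith("Visible:"):
            cur.visible = line.split(":", 1)[1].strip() == "Yes"
        elif m := RE_RECT.match(line):
            cur.left, cur.top, cur.bottom, cur.right = (int(v) for v in m.groups())
        elif m := RE_STYLE.match(line):
            cur.styles = _flags(m[1])
        elif m := RE_EXSTYLE.match(line):
            cur.exstyles = _flags(m[1])
    return records

def triage(records: list) -> list:
    """(handle, reason) pairs worth a second look: windows reported as not visible
    or lacking WS_VISIBLE, and windows with no on-screen area. Both are normal for
    some controls, so this is a review queue, not a verdict."""
    flagged = []
    for r in records:
        reasons = []
        if not r.visible or "WS_VISIBLE" not in r.styles:
            reasons.append("not visible")
        if r.area() == 0:
            reasons.append("zero-area rectangle")
        if reasons:
            flagged.append((r.handle, "; ".join(reasons)))
    return flagged
```

Feed it the full `windows` output for a process (for example via `parse_windows_output(open("windows.txt").read())`) and the Edit control parses to pid 100, a 691 by 433 rectangle and a style set containing WS_VISIBLE, while the constructed second record is the only one the triage helper returns.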
Hello guys,
I'm trying to use Volatility through Firewire, but actually it's not working.
My investigator PC runs Ubuntu Linux 12.04.
I'm using the new (JuJu) Firewire stack compiled into the kernel and I also installed forensic1394.
My Firewire bus is up and connected to a Firewire bus on a target Win7 system (4GB memory).
I can successfully dump the memory with another tool called 'inception'.
However, the output only says:
vol# python vol.py -l firewire://forensic1394/0 --profile=Win7SP1x64 modules
Volatility Foundation Volatility Framework 2.3.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
FileAddressSpace: Location is not of file scheme
ArmAddressSpace: No base Address Space
What am I doing wrong?
Thank you!
--
Sebastian
Hello Jamie,
Apologies for delayed response. Had a short break with family.
I tried using the dumpfiles plugin as per your advice. It turned out to work against WinXP, but seems not to against Win7SP1x86. Is this a known limitation?
Thanks again mate.
Regards,
Roger
On Feb 18, 2014, at 5:00 AM, vol-users-request(a)volatilityfoundation.org wrote:
> Today's Topics:
>
> 1. dumping registry hive(s) from memory image (Roger)
> 2. Re: dumping registry hive(s) from memory image (Jamie Levy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 17 Feb 2014 16:53:01 +1100
> From: Roger <roger.franklin67(a)gmail.com>
> Subject: [Vol-users] dumping registry hive(s) from memory image
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID: <98444CAC-D5F0-473B-88EB-75CC983F2869(a)gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files.
>
> Has any one found a way of doing it?
>
> Thank you very much in advance.
>
> Kind regards,
> Roger
>
> ------------------------------
>
> Message: 2
> Date: Mon, 17 Feb 2014 10:22:32 -0500
> From: Jamie Levy <jamie.levy(a)gmail.com>
> Subject: Re: [Vol-users] dumping registry hive(s) from memory image
> To: vol-users(a)volatilityfoundation.org
> Message-ID: <53022938.4040302(a)gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Roger,
>
> Try using the dumpfiles plugin:
>
> http://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
>
> You can use an example similar to the event logs one in order to dump
> the registry file. Let me know if you need help.
>
> All the best,
>
> -Jamie
>
>
>
> On 2/17/2014 12:53 AM, Roger wrote:
>> I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files.
>>
>> Has any one found a way of doing it?
>>
>> Thank you very much in advance.
>>
>> Kind regards,
>> Roger
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
> --
> Jamie Levy (@gleeda)
> Blog: http://volatility-labs.blogspot.com/
> GPG: http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
> Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>
>
> ------------------------------
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
> End of Vol-users Digest, Vol 68, Issue 6
> ****************************************
Michael and Jamie,
Thanks. I found I made a couple of stupid mistakes. The second was sending the message below to the wrong email when I figured out the first late yesterday evening.
My apologies, I've figured out that it was 64 bit, and I was completely mistaken about it being 32 bit.
I assumed that it was 32-bit because the 64-bit profiles took much longer to run, and I'd assumed they were hanging. I think I used a slow computer, and suspect that having everything on USB also slowed things down.
I decided I ought to check my work better, and let imageinfo run for the three hours it needed. In hindsight, I think I should have run hibinfo instead, as that seems to have indicated the right profile much faster.
I think I can figure the rest out.
Thank you,
andybellman(a)outlook.com
Hi All,
This is an FYI to the maintainers of the Volatility code. I don't need immediate help on this issue but I thought somebody might be interested.
I ran into a problem where the 'linux_pslist' command in volatility is hanging on an Ubuntu 13.04 memory dump. All the other 'ps' related commands seem to run just fine.
I'm running Volatility 2.3.1 and I can supply any other details you need (including the memory dump). I've attached the debug output (I let it run for over 30 minutes on a 1GB dump).
I'm happy to try any suggestions you may have.
Thanks for a great product,
Geoff
==============================
Geoff Torres - HP
==============================
Members of the list,
I have been attempting to recover some unsaved files from a hiberfil.sys from a Windows 7 system. It is from a laptop, I'm pretty sure running Home Premium 32 bit.
I use an XP system to run the standalone version of Volatility. Using 'volatility -f hiberfil.sys --profile=Win7SP0x86 imageinfo' I get:
Suggested Profile(s) : No suggestion (Instantiated with Win7SP0x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
AS Layer3 : FileAddressSpace (I:\hfr\hiberfil.sys)
PAE type : PAE
DTB : 0x0L
KUSER_SHARED_DATA : 0xffdf0000L
Using 'volatility -f hiberfil.sys --profile=Win7SP1x86 hibinfo' I get:
Volatility Foundation Volatility Framework 2.3.1
PO_MEMORY_IMAGE:
Signature: HIBR
SystemTime: 1970-01-01 00:00:00 UTC+0000
Control registers flags
CR0: 00000000
CR0[PAGING]: 0
CR3: 00000000
CR4: 00000000
CR4[PSE]: 0
CR4[PAE]: 0
Windows Version is -.- (-)
Other modules seem to hang, or produce no results.
I thought I must have a bad file, but I got it from the right place, and changing the name or location doesn't seem easy enough that an OEM would do it.
I thought I might be using the tool wrong, but it seems I can get it working better with four out of the five NIST samples linked from the code.google.com/p/volatility/wiki website.
I'm wondering if I'm trying to do something Volatility doesn't support yet, or if I am simply making a mistake.
Thanks,
andybellman(a)outlook.com
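As an added example (not code from the post or from the Volatility project), here is a small header check that can be run on a hiberfil.sys before spending hours in imageinfo. It reads the signature at the start of the file and reports whether everything after it in the first page has been zeroed, which is what the all-zero CR0/CR3/CR4 values and the 1970 SystemTime in the hibinfo output above look like. The field offsets it uses (PageSize at 0x14, SystemTime at 0x20, 32-bit Windows 7 layout) are an assumption and should be verified against the profile's vtypes; the sample pages are constructed.

```python
"""Check the PO_MEMORY_IMAGE header at the start of a hiberfil.sys before
handing the file to Volatility (added example, not from the post or the
Volatility project). Field offsets are an ASSUMPTION taken from the 32-bit
Windows 7 layout; verify them against the profile's vtypes before relying on
them: Signature at 0x0 (4 bytes), PageSize at 0x14 (u32), SystemTime at 0x20
(FILETIME, u64)."""
import struct

KNOWN_SIGNATURES = {b"hibr", b"HIBR", b"wake", b"WAKE"}
OFF_PAGE_SIZE, OFF_SYSTEM_TIME = 0x14, 0x20    # assumed offsets, see module docstring
FILETIME_UNIX_EPOCH = 116444736000000000       # 100 ns ticks from 1601-01-01 to 1970-01-01
PAGE = 0x1000                                  # size of the header page examined

def inspect_header(page: bytes) -> dict:
    """Classify the first page of a hibernation file.

    The situation in the post (signature present, every other field zero, so
    SystemTime prints as 1970 and the control registers as 0) comes back as
    "header fields zeroed" rather than "usable"."""
    if len(page) < OFF_SYSTEM_TIME + 8:
        raise ValueError("need at least the first 0x28 bytes of the file")
    sig = page[:4]
    page_size, = struct.unpack_from("<I", page, OFF_PAGE_SIZE)
    filetime, = struct.unpack_from("<Q", page, OFF_SYSTEM_TIME)
    rest_zeroed = not any(page[4:PAGE])        # nothing but the signature survives
    if sig not in KNOWN_SIGNATURES:
        status = "not a hibernation header"
    elif rest_zeroed:
        status = "header fields zeroed"
    elif sig.lower() == b"wake":
        status = "resumed (marked wake)"
    else:
        status = "usable"
    # FILETIME 0 is reported as None instead of being rendered as 1970-01-01.
    unix = (filetime - FILETIME_UNIX_EPOCH) // 10_000_000 if filetime else None
    return {"signature": sig, "status": status, "page_size": page_size,
            "system_time_unix": unix}

def build_sample(sig: bytes, page_size: int = 0, filetime: int = 0) -> bytes:
    """Construct a first page containing only the fields this check reads."""
    buf = bytearray(PAGE)
    buf[:4] = sig
    struct.pack_into("<I", buf, OFF_PAGE_SIZE, page_size)
    struct.pack_into("<Q", buf, OFF_SYSTEM_TIME, filetime)
    return bytes(buf)

def inspect_file(path: str) -> dict:
    """Run the check against a real hiberfil.sys on disk."""
    with open(path, "rb") as fh:
        return inspect_header(fh.read(PAGE))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(inspect_file(sys.argv[1]))
    else:
        # Constructed samples: a usable header, one like the post's, and an empty page.
        live = FILETIME_UNIX_EPOCH + 1_400_000_000 * 10_000_000
        for name, page in [("usable", build_sample(b"HIBR", 4096, live)),
                           ("zeroed", build_sample(b"HIBR")),
                           ("blank", bytes(PAGE))]:
            print(name, inspect_header(page))
```

Run it with the path to the hibernation file as the only argument; "header fields zeroed" means Volatility's hibernation address space has no version or CR3 to work from, and no choice of profile will change that.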
Hi,
as part of a university course I've developed a Volatility plugin to
extract user credentials cached in an OpenVPN process. Currently the
extraction is limited to OpenVPN 2.2.2 on Windows. Still, maybe this is
useful to someone else.
Code is here: https://github.com/Phaeilo/vol-openvpn
Philip