Here is imageinfo:
 C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd imageinfo
 Volatile Systems Volatility Framework 2.1
 Determining profile based on KDBG search...
           Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
                      AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                      AS Layer2 : FileAddressSpace (G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd)
                       PAE type : PAE
                            DTB : 0x122000L
                           KDBG : 0x8193ec90L
           Number of Processors : 2
      Image Type (Service Pack) : 1
                 KPCR for CPU 0 : 0x8193f800L
                 KPCR for CPU 1 : 0x803d1000L
              KUSER_SHARED_DATA : 0xffdf0000L
            Image date and time : 2010-10-26 18:35:11 UTC+0000
      Image local date and time : 2010-10-26 14:35:11 -0400
 Here is the complete output of kdbgscan:
 Offset (V)                    : 0x8193ec90
 Offset (P)                    : 0x193ec90
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008SP1x86
 Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
 PsActiveProcessHead           : 0x81954990 (0 processes)
 PsLoadedModuleList            : 0x8195ec70 (0 modules)
 KernelBase                    : 0x81847000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 0
 KPCR                          : 0x8193f800 (CPU 0)
 KPCR                          : 0x803d1000 (CPU 1)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
 Offset (V)                    : 0x8193ec90
 Offset (P)                    : 0x193ec90
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): VistaSP1x86
 Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
 PsActiveProcessHead           : 0x81954990 (0 processes)
 PsLoadedModuleList            : 0x8195ec70 (0 modules)
 KernelBase                    : 0x81847000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 0
 KPCR                          : 0x8193f800 (CPU 0)
 KPCR                          : 0x803d1000 (CPU 1)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
 Offset (V)                    : 0x8193ec90
 Offset (P)                    : 0x193ec90
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): VistaSP2x86
 Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
 PsActiveProcessHead           : 0x81954990 (0 processes)
 PsLoadedModuleList            : 0x8195ec70 (0 modules)
 KernelBase                    : 0x81847000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 0
 KPCR                          : 0x8193f800 (CPU 0)
 KPCR                          : 0x803d1000 (CPU 1)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
 Offset (V)                    : 0x8193ec90
 Offset (P)                    : 0x193ec90
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008SP2x86
 Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
 PsActiveProcessHead           : 0x81954990 (0 processes)
 PsLoadedModuleList            : 0x8195ec70 (0 modules)
 KernelBase                    : 0x81847000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 0
 KPCR                          : 0x8193f800 (CPU 0)
 KPCR                          : 0x803d1000 (CPU 1)
 I also tried providing the kdbg value on the command line and got:
 C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 --kdbg=0x8193ec90L pslist
 Volatile Systems Volatility Framework 2.1
 Usage: Volatility - A memory forensics analysis platform.
 volatility-2.1.standalone.exe: error: option --kdbg: invalid integer value: '0x8193ec90L'
 Is that an indication of an invalid memory address?
 Thanks!
 On Wed, Aug 22, 2012 at 12:30 PM, Andrew Case <atcuno(a)gmail.com> wrote:
  From your original post:
 PsActiveProcessHead           : 0x81954990 (0 processes)
 PsLoadedModuleList            : 0x8195ec70 (0 modules)
 That is not good ... 0 processes off activeprocesshead
 Do you only get one result from kdbgscan? Can you try just running the
 'imageinfo' plugin on your image (don't give it --profile), and send
 me the results?
 On Wed, Aug 22, 2012 at 11:27 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
 C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
 and...
 C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
 On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
>
> Can you paste the command line invocation you are running Vol with?
>
> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
> > I am using the 2.1 Windows standalone exe.
> >
> > I have a dd image of memory from the subject operating system and when I
> > try to use pslist with the Win2008SP1x86 profile I get the following errors:
> >
> > Traceback (most recent call last):
> >   File "<string>", line 185, in <module>
> >   File "<string>", line 176, in main
> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
> >   File "C:\volatility\volatility\plugins\taskmods.py", line 138, in render_text
> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
> >   File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
> > AttributeError: Could not list tasks, please verify your --profile with kdbgscan
> >
> >
> > When I try to verify my profile with kdbgscan I get the following for
> > all profiles:
> >
> > **************************************************
> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
> > Offset (V)                    : 0x8193ec90
> > Offset (P)                    : 0x193ec90
> > KDBG owner tag check          : True
> > Profile suggestion (KDBGHeader): Win2008SP1x86
> > Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
> > Service Pack (CmNtCSDVersion) : 1
> > Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
> > PsActiveProcessHead           : 0x81954990 (0 processes)
> > PsLoadedModuleList            : 0x8195ec70 (0 modules)
> > KernelBase                    : 0x81847000 (Matches MZ: True)
> > Major (OptionalHeader)        : 6
> > Minor (OptionalHeader)        : 0
> > KPCR                          : 0x8193f800 (CPU 0)
> > KPCR                          : 0x803d1000 (CPU 1)
> >
> > Any help would be greatly appreciated.
> >
> > Jon
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
 > 
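
Added example (not part of the thread and not Volatility code): a Python 3 script that reads kdbgscan text in the layout pasted above, flags KDBG candidates whose process and module lists came back empty, and strips the Python 2 long suffix `L` that imageinfo prints so the address parses as an integer. The function names and the third sample block are constructed for illustration.

```python
import re

# Constructed sample in kdbgscan's layout. Blocks 1-2 reuse values from the
# thread (block 2 mail-quoted); block 3, with non-zero counts, is invented.
SAMPLE = """\
Offset (V)                    : 0x8193ec90
Profile suggestion (KDBGHeader): Win2008SP1x86
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
**************************************************
> Offset (V)                    : 0x8193ec90
> Profile suggestion (KDBGHeader): VistaSP1x86
> PsActiveProcessHead           : 0x81954990 (0 processes)
> PsLoadedModuleList            : 0x8195ec70 (0 modules)
> **************************************************
Offset (V)                    : 0x81234560
Profile suggestion (KDBGHeader): Win2008SP1x86
PsActiveProcessHead           : 0x81250000 (31 processes)
PsLoadedModuleList            : 0x81260000 (118 modules)
"""

SEPARATOR = re.compile(r"^[\s>]*\*{10,}\s*$", re.M)  # tolerates '>' quoting
FIELDS = {
    "kdbg": r"Offset \(V\)\s*:\s*(0x[0-9a-fA-F]+)",
    "profile": r"Profile suggestion \(KDBGHeader\)\s*:\s*(\S+)",
    "processes": r"PsActiveProcessHead\s*:.*\((\d+) processes\)",
    "modules": r"PsLoadedModuleList\s*:.*\((\d+) modules\)",
}

def parse_kdbgscan(text):
    """Return one dict of string fields (or None) per KDBG candidate block."""
    candidates = []
    for block in SEPARATOR.split(text):
        found = {k: re.search(p, block) for k, p in FIELDS.items()}
        if found["kdbg"]:
            candidates.append({k: m.group(1) if m else None for k, m in found.items()})
    return candidates

def lists_populated(rec):
    """False when either list has zero entries, the case called 'not good' in the thread."""
    return all(int(rec[k] or 0) > 0 for k in ("processes", "modules"))

def plain_hex(value):
    """'0x8193ec90L' (Python 2 long repr, as imageinfo prints it) -> '0x8193ec90'."""
    return hex(int(value.rstrip("Ll"), 16))

if __name__ == "__main__":
    for rec in parse_kdbgscan(SAMPLE):
        print(plain_hex(rec["kdbg"]), rec["profile"], "ok" if lists_populated(rec) else "EMPTY LISTS")
```

Normalizing the address only addresses the integer-parsing error; the kdbgscan output in the thread already reports both lists as empty for this candidate, which is a separate condition.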
 
   