Re: [Vol-users] trouble with .volatilityrc file
7 May
2016
7 May
'16
2:02 a.m.
Hi James,
According to the wiki (
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage#co…)
if you're putting the config file in the same folder it should be named
"volatilityrc" (no dot).
You use the dot if it's in the home folder, e.g. "~/.volatilityrc".
You could test by passing the file path with "--conf-file".
Syntax of the file content looks good though.
Adam
On 6 May 2016 at 16:41, James Kelly <42jameskelly(a)gmail.com> wrote:
1. I have a directory with a memory dump called
memdum.bin
2. I run volatility image info against it and I get
Air:ticket_number jamesk$ vol.py -f memdump.bin imageinfo
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86,
Win2003SP2x86 (Instantiated with Win2003SP0x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace
(/Users/jamesk/Desktop/jackcr-challenge/DC-USTXHOU/ticket_number/memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x805583d0L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-11-27 02:01:57 UTC+0000
Image local date and time : 2012-11-26 20:01:57 -0600
3. I can run vol.py --profile=Win2003SP0x86 -f memdump.bin pslist and get
process list just fine…but...
In that same directory as the memdump.bin file I have a .volatilityrc
file which contains
[DEFAULT]
PROFILE=Win2003SP2x86
LOCATION=file://memdump.bin
When I run vol.py pslist I get:
No suitable address space mapping found
Is my syntax incorrect somewhere?
Jk
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Attachments:
- attachment.html (text/html — 3.3 KB)