[Vol-users] hibernation file - imagecopy

Jamie Levy jamie.levy at gmail.com
Tue Mar 5 08:51:39 CST 2013


Hi,

I actually have a patch for the read error, and it's currently
getting bundled with a few other changes and should be updated in the
svn soon.  I can send you a fix in the meantime here in a bit.  Thanks
for reporting!

All the best,

-gleeda



On Tue, Mar 5, 2013 at 4:13 AM, kongo sec <kongo86.sec at gmail.com> wrote:
> Hi
>
> I am running - revision 3164
> I get the following error when running: Ignore the import errors
> # python2.7 vol.py -f /opt/hiberfil.sys --profile=WinXPSP3x86 imagecopy -O /opt/winxp_sp3_2nd.raw
>
>
> Volatile Systems Volatility Framework 2.3_alpha
> *** Failed to import volatility.plugins.zeusscan1 (AttributeError: 'module'
> object has no attribute 'ImpScan')
> *** Failed to import volatility.plugins.zeusscan2 (AttributeError: 'module'
> object has no attribute 'ApiHooks')
> Writing data (5.00 MB chunks):
> |......................................................................................................................................................................................................................................................ERROR
> : volatility.plugins.imagecopy: Error when reading from address space
>
> I have tried copying over the .sys file twice. I generated a new .sys file
> and same error. It worked wonderfully last week. I tried reverting back to
> revision 3159 and no dice. Also, oddly enough, it works with an old version of
> Volatility running on REMnux.
> Not sure what's up. Also here is the output from imageinfo:
>
> Determining profile based on KDBG search...
>
>           Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with
> WinXPSP2x86)
>                      AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
>                      AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
>                      AS Layer3 : FileAddressSpace (/opt/hiberfil.sys)
>                       PAE type : PAE
>                            DTB : 0x9300060L
>                           KDBG : 0x80545be0L
>           Number of Processors : 1
>      Image Type (Service Pack) : 3
>                 KPCR for CPU 0 : 0xffdff000L
>              KUSER_SHARED_DATA : 0xffdf0000L
>            Image date and time : 2013-03-05 06:26:20 UTC+0000
>      Image local date and time : 2013-03-05 00:26:20 -0600
>
>
> thanks in advance
>
>



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92

