[Vol-users] Problems with Server 2003 vmss image

David Kovar dkovar at gmail.com
Mon Sep 9 16:44:45 CDT 2013


Good evening,

I have what purports to be a Windows Server 2003 vmss file from an ESXi
server.

Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
                     AS Layer1 : FileAddressSpace (E:\memory.vmss)
                      PAE type : No PAE
                           DTB : 0xe02000L
                          KDBG : 0x89e3e0
          Number of Processors : 32
     Image Type (Service Pack) : 8388479
                KPCR for CPU 1 : 0xb4428734L
              KPCR for CPU 105 : 0x6ab88836
              KPCR for CPU 187 : 0xbbb081feL
              KPCR for CPU 217 : 0xd26666cfL
              KPCR for CPU 244 : 0xf6396926L
               KPCR for CPU 43 : 0xdb784fe4L
                KPCR for CPU 0 : 0xbfcc7b14L
              KPCR for CPU 144 : 0xfdce5831L
              KPCR for CPU 163 : 0xe645d2edL
              KPCR for CPU 240 : 0xe641b395L
                KPCR for CPU 0 : 0x54430b95
              KPCR for CPU 121 : 0xe647cb92L
              KPCR for CPU 156 : 0x11fcab95
               KPCR for CPU 88 : 0x7e5a9411
                KPCR for CPU 0 : 0x3a144ddb
                KPCR for CPU 0 : 0xad8d25f2L
              KPCR for CPU 167 : 0x6a05fdd2
              KPCR for CPU 149 : 0x9623d84aL
              KPCR for CPU 116 : 0x4d5a811c
                KPCR for CPU 0 : 0x770a23f1
                KPCR for CPU 0 : 0x62485716
               KPCR for CPU 47 : 0xb52572fcL
                KPCR for CPU 0 : 0x1449293a
               KPCR for CPU 46 : 0x4997edb2
                KPCR for CPU 0 : 0x95971adeL
                KPCR for CPU 0 : 0x95bcc716L
               KPCR for CPU 53 : 0x55851105
                KPCR for CPU 0 : 0x55bcc700
                KPCR for CPU 0 : 0xd5893716L
              KPCR for CPU 169 : 0x4a21113d
                KPCR for CPU 1 : 0x88f33d8dL
                KPCR for CPU 0 : 0xa3d2de22L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 1970-01-01 00:00:00 UTC+0000
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "E:\Tools\volatility-2.2\volatility\commands.py", line 111, in execute
    func(outfd, data)
  File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 34, in render_text
    for k, v in data:
  File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 109, in calculate
    yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
  File "E:\Tools\volatility-2.2\volatility\timefmt.py", line 82, in display_datetime
    dt = dt.astimezone(custom_tz)
ValueError: tzinfo.utcoffset() returned 1440; must be in -1439 .. 1439

Or, maybe it isn't.

Anyhow, I converted it with imagecopy and while imageinfo returns the same
information, none of the other commands will work:

E:\Tools\volatility-2.2>python vol.py -f E:\RAM\memory.raw --profile=Win2003SP2x86 connections
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64: Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile Win2003SP2x86 selected
 JKIA32PagedMemory: Failed valid Address Space check
 JKIA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space

Any thoughts on how to work with this image would be most welcome.

-David
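The traceback above fails because the timezone bias read from the image (1440 minutes) is outside the range Python's tzinfo contract allows, and the surrounding imageinfo fields (epoch date, 32 processors, CPU 0 repeated across KPCR entries) point at a bogus KDBG hit. The following is an added example, not Volatility's own code, showing how a forensic tool can render the image timestamp without crashing on a garbage bias and flag such implausible metadata; it assumes the bias has already been converted to whole minutes and that the sample values are taken from the output quoted above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Python's tzinfo contract: utcoffset() must lie strictly within +/-24 hours.
MAX_ABS_OFFSET_MINUTES = 1439
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def safe_timezone(bias_minutes):
    """Fixed-offset zone from the image's UTC bias (assumed already in minutes).
    Falls back to UTC when the bias is outside tzinfo's range.
    Returns (tz, trusted)."""
    if not isinstance(bias_minutes, int) or abs(bias_minutes) > MAX_ABS_OFFSET_MINUTES:
        return timezone.utc, False
    return timezone(timedelta(minutes=bias_minutes)), True


def display_datetime(dt, bias_minutes):
    """Render dt in the image's local zone, Volatility-style ("UTC+0000").
    A naive dt is treated as UTC. Never raises on a garbage bias; instead the
    output is annotated so the analyst knows the zone was discarded."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    tz, trusted = safe_timezone(bias_minutes)
    text = dt.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S UTC%z")
    if not trusted:
        text += " (image timezone bias %r rejected; shown as UTC)" % (bias_minutes,)
    return text


def imageinfo_warnings(image_date, bias_minutes, cpu_count, kpcr_cpu_ids):
    """Heuristic sanity checks on imageinfo fields. Several hits together
    suggest the KDBG scan matched garbage rather than a real kernel."""
    warnings = []
    if image_date == UNIX_EPOCH:
        warnings.append("image date is the Unix epoch: SystemTime read as zero")
    if not safe_timezone(bias_minutes)[1]:
        warnings.append("timezone bias %r is outside -1439..1439 minutes" % (bias_minutes,))
    if kpcr_cpu_ids and max(kpcr_cpu_ids) >= cpu_count:
        warnings.append("KPCR CPU index %d exceeds processor count %d"
                        % (max(kpcr_cpu_ids), cpu_count))
    dupes = [cpu for cpu, n in Counter(kpcr_cpu_ids).items() if n > 1]
    if dupes:
        warnings.append("duplicate KPCR entries for CPU(s) %s" % sorted(dupes))
    return warnings
```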