[Vol-users] Problems with Server 2003 vmss image

Jamie Levy jamie.levy at gmail.com
Tue Sep 10 06:11:17 CDT 2013


I think this was fixed in svn.  Please update and confirm if you can.

All the best,

-gleeda



On Mon, Sep 9, 2013 at 11:44 PM, David Kovar <dkovar at gmail.com> wrote:
> Good evening,
>
> I have what purports to be a Windows Server 2003 vmss file from an ESXi
> server.
>
> Volatile Systems Volatility Framework 2.2
> Determining profile based on KDBG search...
>
>           Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
>                      AS Layer1 : FileAddressSpace (E:\memory.vmss)
>                       PAE type : No PAE
>                            DTB : 0xe02000L
>                           KDBG : 0x89e3e0
>           Number of Processors : 32
>      Image Type (Service Pack) : 8388479
>                 KPCR for CPU 1 : 0xb4428734L
>               KPCR for CPU 105 : 0x6ab88836
>               KPCR for CPU 187 : 0xbbb081feL
>               KPCR for CPU 217 : 0xd26666cfL
>               KPCR for CPU 244 : 0xf6396926L
>                KPCR for CPU 43 : 0xdb784fe4L
>                 KPCR for CPU 0 : 0xbfcc7b14L
>               KPCR for CPU 144 : 0xfdce5831L
>               KPCR for CPU 163 : 0xe645d2edL
>               KPCR for CPU 240 : 0xe641b395L
>                 KPCR for CPU 0 : 0x54430b95
>               KPCR for CPU 121 : 0xe647cb92L
>               KPCR for CPU 156 : 0x11fcab95
>                KPCR for CPU 88 : 0x7e5a9411
>                 KPCR for CPU 0 : 0x3a144ddb
>                 KPCR for CPU 0 : 0xad8d25f2L
>               KPCR for CPU 167 : 0x6a05fdd2
>               KPCR for CPU 149 : 0x9623d84aL
>               KPCR for CPU 116 : 0x4d5a811c
>                 KPCR for CPU 0 : 0x770a23f1
>                 KPCR for CPU 0 : 0x62485716
>                KPCR for CPU 47 : 0xb52572fcL
>                 KPCR for CPU 0 : 0x1449293a
>                KPCR for CPU 46 : 0x4997edb2
>                 KPCR for CPU 0 : 0x95971adeL
>                 KPCR for CPU 0 : 0x95bcc716L
>                KPCR for CPU 53 : 0x55851105
>                 KPCR for CPU 0 : 0x55bcc700
>                 KPCR for CPU 0 : 0xd5893716L
>               KPCR for CPU 169 : 0x4a21113d
>                 KPCR for CPU 1 : 0x88f33d8dL
>                 KPCR for CPU 0 : 0xa3d2de22L
>              KUSER_SHARED_DATA : 0xffdf0000L
>            Image date and time : 1970-01-01 00:00:00 UTC+0000
> Traceback (most recent call last):
>   File "vol.py", line 186, in <module>
>     main()
>   File "vol.py", line 177, in main
>     command.execute()
>   File "E:\Tools\volatility-2.2\volatility\commands.py", line 111, in execute
>     func(outfd, data)
>   File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 34, in render_text
>     for k, v in data:
>   File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 109, in calculate
>     yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
>   File "E:\Tools\volatility-2.2\volatility\timefmt.py", line 82, in display_datetime
>     dt = dt.astimezone(custom_tz)
> ValueError: tzinfo.utcoffset() returned 1440; must be in -1439 .. 1439
>
> Or, maybe it isn't.
>
> Anyhow, I converted it with imagecopy and while imageinfo returns the same
> information, none of the other commands will work:
>
> E:\Tools\volatility-2.2>python vol.py -f E:\RAM\memory.raw
> --profile=Win2003SP2x86 connections
> Volatile Systems Volatility Framework 2.2
> No suitable address space mapping found
> Tried to open image as:
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  JKIA32PagedMemory: No base Address Space
>  JKIA32PagedMemoryPae: No base Address Space
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: No xpress signature found
>  WindowsCrashDumpSpace64: Header signature invalid
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Incompatible profile Win2003SP2x86 selected
>  JKIA32PagedMemory: Failed valid Address Space check
>  JKIA32PagedMemoryPae: Failed valid Address Space check
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  FileAddressSpace: Must be first Address Space
>
> Any thoughts on how to work with this image would be most welcome.
>
> -David
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
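Added example (not part of the thread and not Volatility's own code): two pre-flight checks that cover the two failures quoted above. The "Tried to open image as ... Header signature invalid" list is each address space testing a magic value at the start of the file, so sniff_image() does the same test for VMware vmss/vmsn, LiME, Windows crash dumps and hiberfil headers and tells you up front whether a file is one of those or just raw memory. The "tzinfo.utcoffset() returned 1440" traceback is a bogus time-zone bias read from a KUSER_SHARED_DATA that is not really KUSER_SHARED_DATA, so tz_from_bias() validates the bias before building a tzinfo and describe_image_time() degrades to UTC with a warning instead of crashing. The magic constants are quoted from memory of the respective formats (the VMware values as used by Volatility's VMware address space) and should be checked against the sources; the sample headers in the test are constructed.

```python
"""Pre-flight checks for a memory image before handing it to a framework.

Added example for the vol-users thread, not Volatility code.  Magic values
are from memory of the formats (VMware ones as used by Volatility's vmware
address space); verify against the sources before relying on them.
"""
import struct
from datetime import datetime, timedelta, timezone

# Little-endian 32-bit magics found at file offset 0.
VMWARE_MAGICS = {
    0xBED2BED0: "vmss",
    0xBAD1BAD1: "vmsn",
    0xBED2BED2: "vmss (v2)",
    0xBAD1BAD2: "vmsn (v2)",
}
LIME_MAGIC = 0x4C694D45                       # the bytes "EMiL" on disk
CRASHDUMP_SIGS = {b"PAGEDUMP": "crashdump32",  # Signature + ValidDump fields
                  b"PAGEDU64": "crashdump64"}
HIBER_SIGS = (b"hibr", b"HIBR", b"wake", b"WAKE")


def sniff_image(head):
    """Classify an image from its first bytes.

    Mirrors what the address-space probes in the thread do: each one looks
    for its own signature and rejects the file otherwise.  A file that
    matches nothing is treated as raw physical memory, which is exactly
    the case where a bad imagecopy output goes unnoticed.
    """
    if len(head) < 8:
        return "too short"
    magic32 = struct.unpack("<I", head[:4])[0]
    if magic32 in VMWARE_MAGICS:
        return "vmware " + VMWARE_MAGICS[magic32]
    if magic32 == LIME_MAGIC:
        return "lime"
    if head[:8] in CRASHDUMP_SIGS:
        return CRASHDUMP_SIGS[head[:8]]
    if head[:4] in HIBER_SIGS:
        return "hiberfil"
    return "raw or unknown"


def tz_from_bias(bias_100ns):
    """Build a fixed-offset tzinfo from a Windows TimeZoneBias value.

    KUSER_SHARED_DATA.TimeZoneBias is a signed count of 100 ns units with
    local = UTC - bias, so a UTC-5 image carries a positive 5 h bias.
    datetime.timezone only accepts offsets strictly inside +/-24 h; a bias
    outside that (1440 minutes in the thread) means the structure we read
    is not the real KUSER_SHARED_DATA, so return None instead of raising.
    """
    offset = timedelta(microseconds=-bias_100ns // 10)
    if not -timedelta(hours=24) < offset < timedelta(hours=24):
        return None
    return timezone(offset)


def describe_image_time(unix_seconds, bias_100ns):
    """Render the image timestamp as local time, the way imageinfo tries
    to, but fall back to UTC with a warning on a bad bias.  Returns the
    formatted string and a list of warnings; an epoch-0 timestamp (as in
    the thread's "1970-01-01 00:00:00") is itself flagged."""
    warnings = []
    utc = datetime.fromtimestamp(unix_seconds, tz=timezone.utc)
    if unix_seconds == 0:
        warnings.append("image time is epoch 0; KUSER_SHARED_DATA is probably wrong")
    tz = tz_from_bias(bias_100ns)
    if tz is None:
        warnings.append("time-zone bias out of range; showing UTC")
        tz = timezone.utc
    return utc.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z"), warnings


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(sniff_image(fh.read(16)))
```

Run it with the path of the vmss or the imagecopy output as its only argument; if the raw file still sniffs as anything other than "raw or unknown", or the vmss sniffs as "raw or unknown", the file is not what the tool was told it is.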