[Vol-users] Problems with Server 2003 vmss image

David Kovar dkovar at gmail.com
Tue Sep 10 09:55:20 CDT 2013


Mui bien, good to go, thanks!

-David

On Sep 10, 2013, at 6:11 AM, Jamie Levy <jamie.levy at gmail.com> wrote:

> I think this was fixed in svn.  please update and confirm if you can.
> 
> All the best,
> 
> -gleeda
> 
> 
> 
> On Mon, Sep 9, 2013 at 11:44 PM, David Kovar <dkovar at gmail.com> wrote:
>> Good evening,
>> 
>> I have what purports to be a Windows Server 2003 vmss file from an ESXi
>> server.
>> 
>> Volatile Systems Volatility Framework 2.2
>> Determining profile based on KDBG search...
>> 
>>          Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
>>                     AS Layer1 : FileAddressSpace (E:\memory.vmss)
>>                      PAE type : No PAE
>>                           DTB : 0xe02000L
>>                          KDBG : 0x89e3e0
>>          Number of Processors : 32
>>     Image Type (Service Pack) : 8388479
>>                KPCR for CPU 1 : 0xb4428734L
>>              KPCR for CPU 105 : 0x6ab88836
>>              KPCR for CPU 187 : 0xbbb081feL
>>              KPCR for CPU 217 : 0xd26666cfL
>>              KPCR for CPU 244 : 0xf6396926L
>>               KPCR for CPU 43 : 0xdb784fe4L
>>                KPCR for CPU 0 : 0xbfcc7b14L
>>              KPCR for CPU 144 : 0xfdce5831L
>>              KPCR for CPU 163 : 0xe645d2edL
>>              KPCR for CPU 240 : 0xe641b395L
>>                KPCR for CPU 0 : 0x54430b95
>>              KPCR for CPU 121 : 0xe647cb92L
>>              KPCR for CPU 156 : 0x11fcab95
>>               KPCR for CPU 88 : 0x7e5a9411
>>                KPCR for CPU 0 : 0x3a144ddb
>>                KPCR for CPU 0 : 0xad8d25f2L
>>              KPCR for CPU 167 : 0x6a05fdd2
>>              KPCR for CPU 149 : 0x9623d84aL
>>              KPCR for CPU 116 : 0x4d5a811c
>>                KPCR for CPU 0 : 0x770a23f1
>>                KPCR for CPU 0 : 0x62485716
>>               KPCR for CPU 47 : 0xb52572fcL
>>                KPCR for CPU 0 : 0x1449293a
>>               KPCR for CPU 46 : 0x4997edb2
>>                KPCR for CPU 0 : 0x95971adeL
>>                KPCR for CPU 0 : 0x95bcc716L
>>               KPCR for CPU 53 : 0x55851105
>>                KPCR for CPU 0 : 0x55bcc700
>>                KPCR for CPU 0 : 0xd5893716L
>>              KPCR for CPU 169 : 0x4a21113d
>>                KPCR for CPU 1 : 0x88f33d8dL
>>                KPCR for CPU 0 : 0xa3d2de22L
>>             KUSER_SHARED_DATA : 0xffdf0000L
>>           Image date and time : 1970-01-01 00:00:00 UTC+0000
>> Traceback (most recent call last):
>>   File "vol.py", line 186, in <module>
>>     main()
>>   File "vol.py", line 177, in main
>>     command.execute()
>>   File "E:\Tools\volatility-2.2\volatility\commands.py", line 111, in execute
>>     func(outfd, data)
>>   File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 34, in render_text
>>     for k, v in data:
>>   File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 109, in calculate
>>     yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
>>   File "E:\Tools\volatility-2.2\volatility\timefmt.py", line 82, in display_datetime
>>     dt = dt.astimezone(custom_tz)
>> ValueError: tzinfo.utcoffset() returned 1440; must be in -1439 .. 1439
>> 
>> Or, maybe it isn't.
>> 
>> Anyhow, I converted it with imagecopy and while imageinfo returns the same
>> information, none of the other commands will work:
>> 
>> E:\Tools\volatility-2.2>python vol.py -f E:\RAM\memory.raw --profile=Win2003SP2x86 connections
>> Volatile Systems Volatility Framework 2.2
>> No suitable address space mapping found
>> Tried to open image as:
>> LimeAddressSpace: lime: need base
>> WindowsHiberFileSpace32: No base Address Space
>> WindowsCrashDumpSpace64: No base Address Space
>> WindowsCrashDumpSpace32: No base Address Space
>> AMD64PagedMemory: No base Address Space
>> JKIA32PagedMemory: No base Address Space
>> JKIA32PagedMemoryPae: No base Address Space
>> IA32PagedMemoryPae: Module disabled
>> IA32PagedMemory: Module disabled
>> LimeAddressSpace: Invalid Lime header signature
>> WindowsHiberFileSpace32: No xpress signature found
>> WindowsCrashDumpSpace64: Header signature invalid
>> WindowsCrashDumpSpace32: Header signature invalid
>> AMD64PagedMemory: Incompatible profile Win2003SP2x86 selected
>> JKIA32PagedMemory: Failed valid Address Space check
>> JKIA32PagedMemoryPae: Failed valid Address Space check
>> IA32PagedMemoryPae: Module disabled
>> IA32PagedMemory: Module disabled
>> FileAddressSpace: Must be first Address Space
>> 
>> Any thoughts on how to work with this image would be most welcome.
>> 
>> -David
>> 
>> 
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> 
> 
> 
> 
> -- 
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
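An added illustration, not Volatility's code and not from anyone in the thread, of the failure in the traceback above: a timezone bias pulled from an image that already looks unreliable (note the 1970 image date) is outside the range Python's datetime accepts, and a defensive version treats such a value as garbage and falls back to UTC instead of aborting the whole plugin. Assumed: the bias is encoded as a signed 32-bit minute count (a constructed encoding), and `OffsetTz`, `safe_tz` and the sample blobs are constructed for this example.

```python
# Illustration of the out-of-range tzinfo offset seen in the thread and of a
# guarded version; this is not Volatility's implementation.
import struct
from datetime import datetime, timedelta, timezone, tzinfo


class OffsetTz(tzinfo):
    """Fixed-offset tzinfo that trusts whatever bias it is given (mirrors the crash)."""
    def __init__(self, minutes):
        self.minutes = minutes

    def utcoffset(self, dt):
        return timedelta(minutes=self.minutes)

    def dst(self, dt):
        return timedelta(0)

    def tzname(self, dt):
        sign = "+" if self.minutes >= 0 else "-"
        hours, mins = divmod(abs(self.minutes), 60)
        return "UTC%s%02d:%02d" % (sign, hours, mins)


def read_bias_minutes(blob):
    """Decode the constructed 4-byte little-endian signed bias (assumed encoding)."""
    return struct.unpack("<i", blob[:4])[0]


def safe_tz(minutes):
    """datetime rejects offsets of 24h or more, so anything outside -1439..1439
    minutes cannot be a real clock bias; treat it as unreliable and use UTC."""
    if -1439 <= minutes <= 1439:
        return OffsetTz(minutes)
    return timezone.utc


def display_local(dt_utc, tz):
    return dt_utc.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %Z")


# Constructed inputs: a sane bias of -300 min (UTC-5) and the bogus 1440 from the error.
SANE_BLOB = struct.pack("<i", -300)
BOGUS_BLOB = struct.pack("<i", 1440)
IMAGE_TIME = datetime(1970, 1, 1, 0, 0, 0, tzinfo=timezone.utc)


def naive_render(blob):
    """Trusting path: raises ValueError on the bogus bias, as in the traceback."""
    return display_local(IMAGE_TIME, OffsetTz(read_bias_minutes(blob)))


def guarded_render(blob):
    """Guarded path: still renders the timestamp, in UTC, when the bias is garbage."""
    return display_local(IMAGE_TIME, safe_tz(read_bias_minutes(blob)))
```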
