[Vol-users] Sample error or real module? (and other questions)

Michael Ligh michael.ligh at mnin.org
Fri May 15 10:57:35 CDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hmm, that does not appear to sync up as expected. What format is your
memory dump? Strings requires a "raw" memory dump. You can check by
typing addrspace().base in volshell and if its a raw memory dump
you'll see FileAddressSpace. If you don't have a raw memory image, use
the imagecopy plugin to create a raw memory dump from whatever format
you have and then translate the strings again.

MHL

On 5/15/15 11:48 AM, Gregory Pendergast wrote:
> Thanks gentlemen. No worries there. I didn't take it badly. Sorry
> for the oversight.
> 
> Correcting the command gives me output, but leaves me with a new 
> question. The string of interest seems nowhere to be found (maybe
> it's unicode? I'm not sure how to tell...):
> 
>>>> db(0xf9805ba44800)
> 0xf9805ba44800  00 00 00 00 00 00 00 00 1b 00 01 00 28 00 00 00 
> ............(... 0xf9805ba44810  28 00 00 00 18 00 00 00 00 00 00
> 00 00 00 02 00 (............... 0xf9805ba44820  00 00 00 00 00 00
> 00 00 48 a4 83 08 a0 f8 ff ff ........H....... 0xf9805ba44830  06
> 09 65 f1 02 00 00 00 00 00 00 00 00 00 00 00 ..e............. 
> 0xf9805ba44840  00 00 00 00 00 00 00 00 a8 00 00 00 00 00 00 00 
> ................ 0xf9805ba44850  01 00 00 00 40 00 00 00 00 00 00
> 00 00 00 00 00 .... at ........... 0xf9805ba44860  07 00 07 00 28 00
> 40 00 68 00 40 00 18 00 01 00 ....(. at .h.@..... 0xf9805ba44870  38
> 00 20 00 04 00 02 00 0b 9e 00 00 00 00 00 00 8...............
> 
>>>> db(0xf9805ba44800,length=0xFF)
> 0xf9805ba44800  00 00 00 00 00 00 00 00 1b 00 01 00 28 00 00 00 
> ............(... 0xf9805ba44810  28 00 00 00 18 00 00 00 00 00 00
> 00 00 00 02 00 (............... 0xf9805ba44820  00 00 00 00 00 00
> 00 00 48 a4 83 08 a0 f8 ff ff ........H....... 0xf9805ba44830  06
> 09 65 f1 02 00 00 00 00 00 00 00 00 00 00 00 ..e............. 
> 0xf9805ba44840  00 00 00 00 00 00 00 00 a8 00 00 00 00 00 00 00 
> ................ 0xf9805ba44850  01 00 00 00 40 00 00 00 00 00 00
> 00 00 00 00 00 .... at ........... 0xf9805ba44860  07 00 07 00 28 00
> 40 00 68 00 40 00 18 00 01 00 ....(. at .h.@..... 0xf9805ba44870  38
> 00 20 00 04 00 02 00 0b 9e 00 00 00 00 00 00 8............... 
> 0xf9805ba44880  50 14 9e 00 00 00 00 00 03 ee e4 ad 6d 83 d0 01 
> P...........m... 0xf9805ba44890  03 ee e4 ad 6d 83 d0 01 18 24 3a
> 05 d4 82 d0 01 ....m....$:..... 0xf9805ba448a0  26 20 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 &............... 0xf9805ba448b0  00
> 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 ................ 
> 0xf9805ba448c0  a0 3f 54 90 00 00 00 00 f2 c6 e4 ad 6d 83 d0 01 
> .?T.........m... 0xf9805ba448d0  f2 c6 e4 ad 6d 83 d0 01 18 24 3a
> 05 d4 82 d0 01 ....m....$:..... Here's the string I expect to see
> based on the strings output: 4397692928 [kernel:f9805ba44800]
> Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware,
> Ltd. ALL RIGHTS RESERVED.
> 
> Thanks again for the help. Greg
> 
> On Fri, May 15, 2015 at 11:30 AM, Michael Ligh
> <michael.ligh at mnin.org <mailto:michael.ligh at mnin.org>> wrote:
> 
> Hey Greg....Andrew just (to my surprise) asked me why I was being 
> "rough" on you, so I apologize if that's how it came across...the
> goal was just to point out the issue as fast as possible.
> 
> MHL
> 
> On 5/15/15 11:15 AM, Michael Ligh wrote:
>> My command:
> 
>> db(0xf9805ba44800)
> 
>> Your command:
> 
>> db(f9805ba44800)
> 
>> The missing 0x in front makes Python think f9805ba44800 is a 
>> variable name rather than a number.
> 
>> On 5/15/15 11:05 AM, Gregory Pendergast wrote:
>>> Thanks Michael. I did try that, and received an error. That's 
>>> why I thought I must be doing/forgetting something stupid. Now 
>>> that I'm back at my analysis machine, here's the output:
> 
>>>>>> db(f9805ba44800)
>>> Traceback (most recent call last): File "<console>", line 1,
>>> in <module> NameError: name 'f9805ba44800' is not defined
>>>>>> addrspace()
>>> <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object
>>> at 0xbef520c>
>>>>>> 
>>> Note that I'm using Volatilty through the VM provided for the 
>>> most recent class in Reston, in case the version is in
>>> question. The profile for this sample is WIn7SP1x64.
> 
>>> Thanks, Greg
> 
> 
> 
>>> On Fri, May 15, 2015 at 10:49 AM, Michael Ligh 
>>> <michael.ligh at mnin.org <mailto:michael.ligh at mnin.org>
> <mailto:michael.ligh at mnin.org <mailto:michael.ligh at mnin.org>>>
> wrote:
> 
>>> You would just type db(0xf9805ba44800) in volshell (or
>>> whatever other address you want to see).
> 
>>> https://github.com/volatilityfoundation/volatility/wiki/Command%20Re
f
>
>>> 
e
> 
>>> 
> re
> 
> 
>> nce#volshell
>>> <https://github.com/volatilityfoundation/volatility/wiki/Command%20R
e
>
>>> 
f
> 
>>> 
> erence#volshell>
> 
>>> I would also search an electronic copy of the AMF book for 
>>> "volshell" - there are lots of examples.
> 
> 
>>> On 5/14/15 10:52 PM, Gregory Pendergast wrote:
>>>> Thanks Michael. Regarding the latter part of inspecting the 
>>>> data around the strings, that's where I really need the help.
>>>> I know I can accomplish that with volshell, but I'm not 
>>>> proficient enough yet to know how to get at it.
> 
>>>> If you could provide the necessary commands to get at the
>>>> data around this hit [kernel:f9805ba44800] as an example,
>>>> that would be most helpful.
> 
>>>> I'm sure I was doing something n00bishly wrong, but I could 
>>>> never get to the point of displaying the data around that 
>>>> location. I'd be more specific about my attempts, but I'm
>>>> not in front of my analysis machine right now and don't
>>>> recall exactly what I tried.
> 
>>>> thanks, greg
> 
>>>>> On May 14, 2015, at 9:39 PM, Michael Ligh 
>>>>> <michael.ligh at mnin.org <mailto:michael.ligh at mnin.org>
>>> <mailto:michael.ligh at mnin.org <mailto:michael.ligh at mnin.org>>>
>>>>> wrote:
>>>>> 
>>>> I wouldn't think the module at 0x48706657040b0003 requires 
>>>> investigation. Not only bc its not in the 0xfffff8 range,
>>>> but you might notice legitimate modules are typically loaded
>>>> at page aligned base addresses (not XXX0003). Your result
>>>> looks like a false positive and given the way modscan works
>>>> (pool scanning) its probably a partially overwritten
>>>> structure in free/deallocated memory. We *could* put a sanity
>>>> check in the code to suppress entries that aren't loaded at
>>>> page aligned addresses, but there are a few exceptions where
>>>> you'll have modules loaded from non-page aligned addresses.
>>>> For example, we just looked at a rootkit today in class that
>>>> is loaded at 0x81b91b80 (on a 32-bit system). Jared's advice
>>>> is also good - if you ever suspect something like this again,
>>>> you can use volshell to display the data at the alleged base
>>>> address and see what's there. If its not an MZ signature,
>>>> then its probably not a currently loaded module (but keep in
>>>> mind you can overwrite the MZ with 00 or anything else as a
>>>> trick...but in that case you'll see real executable code not
>>>> too far away).
> 
>>>> I would suggest trying to figure out what downloaded the EXE
>>>> in the first place, so that you can determine what it does
>>>> after the download finishes (drop to disk and run, drop to
>>>> disk and run then delete, load directly into memory without
>>>> touching disk, etc). I would also inspect the data around the
>>>> strings you found in kernel and free memory - is it verbatim
>>>> with what you see in the pcap (i.e. just a copy of the
>>>> packet) or has it been altered (i.e. unpacked, executed,
>>>> expanded).
> 
>>>>>>> On 5/14/15 4:31 PM, Gregory Pendergast wrote: Just as
>>>>>>> a follow up to my last reply, the shimcache plugin
>>>>>>> reported that there was no shimcache data, and the
>>>>>>> timeliner plugin didn't reveal anything apparently
>>>>>>> interesting except IE history related to the download.
>>>>>>> 
>>>>>>> Thanks, Greg
>>>>>>> 
>>>>>>> 
>>>>>>> On May 14, 2015, at 12:35 PM, Jared Greenhill 
>>>>>>> <jared703 at gmail.com <mailto:jared703 at gmail.com>
> <mailto:jared703 at gmail.com <mailto:jared703 at gmail.com>>
>>> <mailto:jared703 at gmail.com <mailto:jared703 at gmail.com>
> <mailto:jared703 at gmail.com <mailto:jared703 at gmail.com>>>> wrote:
>>>>>>> 
>>>>>>>> Hey Greg,
>>>>>>>> 
>>>>>>>> A couple thoughts/ideas:
>>>>>>>> 
>>>>>>>> What was the initial reason for investigation- the 
>>>>>>>> suspect EXE? Do you have a timeframe of the suspect 
>>>>>>>> activity?
>>>>>>>> 
>>>>>>>> What was the context around the suspect EXE
>>>>>>>> download, just the PCAP or? If so, did the memory
>>>>>>>> capture occur when there was still an active
>>>>>>>> connection? Sometimes this can be a dealbreaker when
>>>>>>>> the connection isn't there.
>>>>>>>> 
>>>>>>>> Does moddump work on the module with that base 
>>>>>>>> address? If so, what type of strings are you seeing?
>>>>>>>> 
>>>>>>>> As far as execution goes, does the shimcache plugin 
>>>>>>>> provide any results around the time of interest? 
>>>>>>>> Assuming you have a time of interest, you could also 
>>>>>>>> try the timeliner plugin to pull in other temporal 
>>>>>>>> artifacts to hone in around that suspect time.
>>>>>>>> 
>>>>>>>> hope this helps, Jared - @jared703
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Tue, May 12, 2015 at 3:36 PM, Gregory Pendergast 
>>>>>>>> <greg.pendergast at gmail.com
>>>>>>>> <mailto:greg.pendergast at gmail.com> 
>>>>>>>> <mailto:greg.pendergast at gmail.com
> <mailto:greg.pendergast at gmail.com>>
>>>>>>>> <mailto:greg.pendergast at gmail.com
> <mailto:greg.pendergast at gmail.com>
>>> <mailto:greg.pendergast at gmail.com
> <mailto:greg.pendergast at gmail.com>>>> wrote:
>>>>>>>> 
>>>>>>>> Greeting,
>>>>>>>> 
>>>>>>>> I'm examining a memory sample (captured locally with 
>>>>>>>> winpmem_1.6.2) <yeah...i know...>
>>>>>>>> 
>>>>>>>> Modscan shows one apparently strange module that has
>>>>>>>> no name and no file listed. The base address space
>>>>>>>> also seems way out of whack for the rest of the
>>>>>>>> sample.
>>>>>>>> 
>>>>>>>> So all i have are offset, base, and size: 
>>>>>>>> 0x000000023a80b540 0x48706657040b0003 0xf3a54f0
>>>>>>>> 
>>>>>>>> In particular, that base address seems way out of
>>>>>>>> range compared to everything else in 0xfffff8....
>>>>>>>> space
>>>>>>>> 
>>>>>>>> How can I tell if this is an error of some kind in
>>>>>>>> the captured sample versus a legitimate anomaly that
>>>>>>>> bears investigation?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Lastly, and pardon me if this is a n00b question,
>>>>>>>> but how can I determine why specific strings appear
>>>>>>>> in kernel memory (based on strings plugin output)?
>>>>>>>> For context, I have a suspicious executable download,
>>>>>>>> but there appears to be no evidence of the file in
>>>>>>>> $MFT (I don't have access to UsnJrnl) and I'm trying
>>>>>>>> to find out what happened to it and whether it ran.
>>>>>>>> Strings from the executable (ontained from pcap) do
>>>>>>>> appear in Free Memory and Kernel memory, but I'm not
>>>>>>>> clear whether that's a symptom of the download or a
>>>>>>>> sign of execution.
>>>>>>>> 
>>>>>>>> Thanks, greg
>>>>>>>> 
>>>>>>>> 
>>>>>>>>>> On May 11, 2015, at 11:30 AM, Torres, Geoff
>>>>>>>>>> (Cyber Security)
>>>>>>>>> <geoff.torres at hp.com <mailto:geoff.torres at hp.com>
> <mailto:geoff.torres at hp.com <mailto:geoff.torres at hp.com>>
>>> <mailto:geoff.torres at hp.com <mailto:geoff.torres at hp.com>
> <mailto:geoff.torres at hp.com <mailto:geoff.torres at hp.com>>>>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>> Thanks Michael,
>>>>>>>>> 
>>>>>>>>> I confirm that I now see what I was expecting. 
>>>>>>>>> Sorry for the
>>>>>>>> rookie mistake.
>>>>>>>>> 
>>>>>>>>> I *really* need to get to your class...
>>>>>>>>> 
>>>>>>>>> Geoff
>>>>>>>>> 
>>>>>>>>>> Don't be afraid to tell me I'm doing something 
>>>>>>>>>> stupid... :-)
>>>>>>>>> 
>>>>>>>>> I only said that because I didn't think I was... 
>>>>>>>>> :-P
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> -----Original Message----- From: 
>>>>>>>>> vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>
>>>>>>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>>
>>>>>>>> [mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>
>>>>>>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>>] On Behalf
>>>>>>>> Of Michael Ligh
>>>>>>>>> Sent: Saturday, May 09, 2015 9:00 AM To: 
>>>>>>>>> vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>
>>> <mailto:vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>>
>>>>>>>> <mailto:vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>
>>> <mailto:vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>>>
>>>>>>>>> Subject: Re: [Vol-users] Output of strings not
>>>>>>>>> found in memdump
>>>>>>>> output - QEMU/QEVM sample
>>>>>>> Hi Geoff,
>>>>>>> 
>>>>>>> The key to get strings working is to make sure you have
>>>>>>> a raw
>>>>>>>>> memory dump. lqs2mem *should* give you that,
>>>>>>>>> however I've not personally used it before.
>>>>>>> 
>>>>>>> One discrepancy I see with your logic is regarding
>>>>>>> this line:
>>>>>>> 
>>>>>>> memory_dump.ram.vol.strings:183190042 [3156:0189321a]
>>>>>>>>> <Search_String>
>>>>>>> 
>>>>>>> It tells you the search string is at virtual address 
>>>>>>> 0189321a in
>>>>>>>>> pid 3156. You then dumped the *executable* for pid 
>>>>>>>>> 3156 which gives you memory from the base of the
>>>>>>>>> exe 400000 to its base + size (nowhere near
>>>>>>>>> 0189321a).
>>>>>>> 
>>>>>>> Try using the memdump or vaddump plugins on 3156
>>>>>>> instead. That
>>>>>>>>> will give you ALL of the process's addressable 
>>>>>>>>> memory, not just the range that contains the exe.
>>>>>>> 
>>>>>>> MHL
>>>>>>> 
>>>>>>>>>>> On 5/7/15 3:03 PM, Torres, Geoff (Cyber
>>>>>>>>>>> Security) wrote: Hi,
>>>>>>>>>>> 
>>>>>>>>>>> Sorry for the 'me too' response, but I'm
>>>>>>>>>>> having this exact same problem.  However, the
>>>>>>>>>>> main difference is that I'm using a 'QEMU'
>>>>>>>>>>> memory image (Hex dump sig is QEVM in the first
>>>>>>>>>>> 4 bytes) from a
>>>>>>>>> cloud
>>>>>>>>>>> instance.
>>>>>>>>>>> 
>>>>>>>>>>> I've converted these in the past using the 
>>>>>>>>>>> 'lqs2mem' tool
>>>>>>>>> written by
>>>>>>>>>>> Juerg Haefliger and Andrew Tappert and it's 
>>>>>>>>>>> worked perfectly
>>>>>>>>> for the
>>>>>>>>>>> 'netscan' and 'ps' type plugins.  However, I 
>>>>>>>>>>> haven't needed to dump processes before and
>>>>>>>>>>> look for specific strings.  I can locate the
>>>>>>>>>>> strings in the converted image, but it's not
>>>>>>>>>>> translating to the processes that are
>>>>>>>>>>> identified by the 'strings' plugin.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Here's the steps I've been taking -
>>>>>>>>>>> 
>>>>>>>>>>> ## Memory dump info
>>>>>>>>>>>> ll memory_dump
>>>>>>>>>>> -rw------- 1 geoff citsirt 7579914273 Apr 27 
>>>>>>>>>>> 13:36 memory_dump
>>>>>>>>>>> 
>>>>>>>>>>>> file memory_dump
>>>>>>>>>>> memory_dump: QEMU suspend to disk image
>>>>>>>>>>> 
>>>>>>>>>>>> xxd memory_dump | head -n1
>>>>>>>>>>> 0000000: 5145 564d 0000 0003 0100 0000 0105
>>>>>>>>>>> 626c QEVM..........bl
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ## Convert the dump
>>>>>>>>>>>> lqs2mem -w pc.ram memory_dump
>>>>>>>>>>>> memory_dump.ram
>>>>>>>>>>> section = pc.ram                           size
>>>>>>>>>>> = 8192 [MB] 8589934592 [bytes] section =
>>>>>>>>>>> pc.bios size = 128 [KB]       131072 [bytes]
>>>>>>>>>>> section = pc.rom size = 128 [KB]       131072
>>>>>>>>>>> [bytes] section = vga.vram size =    16 [MB]
>>>>>>>>>>> 16777216 [bytes] section =
>>>>>>>>>>> 0000:00:02.0/cirrus_vga.rom size = 64 [KB]
>>>>>>>>>>> 65536 [bytes] Wrote 8589934592 bytes from
>>>>>>>>>>> section 'pc.ram' to file memory_dump.ram
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ## Create the strings file
>>>>>>>>>>>> strings -a -t d memory_dump.ram > 
>>>>>>>>>>>> memory_dump.ram.strings
>>>>>>>>>>> 
>>>>>>>>>>>> strings -a -t d -el memory_dump.ram >> 
>>>>>>>>>>>> memory_dump.ram.strings
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ## Create the volatility strings file
>>>>>>>>>>>> python 
>>>>>>>>>>>> /data/download/apps/forensic_tools/volatility/vol.py
>>>>>>>>>>>>
>>>>>>>>>>>>
>
>>>>>>>>>>>> 
>>>>>>>>>>>> 
> -f memory_dump.ram --profile=Win2008SP2x64 strings
>>>>>>>>>>>> -s --output-file=memory_dump.ram.vol.strings
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> ll memory_dump.ram.strings 
>>>>>>>>>>>> memory_dump.ram.vol.strings
>>>>>>>>>>> -rw-rw-r-- 1 geoff citsirt 2914258187 May  7 
>>>>>>>>>>> 08:58 memory_dump.ram.strings -rw-rw-r-- 1
>>>>>>>>>>> geoff citsirt 4292775089 May 7 12:17 
>>>>>>>>>>> memory_dump.ram.vol.strings
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ## '<Search_String>' is found in both string 
>>>>>>>>>>> files as expected
>>>>>>>>>>>> fgrep <Search_String>
>>>>>>>>>>>> memory_dump.ram.strings 
>>>>>>>>>>>> memory_dump.ram.vol.strings
>>>>>>>>>>> memory_dump.ram.strings:183190042
>>>>>>>>>>> <Search_String> 
>>>>>>>>>>> memory_dump.ram.vol.strings:183190042 
>>>>>>>>>>> [3156:0189321a]
>>>>>>>>> <Search_String>
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ## Dump process 3156 as identified by
>>>>>>>>>>> volatility
>>>>>>>>>>>> python 
>>>>>>>>>>>> /data/download/apps/forensic_tools/volatility/vol.py
>>>>>>>>>>>>
>>>>>>>>>>>>
>
>>>>>>>>>>>> 
>>>>>>>>>>>> 
> -f memory_dump.ram --profile=Win2008SP2x64 procdump
>>>>>>>>>>>> -p 3156 -D processes -m
>>>>>>>>>>> Volatility Foundation Volatility Framework 2.4 
>>>>>>>>>>> Process(V) ImageBase          Name Result 
>>>>>>>>>>> ------------------ ------------------ 
>>>>>>>>>>> -------------------- ------ 0xfffffa800a4e6370 
>>>>>>>>>>> 0x0000000000400000 iwproxy.exe OK: 
>>>>>>>>>>> executable.3156.exe
>>>>>>>>>>> 
>>>>>>>>>>>> ll processes/executable.3156.exe
>>>>>>>>>>> -rw-rw-r-- 1 geoff citsirt 3248128 May  7
>>>>>>>>>>> 12:35 processes/executable.3156.exe
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ## '<Search_String>' not found in the dumped 
>>>>>>>>>>> executable
>>>>>>>>>>>> strings -a processes/executable.3156.exe | 
>>>>>>>>>>>> fgrep <Search_String> strings -a -el 
>>>>>>>>>>>> processes/executable.3156.exe | fgrep 
>>>>>>>>>>>> <Search_String>
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> I've tried many different variations of the
>>>>>>>>>>> above steps and all have the same results.
>>>>>>>>>>> 
>>>>>>>>>>> According to what I've read in this thread is 
>>>>>>>>>>> that the issue is to make sure the original
>>>>>>>>>>> dump is properly converted.  How can I do
>>>>>>>>>>> that? 'lqs2mem' has limited options.
>>>>>>>>>>> 
>>>>>>>>>>> Any ideas on what I can do differently to get 
>>>>>>>>>>> this to work?
>>>>>>>>>>> 
>>>>>>>>>>> Thanks,
>>>>>>>>>>> 
>>>>>>>>>>> Geoff
>>>>>>>>>>> 
>>>>>>>>>>> Don't be afraid to tell me I'm doing something 
>>>>>>>>>>> stupid... :-)
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> -----Original Message----- From: 
>>>>>>>>>>> vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>
>>>>>>>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>>
>>>>>>>>>>> [mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>
>>>>>>>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>
>>> <mailto:vol-users-bounces at volatilityfoundation.org
> <mailto:vol-users-bounces at volatilityfoundation.org>>>] On Behalf
>>>>>>>>> Of Michael
>>>>>>>>>>> Ligh Sent: Tuesday, March 24, 2015 6:49 AM To: 
>>>>>>>>>>> Bridgey theGeek Cc: 
>>>>>>>>>>> vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>
>>> <mailto:vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>
>>> <mailto:vol-users at volatilityfoundation.org
> <mailto:vol-users at volatilityfoundation.org>>> Subject: Re:
>>>>>>>>> [Vol-users] Output of
>>>>>>>>>>> strings not found in memdump output
>>>>>>>>>>> 
>>>>>>>>>>> Perfect! Glad to hear all is good in the world 
>>>>>>>>>>> ;-)
>>>>>>>>>>> 
>>>>>>>>>>> MHL
>>>>>>>>>>> 
>>>>>>>>>>>> On 3/24/15 5:05 AM, Bridgey theGeek wrote: 
>>>>>>>>>>>> Awesome, thanks Michael.
>>>>>>>>>>> 
>>>>>>>>>>>> I generated a raw dump as follows, with the 
>>>>>>>>>>>> vmsn and vmem files in the same folder: $ 
>>>>>>>>>>>> python vol.py -f winxp.vmem 
>>>>>>>>>>>> --profile=WinXPSP2x86 imagecopy -O winxp.raw
>>>>>>>>>>> 
>>>>>>>>>>>> Then ran strings again (having generated a
>>>>>>>>>>>> new input text file because of course the
>>>>>>>>>>>> offsets will be different): $ python vol.py
>>>>>>>>>>>> -f winxp.raw --profile=WinXPSP2x86 strings
>>>>>>>>>>>> -s pk.txt
>>>>>>>>>>> 
>>>>>>>>>>>> I was then able to find the banner at the 
>>>>>>>>>>>> offsets reported by strings. And all was
>>>>>>>>>>>> good in the world.
>>>>>>>>>>> 
>>>>>>>>>>>> Thank you very much for the support.
>>>>>>>>>>> 
>>>>>>>>>>>> Adam
>>>>>>>>>>> 
>>>>>>>>>>>> On 23 March 2015 at 19:39, Michael Ligh 
>>>>>>>>>>>> <michael.ligh at mnin.org
>>>>>>>>>>>> <mailto:michael.ligh at mnin.org> 
>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
> <mailto:michael.ligh at mnin.org>>
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org> 
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org>>>
>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>>>>> <mailto:michael.ligh at mnin.org> 
>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
> <mailto:michael.ligh at mnin.org>>
>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>>>>> <mailto:michael.ligh at mnin.org>
>>> <mailto:michael.ligh at mnin.org
>>> <mailto:michael.ligh at mnin.org>>>>>
>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hey Adam,
>>>>>>>>>>> 
>>>>>>>>>>>> A few things:
>>>>>>>>>>> 
>>>>>>>>>>>> * Yes, vmss2core creates a windows crash
>>>>>>>>>>>> dump * You can use volatility on the
>>>>>>>>>>>> original vmem/vmss by doing the following:
>>>>>>>>>>> 
>>>>>>>>>>>> * make sure both vmem and vmss files are in
>>>>>>>>>>>> the same dir * make sure they have the same
>>>>>>>>>>>> base name (i.e. test.vmem and test.vmss) *
>>>>>>>>>>>> run your volatility plugins against the vmem
>>>>>>>>>>> 
>>>>>>>>>>>> In this case, it would also be required to 
>>>>>>>>>>>> generate a raw memory dump before running 
>>>>>>>>>>>> strings. So you would use imagecopy on the 
>>>>>>>>>>>> vmem.
>>>>>>>>>>> 
>>>>>>>>>>>> LMK if that helps! Michael
>>>>>>>>>>> 
>>>>>>>>>>>>> On 3/23/15 10:51 AM, Bridgey theGeek
>>>>>>>>>>>>> wrote: Hi Michael,
>>>>>>>>>>> 
>>>>>>>>>>>>> *sigh* When will I learn to check the
>>>>>>>>>>>>> origin of my samples?!
>>>>>>>>>>> 
>>>>>>>>>>>>> The guy who provided me with the sample 
>>>>>>>>>>>>> tells me that he took a snapshot of a
>>>>>>>>>>>>> VMWare machine and then used vss2core to
>>>>>>>>>>>>> convert it. I BELIEVE that makes it into a
>>>>>>>>>>>>> Windows Memory Core Dump..?
>>>>>>>>>>> 
>>>>>>>>>>>>> I got hold of the original vmem and vmsn 
>>>>>>>>>>>>> files. Trying to use imagecopy on the vmsn 
>>>>>>>>>>>>> just replicated the input file. I think
>>>>>>>>>>>>> the header is not what Volatility would
>>>>>>>>>>>>> expect: $ xxd Windows\ XP\ Pro\ SP2\ 
>>>>>>>>>>>>> \(32-bit\)-Snapshot49.vmsn |head 0000000: 
>>>>>>>>>>>>> d2be d2be 0800 0000 6300 0000 4368 6563 
>>>>>>>>>>>>> ........c...Chec 0000010: 6b70 6f69 6e74
>>>>>>>>>>>>> 0000 0000 0000 0000 0000 kpoint.......... 
>>>>>>>>>>>>> 0000020: 0000 0000 0000 0000 0000 0000
>>>>>>>>>>>>> 0000 0000 ................ 0000030: 0000
>>>>>>>>>>>>> 0000 0000 0000 0000 0000 0000 0000
>>>>>>>>>>>>> ................ 0000040: 0000 0000 0000
>>>>>>>>>>>>> 0000 0000 0000 fc1e 0000 ................
>>>>>>>>>>>>> 0000050: 0000 0000 ab03 0000 0000 0000 4775
>>>>>>>>>>>>> 6573 ............Gues 0000060: 7456 6172
>>>>>>>>>>>>> 7300 0000 0000 0000 0000 0000
>>>>>>>>>>>>> tVars........... 0000070: 0000 0000 0000 
>>>>>>>>>>>>> 0000 0000 0000 0000 0000 ................ 
>>>>>>>>>>>>> 0000080: 0000 0000 0000 0000 0000 0000
>>>>>>>>>>>>> 0000 0000 ................ 0000090: 0000
>>>>>>>>>>>>> 0000 0000 0000 0000 0000 a722 0000
>>>>>>>>>>>>> ............."..
>>>>>>>>>>> 
>>>>>>>>>>>>> Does that mean I can't use this with 
>>>>>>>>>>>>> Volatility?
>>>>>>>>>>> 
>>>>>>>>>>>>> Thank you, Adam
>>>>>>>>>>> 
>>>>>>>>>>>>> On 23 March 2015 at 14:57, Michael Ligh
>>>>>>>>> <michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org> 
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org>>
>>> <mailto:michael.ligh at mnin.org <mailto:michael.ligh at mnin.org>
> <mailto:michael.ligh at mnin.org <mailto:michael.ligh at mnin.org>>>
>>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
> <mailto:michael.ligh at mnin.org>
>>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
> <mailto:michael.ligh at mnin.org>>
>>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
> <mailto:michael.ligh at mnin.org>
>>> <mailto:michael.ligh at mnin.org
>>> <mailto:michael.ligh at mnin.org>>>>
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org> 
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org>> 
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org> 
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org>>>
>>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
> <mailto:michael.ligh at mnin.org>
>>>>>>>>>>>>> <mailto:michael.ligh at mnin.org
> <mailto:michael.ligh at mnin.org>>
>>>>>>>>> <mailto:michael.ligh at mnin.org
>>>>>>>>> <mailto:michael.ligh at mnin.org>
>>> <mailto:michael.ligh at mnin.org
>>> <mailto:michael.ligh at mnin.org>>>>>>
> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>>> Hey Adam,
>>>>>>>>>>> 
>>>>>>>>>>>>> We forgot to ask if the sample was a raw 
>>>>>>>>>>>>> memory dump. For example:
>>>>>>>>>>> 
>>>>>>>>>>>>> $ xxd ~/Desktop/memory.dmp | less
>>>>>>>>>>> 
>>>>>>>>>>>>> 0000000: 5041 4745 4455 4d50 0f00 0000
>>>>>>>>>>>>> 280a 0000 PAGEDUMP....(... 0000010: 8001
>>>>>>>>>>>>> 6c07 00c0 e680 a031 5580 5892 5580 
>>>>>>>>>>>>> ..l......1U.X.U. 0000020: 4c01 0000 0100
>>>>>>>>>>>>> 0000 8000 0000 5444 4f00 L...........TDO.
>>>>>>>>>>>>> 0000030: 0000 0000 0000 0000 0000 0000 5041
>>>>>>>>>>>>> 4745 ............PAGE 0000040: 5041 4745
>>>>>>>>>>>>> 5041 4745 5041 4745 5041 4745
>>>>>>>>>>>>> PAGEPAGEPAGEPAGE
>>>>>>>>>>> 
>>>>>>>>>>>>> If its something like a crash dump, 
>>>>>>>>>>>>> hibernation, etc then the file format 
>>>>>>>>>>>>> headers throw off the offsets. You can 
>>>>>>>>>>>>> convert those special file types into a
>>>>>>>>>>>>> raw memory dump with the imagecopy plugin
>>>>>>>>>>>>> and then your strings translations should
>>>>>>>>>>>>> be accurate.
>>>>>>>>>>> 
>>>>>>>>>>>>> Cheers! MHL
>>>>>>>>>>> 
>>>>>>>>>>>>>> On 3/23/15 8:54 AM, Bridgey theGeek
>>>>>>>>>>>>>> wrote: Hi Andrew,
>>>>>>>>>>> 
>>>>>>>>>>>>>> I was certain I was running the latest 
>>>>>>>>>>>>>> version, but just to be sure I grabbed
>>>>>>>>>>>>>> the latest version. Same result, same
>>>>>>>>>>>>>> offsets.
>>>>>>>>>>> 
>>>>>>>>>>>>>> I can make the sample available, but
>>>>>>>>>>>>>> more than happy to do whatever debugging
>>>>>>>>>>>>>> needs doing (if I can!)
>>>>>>>>>>> 
>>>>>>>>>>>>>> Adam
>>>>>>>>>>> 
>>>>>>>>>>>>>> On 23 March 2015 at 13:03, Andrew Case 
>>>>>>>>>>>>>> <atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>>>
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>>>>
>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>>>> Are you using the latest git checkout of 
>>>>>>>>>>>>>> Volatility or the 2.4 release? Can you
>>>>>>>>>>>>>> try the latest checkout and re-run
>>>>>>>>>>>>>> Volatility strings (you can run it on
>>>>>>>>>>>>>> just the offsets from PID 123 to make it
>>>>>>>>>>>>>> faster).
>>>>>>>>>>> 
>>>>>>>>>>>>>> If you are already on the latest
>>>>>>>>>>>>>> checkout then we will need to debug
>>>>>>>>>>>>>> further.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>>>> Thanks, Andrew (@attrc)
>>>>>>>>>>> 
>>>>>>>>>>>>>>> On 03/23/2015 04:38 AM, Bridgey
>>>>>>>>>>>>>>> theGeek wrote: Thanks Andrew:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> python vol.py --profile=WinXPSP2x86 -f 
>>>>>>>>>>>>>>> memory.dmp volshell -p 123 Volatility 
>>>>>>>>>>>>>>> Foundation Volatility Framework 2.4 
>>>>>>>>>>>>>>> Current context: myapp.exe @
>>>>>>>>>>>>>>> 0x822042f8, pid=123, ppid=392
>>>>>>>>>>>>>> DTB=0x76c0040
>>>>>>>>>>>>>>> Welcome to volshell! Current memory
>>>>>>>>>>>>>>> image is: file:///home/memory.dmp To
>>>>>>>>>>>>>>> get help, type 'hh()'
>>>>>>>>>>>>>>>>>> db(0x75b6b4d8)
>>>>>>>>>>>>>>> 0x75b6b4d8  c3 7c 15 c7 85 00 ff ff ff 
>>>>>>>>>>>>>>> 01 00 00 00 75 09 8d .|...........u.. 
>>>>>>>>>>>>>>> 0x75b6b4e8 85 0c ff ff ff 50 ff 17 39
>>>>>>>>>>>>>>> 9d 00 ff ff ff 89 85 .....P..9....... 
>>>>>>>>>>>>>>> 0x75b6b4f8 30 ff ff ff 74 12 6a 0c 8d
>>>>>>>>>>>>>>> 85 c4 fe ff ff 50 6a 0...t.j.......Pj 
>>>>>>>>>>>>>>> 0x75b6b508 07 6a fe e8 ea 92 ff ff 83
>>>>>>>>>>>>>>> bd 28 ff ff ff 0c 0f .j........(..... 
>>>>>>>>>>>>>>> 0x75b6b518 84 8c 59 00 00 e9 18 ff ff
>>>>>>>>>>>>>>> ff 90 90 47 00 6c 00 ..Y.........G.l. 
>>>>>>>>>>>>>>> 0x75b6b528  6f 00 62 00 61 00 6c 00 5c
>>>>>>>>>>>>>>> 00 54 00 65 00 72 00 o.b.a.l.\.T.e.r. 
>>>>>>>>>>>>>>> 0x75b6b538  6d 00 53 00 72 00 76 00 52
>>>>>>>>>>>>>>> 00 65 00 61 00 64 00 m.S.r.v.R.e.a.d. 
>>>>>>>>>>>>>>> 0x75b6b548  79 00 45 00 76 00 65 00 6e
>>>>>>>>>>>>>>> 00 74 00 00 00 90 90 y.E.v.e.n.t.....
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Nope, still no banner. But it is 
>>>>>>>>>>>>>>> identical to what I find at
>>>>>>>>>>>>>> 0x1a34d8 in
>>>>>>>>>>>>>>> 123.dmp. (As you'd expect.) 
>>>>>>>>>>>>>>> Double-checked that I was searching 
>>>>>>>>>>>>>>> Unicode and ASCII - still no luck.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Hmmm.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Adam
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On 23 March 2015 at 04:02, Andrew Case 
>>>>>>>>>>>>>>> <atcuno at gmail.com
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>>
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>>
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>>>
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>>
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com>> 
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>>> <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com> 
>>>>>>>>>>>> <mailto:atcuno at gmail.com
>>>>>>>>>>>> <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>
>>>>>>>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>
>>> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>
> <mailto:atcuno at gmail.com <mailto:atcuno at gmail.com>>>>>>>>
>>>>>>>>> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Can do you:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> vol.py ... volshell -p 123
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Then in volshell do:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> db(0x75b6b4d8)
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> And see if you get the banner printed
>>>>>>>>>>>>>>> at the beginning?
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Also, how are you searching 123.dmp?
>>>>>>>>>>>>>>> Did you search ascii &
>>>>>>>>>>>>>> unicode
>>>>>>>>>>>>>>> (most common error)
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Thanks, Andrew (@attrc)
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On 03/20/2015 03:59 PM, Bridgey
>>>>>>>>>>>>>>>> theGeek wrote: Hi all,
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> I can't quite see what's wrong with
>>>>>>>>>>>>>>>> my logic here, but I must be
>>>>>>>>>>>>>>> missing
>>>>>>>>>>>>>>>> something. Hoping someone can help
>>>>>>>>>>>>>>>> me out.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> I'm looking for a private key in a 
>>>>>>>>>>>>>>>> memory sample (WinXPSP2x86). 
>>>>>>>>>>>>>>>> Specifically, to find out which 
>>>>>>>>>>>>>>>> process/es is/are accessing it.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> I can find the key by searching the
>>>>>>>>>>>>>>>> raw memory dump
>>>>>>>>>>>>>> (memory.dmp).
>>>>>>>>>>>>>>>> As you might expect it's between: 
>>>>>>>>>>>>>>>> -----BEGIN RSA PRIVATE KEY----- 
>>>>>>>>>>>>>>>> -----END RSA PRIVATE KEY-----
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> I generated an offset:string file by 
>>>>>>>>>>>>>>>> using strings. Then, using the
>>>>>>>>>>>>>>>> strings plugin I get this output: $
>>>>>>>>>>>>>>>> python vol.py -f memory.dmp 
>>>>>>>>>>>>>>>> --profile=WinXPSP2x86 strings
>>>>>>>>>>>>>> -s pk.txt
>>>>>>>>>>>>>>>> Volatility Foundation Volatility 
>>>>>>>>>>>>>>>> Framework 2.4 188435934 [FREE 
>>>>>>>>>>>>>>>> MEMORY:-1] -----BEGIN RSA PRIVATE 
>>>>>>>>>>>>>>>> KEY----- 188435968 [FREE MEMORY:-1] 
>>>>>>>>>>>>>>>> -----END RSA PRIVATE KEY-----
>>>>>>>>>>>>>>>> 317375704 [kernel:d2ab24d8]
>>>>>>>>>>>>>>>> -----BEGIN RSA PRIVATE KEY-----
>>>>>>>>>>>>>>>> 317376575 [kernel:d2ab283f] -----END
>>>>>>>>>>>>>>>> RSA PRIVATE KEY----- 417203416
>>>>>>>>>>>>>>>> [123:75b6b4d8] -----BEGIN RSA PRIVATE
>>>>>>>>>>>>>>>> KEY----- 417204287 [123:75b6b83f]
>>>>>>>>>>>>>>>> -----END RSA PRIVATE KEY-----
>>>>>>>>>>>>>>>> 419888606 [FREE MEMORY:-1] -----BEGIN
>>>>>>>>>>>>>>>> RSA PRIVATE KEY----- 419888640 [FREE
>>>>>>>>>>>>>>>> MEMORY:-1] -----END RSA PRIVATE
>>>>>>>>>>>>>>>> KEY-----
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Lovely. So I now do a memdump of 
>>>>>>>>>>>>>>>> process 123: $ python vol.py -f 
>>>>>>>>>>>>>>>> memory.dmp --profile=WinXPSP2x86 
>>>>>>>>>>>>>>>> memdump
>>>>>>>>>>>>>> --pid=123
>>>>>>>>>>>>>>>> --dump-dir=123 Volatility Foundation 
>>>>>>>>>>>>>>>> Volatility Framework 2.4
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>> **************************************************************
*
>
>>>>>>>>> 
*
> 
>>>>>>>>> 
> *
> 
>>>>>>>>> 
>> ***
> 
>>>>>>>>> 
>>> *
>>>>>>> 
>>>> *
>>>>>>> **
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>>>>> Writing myapp.exe [   123] to 123.dmp
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> However, if I search 123.dmp neither 
>>>>>>>>>>>>>>>> the BEGIN or END
>>>>>>>>>>>>>> strings are
>>>>>>>>>>>>>>> present.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> So I thought I'd try and find it via 
>>>>>>>>>>>>>>>> the virtual address give,
>>>>>>>>>>>>>>> 0x75b6b4d8:
>>>>>>>>>>>>>>>> $ python vol.py -f memory.dmp 
>>>>>>>>>>>>>>>> --profile=WinXPSP2x86 memmap
>>>>>>>>>>>>>> --pid=123
>>>>>>>>>>>>>>>> Virtual    Physical         Size 
>>>>>>>>>>>>>>>> DumpFileOffset ---------- ---------- 
>>>>>>>>>>>>>>>> ---------- -------------- --SNIP-- 
>>>>>>>>>>>>>>>> 0x75b6b000 0x18de0000     0x1000 
>>>>>>>>>>>>>>>> 0x1a3000 --SNIP--
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> The text is indeed at 0x18de04d8 in 
>>>>>>>>>>>>>>>> memory.dmp, but not at
>>>>>>>>>>>>>> 0x1a34d8 in
>>>>>>>>>>>>>>>> 123.dmp. Again, it's no where to be 
>>>>>>>>>>>>>>>> found in 123.dmp.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Any suggestions..??
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Many thanks, Adam
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>> Vol-users mailing list
>>>>>>>>>>>>>>>> Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>
>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>>
>>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>
>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>>>
>>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>
>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>>
>>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>
>>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>>>>
>>>>>>>>>>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-u
s
>
>>>>>>>>>>>>>>>> 
e
> 
>>>>>>>>>>>>>>>> 
> r
> 
>>>>>>>>>>>>>>>> 
>> s
>>>>>>>>> 
>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>> _______________________________________________
>>>>>>>>>>>>>> Vol-users mailing list 
>>>>>>>>>>>>>> Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>
>>>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>>>
>>>>>>>>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-use
r
>
>>>>>>>>>>>>>> 
s
>>>>>>>>> 
>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>>>> 
> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>> _______________________________________________ Vol-users
>>>>>>>>>>> mailing list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>>>>>
>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>> _______________________________________________ Vol-users
>>>>>>>>>>> mailing list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>>>>
>>>>>>>
>>>>>>>>>>>
>
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>> _______________________________________________
>>>>>>>>> Vol-users mailing list
>>>>>>>>> Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>>>>>
>>>>>>>>>
>
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>> _______________________________________________ Vol-users
>>>>>>>>> mailing list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>>>>
>>>>>>>>>
>
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>> _______________________________________________ Vol-users
>> mailing
>>>>>>>> list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>>
>>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>> _______________________________________________ Vol-users
>> mailing
>>>>>>> list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>
>>>>>>>
>
>>>>>>> 
>>>>>>> 
> _______________________________________________ Vol-users mailing
>>>> list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> <mailto:Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>>
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 
> 
> 
> 
> 
>>> _______________________________________________ Vol-users 
>>> mailing list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 
>> _______________________________________________ Vol-users
>> mailing list Vol-users at volatilityfoundation.org
> <mailto:Vol-users at volatilityfoundation.org>
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 
> 
> 
> 
> 
> _______________________________________________ Vol-users mailing
> list Vol-users at volatilityfoundation.org 
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iF4EAREKAAYFAlVWF28ACgkQXnt9v1O0LIuL/AD/YWMd5vaOVFHx7wKzL3wM7unN
Z1GBG5Ft0+C5Tnkcu2EA/0LHD1QEhxgYmGS81RNXIP3G126TEoa2t2igKQHNb9i7
=9Q9W
-----END PGP SIGNATURE-----


More information about the Vol-users mailing list