Attached please find a patch against the SVN version of Volatility
that allows the framework to work properly on big endian systems.
While I know big endian systems are not the majority users, I think
it's easy enough to patch. Most of the changes involve explicitly
telling the decode function that the source data was from a little
endian system.
cheers,
Here's the original version of the framework on a big endian system:
$ python volatility ident -f xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: UNKNOWN
And the patched:
$ python volatility ident -f memory-images/xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: Service Pack 2
VM Type: nopae
DTB: 0x39000
Datetime: Mon Jul 04 14:30:32 2005
--
Jesse
research(a)jessekornblum.com
Hi,
I am working to make Volatility work for Vista. In file vtypes.py,
there is something named "_ADDRESS_OBJECT". I cannot find it structure
using Windbg, like I can do with other data structs (such as
_EPROCESS).
So where can I find information about _ADDRESS_OBJECT, with Windbg, or
any other tool?
Thanks a lot,
Jun
I know 1.3 is Beta, but is there any reason setup.py references
"memory_objects.Linux" when it's not in the distribution? I'm
packaging this for my own purposes, and used the attached patch to
greatly minimize the amount of work I had to do for installation.
Now, I can use 'python setup.py install' and everything goes where one
would expect them to.
For system-wide installation purposes, it'd be even nicer if
volatility carved out its own namespace/hierarchy (i.e.
'volatility.forensics', 'volatility.vmodules') so as to lessen chance
of collision with other packages, but I know that would likely end up
making an API change forcing plugin authors to accommodate.
RB
Hi,
I am using Volatility to list the open sockets on my WinXP file image,
with command "sockets". It should display all the open sockets, like
"netstat -a" does, but it didn't display anything. Is that a bug, or
is that the way it is supposed to work?
I tried with "sockscan" on the same image, and yes, this time it shows
a lot of open sockets. The problem is that this command is really
slow: it took a minute or so on a 400MB image.
Meanwhile, "sockscan2" is a lot faster: it returns information almost
immediately.
"connections", "connscan" and "connscan2" show nothing. Is that expected?
I suppose that "connections" and "sockets" are about the same thing.
Is that correct?
Thanks,
Jun
I was just looking over the code for the FileAddressSpace class and I didn't
understand something. I jumped into the IRC room and asked the question,
but nobody was home.
I'm not sure what I'm missing here, but something doesn't seem right to me.
When I look at the __init__ function, it seems like the whitespace is all
messed up. For example, lines 37 and 40 are indented with 8 spaces, but
lines 38 and 39 are indented with tabs. Line 42 doesn't even appear to be
part of the __init__ function. I would think that python would throw an
error about this, but it doesn't seem to mind. What am I missing?
Kevin
Hi,
Does the 1.3 support Windows XP SP3? Or only SP2 is supported?
Anybody knows if 1.3 works with XP-SP2 of Windows of all languages
(French, Spain, Japan,...), or only English is supported?
Final question: is there any plan to support Vista in the near future??
Thanks,
J
If you are using object inheritance in your plugins, you will probably
want to contact me before the upcoming 1.3.1 release. We are in the
process of making some changes that will require updates.
Thanks,
AW
Attached please find a patch to prevent the framework from crashing when
attempting to read an Object's value from memory that cannot be accessed
(e.g. marked invalid, paged out, etc). The patch prevents the code from
crashing but adds the condition that the methods to read values (.v and
.value) may return None.
In my work I've encountered memory images where a unicode string in the
ProcessParameters (i.e. Eprocess -> Peb -> ProcessParameters ->
CommandLine) has been marked "in transition". Volatility 1.3 Beta does
not read data from any page marked Invalid and read requests for those
data are returned with None. The methods to read object values do not
error check the read method's return value and always attempt to unpack
the returned value. Attempting to unpack a None value results in an
unhandled exception.
Developers should be advised that the .v and .value methods can now
legally return None and should error check the return values of those
functions before attempting to use them.
The plugin that generated these exceptions, a check for generally suspicious
processes and TrueCrypt in particular, will be posted shortly to the
Vol-users mailing list.
cheers,
--
Jesse
jessek(a)speakeasy.net
--- Volatility-1.3_Beta/forensics/object2.py 2008-06-23 14:43:11.000000000 -0400
+++ Volatility-1.3_Beta2/forensics/object2.py 2008-06-23 14:43:12.000000000 -0400
@@ -313,10 +313,16 @@
VType.__init__(self, profile, 0, False, True)
def v(self, theObject):
+ ## Shortcut to value method
return self.value(theObject)
def value(self, theObject):
- (val, ) = struct.unpack("=L", theObject.vm.read(theObject.offset, 4))
+ ## @return Returns the value of the object if available,
+ ## otherwise None.
+ tmp = theObject.vm.read(theObject.offset, 4)
+ if tmp is None:
+ return None
+ (val, ) = struct.unpack("<L", tmp)
return val
def cdecl(self):
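Review bot: the new guard in value() only covers the None case; a short buffer (vm.read returning fewer than 4 bytes at the end of an image or a partially mapped range) still reaches struct.unpack("<L", tmp) and raises struct.error, which is the same class of failure the None check is meant to stop. Suggest `if tmp is None or len(tmp) != 4: return None`. The "=L" to "<L" change is also a behavioural fix on big-endian hosts (native order to explicit little-endian), which is worth calling out in the comment so it is not mistaken for a cosmetic edit.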
@@ -337,11 +343,16 @@
self.readChar = readChar
def v(self, theObject):
+ ## Shortcut to value method
return self.value(theObject)
def value(self, theObject):
- (val, ) = struct.unpack('='+self.readChar, \
- theObject.vm.read(theObject.offset, self.size))
+ ## @return Returns the value of the object if available,
+ ## otherwise None.
+ tmp = theObject.vm.read(theObject.offset, self.size)
+ if tmp is None:
+ return None
+ (val, ) = struct.unpack('<'+self.readChar, tmp)
return val
def cdecl(self):
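Review bot: this hunk duplicates the None guard from the previous one almost line for line; since both classes read via theObject.vm.read and unpack with an explicit "<" prefix, a small shared helper on the base type (read the bytes, return None on None or on `len(tmp) != self.size`, else unpack) would keep the two in sync and add the missing length check in one place. As written, a short read of fewer than self.size bytes still raises from struct.unpack('<'+self.readChar, tmp).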
Hi everybody,
This is My First Python(tm), so please be kind! Attached you should
find a patch to cache the PDE values during IA32 address translation.
The resulting speed-up is modest but noteworthy.
I've only enabled caching for non-PAE systems, but it should be easy
enough to copy over to PAE systems as well. What do you think? As a
bonus, this code also includes some endian-neutrality-changes (if
there is such a word) to make the code work better on my Mac.
Hopefully it won't screw up anything else.
Please let me know what you think!
cheers,
--
Jesse
research(a)jessekornblum.com
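The three points raised in this thread, explicit little-endian decoding instead of native '=' formats, read methods that return None for an unavailable page instead of crashing in struct.unpack, and caching PDE lookups during non-PAE IA32 translation, fit together in one small worked example. The code below is an added illustration, not Volatility's own address space or object code; PhysicalMemory, IA32PagedMemory, read_ulong and the three-page sample image are all constructed for this example.

```python
import struct

PAGE_SIZE = 0x1000


class PhysicalMemory:
    """Flat view over a raw image; read() returns None instead of raising
    when the requested range falls outside the image (hypothetical class)."""

    def __init__(self, data):
        self.data = data

    def read(self, offset, length):
        if offset < 0 or offset + length > len(self.data):
            return None
        return self.data[offset:offset + length]


class IA32PagedMemory:
    """Toy non-PAE IA32 translator with a per-instance PDE cache (hypothetical)."""

    def __init__(self, phys, dtb):
        self.phys = phys
        self.dtb = dtb
        self.pde_cache = {}     # page-directory index -> decoded PDE (or None)
        self.cache_hits = 0

    def _read_entry(self, paddr):
        raw = self.phys.read(paddr, 4)
        if raw is None or len(raw) != 4:
            return None
        # '<L' forces little-endian decoding; '=L' would use the host's byte
        # order and silently mis-decode entries on a big-endian machine.
        (entry,) = struct.unpack('<L', raw)
        return entry

    def pde(self, vaddr):
        idx = vaddr >> 22
        if idx in self.pde_cache:
            self.cache_hits += 1
            return self.pde_cache[idx]
        entry = self._read_entry(self.dtb + idx * 4)
        self.pde_cache[idx] = entry
        return entry

    def vtop(self, vaddr):
        pde = self.pde(vaddr)
        if pde is None or not pde & 1:           # PDE unreadable or not present
            return None
        if pde & 0x80:                            # 4 MB page (PS bit set)
            return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
        pte = self._read_entry((pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4)
        if pte is None or not pte & 1:            # PTE unreadable or not present
            return None
        return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

    def read(self, vaddr, length):
        # Single-page reads only in this toy; None when the page is not mapped.
        paddr = self.vtop(vaddr)
        if paddr is None:
            return None
        return self.phys.read(paddr, length)


def read_ulong(vm, vaddr):
    """Object-style value reader: propagates None instead of unpacking it."""
    raw = vm.read(vaddr, 4)
    if raw is None or len(raw) != 4:
        return None
    (val,) = struct.unpack('<L', raw)
    return val


def native_vs_explicit(raw):
    """What '=L' would yield on a little-endian host versus a big-endian one."""
    return struct.unpack('<L', raw)[0], struct.unpack('>L', raw)[0]


def build_sample_memory():
    """Constructed 3-page image: page directory at 0x0, page table at 0x1000,
    data page at 0x2000. PTE 1 is left non-present to stand in for a page
    that is paged out or 'in transition'."""
    mem = bytearray(3 * PAGE_SIZE)
    dtb = 0x0
    struct.pack_into('<L', mem, dtb, 0x1000 | 0x3)        # PDE 0 -> table, present
    struct.pack_into('<L', mem, 0x1000, 0x2000 | 0x3)     # PTE 0 -> data page, present
    struct.pack_into('<L', mem, 0x1000 + 4, 0x0)          # PTE 1 not present
    struct.pack_into('<L', mem, 0x2000, 0xDEADBEEF)       # value to read back
    return PhysicalMemory(bytes(mem)), dtb


def demo():
    phys, dtb = build_sample_memory()
    vm = IA32PagedMemory(phys, dtb)
    present = read_ulong(vm, 0x00000000)    # 0xDEADBEEF
    missing = read_ulong(vm, 0x00001000)    # None: PTE 1 is not present
    return present, missing, vm.cache_hits  # second lookup hit the PDE cache


if __name__ == '__main__':
    print(demo())
    print(native_vs_explicit(b'\xef\xbe\xad\xde'))
```

The cache is keyed on the page-directory index, so every address in the same 4 MB region after the first reuses the decoded PDE; a real implementation would also need to invalidate it if the DTB changes, and would split reads that cross a page boundary.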
What is the old object model? Can you give an example of how things have changed?
Will the scripts in vmodules be changing as well, or are they already using the
new model?
--
Jesse
jessek(a)speakeasy.net
On Fri Oct 3 18:07 , AAron Walters sent:
>
>
>Jun,
>
>I don't know about a trap, but it is something. By the way, you may want
>to check out the examples in the memory_plugins directory. These plugins
>all use the new object model which everything will be transitioning to in
>the near future.
>
>Thanks,
>
>AW
>
>On Sat, 4 Oct 2008, Jun Koi wrote:
>
>> On Fri, Oct 3, 2008 at 10:36 PM, AAron Walters awalters(a)4tphi.net> wrote:
>>>
>>> Jun,
>>>
>>> The types variable is instantiated from vtypes.py. This is the part of the
>>> Profile used to describe the operating system's data types.
>>
>> What a trap!
>>
>> Thanks,
>> J
>>
>>
>>
>>
>>> On Fri, 3 Oct 2008, Jun Koi wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to read the code, and found this in vmodules.py:
>>>>
>>>> def get_connections(cmdname, argv):
>>>> """
>>>>
>>>> Function prints a list of open connections
>>>> """
>>>> op = get_standard_parser(cmdname)
>>>> opts, args = op.parse_args(argv)
>>>>
>>>> star_line = '*'*72
>>>>
>>>> (addr_space, symtab, types) = load_and_identify_image(op, opts) #
>>>> Here
>>>>
>>>> connections = tcb_connections(addr_space, types, symtab)
>>>> ....
>>>>
>>>> I don't understand what the "types" variable above means. Even tracking
>>>> back through the source, I don't see how it is produced.
>>>>
>>>> Could anybody explain a bit, so I can continue to dig? (sorry that my
>>>> Python skill is still very modest)
>>>>
>>>> Thanks,
>>>> J
>>>> _______________________________________________
>>>> Vol-dev mailing list
>>>> Vol-dev(a)volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>>>>
>>>
>>
Hi,
I am trying to read the code, and found this in vmodules.py:
def get_connections(cmdname, argv):
"""
Function prints a list of open connections
"""
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
star_line = '*'*72
(addr_space, symtab, types) = load_and_identify_image(op, opts) # <-- Here
connections = tcb_connections(addr_space, types, symtab)
....
I don't understand what the "types" variable above means. Even tracking
back through the source, I don't see how it is produced.
Could anybody explain a bit, so I can continue to dig? (sorry that my
Python skill is still very modest)
Thanks,
J
Greetings,
This looks to be where the cool kids are hanging out these days, so I
thought I would pop in. I'm just getting familiar with Volatility, and
I think the project is a great idea. I plan on following it closely and
hope to contribute code/debugging in the future.
However, I have run into a problem. I'm trying to get familiar with
the tools using the Windows XP images available in:
http://www.cfreds.nist.gov/mem/memory-images.rar
When I run things like:
python volatility datetime -f xp-laptop-2005-07-04-1430.img
python volatility pslist -f xp-laptop-2005-07-04-1430.img
I get the following:
Traceback (most recent call last):
File "/usr/local/src/Volatility-1.1.1/volatility", line 143, in <module>
main()
File "/usr/local/src/Volatility-1.1.1/volatility", line 139, in main
modules[argv[1]].execute(argv[1], argv[2:])
File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 54, in execute
self.cmd_execute(module, args)
File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 108, in get_datetime
(addr_space, symtab, types) = load_and_identify_image(op, opts)
File "/usr/local/src/Volatility-1.1.1/vutils.py", line 152, in load_and_identify_image
dtb = guess_dtb(filename, op)
File "/usr/local/src/Volatility-1.1.1/vutils.py", line 69, in guess_dtb
dtb = find_dtb(flat_address_space, types)
File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 104, in find_dtb
return process_dtb(addr_space, types, offset)
File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 138, in process_dtb
['_EPROCESS', 'Pcb', 'DirectoryTableBase', 0], task_vaddr)
File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 168, in read_obj
return read_value(addr_space, current_type, vaddr + offset)
File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 70, in read_value
(val, ) = struct.unpack(type_unpack_char, buf)
File "/usr/lib/python2.5/struct.py", line 87, in unpack
return o.unpack(s)
struct.error: unpack requires a string argument of length 8
Since I'm running Volatility 1.1.1, I'd guess that this may have already
been fixed in 1.2.* or 1.3.*. I've read through all of the mailing list
archives and scoured your project site, but I can't seem to find those
newer versions for download. Perhaps I'm just totally missing
something. Could someone point me in the right direction to get the
latest version? SVN or other development repository would be fine, I
don't mind messing with bleeding edge stuff.
The second reason for my post is that I'll be giving an introductory
training course on incident response and digital forensics next month,
and I had considered introducing students to volatility and other memory
analysis tools. Do you folks have suggestions as to which features of
volatility would be the best to showcase in that type of setting?
thanks,
tim
We are getting ready to release Volatility-1.2. If you have some changes you
would like to see in this release, please let me know by the end of the week.
If you are interested in testing the release candidate, send me an email. I've
included the CHANGELOG for this release:
CHANGELOG
09.21.2007 Volatility-1.2.1pre awalters
* New Module: usrdmp
Files:
vmodules.py
Description:
Dumps a process's address space. Thanks Eoghan Casey.
09.20.2007 Volatility-1.2pre awalters
* New Module: modscan
Files:
vmodules.py
forensics/win32/scan.py
forensics/win32/globals.py
Description:
Performs a linear scan for memory resident Windows modules.
Contributed by Andreas Schuster.
* New Module: memmap
Files:
vmodules.py
forensics/x86.py
Description:
Provides a map of the virtual to physical address translations
within a particular address space. Based on similar tools by
Andreas Schuster (memdump.pl) and Brendan Dolan-Gavitt
(memdump.py).
* New Module: dmpchk
Files:
vmodules.py
forensics/win32/crash_addrspace.py
Description:
Prints auxiliary information about the crash dump file.
* New Module: WindowsCrashDumpSpace32
Files:
forensics/x86.py
forensics/win32/crash_addrspace.py
Description:
Provides the ability to use crash dumps as input to Volatility.
This is accomplished through the use of stackable address spaces.
Contributions from Andreas Schuster.
* New Feature: get_available_pages()
Files:
forensics/x86.py
Description:
This function allows an investigator to find all available pages
within a particular address space. Thanks Brendan Dolan-Gavitt.
* New Feature: zread()
Files:
forensics/x86.py
forensics/addrspace.py
forensics/win32/crash_addrspace.py
Description:
Added the ability to continue reading even if pages are
unavailable. Invalid pages are replaced with zeros. Thanks Brendan
Dolan-Gavitt.
thanks,
AW