Attached please find a patch against the SVN version of Volatility
that allows the framework to work properly on big endian systems.
While I know big endian systems are not the majority users, I think
it's easy enough to patch. Most of the changes involve explicitly
telling the decode function that the source data was from a little
endian system.
cheers,
Here's the original version of the framework on a big endian system:
$ python volatility ident -f xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: UNKNOWN
And the patched:
$ python volatility ident -f memory-images/xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: Service Pack 2
VM Type: nopae
DTB: 0x39000
Datetime: Mon Jul 04 14:30:32 2005
--
Jesse
research(a)jessekornblum.com
Hi,
I am working to make Volatility work for Vista. In file vtypes.py,
there is something named "_ADDRESS_OBJECT". I cannot find its structure
using Windbg, like I can do with other data structs (such as
_EPROCESS).
So where can I find information about _ADDRESS_OBJECT, with Windbg, or
any other tool?
Thanks a lot,
Jun
I know 1.3 is Beta, but is there any reason setup.py references
"memory_objects.Linux" when it's not in the distribution? I'm
packaging this for my own purposes, and used the attached patch to
greatly minimize the amount of work I had to do for installation.
Now, I can use 'python setup.py install' and everything goes where one
would expect it to.
For system-wide installation purposes, it'd be even nicer if
volatility carved out its own namespace/hierarchy (i.e.
'volatility.forensics', 'volatility.vmodules') so as to lessen chance
of collision with other packages, but I know that would likely end up
making an API change forcing plugin authors to accommodate.
RB
Hi,
I am using Volatility to list the open sockets on my WinXP file image,
with command "sockets". It should display all the open sockets, like
"netstat -a" does, but it didn't display anything. Is that a bug, or
is that the way it is supposed to work?
I tried with "sockscan" on the same image, and yes, this time it shows
a lot of open sockets. The problem is that this command is really
slow: it took a minute or so on a 400MB image.
Meanwhile, "sockscan2" is a lot faster: it returns information almost
immediately.
"connections", "connscan" and "connscan2" show nothing. Is that expected?
I suppose that "connections" and "sockets" are about the same thing.
Is that correct?
Thanks,
Jun
I was just looking over the code for the FileAddressSpace class and I didn't
understand something. I jumped into the IRC room and asked the question,
but nobody was home.
I'm not sure what I'm missing here, but something doesn't seem right to me.
When I look at the __init__ function, it seems like the whitespace is all
messed up. For example, lines 37 and 40 are indented with 8 spaces, but
lines 38 and 39 are indented with tabs. Line 42 doesn't even appear to be
part of the __init__ function. I would think that python would throw an
error about this, but it doesn't seem to mind. What am I missing?
Kevin
Hi,
Does the 1.3 support Windows XP SP3? Or only SP2 is supported?
Does anybody know if 1.3 works with XP-SP2 of Windows in all languages
(French, Spanish, Japanese, ...), or is only English supported?
Final question: is there any plan to support Vista in the near future?
Thanks,
J
If you are using object inheritance in your plugins, you will probably
want to contact me before the upcoming 1.3.1 release. We are in the
process of making some changes that will require updates.
Thanks,
AW
Attached please find a patch to prevent the framework from crashing when
attempting to read an Object's value from memory that cannot be accessed
(e.g. marked invalid, paged out, etc). The patch prevents the code from
crashing but adds the condition that the methods to read values (.v and
.value) may return None.
In my work I've encountered memory images where a unicode string in the
ProcessParameters (i.e. Eprocess -> Peb -> ProcessParameters ->
CommandLine) has been marked "in transition". Volatility 1.3 Beta does
not read data from any page marked Invalid, and read requests for that
data return None. The methods to read object values do not
error check the read method's return value and always attempt to unpack
the returned value. Attempting to unpack a None value results in an
unhandled exception.
Developers should be advised that the .v and .value methods can now
legally return None and should error check the return values of those
functions before attempting to use them.
The plugin that generated these exceptions, a check for generally suspicious
processes and TrueCrypt in particular, will be posted shortly to the
Vol-users mailing list.
cheers,
--
Jesse
jessek(a)speakeasy.net
--- Volatility-1.3_Beta/forensics/object2.py 2008-06-23 14:43:11.000000000 -0400
+++ Volatility-1.3_Beta2/forensics/object2.py 2008-06-23 14:43:12.000000000 -0400
@@ -313,10 +313,16 @@
VType.__init__(self, profile, 0, False, True)
def v(self, theObject):
+ ## Shortcut to value method
return self.value(theObject)
def value(self, theObject):
- (val, ) = struct.unpack("=L", theObject.vm.read(theObject.offset, 4))
+ ## @return Returns the value of the object if available,
+ ## otherwise None.
+ tmp = theObject.vm.read(theObject.offset, 4)
+ if tmp is None:
+ return None
+ (val, ) = struct.unpack("<L", tmp)
return val
def cdecl(self):
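Review bot: the unpack line also changes the format string from "=L" (native byte order) to "<L" (explicit little-endian), which is a behavioural change on big-endian hosts that the description above does not mention; either call it out in the description or split it into the separate endianness patch. The `## @return` lines would also be more useful as the method's docstring, and if `vm.read` can ever return fewer than 4 bytes, `struct.unpack` will still raise `struct.error` after the `None` check, so a `len(tmp) < 4` guard may be worth adding.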
@@ -337,11 +343,16 @@
self.readChar = readChar
def v(self, theObject):
+ ## Shortcut to value method
return self.value(theObject)
def value(self, theObject):
- (val, ) = struct.unpack('='+self.readChar, \
- theObject.vm.read(theObject.offset, self.size))
+ ## @return Returns the value of the object if available,
+ ## otherwise None.
+ tmp = theObject.vm.read(theObject.offset, self.size)
+ if tmp is None:
+ return None
+ (val, ) = struct.unpack('<'+self.readChar, tmp)
return val
def cdecl(self):
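Review bot: this hunk duplicates the read-then-check pattern from the previous one (`tmp = ...read(...)`, `if tmp is None: return None`, `struct.unpack('<'+..., tmp)`); a shared helper on the base VType that takes the format character and size would keep the None contract in one place and make the next type class harder to get wrong. As in the first hunk, the '=' to '<' change is undocumented in the message and should be noted.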
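The two patches above share a theme: unpack with an explicit little-endian format instead of the host's native order, and treat a None from the address space as "value unavailable" rather than crashing. The following is an added example, not code from either patch or from Volatility; FakeAddressSpace, unpack_value and the sample bytes are constructed here, and the short-read guard goes beyond what the patch does.

```python
import struct
import sys

PAGE_SIZE = 0x1000

class FakeAddressSpace:
    """Constructed stand-in for a Volatility address space.

    Pages missing from the dict model invalid / "in transition" pages,
    which the framework's read() reports by returning None."""
    def __init__(self, pages):
        self.pages = pages  # {page_number: bytes of length PAGE_SIZE}

    def read(self, offset, length):
        page, off = divmod(offset, PAGE_SIZE)
        data = self.pages.get(page)
        if data is None:
            return None                    # page cannot be accessed
        return data[off:off + length]      # may be short at a page boundary

def unpack_value(vm, offset, fmt_char, size):
    """Read `size` bytes at `offset` and unpack them as little-endian.

    Returns None when the page is invalid or the read came back short
    (the short-read check is an addition, not part of the patch)."""
    raw = vm.read(offset, size)
    if raw is None or len(raw) < size:
        return None
    (val,) = struct.unpack("<" + fmt_char, raw)   # '<' is host-independent
    return val

def native_vs_explicit(raw):
    """Show why '=L' (native order) and '<L' differ on a big-endian host."""
    (native,) = struct.unpack("=L", raw)
    (little,) = struct.unpack("<L", raw)
    (big,) = struct.unpack(">L", raw)
    return {"host": sys.byteorder, "native": native, "little": little, "big": big}

def describe_ulong(vm, offset):
    """Caller pattern: check for None before using the value."""
    val = unpack_value(vm, offset, "L", 4)
    return "<paged out>" if val is None else "0x%08x" % val

if __name__ == "__main__":
    # Constructed image: page 0 holds 0x12345678 at offset 0x10; page 1 is absent.
    page0 = b"\x00" * 0x10 + b"\x78\x56\x34\x12" + b"\x00" * (PAGE_SIZE - 0x14)
    vm = FakeAddressSpace({0: page0})
    print(describe_ulong(vm, 0x10), describe_ulong(vm, 0x1000))
    print(native_vs_explicit(b"\x78\x56\x34\x12"))
```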
Hi everybody,
This is My First Python(tm), so please be kind! Attached you should
find a patch to cache the PDE values during IA32 address translation.
The resulting speed-up is modest but noteworthy.
I've only enabled caching for non-PAE systems, but it should be easy
enough to copy over to PAE systems as well. What do you think? As a
bonus, this code also includes some endian-neutrality-changes (if
there is such a word) to make the code work better on my Mac.
Hopefully it won't screw up anything else.
Please let me know what you think!
cheers,
--
Jesse
research(a)jessekornblum.com
What is the old object model? Can you give an example of how things have changed?
Will the scripts in vmodules be changing as well, or are they already using the
new model?
--
Jesse
jessek(a)speakeasy.net
On Fri Oct 3 18:07, AAron Walters sent:
>
>
>Jun,
>
>I don't know about a trap, but it is something. By the way, you may want
>to check out the examples in the memory_plugins directory. These plugins
>all use the new object model which everything will be transitioning to in
>the near future.
>
>Thanks,
>
>AW
>
>On Sat, 4 Oct 2008, Jun Koi wrote:
>
>> On Fri, Oct 3, 2008 at 10:36 PM, AAron Walters <awalters(a)4tphi.net> wrote:
>>>
>>> Jun,
>>>
>>> The types variable is instantiated from vtypes.py. This is the part of the
>>> Profile used to describe the operating system's data types.
>>
>> What a trap!
>>
>> Thanks,
>> J
>>
>>
>>
>>
>>> On Fri, 3 Oct 2008, Jun Koi wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to read the code, and found this in vmodules.py:
>>>>
>>>> def get_connections(cmdname, argv):
>>>
>>>> """
>>>>
>>>> Function prints a list of open connections
>>>> """
>>>> op = get_standard_parser(cmdname)
>>>> opts, args = op.parse_args(argv)
>>>>
>>>> star_line = '*'*72
>>>>
>>>> (addr_space, symtab, types) = load_and_identify_image(op, opts) # Here
>>>>
>>>> connections = tcb_connections(addr_space, types, symtab)
>>>> ....
>>>>
>>>> I don't understand what the "types" variable above means. Even tracking
>>>> back through the source, I don't see how it is produced.
>>>>
>>>> Anybody could explain a bit, so I can continue to dig? (sorry that my
>>>> Python skill is still very modest)
>>>>
>>>> Thanks,
>>>> J
>>>> _______________________________________________
>>>> Vol-dev mailing list
>>>> Vol-dev(a)volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>>>>
>>>
>>