Hi,
I am trying to read the code, and found this in vmodules.py:
def get_connections(cmdname, argv):
    """
    Function prints a list of open connections
    """
    op = get_standard_parser(cmdname)
    opts, args = op.parse_args(argv)
    star_line = '*'*72
    (addr_space, symtab, types) = load_and_identify_image(op, opts) # <-- Here
    connections = tcb_connections(addr_space, types, symtab)
    ....
I don't understand what the "types" variable above means. Even tracking
back through the source, I don't see how it is produced.
Anybody could explain a bit, so I can continue to dig? (sorry that my
Python skill is still very modest)
Thanks,
J
Greetings,
This looks to be where the cool kids are hanging out these days, so I
thought I would pop in. I'm just getting familiar with Volatility, and
I think the project is a great idea. I plan on following it closely and
hope to contribute code/debugging in the future.
However, I have run into a problem. I'm trying to get familiar with
the tools using the Windows XP images available in:
http://www.cfreds.nist.gov/mem/memory-images.rar
When I run things like:
python volatility datetime -f xp-laptop-2005-07-04-1430.img
python volatility pslist -f xp-laptop-2005-07-04-1430.img
I get the following:
Traceback (most recent call last):
  File "/usr/local/src/Volatility-1.1.1/volatility", line 143, in <module>
    main()
  File "/usr/local/src/Volatility-1.1.1/volatility", line 139, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 54, in execute
    self.cmd_execute(module, args)
  File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 108, in get_datetime
    (addr_space, symtab, types) = load_and_identify_image(op, opts)
  File "/usr/local/src/Volatility-1.1.1/vutils.py", line 152, in load_and_identify_image
    dtb = guess_dtb(filename, op)
  File "/usr/local/src/Volatility-1.1.1/vutils.py", line 69, in guess_dtb
    dtb = find_dtb(flat_address_space, types)
  File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 104, in find_dtb
    return process_dtb(addr_space, types, offset)
  File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 138, in process_dtb
    ['_EPROCESS', 'Pcb', 'DirectoryTableBase', 0], task_vaddr)
  File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 168, in read_obj
    return read_value(addr_space, current_type, vaddr + offset)
  File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 70, in read_value
    (val, ) = struct.unpack(type_unpack_char, buf)
  File "/usr/lib/python2.5/struct.py", line 87, in unpack
    return o.unpack(s)
struct.error: unpack requires a string argument of length 8
Since I'm running Volatility 1.1.1, I'd guess that this may have already
been fixed in 1.2.* or 1.3.*. I've read through all of the mailing list
archives and scoured your project site, but I can't seem to find those
newer versions for download. Perhaps I'm just totally missing
something. Could someone point me in the right direction to get the
latest version? SVN or other development repository would be fine, I
don't mind messing with bleeding edge stuff.
The second reason for my post is that I'll be giving an introductory
training course on incident response and digital forensics next month,
and I had considered introducing students to volatility and other memory
analysis tools. Do you folks have suggestions as to which features of
volatility would be the best to showcase in that type of setting?
thanks,
tim
We are getting ready to release Volatility-1.2. If you have some changes you
would like to see in this release, please let me know by the end of the week.
If you are interested in testing the release candidate, send me an email. I've
included the CHANGELOG for this release:
CHANGELOG

09.21.2007 Volatility-1.2.1pre awalters

  * New Module: usrdmp
    Files:
      vmodules.py
    Description:
      Dumps a process's address space. Thanks Eoghan Casey.

09.20.2007 Volatility-1.2pre awalters

  * New Module: modscan
    Files:
      vmodules.py
      forensics/win32/scan.py
      forensics/win32/globals.py
    Description:
      Performs a linear scan for memory resident Windows modules.
      Contributed by Andreas Schuster.

  * New Module: memmap
    Files:
      vmodules.py
      forensics/x86.py
    Description:
      Provides a map of the virtual to physical address translations
      within a particular address space. Based on similar tools by
      Andreas Schuster (memdump.pl) and Brendan Dolan-Gavitt
      (memdump.py).

  * New Module: dmpchk
    Files:
      vmodules.py
      forensics/win32/crash_addrspace.py
    Description:
      Prints auxiliary information about the crash dump file.

  * New Module: WindowsCrashDumpSpace32
    Files:
      forensics/x86.py
      forensics/win32/crash_addrspace.py
    Description:
      Provides the ability to use crash dumps as input to Volatility.
      This is accomplished through the use of stackable address spaces.
      Contributions from Andreas Schuster.

  * New Feature: get_available_pages()
    Files:
      forensics/x86.py
    Description:
      This function allows an investigator to find all available pages
      within a particular address space. Thanks Brendan Dolan-Gavitt.

  * New Feature: zread()
    Files:
      forensics/x86.py
      forensics/addrspace.py
      forensics/win32/crash_addrspace.py
    Description:
      Added the ability to continue reading even if pages are
      unavailable. Invalid pages are replaced with zeros. Thanks Brendan
      Dolan-Gavitt.
thanks,
AW
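An added example, not code from the Volatility project or from any poster in this thread, that ties together three things discussed above: the "types" dictionary J asks about, the read_obj()/read_value() path in tim's traceback that ends in a bare struct.error when the image runs out before the requested bytes, and the zero-padding zread() listed in AW's changelog. Everything in it is constructed for illustration: the nested [size, {member: [offset, [type]]}] layout of TYPES, the struct sizes and offsets (they are not Windows XP's real ones), the FlatAddressSpace stand-in and the 0x140-byte sample image.

```python
import struct

# Constructed type table in the nested-dictionary style that the read_obj()
# call in the traceback walks: struct name -> [size, {member: [offset, [type]]}].
# The sizes and offsets are invented for this example; they are not Windows XP's.
TYPES = {
    '_EPROCESS': [0x40, {
        'Pcb': [0x00, ['_KPROCESS']],
        'UniqueProcessId': [0x20, ['unsigned long']],
    }],
    '_KPROCESS': [0x20, {
        'DirectoryTableBase': [0x18, ['array', 2, ['unsigned long']]],
    }],
}

# Primitive type name -> struct format (little-endian, 32-bit Windows sizes).
FORMATS = {'unsigned long': '<L', 'unsigned short': '<H', 'unsigned char': '<B'}


def type_size(types, name):
    """Size in bytes of a struct from the table or of a primitive from FORMATS."""
    if name in types:
        return types[name][0]
    return struct.calcsize(FORMATS[name])


class FlatAddressSpace:
    """Physical (flat) view over an in-memory image; a stand-in for the real class."""

    def __init__(self, image):
        self.image = image

    def read(self, offset, length):
        # Behaves like a plain file read: returns fewer bytes past the end of the image.
        return self.image[offset:offset + length]

    def zread(self, offset, length):
        # Zero-padding read in the spirit of the changelog's zread(): bytes that are
        # not available come back as zeros instead of a short buffer.
        data = self.read(offset, length)
        return data + b'\x00' * (length - len(data))


def read_value(addr_space, type_name, vaddr, pad=False):
    """Read one primitive; with pad=False a short read is reported explicitly."""
    fmt = FORMATS[type_name]
    size = struct.calcsize(fmt)
    buf = addr_space.zread(vaddr, size) if pad else addr_space.read(vaddr, size)
    if len(buf) != size:
        # Name the address instead of letting struct.unpack raise a bare struct.error.
        raise ValueError('short read of %d/%d bytes at 0x%x' % (len(buf), size, vaddr))
    (val,) = struct.unpack(fmt, buf)
    return val


def read_obj(addr_space, types, member_list, vaddr, pad=False):
    """Resolve ['_STRUCT', 'member', 'submember', index, ...] to an offset and read it."""
    current_type = [member_list[0]]
    offset = 0
    for item in member_list[1:]:
        if current_type[0] == 'array':
            # ['array', count, [element_type]] is indexed by an integer
            _, count, elem_type = current_type
            if not 0 <= item < count:
                raise IndexError('array index %r out of range' % item)
            offset += item * type_size(types, elem_type[0])
            current_type = elem_type
        else:
            _, members = types[current_type[0]]
            member_offset, current_type = members[item]
            offset += member_offset
    if current_type[0] == 'array' or current_type[0] in types:
        raise TypeError('member list does not end in a primitive: %r' % current_type)
    return read_value(addr_space, current_type[0], vaddr + offset, pad)


def build_sample_image():
    """Constructed 0x140-byte image with one fake _EPROCESS at offset 0x100."""
    image = bytearray(0x140)
    struct.pack_into('<LL', image, 0x100 + 0x18, 0x00319000, 0)  # DirectoryTableBase[0..1]
    struct.pack_into('<L', image, 0x100 + 0x20, 4)               # UniqueProcessId
    return bytes(image)


def demo():
    """Return (dtb, pid, error text for a truncated read, zero-padded value)."""
    space = FlatAddressSpace(build_sample_image())
    dtb_path = ['_EPROCESS', 'Pcb', 'DirectoryTableBase', 0]
    dtb = read_obj(space, TYPES, dtb_path, 0x100)
    pid = read_obj(space, TYPES, ['_EPROCESS', 'UniqueProcessId'], 0x100)
    # A candidate _EPROCESS at 0x130 runs off the end of the image: read() comes
    # back short (this is what the bare struct.error in the traceback hides) ...
    try:
        read_obj(space, TYPES, dtb_path, 0x130)
        short = None
    except ValueError as err:
        short = str(err)
    # ... while the zero-padding read returns 0, which a caller can then reject.
    padded = read_obj(space, TYPES, dtb_path, 0x130, pad=True)
    return dtb, pid, short, padded


if __name__ == '__main__':
    print(demo())
```

The point of the two read paths is the one behind tim's traceback: a scanner that walks candidate _EPROCESS offsets near the end of an image will eventually ask for bytes that are not there, and the useful outcome is either an error that names the address or a zero-filled value the caller can treat as "no DTB here", not an unpack failure five frames deep.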