Hi,
I am looking at the linux_tmpfs plugin and have a problem that I think is
related to Windows. The problem happens when I try to extract tmpfs files.
I'm not a python programmer but it seems to be related to str vs the String
module.
If I patch tmpfs.py and I convert the "String" module into str, everything
works as expected:
new_file = os.path.join(parent, str(name))
(https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…)
Here's my error with tmpfs.py r3097:
H:\Volatility\Volatility2.3SVN-3070>python vol.py -f Evo4GRodeo.lime --profile=LinuxEvo4Gx86 linux_tmpfs -S 1 -D app-cache
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure tty_struct not present in vtypes
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
Traceback (most recent call last):
File "vol.py", line 186, in <module>
main()
File "vol.py", line 177, in main
command.execute()
File "H:\Volatility\Volatility2.3SVN-3070\volatility\plugins\linux\common.py", line 57, in execute
commands.Command.execute(self, *args, **kwargs)
File "H:\Volatility\Volatility2.3SVN-3070\volatility\commands.py", line 111, in execute
func(outfd, data)
File "H:\Volatility\Volatility2.3SVN-3070\volatility\plugins\linux\tmpfs.py", line 177, in render_text
for (i, path) in data:
File "H:\Volatility\Volatility2.3SVN-3070\volatility\plugins\linux\tmpfs.py", line 160, in calculate
self.walk_sb(root_dentry)
File "H:\Volatility\Volatility2.3SVN-3070\volatility\plugins\linux\tmpfs.py", line 108, in walk_sb
self.process_directory(root_dentry, parent = cur_dir)
File "H:\Volatility\Volatility2.3SVN-3070\volatility\plugins\linux\tmpfs.py", line 72, in process_directory
new_file = os.path.join(parent, name)
File "H:\Python27\lib\ntpath.py", line 73, in join
elif isabs(b):
File "H:\Python27\lib\ntpath.py", line 57, in isabs
s = splitdrive(s)[1]
File "H:\Python27\lib\ntpath.py", line 125, in splitdrive
if p[1:2] == ':':
TypeError: 'String' object has no attribute '__getitem__'
Is there something I can do to correct the problem from my side or should I
open an issue on google code?
Regards,
Sebastien
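The failure in the message above comes from handing os.path.join() a Volatility String object rather than a Python str: on Windows, ntpath.join() inspects each component to detect a drive letter, and a wrapper type that is not a str fails inside that inspection. The following is an added example, not code from the post or from Volatility; VolString is a constructed stand-in for Volatility's String object, and the example uses ntpath explicitly so the Windows behaviour reproduces on any platform (the exception text differs between Python 2 and 3, but both raise TypeError).

```python
"""Reproduce the os.path.join() failure on a non-str name and show the fix.

Added example, not Volatility code.  VolString is a constructed stand-in
for the String object that Volatility reads out of the image: it converts
cleanly with str() but is not a str itself and has no __getitem__ or
__fspath__, which is exactly what ntpath.join() trips over.
"""
import ntpath


class VolString(object):
    """Constructed stand-in for Volatility's String object."""

    def __init__(self, raw):
        self._raw = raw

    def __str__(self):
        # str() is the only conversion the wrapper supports, matching
        # the fix the post applied: os.path.join(parent, str(name)).
        return self._raw


def join_unsafe(parent, name):
    """The call as it was in tmpfs.py: the wrapper goes straight to join().

    On Windows (ntpath) this raises TypeError, because join() needs to
    slice / fspath() the component to look for a drive letter."""
    return ntpath.join(parent, name)


def join_fixed(parent, name):
    """The patched call: coerce the image-derived name to str first."""
    return ntpath.join(parent, str(name))


def demo():
    """Return (unsafe_call_succeeded, fixed_result) for one sample name.

    Expected: (False, 'app-cache\\\\cache.dat') -- the unsafe call fails,
    the coerced call builds a normal Windows path under the -D directory."""
    name = VolString("cache.dat")  # constructed sample file name
    try:
        join_unsafe("app-cache", name)
        unsafe_ok = True
    except TypeError:
        unsafe_ok = False
    return unsafe_ok, join_fixed("app-cache", name)


if __name__ == "__main__":
    print(demo())
```

The same coercion is harmless on Linux and OS X (posixpath.join() is simply less strict about its arguments), which is why the bug only showed up when the plugin was run from Windows.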
Hello All,
We were writing to announce the first annual Volatility framework
plugin writing contest:
http://volatility-labs.blogspot.com/2013/01/the-1st-annual-volatility-frame…
This contest is modeled after the well-known Hex-Rays plugin contest,
and we hope to attract the same level of high-quality submissions as
seen in the IDA contests.
To the winners we offer a variety of cash prizes, recognition, and a
chance to speak at our yearly conference.
If you have any questions or comments please contact me directly or
use the contact information listed in the blog post.
Thanks,
Andrew
Hello,
We were writing to announce that the next public offering of Windows
malware and memory forensics training by Volatility developers has
been set for March 18-22nd in Chicago.
Full details can be found here:
http://volatility-labs.blogspot.com/2013/01/windows-malware-and-memory-fore…
If you have any questions or comments then please contact me directly
or use the information listed on the blog post.
Thanks,
Andrew (@attrc)
Hi,
I've uploaded a tarball [1] containing a number of Volatility plugins which
provide support for the DalvikVM and Android. I didn't provide a
patch set, because there are only new files included. However, I can do
so or can open an issue, whatever would be most convenient.
The plugins are named:
- dalvik_find_gdvm_offset
- dalvik_vms
- dalvik_loaded_classes
- dalvik_class_information
- dalvik_find_class_instance
- dalvik_app_mirrored
Any comments would be appreciated. This is part of a research project I
need to have finished by the end of the year, so if someone suggests
fundamental changes, I most likely won't have the immediate time to look
at it. Just wanted to provide my code, because obviously there is some
interest (cf. vol-users@).
Ideally, I could get a branch in SVN to get this integrated into
upcoming Volatility releases.
I've attached a README.dalvik which gives some meta information about
the plugins and could become a corresponding wiki article.
Thanks to Joe Sylve and Andrew Case for providing me with some initial
guidelines.
Regards,
Holger
[1] http://www.homac.de/files/Volatility-Dalvik-support-v1.tar.bz2
I've noticed that on an unpatched Windows 7 x64 SP1 machine, the _KTHREAD
structure ends as follows:
+350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+358 XSaveState : Ptr64 _XSAVE_STATE
On a version of the machine that is up to date on patches, I see _KTHREAD
ending like this:
+350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+358 StateSaveArea : Ptr64 _XSAVE_FORMAT
+360 XSaveState : Ptr64 _XSAVE_STATE
The result is that fields in the _ETHREAD structure are shifted by 8 bytes
on the patched machine.
I can't be certain that it was a Microsoft Update (I'm only assuming), but
does anyone know which patch causes the update?
At the very least, is there a good method for detecting if a memory image
uses one version of KTHREAD or the other?
Any information would be helpful.
Thanks!
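To make the shift described above concrete, here is an added example (not Volatility code, and not from the post's author) that parses two struct layouts in the "+offset Name : Type" form shown in the message and reports which fields were inserted and by how many bytes each common field moved. The two layouts embedded in it are copied from the post; the parser and the comparison are assumptions about how one would work with such dumps, and the line format is assumed to be the one printed by a WinDbg-style dt listing.

```python
"""Diff two dt-style struct layouts and report inserted fields and offset shifts.

Added example, not Volatility code.  The UNPATCHED and PATCHED layouts are
the _KTHREAD tails quoted in the post; everything else is an assumption
about how to compare such listings.
"""
import re

# One field per line: "+<hex offset> <Name> : <type text>".
LINE_RE = re.compile(r"^\s*\+([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")

# Layout tails copied from the post (unpatched vs. patched Win7 x64 SP1).
UNPATCHED = """
+350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+358 XSaveState : Ptr64 _XSAVE_STATE
"""

PATCHED = """
+350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+358 StateSaveArea : Ptr64 _XSAVE_FORMAT
+360 XSaveState : Ptr64 _XSAVE_STATE
"""


def parse_layout(text):
    """Return {field_name: (offset, type_text)} from dt-style lines.

    Offsets are hexadecimal, as dt prints them; lines that do not match
    the field pattern (blank lines, headers) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields


def diff_layouts(old_text, new_text):
    """Describe how the new layout differs from the old one.

    Returns (inserted, shifted): `inserted` lists fields that exist only in
    the new layout, in order; `shifted` maps each field common to both to
    its offset delta in bytes (0 means it did not move)."""
    old_f = parse_layout(old_text)
    new_f = parse_layout(new_text)
    inserted = [name for name in new_f if name not in old_f]
    shifted = {name: new_f[name][0] - old_f[name][0]
               for name in old_f if name in new_f}
    return inserted, shifted


def trailing_shift(old_text, new_text):
    """Largest offset delta among common fields: how far everything after
    the insertion point (including members of an embedding struct such
    as _ETHREAD) has moved."""
    _, shifted = diff_layouts(old_text, new_text)
    return max(shifted.values()) if shifted else 0


if __name__ == "__main__":
    inserted, shifted = diff_layouts(UNPATCHED, PATCHED)
    print("inserted:", inserted)          # ['StateSaveArea']
    print("shifted:", shifted)            # {'ThreadCounters': 0, 'XSaveState': 8}
    print("trailing shift:", trailing_shift(UNPATCHED, PATCHED))  # 8
```

Run against full dt output for the two builds, the inserted-field list and the trailing shift are the two numbers you need when deciding whether one profile's vtypes can be reused or a second profile is required; the parser itself does not tell you which build produced a given image, only how the two candidate layouts differ.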
Hi list,
I'm pleased to announce that the Volatility Framework is now available in the FreeBSD
ports tree as security/py-volatility [1] since tonight.
This was made possible by the efforts of Antoine Brodin and Sofian Brabez.
Just make -C /usr/ports/security/py-volatility install clean, then try it with
vol.py and a random dump.
$ vol.py imageinfo -f /tmp/memory.dmp
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x86, Win7SP1x86
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/memory.dmp)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82948c28
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x82949c00
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-05-28 02:57:03 UTC+0000
Image local date and time : 2012-05-27 22:57:03 -0400
Regards
--
Sofian Brabez
Hello,
We are writing to announce the public offering of our Windows Memory
Forensics for Analysts training course. This course is taught directly by
Volatility developers, and will provide intense training in memory
forensics for incident response, malware analysis, and digital forensic
investigation. Full details can be found here:
http://volatility-labs.blogspot.com/2012/11/windows-memory-forensics-traini…
Please write or comment on the post if you have any questions or comments.
Thanks,
Andrew (@attrc)
Hello,
I'm currently in need of extracting page tables from a Linux memory
image (with a known profile). Can anyone point me in the direction of
Volatility's code that would handle the page tables ?
Thanks,
Nhan
Hi,
I'm a forensics developer hoping to help out with this project. Let me know
if you have anything that needs working on and hopefully I can contribute
to this great open source project. Thanks.
Regards,
Fuchee Vang
Hi all,
Make that OS X 10.8 (Mountain Lion). 12.1.0 is the kernel version. My apologies. I don't use Macs a lot, and 10.8 doesn't appear in the uname -a output for some unknown reason.
John
From: McCash John-GKJN37
Sent: Tuesday, August 28, 2012 4:34 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: problem analyzing dump from MacOSX 12.1.0.x86_64
Hi,
I've got to beg some help again. After finally getting Volatility for Linux to work, I procured a Mac mini to test Volatility in that space. I've carefully followed the instructions at http://code.google.com/p/volatility/wiki/MacMemoryForensics to create a profile file named 12.1.0.64bit.zip, which I placed in the volatility/plugins/overlays/mac folder. When I use the -info option in volatility, I see the profile as Mac12_1_0_64bitx64, so it's getting that far. However when I try to actually analyze an 8GB dump (dumped using MacMemoryreader_3.0.2) from the same Mac mini that I used to generate the profile, I get the following issues:
$ python ./vol.py mac_machine_info --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj : Deprecation warning: A plugin is making use of profile.add_types
Major Version: -
Minor Version: -
Memory Size: -
Max CPUs: -
Physical CPUs: -
Logical CPUs: -
$ python ./vol.py mac_dmesg --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj : Deprecation warning: A plugin is making use of profile.add_types
Traceback (most recent call last):
File "./vol.py", line 185, in <module>
main()
File "./vol.py", line 176, in main
command.execute()
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 57, in render_text
for buf in data:
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 41, in calculate
if bufc[bufx] == 0 and bufc[0] != 0:
TypeError: string indices must be integers, not NoneObject
$ python ./vol.py imageinfo --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
Determining profile based on KDBG search...
Traceback (most recent call last):
File "./vol.py", line 185, in <module>
main()
File "./vol.py", line 176, in main
command.execute()
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 34, in render_text
for k, v in data:
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 44, in calculate
suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/kdbgscan.py", line 112, in calculate
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 743, in __getattr__
return self.m(attr)
File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 725, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBGHeader
Does anyone know what may be going on here?
Thanks
John
P.S. Here's my -info output:
$ python ./vol.py --info
Volatile Systems Volatility Framework 2.1_rc3
Scanner Checks
--------------
CheckHiveSig - Check for a registry hive signature
CheckPoolIndex - Checks the pool index
CheckPoolSize - Check pool block size
CheckPoolType - Check the pool type
CheckProcess - Check sanity of _EPROCESS
CheckSocketCreateTime - Check that _ADDRESS_OBJECT.CreateTime makes sense
CheckThreads - Check sanity of _ETHREAD
KPCRScannerCheck - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck - This scanner checks for the occurance of a pool tag
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - No docs
FileAddressSpace - This is a direct file AS.
IA32PagedMemory - Legacy x86 non PAE address space (to use specify --use_old_as)
IA32PagedMemoryPae - Legacy x86 PAE address space (to use specify --use_old_as)
JKIA32PagedMemory - Standard x86 32 bit non PAE address space.
JKIA32PagedMemoryPae - Standard x86 32 bit PAE address space.
LimeAddressSpace - Address space for Lime
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
Profiles
--------
LinuxDebian2632x86 - A Profile for Linux Debian2632 x86
Mac12_1_0_64bitx64 - A Profile for Mac 12.1.0.64bit x64
Macmac_profilex64 - A Profile for Mac mac_profile x64
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Plugins
-------
apihooks - Detect API hooks in process and kernel memory
bioskbd - Reads the keyboard buffer from Real Mode memory
callbacks - Print system-wide notification routines
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
driverscan - Scan for driver objects _DRIVER_OBJECT
envars - Display process environment variables
filescan - Scan Physical memory for _FILE_OBJECT pool allocations
gdt - Display Global Descriptor Table
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Scan Physical memory for _CMHIVE objects (registry hives)
idt - Display Interrupt Descriptor Table
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
linux_arp - Print the ARP table
linux_cpuinfo - Prints info about each active processor
linux_dmesg - Gather dmesg buffer
linux_dump_map - No docs
linux_ifconfig - Gathers active interfaces
linux_iomem - Provides output similar to /proc/iomem
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists open files
linux_memmap - Dumps the memory map for linux tasks.
linux_mount - Gather mounted fs/devices
linux_netstat - Lists open sockets
linux_proc_maps - gathers process maps for linux
linux_psaux - gathers processes along with full command line and start time
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_route_cache - Lists routing table
lsadump - Dump (decrypted) LSA secrets from the registry
mac_arp - prints the arp table
mac_dmesg - prints the kernel debug buffer
mac_get_processors - No docs
mac_ifconfig - No docs
mac_ip_filters - No docs
mac_list_open_files - No docs
mac_lsmod - No docs
mac_machine_info - No docs
mac_mount - No docs
mac_netstat - No docs
mac_notifiers - detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_proc_maps - No docs
mac_psaux - No docs
mac_pslist - No docs
mac_route - No docs
mac_runq - No docs
mac_trustedbsd - No docs
mac_version - No docs
mac_vfs_events - No docs
mac_wait_queues - No docs
malfind - Find hidden and injected code
memdump - Dump the addressable memory for a process
memmap - Print the memory map
moddump - Dump a kernel driver to an executable file sample
modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules - Print list of loaded modules
mutantscan - Scan for mutant objects _KMUTANT
netscan - Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher - Patches memory based on page scans
printkey - Print a registry key, and its subkeys and values
procexedump - Dump a process to an executable file sample
procmemdump - Dump a process to an executable memory sample
pslist - print all running processes by following the EPROCESS lists
psscan - Scan Physical memory for _EPROCESS pool allocations
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
raw2dmp - Converts a physical memory sample to a windbg crash dump
shimcache - Parses the Application Compatibility Shim Cache registry key
sockets - Print list of open sockets
sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Scan for symbolic link objects
thrdscan - Scan physical memory for _ETHREAD objects
threads - Investigate _ETHREAD and _KTHREADs
timers - Print kernel timers and associated module DPCs
userassist - Print userassist registry keys and information
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
volshell - Shell in the memory image
yarascan - Scan process or kernel memory with Yara signatures