Note that the Volatility mac version does not support the 10.8 OSX
yet. Apple at that version changed the symbol used to find the kernel
DTB.
See for example volafox which uses _BootPDPT and _BootPML4 for 10.8:
        if self.build[0:2] == '12': # Mountain Lion
            self.base_address = self.catfishlocation - (self.symbol_list['_lowGlo'] % 0xFFFFFF80) # find table base address
            self.idlepdpt = (self.symbol_list['_BootPDPT'] % 0xFFFFFF80) + self.base_address
            self.bootpml4 = (self.symbol_list['_BootPML4'] % 0xFFFFFF80) + self.base_address
            self.boot_pml4_pt = IA32PML4MemoryPae(FileAddressSpace(self.mempath), self.bootpml4)
While volatility only uses _IdlePDPT and _IdlePML4:
So right now you would have to change volatility to use those other
symbols to make 10.8 work.
Michael.
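As an added example (not code from this thread, volafox or Volatility), here is the address arithmetic of the volafox snippet above written out in Python, with the Darwin 12 symbol choice made explicit and the `% 0xFFFFFF80` trick checked against a plain low-dword mask. The symbol table and catfish offset are constructed values, not from any real kernel.

```python
# Added example, not code from the thread, volafox or Volatility. Reproduces the
# address arithmetic quoted above so the 10.8 symbol change can be exercised.
KERNEL_VA_HIGH = 0xFFFFFF80   # upper dword of xnu 64-bit kernel text VAs

def va_low32(va):
    """Low 32 bits of a kernel VA. volafox spells this `va % 0xFFFFFF80`,
    which only equals the low dword when the upper dword is exactly
    0xFFFFFF80, so check that precondition instead of relying on it."""
    if va >> 32 != KERNEL_VA_HIGH:
        raise ValueError("not a kernel text address: %#x" % va)
    return va & 0xFFFFFFFF

def volafox_style(va):
    """The expression as written in volafox, kept for comparison."""
    return va % 0xFFFFFF80

def kernel_base(catfish_offset, symbols):
    """The 'catfish' signature sits at _lowGlo; subtracting _lowGlo's low
    dword from where catfish was found in the dump gives the kernel's
    physical base, i.e. volafox's self.base_address."""
    return catfish_offset - va_low32(symbols['_lowGlo'])

def dtb_symbols(build):
    """Darwin 12 (OS X 10.8) exposes _BootPDPT/_BootPML4; earlier kernels
    expose _IdlePDPT/_IdlePML4, the only pair Volatility knew at the time."""
    if build.split('.')[0] == '12':
        return '_BootPDPT', '_BootPML4'
    return '_IdlePDPT', '_IdlePML4'

def locate_page_tables(build, catfish_offset, symbols):
    """Physical offsets of the PDPT and PML4 (the DTB) for a given kernel."""
    base = kernel_base(catfish_offset, symbols)
    pdpt_sym, pml4_sym = dtb_symbols(build)
    return {'base': base,
            'pdpt': va_low32(symbols[pdpt_sym]) + base,
            'pml4': va_low32(symbols[pml4_sym]) + base}

# Constructed symbol table and catfish offset; not values from any real kernel.
SAMPLE_SYMBOLS = {
    '_lowGlo':   0xFFFFFF8000002000,
    '_BootPDPT': 0xFFFFFF8000204000,
    '_BootPML4': 0xFFFFFF8000203000,
    '_IdlePDPT': 0xFFFFFF8000205000,
    '_IdlePML4': 0xFFFFFF8000206000,
}
SAMPLE_CATFISH = 0x00102000
```

Calling `locate_page_tables('12.1.0', SAMPLE_CATFISH, SAMPLE_SYMBOLS)` picks the Boot pair, while a Darwin 11 build string falls back to the Idle pair that Volatility used.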
On 29 August 2012 14:52, McCash John-GKJN37
<john.mccash(a)motorolasolutions.com> wrote:
 Hi all,
 Make that OS X 10.8 (Mountain Lion). 12.1.0 is the kernel version. My
 apologies. I don’t use Macs a lot, and 10.8 doesn’t appear in the uname -a
 output for some unknown reason.
 John
 From: McCash John-GKJN37
 Sent: Tuesday, August 28, 2012 4:34 PM
 To: 'vol-dev(a)volatilityfoundation.org'
 Subject: problem analyzing dump from MacOSX 12.1.0.x86_64
 Hi,
 I’ve got to beg some help again. After finally getting Volatility for Linux
 to work, I procured a Mac mini to test Volatility in that space. I’ve
 carefully followed the instructions at
 http://code.google.com/p/volatility/wiki/MacMemoryForensics to create a
 profile file named 12.1.0.64bit.zip, which I placed in the
 volatility/plugins/overlays/mac folder. When I use the --info option in
 volatility, I see the profile as Mac12_1_0_64bitx64, so it’s getting that
 far. However when I try to actually analyze an 8GB dump (dumped using
 MacMemoryreader_3.0.2) from the same Mac mini that I used to generate the
 profile, I get the following issues:
 $ python ./vol.py mac_machine_info --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
 Volatile Systems Volatility Framework 2.1_rc3
 WARNING : volatility.obj      : Deprecation warning: A plugin is making use of profile.add_types
 Major Version:  -
 Minor Version:  -
 Memory Size:    -
 Max CPUs:       -
 Physical CPUs:  -
 Logical CPUs:   -
 $ python ./vol.py mac_dmesg --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
 Volatile Systems Volatility Framework 2.1_rc3
 WARNING : volatility.obj      : Deprecation warning: A plugin is making use of profile.add_types
 Traceback (most recent call last):
   File "./vol.py", line 185, in <module>
     main()
   File "./vol.py", line 176, in main
     command.execute()
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
     func(outfd, data)
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 57, in render_text
     for buf in data:
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 41, in calculate
     if bufc[bufx] == 0 and bufc[0] != 0:
 TypeError: string indices must be integers, not NoneObject
 $ python ./vol.py imageinfo --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
 Volatile Systems Volatility Framework 2.1_rc3
 Determining profile based on KDBG search...
 Traceback (most recent call last):
   File "./vol.py", line 185, in <module>
     main()
   File "./vol.py", line 176, in main
     command.execute()
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
     func(outfd, data)
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 34, in render_text
     for k, v in data:
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 44, in calculate
     suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/kdbgscan.py", line 112, in calculate
     proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 743, in __getattr__
     return self.m(attr)
   File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 725, in m
     raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
 AttributeError: Struct VOLATILITY_MAGIC has no member KDBGHeader
 Does anyone know what may be going on here?
 Thanks
 John
 P.S. Here’s my --info output:
 $ python ./vol.py --info
 Volatile Systems Volatility Framework 2.1_rc3
 Scanner Checks
 --------------
 CheckHiveSig           - Check for a registry hive signature
 CheckPoolIndex         - Checks the pool index
 CheckPoolSize          - Check pool block size
 CheckPoolType          - Check the pool type
 CheckProcess           - Check sanity of _EPROCESS
 CheckSocketCreateTime  - Check that _ADDRESS_OBJECT.CreateTime makes sense
 CheckThreads           - Check sanity of _ETHREAD
 KPCRScannerCheck       - Checks the self referential pointers to find KPCRs
 MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
 MultiStringFinderCheck - Checks for multiple strings per page
 PoolTagCheck           - This scanner checks for the occurance of a pool tag
 Address Spaces
 --------------
 AMD64PagedMemory        - Standard AMD 64-bit address space.
 ArmAddressSpace         - No docs
 FileAddressSpace        - This is a direct file AS.
 IA32PagedMemory         - Legacy x86 non PAE address space (to use specify --use_old_as)
 IA32PagedMemoryPae      - Legacy x86 PAE address space (to use specify --use_old_as)
 JKIA32PagedMemory       - Standard x86 32 bit non PAE address space.
 JKIA32PagedMemoryPae    - Standard x86 32 bit PAE address space.
 LimeAddressSpace        - Address space for Lime
 MachOAddressSpace       - Address space for mach-o files to support atc-ny memory reader
 WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
 WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
 WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
 Profiles
 --------
 LinuxDebian2632x86 - A Profile for Linux Debian2632 x86
 Mac12_1_0_64bitx64 - A Profile for Mac 12.1.0.64bit x64
 Macmac_profilex64  - A Profile for Mac mac_profile x64
 VistaSP0x64        - A Profile for Windows Vista SP0 x64
 VistaSP0x86        - A Profile for Windows Vista SP0 x86
 VistaSP1x64        - A Profile for Windows Vista SP1 x64
 VistaSP1x86        - A Profile for Windows Vista SP1 x86
 VistaSP2x64        - A Profile for Windows Vista SP2 x64
 VistaSP2x86        - A Profile for Windows Vista SP2 x86
 Win2003SP0x86      - A Profile for Windows 2003 SP0 x86
 Win2003SP1x64      - A Profile for Windows 2003 SP1 x64
 Win2003SP1x86      - A Profile for Windows 2003 SP1 x86
 Win2003SP2x64      - A Profile for Windows 2003 SP2 x64
 Win2003SP2x86      - A Profile for Windows 2003 SP2 x86
 Win2008R2SP0x64    - A Profile for Windows 2008 R2 SP0 x64
 Win2008R2SP1x64    - A Profile for Windows 2008 R2 SP1 x64
 Win2008SP1x64      - A Profile for Windows 2008 SP1 x64
 Win2008SP1x86      - A Profile for Windows 2008 SP1 x86
 Win2008SP2x64      - A Profile for Windows 2008 SP2 x64
 Win2008SP2x86      - A Profile for Windows 2008 SP2 x86
 Win7SP0x64         - A Profile for Windows 7 SP0 x64
 Win7SP0x86         - A Profile for Windows 7 SP0 x86
 Win7SP1x64         - A Profile for Windows 7 SP1 x64
 Win7SP1x86         - A Profile for Windows 7 SP1 x86
 WinXPSP1x64        - A Profile for Windows XP SP1 x64
 WinXPSP2x64        - A Profile for Windows XP SP2 x64
 WinXPSP2x86        - A Profile for Windows XP SP2 x86
 WinXPSP3x86        - A Profile for Windows XP SP3 x86
 Plugins
 -------
 apihooks            - Detect API hooks in process and kernel memory
 bioskbd             - Reads the keyboard buffer from Real Mode memory
 callbacks           - Print system-wide notification routines
 cmdscan             - Extract command history by scanning for _COMMAND_HISTORY
 connections         - Print list of open connections [Windows XP and 2003 Only]
 connscan            - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
 consoles            - Extract command history by scanning for _CONSOLE_INFORMATION
 crashinfo           - Dump crash-dump information
 devicetree          - Show device tree
 dlldump             - Dump DLLs from a process address space
 dlllist             - Print list of loaded dlls for each process
 driverirp           - Driver IRP hook detection
 driverscan          - Scan for driver objects _DRIVER_OBJECT
 envars              - Display process environment variables
 filescan            - Scan Physical memory for _FILE_OBJECT pool allocations
 gdt                 - Display Global Descriptor Table
 getsids             - Print the SIDs owning each process
 handles             - Print list of open handles for each process
 hashdump            - Dumps passwords hashes (LM/NTLM) from memory
 hibinfo             - Dump hibernation file information
 hivedump            - Prints out a hive
 hivelist            - Print list of registry hives.
 hivescan            - Scan Physical memory for _CMHIVE objects (registry hives)
 idt                 - Display Interrupt Descriptor Table
 imagecopy           - Copies a physical address space out as a raw DD image
 imageinfo           - Identify information for the image
 impscan             - Scan for calls to imported functions
 kdbgscan            - Search for and dump potential KDBG values
 kpcrscan            - Search for and dump potential KPCR values
 ldrmodules          - Detect unlinked DLLs
 linux_arp           - Print the ARP table
 linux_cpuinfo       - Prints info about each active processor
 linux_dmesg         - Gather dmesg buffer
 linux_dump_map      - No docs
 linux_ifconfig      - Gathers active interfaces
 linux_iomem         - Provides output similar to /proc/iomem
 linux_lsmod         - Gather loaded kernel modules
 linux_lsof          - Lists open files
 linux_memmap        - Dumps the memory map for linux tasks.
 linux_mount         - Gather mounted fs/devices
 linux_netstat       - Lists open sockets
 linux_proc_maps     - gathers process maps for linux
 linux_psaux         - gathers processes along with full command line and start time
 linux_pslist        - Gather active tasks by walking the task_struct->task list
 linux_route_cache   - Lists routing table
 lsadump             - Dump (decrypted) LSA secrets from the registry
 mac_arp             - prints the arp table
 mac_dmesg           - prints the kernel debug buffer
 mac_get_processors  - No docs
 mac_ifconfig        - No docs
 mac_ip_filters      - No docs
 mac_list_open_files - No docs
 mac_lsmod           - No docs
 mac_machine_info    - No docs
 mac_mount           - No docs
 mac_netstat         - No docs
 mac_notifiers       - detects rootkits that add hooks into I/O Kit (e.g. LogKext)
 mac_proc_maps       - No docs
 mac_psaux           - No docs
 mac_pslist          - No docs
 mac_route           - No docs
 mac_runq            - No docs
 mac_trustedbsd      - No docs
 mac_version         - No docs
 mac_vfs_events      - No docs
 mac_wait_queues     - No docs
 malfind             - Find hidden and injected code
 memdump             - Dump the addressable memory for a process
 memmap              - Print the memory map
 moddump             - Dump a kernel driver to an executable file sample
 modscan             - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
 modules             - Print list of loaded modules
 mutantscan          - Scan for mutant objects _KMUTANT
 netscan             - Scan a Vista, 2008 or Windows 7 image for connections and sockets
 patcher             - Patches memory based on page scans
 printkey            - Print a registry key, and its subkeys and values
 procexedump         - Dump a process to an executable file sample
 procmemdump         - Dump a process to an executable memory sample
 pslist              - print all running processes by following the EPROCESS lists
 psscan              - Scan Physical memory for _EPROCESS pool allocations
 pstree              - Print process list as a tree
 psxview             - Find hidden processes with various process listings
 raw2dmp             - Converts a physical memory sample to a windbg crash dump
 shimcache           - Parses the Application Compatibility Shim Cache registry key
 sockets             - Print list of open sockets
 sockscan            - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
 ssdt                - Display SSDT entries
 strings             - Match physical offsets to virtual addresses (may take a while, VERY verbose)
 svcscan             - Scan for Windows services
 symlinkscan         - Scan for symbolic link objects
 thrdscan            - Scan physical memory for _ETHREAD objects
 threads             - Investigate _ETHREAD and _KTHREADs
 timers              - Print kernel timers and associated module DPCs
 userassist          - Print userassist registry keys and information
 vaddump             - Dumps out the vad sections to a file
 vadinfo             - Dump the VAD info
 vadtree             - Walk the VAD tree and display in tree format
 vadwalk             - Walk the VAD tree
 volshell            - Shell in the memory image
 yarascan            - Scan process or kernel memory with Yara signatures
 _______________________________________________
 Vol-dev mailing list
 Vol-dev(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev