5:11 p.m.
Hi,
I'm playing with a 5GB Windows 7 SP0 64bit memory dump and I have some
problems with processes mapped over 4GB.
Pslist only shows System process. Maybe it's because System is the
only process mapped under 4GB?
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 pslist
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8005355b30 System 4 0 91 --------
------ 0 2012-06-14 19:42:15
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB
Time created Time exited
------------------ ---------------- ------ ------ ------------------
-------------------- --------------------
0x0000000008755b30 System 4 0 0x0000000000187000
2012-06-14 19:42:15
0x0000000174a4a800 VMwareTray.exe 2028 1164 0x000000018c7c3000
2012-06-14 19:42:47
0x0000000174a55b30 VMwareUser.exe 1324 1164 0x000000018af49000
2012-06-14 19:42:47
0x0000000174a923f0 SearchIndexer. 240 552 0x000000018895a000
2012-06-14 19:42:53
0x0000000174aebb30 SearchFilterHo 2108 240 0x0000000188146000
2012-06-14 19:42:54
0x0000000174b00060 SearchProtocol 2076 240 0x00000001964b2000
2012-06-14 19:42:54
0x0000000174db7630 explorer.exe 1164 1976 0x000000019a477000
2012-06-14 19:42:46
0x0000000174f52b30 vmtoolsd.exe 1392 552 0x0000000190f88000
2012-06-14 19:42:39
0x0000000175015060 svchost.exe 316 552 0x000000019bdd9000
2012-06-14 19:42:33
0x0000000175021b30 spoolsv.exe 1088 552 0x00000001a2a65000
2012-06-14 19:42:38
0x00000001750fb060 svchost.exe 816 552 0x0000000196cde000
2012-06-14 19:42:36
0x0000000175241060 svchost.exe 900 552 0x00000001a020e000
2012-06-14 19:42:29
0x0000000175276060 svchost.exe 828 552 0x00000001a6621000
2012-06-14 19:42:29
0x000000017528c060 audiodg.exe 968 828 0x000000019ddc2000
2012-06-14 19:42:32
0x0000000175294630 VMUpgradeHelpe 1460 552 0x000000019f527000
2012-06-14 19:42:40
0x00000001752b8b30 svchost.exe 1284 552 0x0000000192402000
2012-06-14 19:42:39
0x000000017531b9b0 taskhost.exe 1936 552 0x000000019a163000
2012-06-14 19:42:45
0x000000017531c880 dwm.exe 2008 868 0x000000019b4fc000
2012-06-14 19:42:46
0x000000017538a5f0 svchost.exe 1136 552 0x00000001a3870000
2012-06-14 19:42:38
0x0000000175517b30 csrss.exe 364 356 0x000000000032c000
2012-06-14 19:42:22
0x0000000175521060 svchost.exe 668 552 0x00000001a2b4d000
2012-06-14 19:42:27
0x000000017554bb30 wininit.exe 436 356 0x00000000be0b2000
2012-06-14 19:42:24
0x0000000175553b30 csrss.exe 460 448 0x00000000be284000
2012-06-14 19:42:24
0x0000000175592960 winlogon.exe 504 448 0x00000000bff4a000
2012-06-14 19:42:24
0x00000001755bf060 svchost.exe 744 552 0x00000001a1251000
2012-06-14 19:42:28
0x00000001755d1b30 services.exe 552 436 0x00000001a7184000
2012-06-14 19:42:25
0x00000001755d8060 svchost.exe 868 552 0x00000001a0309000
2012-06-14 19:42:29
0x00000001755e2b30 lsass.exe 560 436 0x00000001a9128000
2012-06-14 19:42:25
0x00000001755e6910 lsm.exe 568 436 0x00000001a9470000
2012-06-14 19:42:25
0x0000000175deb060 userinit.exe 1976 504 0x000000019b3ee000
2012-06-14 19:42:45
0x0000000176263b30 WmiPrvSE.exe 1848 668 0x00000001a8947000
2012-06-14 19:42:45
0x00000001763ff950 smss.exe 264 4 0x0000000041470000
2012-06-14 19:42:15
Does the problem can be related to the vtop function in amd64?
For a physical page size of 4KB, vtop() in amd64.py convert the address:
1- get pml4e
2- get pdpte
3- get pde
4- get pte
5- return get_phys_addr
The function get_phys_addr() in step #5 is in intel.py and is 32bit only:
def get_phys_addr(self, vaddr, pte_value):
return (pte_value & 0xfffff000) | (vaddr & 0xfff)
If the pte_value is 64bit, it get cuts in the get_phys_addr()?
Thanks for your help,
Sébastien
12:26 p.m.
Hi Sebastien,
Thanks for the message. We're going to track this here:
http://code.google.com/p/volatility/issues/detail?id=272 (you should
already be getting CCs).
Thanks,
MHL
On Thu, Jun 14, 2012 at 5:11 PM, Sebastien Bourdon-Richard
<sebastienbr(a)gmail.com> wrote:
Hi,
I'm playing with a 5GB Windows 7 SP0 64bit memory dump and I have some
problems with processes mapped over 4GB.
Pslist only shows System process. Maybe it's because System is the
only process mapped under 4GB?
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 pslist
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8005355b30 System 4 0 91 --------
------ 0 2012-06-14 19:42:15
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB
Time created Time exited
------------------ ---------------- ------ ------ ------------------
-------------------- --------------------
0x0000000008755b30 System 4 0 0x0000000000187000
2012-06-14 19:42:15
0x0000000174a4a800 VMwareTray.exe 2028 1164 0x000000018c7c3000
2012-06-14 19:42:47
0x0000000174a55b30 VMwareUser.exe 1324 1164 0x000000018af49000
2012-06-14 19:42:47
0x0000000174a923f0 SearchIndexer. 240 552 0x000000018895a000
2012-06-14 19:42:53
0x0000000174aebb30 SearchFilterHo 2108 240 0x0000000188146000
2012-06-14 19:42:54
0x0000000174b00060 SearchProtocol 2076 240 0x00000001964b2000
2012-06-14 19:42:54
0x0000000174db7630 explorer.exe 1164 1976 0x000000019a477000
2012-06-14 19:42:46
0x0000000174f52b30 vmtoolsd.exe 1392 552 0x0000000190f88000
2012-06-14 19:42:39
0x0000000175015060 svchost.exe 316 552 0x000000019bdd9000
2012-06-14 19:42:33
0x0000000175021b30 spoolsv.exe 1088 552 0x00000001a2a65000
2012-06-14 19:42:38
0x00000001750fb060 svchost.exe 816 552 0x0000000196cde000
2012-06-14 19:42:36
0x0000000175241060 svchost.exe 900 552 0x00000001a020e000
2012-06-14 19:42:29
0x0000000175276060 svchost.exe 828 552 0x00000001a6621000
2012-06-14 19:42:29
0x000000017528c060 audiodg.exe 968 828 0x000000019ddc2000
2012-06-14 19:42:32
0x0000000175294630 VMUpgradeHelpe 1460 552 0x000000019f527000
2012-06-14 19:42:40
0x00000001752b8b30 svchost.exe 1284 552 0x0000000192402000
2012-06-14 19:42:39
0x000000017531b9b0 taskhost.exe 1936 552 0x000000019a163000
2012-06-14 19:42:45
0x000000017531c880 dwm.exe 2008 868 0x000000019b4fc000
2012-06-14 19:42:46
0x000000017538a5f0 svchost.exe 1136 552 0x00000001a3870000
2012-06-14 19:42:38
0x0000000175517b30 csrss.exe 364 356 0x000000000032c000
2012-06-14 19:42:22
0x0000000175521060 svchost.exe 668 552 0x00000001a2b4d000
2012-06-14 19:42:27
0x000000017554bb30 wininit.exe 436 356 0x00000000be0b2000
2012-06-14 19:42:24
0x0000000175553b30 csrss.exe 460 448 0x00000000be284000
2012-06-14 19:42:24
0x0000000175592960 winlogon.exe 504 448 0x00000000bff4a000
2012-06-14 19:42:24
0x00000001755bf060 svchost.exe 744 552 0x00000001a1251000
2012-06-14 19:42:28
0x00000001755d1b30 services.exe 552 436 0x00000001a7184000
2012-06-14 19:42:25
0x00000001755d8060 svchost.exe 868 552 0x00000001a0309000
2012-06-14 19:42:29
0x00000001755e2b30 lsass.exe 560 436 0x00000001a9128000
2012-06-14 19:42:25
0x00000001755e6910 lsm.exe 568 436 0x00000001a9470000
2012-06-14 19:42:25
0x0000000175deb060 userinit.exe 1976 504 0x000000019b3ee000
2012-06-14 19:42:45
0x0000000176263b30 WmiPrvSE.exe 1848 668 0x00000001a8947000
2012-06-14 19:42:45
0x00000001763ff950 smss.exe 264 4 0x0000000041470000
2012-06-14 19:42:15
Does the problem can be related to the vtop function in amd64?
For a physical page size of 4KB, vtop() in amd64.py convert the address:
1- get pml4e
2- get pdpte
3- get pde
4- get pte
5- return get_phys_addr
The function get_phys_addr() in step #5 is in intel.py and is 32bit only:
def get_phys_addr(self, vaddr, pte_value):
return (pte_value & 0xfffff000) | (vaddr & 0xfff)
If the pte_value is 64bit, it get cuts in the get_phys_addr()?
Thanks for your help,
Sébastien
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
12:30 p.m.
Sebastien,
MHL created a issue for tracking progress:
https://code.google.com/p/volatility/issues/detail?id=272.
If you get a chance to run the suggested commands on your sample, that
would be greatly appreciated. I'm assuming you are not able to share the
sample. We also have a couple of other questions:
What tool was used to collect the sample?
What OS/Hw is the analyst workstation?
Was this a fresh checkout?
Thanks,
AW
On Thu, 14 Jun 2012, Sebastien Bourdon-Richard wrote:
Hi,
I'm playing with a 5GB Windows 7 SP0 64bit memory dump and I have some
problems with processes mapped over 4GB.
Pslist only shows System process. Maybe it's because System is the
only process mapped under 4GB?
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 pslist
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8005355b30 System 4 0 91 --------
------ 0 2012-06-14 19:42:15
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB
Time created Time exited
------------------ ---------------- ------ ------ ------------------
-------------------- --------------------
0x0000000008755b30 System 4 0 0x0000000000187000
2012-06-14 19:42:15
0x0000000174a4a800 VMwareTray.exe 2028 1164 0x000000018c7c3000
2012-06-14 19:42:47
0x0000000174a55b30 VMwareUser.exe 1324 1164 0x000000018af49000
2012-06-14 19:42:47
0x0000000174a923f0 SearchIndexer. 240 552 0x000000018895a000
2012-06-14 19:42:53
0x0000000174aebb30 SearchFilterHo 2108 240 0x0000000188146000
2012-06-14 19:42:54
0x0000000174b00060 SearchProtocol 2076 240 0x00000001964b2000
2012-06-14 19:42:54
0x0000000174db7630 explorer.exe 1164 1976 0x000000019a477000
2012-06-14 19:42:46
0x0000000174f52b30 vmtoolsd.exe 1392 552 0x0000000190f88000
2012-06-14 19:42:39
0x0000000175015060 svchost.exe 316 552 0x000000019bdd9000
2012-06-14 19:42:33
0x0000000175021b30 spoolsv.exe 1088 552 0x00000001a2a65000
2012-06-14 19:42:38
0x00000001750fb060 svchost.exe 816 552 0x0000000196cde000
2012-06-14 19:42:36
0x0000000175241060 svchost.exe 900 552 0x00000001a020e000
2012-06-14 19:42:29
0x0000000175276060 svchost.exe 828 552 0x00000001a6621000
2012-06-14 19:42:29
0x000000017528c060 audiodg.exe 968 828 0x000000019ddc2000
2012-06-14 19:42:32
0x0000000175294630 VMUpgradeHelpe 1460 552 0x000000019f527000
2012-06-14 19:42:40
0x00000001752b8b30 svchost.exe 1284 552 0x0000000192402000
2012-06-14 19:42:39
0x000000017531b9b0 taskhost.exe 1936 552 0x000000019a163000
2012-06-14 19:42:45
0x000000017531c880 dwm.exe 2008 868 0x000000019b4fc000
2012-06-14 19:42:46
0x000000017538a5f0 svchost.exe 1136 552 0x00000001a3870000
2012-06-14 19:42:38
0x0000000175517b30 csrss.exe 364 356 0x000000000032c000
2012-06-14 19:42:22
0x0000000175521060 svchost.exe 668 552 0x00000001a2b4d000
2012-06-14 19:42:27
0x000000017554bb30 wininit.exe 436 356 0x00000000be0b2000
2012-06-14 19:42:24
0x0000000175553b30 csrss.exe 460 448 0x00000000be284000
2012-06-14 19:42:24
0x0000000175592960 winlogon.exe 504 448 0x00000000bff4a000
2012-06-14 19:42:24
0x00000001755bf060 svchost.exe 744 552 0x00000001a1251000
2012-06-14 19:42:28
0x00000001755d1b30 services.exe 552 436 0x00000001a7184000
2012-06-14 19:42:25
0x00000001755d8060 svchost.exe 868 552 0x00000001a0309000
2012-06-14 19:42:29
0x00000001755e2b30 lsass.exe 560 436 0x00000001a9128000
2012-06-14 19:42:25
0x00000001755e6910 lsm.exe 568 436 0x00000001a9470000
2012-06-14 19:42:25
0x0000000175deb060 userinit.exe 1976 504 0x000000019b3ee000
2012-06-14 19:42:45
0x0000000176263b30 WmiPrvSE.exe 1848 668 0x00000001a8947000
2012-06-14 19:42:45
0x00000001763ff950 smss.exe 264 4 0x0000000041470000
2012-06-14 19:42:15
Does the problem can be related to the vtop function in amd64?
For a physical page size of 4KB, vtop() in amd64.py convert the address:
1- get pml4e
2- get pdpte
3- get pde
4- get pte
5- return get_phys_addr
The function get_phys_addr() in step #5 is in intel.py and is 32bit only:
def get_phys_addr(self, vaddr, pte_value):
return (pte_value & 0xfffff000) | (vaddr & 0xfff)
If the pte_value is 64bit, it get cuts in the get_phys_addr()?
Thanks for your help,
S?bastien
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4889
days inactive
4890
days old
vol-dev@lists.volatilityfoundation.org
2 comments
3 participants
participants (3)
-
AAron Walters -
Michael Hale Ligh -
Sebastien Bourdon-Richard