Hey all,
Does the netscan plugin work against Windows 7 64-bit memory samples?
When I'm running it with the latest build (1574), I get the following:
Computer:volatility-read-only $ python vol.py -f
../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.evtlogs (AttributeError:
'module' object has no attribute 'LdrModules')
*** Failed to import volatility.plugins.timeliner (AttributeError:
'module' object has no attribute 'LdrModules')
Offset(P) Proto Local Address Foreign Address
State Pid Owner Created
0x11747cef0 TCPv4 0.0.0.0:62887 0.0.0.0:0
LISTENING 3212 svchost.exe
0x11785da10 TCPv4 0.0.0.0:3389 0.0.0.0:0
LISTENING 1260 svchost.exe
0x117894ef0 TCPv4 0.0.0.0:3389 0.0.0.0:0
LISTENING 1260 svchost.exe
0x117894ef0 TCPv6 :::3389 :::0
LISTENING 1260 svchost.exe
0x117a00670 TCPv4 0.0.0.0:49601 0.0.0.0:0
LISTENING 2412 vmware-convert
0x117a1ee00 TCPv4 0.0.0.0:62870 0.0.0.0:0
LISTENING 568 services.exe
0x117a1ee00 TCPv6 :::62870 :::0
LISTENING 568 services.exe
WARNING : volatility.obj : Cant find object _IN_ADDR in profile
<volatility.plugins.overlays.windows.win7.Win7SP1x64 object at
0x10b5be390>?
Traceback (most recent call last):
File "vol.py", line 173, in <module>
main()
File "vol.py", line 164, in main
command.execute()
File "/Users/e18529/volatility-read-only/volatility/commands.py",
line 101, in execute
func(outfd, data)
File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
line 266, in render_text
for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data:
File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
line 212, in calculate
for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry):
File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
line 183, in enumerate_listeners
inaddr = LocalAddr.pData.dereference().dereference().v()
AttributeError: 'NoneType' object has no attribute 'v'
All the other plugins are working; this is the only one I'm having
issues with.... I know about the first two "Failed to import" lines...
And I did remember to do a "make clean" after updating this time.... :)
Thanks,
Tom
In case you missed it, this is an interesting paper on how to frustrate
a few free memory forensic tools using one-byte modifications to main
computer memory:
https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Foren….
The paper examines potential single points of failure in 3 free memory
forensic tools:
1. Volatility
2. Memoryze
3. Responder Community Edition
The reliability of memory forensic tools (both acquisition and analysis)
is a topic which to date has received very little attention (except on
the part of the "bad guys"). Hence, this paper provides some welcome
relief. The paper is marred however by its focus exclusively on free
tools. The commercial tools which cost $10K or $100K also may have
defects and it would be interesting to know how they compare to the free
tools. As I remember it, at least one of the commercial tools has a
license provision which prevents you from telling anyone if you find a
defect. So perhaps the author limited his focus due to legal constraints.
Hi everybody,
I have tried the scudette branch r1628 for Linux memory analysis and
received some errors. My test systems were Ubuntu 11.10 (Kernel
3.0.0-17-generic, 64 Bit) and Debian 6.0.2.1 (Kernel 2.6.32-5-686, 32
Bit). The plugins I have tested were pslist, cpuinfo, dmesg, ifconfig and
netstat.
As I followed the instructions on the Wiki page, the first thing I
noticed was a NameError after the *vol pslist* command:
$ python vol.py
Welcome to volshell!
To get help, type 'help()'
In [1]: session.filename = "memory.dd"
In [2]: session.profile_file = "myprofile.zip"
In [3]: session.profile = "Linux32"
In [4]: vol pslist
------> vol(pslist)
---------------------------------------------------------------------------
NameError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
NameError: name 'pslist' is not defined
After I changed the *In [4]: vol pslist* command into *In [4]: vol
"pslist"*, the NameError disappeared and the pslist plugin worked well
on both systems.
The next plugin was cpuinfo. On both systems I got the right processor
output, but on Ubuntu I additionally received a warning/error:
In [5]: vol "cpuinfo"
------> vol("cpuinfo")
Processor Vendor Model
*ERROR:root:Constant per_cpu__cpu_info does not exist in profile.*
0 GenuineIntel Intel(R) Core(TM)2 Duo CPU P8600 @
2.40GHz
Out[5]: <volatility.plugins.linux.cpuinfo.CpuInfo object at 0x2fc5190>
The ifconfig plugin returned a ValueError on both systems.
*On Ubuntu:*
In [6]: vol "ifconfig"
------> vol("ifconfig")
lo 127.0.0.1 00:00:00:00:00:00
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in
render(self, outfd)
97
98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
---> 99 net_dev.name, ip, mac_addr))
100
101
ValueError: Unknown format code 's' for object of type 'int'
*On Debian:*
In [6]: vol "ifconfig"
------> vol("ifconfig")
lo 127.0.0.1 00:00:00:00:00:00
eth0 10.0.2.15 08:00:27:f6:0e:dd
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls,
fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.pyc in
render(self, outfd)
97
98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
---> 99 net_dev.name, ip, mac_addr))
100
101
ValueError: Unknown format code 's' for object of type 'int'
After that I tried the netstat plugin. On both systems I received an
AttributeError:
*On Ubuntu:*
In [7]: vol "netstat"
------> vol("netstat")
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
178 """
179 if isinstance(plugin_cls, basestring):
--> 180 plugin_cls = getattr(self.plugins, plugin_cls)
181
182 if output is not None:
/home/vitax/lin64-support/volatility/session.py in __getattr__(self, attr)
79 return self.plugins[attr]
80 except KeyError:
---> 81 raise AttributeError(attr)
82
83
AttributeError: netstat
*On Debian:*
In [7]: vol "netstat"
------> vol("netstat")
ERROR: An unexpected error occurred while tokenizing input
The following traceback may be corrupted or invalid
The error message is: ('EOF in multi-line statement', (40, 0))
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls,
fd, debug, output, **kwargs)
178 """
179 if isinstance(plugin_cls, basestring):
--> 180 plugin_cls = getattr(self.plugins, plugin_cls)
181
182 if output is not None:
/home/vitax/lin64-support/volatility/session.pyc in __getattr__(self, attr)
79 return self.plugins[attr]
80 except KeyError:
---> 81 raise AttributeError(attr)
82
83
AttributeError: netstat
In the end I tried the dmesg plugin. On Debian it worked well, but on
Ubuntu I got this error:
In [8]: vol "dmesg"
------> vol("dmesg")
ERROR:root:Error: 'ascii' codec can't decode byte 0xc2 in position 74140:
ordinal not in range(128)
---------------------------------------------------------------------------
UnicodeDecodeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/dmesg.py in render(self,
outfd)
44
45 def render(self, outfd):
---> 46 outfd.write(self.get_dmesg())
47
48
/home/vitax/lin64-support/volatility/session.py in write(self, data)
111 def write(self, data):
112 # Encode the data according to the output encoding.
--> 113 data = data.encode(self.encoding)
114 try:
115 self.pager.write(data)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 74140:
ordinal not in range(128)
I have read the command reference for the strings plugin and do not see an option to specify the string to look for in anything other than ASCII.
Could strings be expanded to include hex values, perhaps in the form of \x55\x5e\xe2\xfd\x83\xc4 or something like that?
Thanks,
Mike Lambert
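As an added example (not part of this thread and not Volatility's strings plugin), the following standalone Python script does the kind of hex-pattern search asked about above: it parses a \xHH escape string into bytes and reports every physical offset of that byte sequence in a raw image, carrying a tail across read chunks so a hit on a chunk boundary is not missed. The sample image bytes are constructed here for the demonstration.

```python
import io
import re

# Matches one \xHH escape in the user-supplied pattern string.
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def parse_hex_pattern(text):
    """Turn the text \\x55\\x5e\\xe2 into the bytes 55 5e e2; reject anything else."""
    escapes = _HEX_ESCAPE.findall(text)
    if not escapes or "".join(r"\x" + h for h in escapes) != text:
        raise ValueError("pattern must be only \\xHH escapes: %r" % text)
    return bytes(int(h, 16) for h in escapes)

def find_pattern(stream, pattern, chunk_size=1 << 20):
    """Yield the physical offset of every occurrence of pattern in a file-like
    object. The file is read in chunks; a tail of len(pattern) - 1 bytes is
    carried over so a hit that straddles a chunk boundary is still found."""
    overlap = len(pattern) - 1
    base = 0  # file offset of buf[0]
    buf = b""
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf += data
        idx = buf.find(pattern)
        while idx >= 0:
            yield base + idx
            idx = buf.find(pattern, idx + 1)  # overlapping hits count too
        keep = max(len(buf) - overlap, 0)  # bytes that cannot start a new hit
        base += keep
        buf = buf[keep:]

def search_image(image_bytes, pattern_text, chunk_size=1 << 20):
    """Search an in-memory image and return the list of matching offsets."""
    pattern = parse_hex_pattern(pattern_text)
    return list(find_pattern(io.BytesIO(image_bytes), pattern, chunk_size))

# Constructed sample "image": the six-byte sequence from the question sits at
# offsets 13 and 29, so a 16-byte chunk size makes the first hit cross a boundary.
NEEDLE = r"\x55\x5e\xe2\xfd\x83\xc4"
SAMPLE_IMAGE = (b"\x00" * 13 + b"\x55\x5e\xe2\xfd\x83\xc4" + b"A" * 10
                + b"\x55\x5e\xe2\xfd\x83\xc4" + b"\x00" * 5)

if __name__ == "__main__":
    for off in search_image(SAMPLE_IMAGE, NEEDLE, chunk_size=16):
        print("hit at physical offset 0x%x" % off)
```

For a real image, replace io.BytesIO with an open file in binary mode; the offsets reported are raw file offsets, not the virtual addresses a profile-aware plugin would give.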
Thanks Howard, it works like a champ!
Mike
From: Howard.Patterson(a)tn.gov
To: dragonforen(a)hotmail.com
Subject: RE: [Vol-users] Using Windows XP VMs for testing and windows activation
Date: Thu, 12 Apr 2012 23:27:12 +0000
The easiest way I've found, and one I think will work in your situation, is to boot into Safe Mode with the XP system. Then choose "Start, Run" and enter the following:
rundll32.exe syssetup,SetupOobeBnk
Those are both the letter "Ohs" in there and it is case sensitive. If it works you won't see any sign of it until you reboot. If you type it incorrectly an error message will come back. This basically resets how long you have to activate (I believe 30 days).
-Howard
From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilesystems.com] On Behalf Of Mike Lambert
Sent: Thursday, April 12, 2012 6:06 PM
To: Volatility List
Subject: [Vol-users] Using Windows XP VMs for testing and windows activation
I have not used VMs in the past to do malware testing because of the Windows activation problems I run into. Clone, you have to activate; copy, you have to activate; move, you have to activate. I'm surprised that it still activates!
I would like to talk to someone who knows the best way to deal with this. (or not) I'd like to have a clone that is infected that I can go back to later. (I do that now with hard disk images - I can put back a disk image to disk and plug it into the computer and bring it right back up.)
I can continue to use my test system, which I do not have any problem with. I blow a copy of a clean system to disk and then go on testing without any activation problems.
Let me know if you have a solution.
Thanks,
Mike
All,
Has anyone successfully analyzed memory from a Windows 2008 Server memory dump? This is my third time attempting to do so, and I have yet to have any success with Volatility. I took the memory dump so I know the profile; however, Volatility reports it as a Windows 7 machine. Any advice on how to approach this persistent problem?
Does anyone have a copy of Brian Kaplan's paper, "RAM is Key, Extracting Disk Encryption Keys From Volatile Memory",
that they could email me at dragonforen(a)hotmail.com?
If so, thank you!
Mike