July 2012 - Vol-users - volatilityfoundation.org

by Skippy VonDrake

Just tried the 2.1 RC3 version and got the errors below. Then did the 'python setup.py clean' command followed by repeating the install command 'python setup.py install'. Still no difference. No errors produced during install. Egg was built and copied. Using Win7 and Python 2.7.3. D:\Forensics>python %PYTHON_SCRIPTS%\vol.py -h Volatile Systems Volatility Framework 2.1_rc3 *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win7_sp0_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.vista_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.vista_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.xp_sp3_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp0_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.xp_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.vista_sp0_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') Usage: Volatility - A memory forensics analysis platform.

12 years, 3 months

2
1
0 0

no conf-file option in Vol 2.0

by Skippy VonDrake

Using help on the command line I see no reference to the "--conf-file" option. Was it removed?

12 years, 3 months

2
1
0 0

Linux memory analysis with scudettesbranch

by Sebastien Bourdon-Richard

Hi, I'm trying to analyze linux memory dumps with scudettesbranch r2040, but it doesn't seems to work. Is there something I do wrong? *Ubuntu 11.04 64bit (acquired with lime, padded format)* H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "N:\Lime\Ubuntu-11.04-64-bit\u64.padded" In [2]: session.profile_file = "N:\Lime\Ubuntu-11.04-64-bit\myprofile.zip" In [3]: session.profile = profiles.Linux64 In [4]: vol plugins.pslist ------> vol(plugins.pslist) WARNING:root:comm has no offset in object task_struct. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object net_device. Check that vtypes has a concrete definition for it. WARNING:root:s_id has no offset in object super_block. Check that vtypes has a concrete definition for it. WARNING:root:sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it. WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object module. Check that vtypes has a concrete definition for it. Offset Name Pid Uid ERROR:root:Error: Type task_struct has no member tasks --------------------------------------------------------------------------- AttributeError Traceback (most recent call last) <ipython-input-4-a5edbfb3c155> in <module>() ----> 1 vol(plugins.pslist) H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs) 217 result = plugin_cls(*args, **kwargs) 218 try: --> 219 result.render(ui_renderer) 220 except KeyboardInterrupt: 221 self.report_progress("Aborted!\r\n", force=True) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd) 49 "Offset", "Name", "Pid", "Uid")) 50 ---> 51 for task in self.pslist(): 52 outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format( 53 task.obj_offset, task.comm, str(task.pid), str(task.uid))) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self) 42 43 # walk the ->tasks list, note that this will *not* display "swapper" ---> 44 for task in init_task.tasks: 45 yield task 46 H:\Volatility\Scudette\volatility\obj.pyc in __getattr__(self, attr) 921 if attr not in self.members: 922 raise AttributeError("Type {0} has no member {1}".format( --> 923 self.obj_name, attr)) 924 925 return self.m(attr) AttributeError: Type task_struct has no member tasks *Ubuntu 11.04 64bit (acquired with lime, raw format)* * * H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "N:\\Lime\\Ubuntu-11.04-64-bit\\u64.raw" In [2]: session.profile_file = "N:\\Lime\\Ubuntu-11.04-64-bit\\myprofile.zip" In [3]: session.profile = profiles.Linux64 In [4]: vol plugins.pslist ------> vol(plugins.pslist) WARNING:root:comm has no offset in object task_struct. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object net_device. Check that vtypes has a concrete definition for it. WARNING:root:s_id has no offset in object super_block. Check that vtypes has a concrete definition for it. WARNING:root:sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it. WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object module. Check that vtypes has a concrete definition for it. Offset Name Pid Uid Out[4]: <volatility.plugins.linux.pslist.LinuxPsList at 0x2e50930> *Fedora 15 32bit (acquired with lime, raw format)* H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.raw" In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip" In [3]: session.profile = profiles.Linux32 In [4]: vol plugins.pslist ------> vol(plugins.pslist) ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute' ERROR:root:Failed running plugin pslist: kernel_address_space not specified. In [5]: session.kernel_address_space = "standard" In [6]: vol plugins.pslist ------> vol(plugins.pslist) Offset Name Pid Uid ERROR:root:Error: 'init_task' --------------------------------------------------------------------------- KeyError Traceback (most recent call last) <ipython-input-6-a5edbfb3c155> in <module>() ----> 1 vol(plugins.pslist) H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs) 217 result = plugin_cls(*args, **kwargs) 218 try: --> 219 result.render(ui_renderer) 220 except KeyboardInterrupt: 221 self.report_progress("Aborted!\r\n", force=True) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd) 49 "Offset", "Name", "Pid", "Uid")) 50 ---> 51 for task in self.pslist(): 52 outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format( 53 task.obj_offset, task.comm, str(task.pid), str(task.uid))) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self) 35 def pslist(self): 36 """A generator of task_struct objects for all running tasks.""" ---> 37 init_task_addr = self.profile.constants["init_task"] 38 39 init_task = self.profile.Object(theType="task_struct", KeyError: 'init_task' *Fedora 15 32bit (virtual box snapshot)* * * H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "V:\\VM\\Fedora Core 15 32-bit\\Snapshots\\2012-07-17T14-50-40-994836400Z.sav" In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip" In [3]: session.profile = profiles.Linux32 In [4]: vol plugins.pslist ------> vol(plugins.pslist) ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute' ERROR:root:Failed running plugin pslist: kernel_address_space not specified. In [5]: session.kernel_address_space = "vboxelf" In [6]: vol plugins.pslist ------> vol(plugins.pslist) Offset Name Pid Uid ERROR:root:Error: 'init_task' --------------------------------------------------------------------------- KeyError Traceback (most recent call last) <ipython-input-7-a5edbfb3c155> in <module>() ----> 1 vol(plugins.pslist) H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs) 217 result = plugin_cls(*args, **kwargs) 218 try: --> 219 result.render(ui_renderer) 220 except KeyboardInterrupt: 221 self.report_progress("Aborted!\r\n", force=True) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd) 49 "Offset", "Name", "Pid", "Uid")) 50 ---> 51 for task in self.pslist(): 52 outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format( 53 task.obj_offset, task.comm, str(task.pid), str(task.uid))) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self) 35 def pslist(self): 36 """A generator of task_struct objects for all running tasks.""" ---> 37 init_task_addr = self.profile.constants["init_task"] 38 39 init_task = self.profile.Object(theType="task_struct", KeyError: 'init_task' *The analysis works with Windows XP SP3* H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "W:\XP SP3\XP SP3-Snapshot7.vmem" In [2]: session.profile = profiles.WinXPSP3x86 In [3]: vol plugins.pslist ------> vol(plugins.pslist) Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- -------------------- 0x867c49c8 System 4 0 54 216 ------ False - - 0x8656b020 smss.exe 556 4 3 17 ------ False 2008-11-19 19:30:19 - [...] Out[3]: <volatility.plugins.windows.taskmods.WinPsList at 0x21668f0> Thanks in advance for your help! Sebastien

12 years, 4 months

2
3
0 0

Volatility 2.1 RC1 is available

by Michael Hale Ligh

Hey everyone, The 2.1 RC1 downloads are now available [1]. Per the usual, there are zip and tar archives of the source code, a windows module installer, and a standalone windows executable (with python and all dependencies build-in). We ask that you test vigorously over the next 2 weeks, especially with any x64 images, and let us know via the issue tracker [2] if you run into any bugs. At the end of July, we'll announce the official release of 2.1. Also, a lot of the documentation [3] has been updated, including the FAQ, command reference, features by plugin matrix, and roadmap, so that may be a useful resource to you when using 2.1. Thank you very much! [1]. http://code.google.com/p/volatility/downloads/list [2]. http://code.google.com/p/volatility/issues/list [3]. http://code.google.com/p/volatility/w/list

12 years, 4 months

2
3
0 0

understanding impscan and Zeus 1.0

by Michael Felber

Hi folks, Testing impscan with zeus.vmem I have a little question about the capabilities of impscan: Malfind finds 2 regions with injected code as seen many times: C:\Micha\Forensics\Volatility-2.1a>python vol.py malfind -f D:\X-Ways-Images\zeus.vmem -p 1724 Volatile Systems Volatility Framework 2.1_rc1 Process: explorer.exe Pid: 1724 Address: 0x1600000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6 0x01600000 b8 35 00 00 00 e9 cd d7 30 7b b8 91 00 00 00 e9 .5......0{...... . Process: explorer.exe Pid: 1724 Address: 0x15d0000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6 0x015d0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. . Base 0x015d0000 is a "real" exe-module and impscan can detect the hooked calls very well: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x015d0000 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x015d1000 0x77dea43c ADVAPI32.dll CryptGetHashParam 0x015d1004 0x77dd7535 ADVAPI32.dll RegCreateKeyExW 0x015d1008 0x77de8546 ADVAPI32.dll CryptReleaseContext 0x015d100c 0x77dd6fc8 ADVAPI32.dll RegQueryValueExW 0x015d1010 0x77dd778e ADVAPI32.dll InitializeSecurityDescriptor 0x015d1014 0x77df986b ADVAPI32.dll GetSidSubAuthorityCount 0x015d1018 0x77dd77b3 ADVAPI32.dll SetSecurityDescriptorDacl 0x015d101c 0x77df1285 ADVAPI32.dll SetNamedSecurityInfoW 0x015d1020 0x77dfcaf6 ADVAPI32.dll LookupPrivilegeValueW 0x015d1024 0x77dea2f9 ADVAPI32.dll CryptCreateHash 0x015d1028 0x77de2cde ADVAPI32.dll ConvertStringSecurityDescriptorToSecurityDescriptorW 0x015d102c 0x77dd6a78 ADVAPI32.dll RegOpenKeyExW . Base 0x01600000 contains jump instructions to other addresses: 0x1600000 b835000000 MOV EAX, 0x35 0x1600005 e9cdd7307b JMP 0x7c90d7d7 0x160000a b891000000 MOV EAX, 0x91 0x160000f e94fdf307b JMP 0x7c90df63 0x1600014 8bff MOV EDI, EDI 0x1600016 55 PUSH EBP 0x1600017 8bec MOV EBP, ESP 0x1600019 e9ef17c175 JMP 0x7721180d So it seems to be consistent that impscan is unable to find hooked calls there: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x01600000 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- Traceback (most recent call last): File "vol.py", line 185, in <module> main() File "vol.py", line 176, in main command.execute() File "C:\Micha\Forensics\Volatility-2.1a\volatility\commands.py", line 111, in execute func(outfd, data) File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 358, in render_text for iat, call, mod, func in data: File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 338, in calculate forward = True) File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 130, in _vicinity_scan start_addr = sortedlist[0] IndexError: list index out of range Or does the error message mean something other? Looked at the first jump target there is the "detoured" call as expected: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90d7d7 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData So impscan is not able to directly handle such trampoline calls, is it? Following the trace of the jump targets there are two imports of BaseQueryModuleData: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90df63 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData Also the next jump targets import the same api calls: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7721180d Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA 0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA 0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA . C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x771c76bd Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA 0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA 0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA . I have no clue why theses api-call are hooked twice. Does anybody have an idea? Regards Michael

12 years, 4 months

2
2
0 0

got a rootkit or what?

by phocean

Hi list, I believe that one of my lab VM is owned by a sophisticated rootkit. There are many signs of that: Rootkit in my lab? Rootkit in my lab? (part II) Live analysis was a dead end. Needless to say that common live analysis tools and AV found nothing. So I have been focussed for days on analyzing the RAM with Volatility. And I found absolutely nothing. I am just afraid that now it is beyond my skills at this moment. If some of you are curious, do not hesitate to have a look. Of course, I would love to learn more and get some tips and feedbacks. I can provide more volatility output if necessary, or even the dump. Thank you! --- phocean

12 years, 4 months

1
0
0 0

Windows Server 2008

by Mike Lambert

I know we can't work on Windows Server 2008 with Volatility at this time. What products are capable of examining Windows Server 2008? Thanks, Mike

12 years, 4 months

13
49
0 0

Impact on memory images when suspending a virtual machine

by Stefan Vömel

Hi everyone, in prior threads, Michael and Aaron pointed out changes in memory structures when suspending a virtual machine. I think this is an important observation and would therefore suggest moving the respective discussion to a separate thread. I have summarized the relevant passages below. ---- Michael H. Ligh (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-June/000441.…) > Also, if you're analyzing a memory dump by suspending the VM, that has > significant impact on the lifetime and availability of network > structures. When you suspend/pause a VMware guest, VMware tools runs a > bat script on the guest (I think its vm-suspend.bat) which forcefully > closes TCP/UDP and frees the IP. Jesse Bowling (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000470.…) > This was a VMWare 4.1 virtual machine that was paused, and the vmss file > copied out. > Much later I head referenced that pausing the virtual machine actually > causes a lot of information to be removed from memory due to the way VMWare > prepares the OS to pause... :( (Can you or anyone speak to the truth-iness > of this?) AAron Walters (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000473.…) > This is definitely something to take in consideration with this particular > acquisition method. I think you are referring to a comment that MHL made > previously about vmware tools. A similar thing happens when people > attempt to use hibernation files. Intuitively, what does it mean to resume > a network connection that disappeared hours, if not days, earlier? In some > instances, it is possible to still extract associated artifacts from > unallocated regions, a technique most debuggers don't handle very well. ---- Last year, I wrote a survey article about memory acquisition and analysis techniques (http://www.sciencedirect.com/science/article/pii/S1742287611000508) and stated in a short section about virtual machines that, by suspending a system, a memory snapshot with a high level of atomicity and correctness could be produced. With respect to the issues raised by Michael, this statement is maybe a bit too optimistic now?! I have recently done a lot of research in the area of memory acquisition, specifically with regard to software-based utilities. We have tried to formalize criteria for sound memory imaging in a different paper (http://www.sciencedirect.com/science/article/pii/S1742287612000254) and I'm currently working on a platform that may help evaluating the correctness, impact, etc. of a utility more accurately. As the discussion about virtual machines roughly touches my research interests, I would like to know if there's any more information on this topic. Specifically: - Has anyone ever measured the impact on a memory image when suspending a system? - I have briefly looked at the vm-suspend-default.bat file which is located in the folder of the VMware tools. It just includes an "ipconfig /release" command, so it appears "only" network-related information would be affected. Is anyone aware of any other structures that would be changed/destroyed when going into suspensed mode? - Is the batch script (or similar operations) actually executed every time a machine is suspended? I have just run a quick google query on the file and only saw that its use was optional? I would very much appreciate if anyone had some more details on this or could share some references. Best regards, Stefan

12 years, 4 months

2
1
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users July 2012