I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
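The LiME address space is rejected at the very first check, the header magic. The check below is an added example (not code from the post, LiME or Volatility) that walks a dump's LiME segment headers and reports why that check would fail; it assumes the LiME v1 header layout (32 bytes, little-endian: magic 0x4C694D45, version, inclusive start and end physical address, 8 reserved bytes) and reads the VMware error line the way Volatility produces it, as the file's first four bytes taken as a little-endian integer.

```python
import struct

LIME_MAGIC = 0x4C694D45                # "EMiL" when read as little-endian bytes
HEADER = struct.Struct("<IIQQ8s")      # magic, version, s_addr, e_addr, reserved

def parse_lime_segments(data):
    """Return (s_addr, e_addr, data_offset) per LiME segment, or raise ValueError
    with a diagnosis; a bad first header is what Volatility reports as
    'Invalid Lime header signature'."""
    if len(data) < HEADER.size:
        raise ValueError("file shorter than one LiME header (%d bytes)" % len(data))
    segments, off = [], 0
    while off + HEADER.size <= len(data):
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            first = struct.unpack_from("<I", data, off)[0]
            if off == 0:
                raise ValueError("no LiME header at offset 0: first dword is 0x%08x, "
                                 "expected 0x%08x (not a LiME-format file)" % (first, LIME_MAGIC))
            raise ValueError("bad segment header at offset 0x%x: 0x%08x" % (off, first))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("segment at 0x%x has end address below start" % off)
        segments.append((s_addr, e_addr, off + HEADER.size))
        off += HEADER.size + (e_addr - s_addr + 1)   # e_addr is inclusive
    return segments

def build_lime_image(segments):
    """Constructed test image: a LiME file holding (s_addr, payload) segments."""
    out = b""
    for s_addr, payload in segments:
        out += HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return out

# Constructed inputs: a well-formed two-segment dump, and a headerless raw dump
# whose first bytes are 53 ff 00 f0 (the little-endian dword 0xf000ff53 that
# the VMware address-space check printed for the image in the post above).
GOOD_IMAGE = build_lime_image([(0x0, b"\x90" * 0x1000), (0x100000, b"\xcc" * 0x200)])
RAW_IMAGE = b"\x53\xff\x00\xf0" + b"\x00" * 60

def diagnose(data):
    """Return ('ok', segments) or ('error', message) for a candidate LiME file."""
    try:
        return ("ok", parse_lime_segments(data))
    except ValueError as exc:
        return ("error", str(exc))
```

Running diagnose() on the real .lime file tells you whether the file carries LiME headers at all before any profile question arises; a dump without them has to be opened as a raw physical image instead.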
Hey all,
Here's what I have:
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x26004da0 UPS_Label_23052         396 False  True   False    False  False False   False
0x260f7da0 UPS_Label_23052         396 False  True   False    False  False False   False
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x27808020 explorer.exe       1480   1412 0x0a440200 2013-05-23 17:44:24 UTC+0000
0x26004da0 UPS_Label_23052     396   1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000
0x260f7da0 UPS_Label_23052     396   1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000
I'm attempting to find and extract the running UPS_Label_23052, but
having difficulty extracting the exe from it. Procmemdump and
procexedump fail to find the pid, so I'm kind of lost. Any info would
help...thank you.
James
So here's what I got... regsvr32.exe was run as shown below:
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x893614e0 regsvr32.exe           3100   2564      5       97      0      0 2013-12-06 18:28:51 UTC+0000
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x093614e0 regsvr32.exe           3100 True   True   False    True   True  True    False
regsvr32.exe pid:   3100
Command line : regsvr32.exe "C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll"
Service Pack 3

Base       Size       LoadCount Path
---------- ---------- ---------- ----
0x10000000 0x9000     0x1        C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll
I dumped pid 3100 to a dmp file with procmemdump. I ran strings on 3100.dmp
and I see what I'm looking for (domain names that match a packet
capture). I'm trying to extract that running dll from the 3100.dmp
file, which is around 200 megs. Any help would be awesome... thank you.
James
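Both of James's psxview listings are cases where looking a process up by PID is the wrong handle. The triage below is an added example (not code from the posts or from Volatility) that parses psxview output and flags the rows where PID-based dump plugins come up empty: a process seen by psscan but not pslist, and a PID that occurs at more than one physical offset. The sample input is the page's own rows, re-aligned; the column set is assumed to be the standard psxview header.

```python
import re

# Constructed input: the psxview rows quoted in the two posts above, re-aligned.
PSXVIEW_OUTPUT = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x26004da0 UPS_Label_23052         396 False  True   False    False  False False   False
0x260f7da0 UPS_Label_23052         396 False  True   False    False  False False   False
0x093614e0 regsvr32.exe           3100 True   True   False    True   True  True    False
"""

COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+((?:True|False)(?:\s+(?:True|False)){6})\s*$")

def parse_psxview(text):
    """Return one dict per data row: offset (int), name, pid and the seven flags."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                      # header and separator lines
            continue
        flags = dict(zip(COLUMNS, (f == "True" for f in m.group(4).split())))
        rows.append(dict(offset=int(m.group(1), 16), name=m.group(2),
                         pid=int(m.group(3)), **flags))
    return rows

def triage(rows):
    """Return {physical_offset: [notes]} for rows a PID-based plugin will not handle."""
    by_pid = {}
    for r in rows:
        by_pid.setdefault(r["pid"], []).append(r)
    findings = {}
    for r in rows:
        notes = []
        if r["psscan"] and not r["pslist"]:
            # Found only by scanning pool memory: the _EPROCESS is no longer on the
            # active list (typically a terminated process, or one unlinked from it),
            # so plugins that look the process up by PID report it as not found.
            notes.append("psscan-only: address it by physical offset, not by PID")
        if len(by_pid[r["pid"]]) > 1:
            notes.append("PID %d appears %d times at different offsets: stale or "
                         "duplicated _EPROCESS objects" % (r["pid"], len(by_pid[r["pid"]])))
        if notes:
            findings[r["offset"]] = notes
    return findings
```

For the flagged rows, Volatility's process plugins take the physical _EPROCESS offset with -o instead of -p, and for the regsvr32.exe case dlldump selects the loaded module by its base address with -b.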