I think I have some issues with an 8+ GB VMware snapshot. I can get
psscan and thrdscan output but no other output from other plugins.
Any suggestions from the group on troubleshooting the image?
FYI, I can see all the data when I view it in HBGary Responder Pro.
Thanks
Dave
Sent from my iPhone
We are pleased to announce the next public Volatility training
opportunity: the Windows Malware and Memory Forensics Training by The
Volatility Project. This course will take place in Reston, VA from
Monday, June 10th through Friday, June 14th 2013. For details, please
see our blog:
http://volatility-labs.blogspot.com/2013/03/official-training-by-volatility…
or email us at: voltraining(a)memoryanalysis.net
All the best,
-gleeda
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
I'm digging through a memory image of a pretty thoroughly compromised
system using Volatility and I've run across something new (to me
anyway...).
There's a rogue process in the image that lists a PID which exceeds the
width allocated by Volatility:
0xdba0f9a8 cmd.exe 5004 True True False True False True False
0xda247250 chrome.exe 4764 True True False True False True False
0x6da39918 ☼ 42...2 False False False False False False True
0xdcd97610 SearchFilterHo 6956 False True False False False False False
0xdace4568 PrintIsolation 6312 False True False False False False False
I'd dearly love to get my hands on that executable, but I don't see an
easy way to get the PID.
Any easy way forward on this?
-=[ Steve ]=-
Hi Guys,
I've been messing around for about a week trying to get volatility to
analyse a memory dump of some system.
Since this is part of a puzzle I know I should be able to analyse it
(although I'm not sure volatility can, but it seems to be my best option).
The actual question is this:
I assume that I have a dump of a box running kernel version
2.6.32-45.104-generic-pae. How should I correctly create a profile in
volatility to analyse this dump? I can create a profile but I don't
think it's correct...
Because I do make some assumptions, I'd like to share my workflow below.
Please feel free to comment!
My current setup is:
- Recent ubuntu box
- On which KVM resides
- A "memory.raw" image of the memory of this machine. No other
information was provided.
First I wanted to determine what OS the image is from, and I had a look
by grepping the image like this:
strings memory.raw | grep -i <keyword>
I scanned for keywords like:
- Windows
- Ubuntu
- Debian
- Fedora
- RHEL
Looks like it's actually ubuntu:
boudewijn@ubuntu:~$ strings memory.raw | grep -i ubuntu | wc -l
1668
Okay for determining the kernel version, I started having a look at the
output of grepping ubuntu, and I found:
Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26
<5>[ 0.000000] Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)
So I installed this kernel version 2.6.32-45.104-generic-pae, and
rebooted (which is less work than changing the makefile etc.... I'm a
lazy sod).
Okay, make the profile:
boudewijn@ubuntu:~/volatility/tools/linux$ make
make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y M=/home/boudewijn/volatility/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
CC [M] /home/boudewijn/volatility/tools/linux/module.o
/home/boudewijn/volatility/tools/linux/module.c:70:33: error: linux/net_namespace.h: No such file or directory
make[2]: *** [/home/boudewijn/volatility/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/boudewijn/volatility/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae'
make: *** [dwarf] Error 2
Fix the include statement to include
/usr/src/linux-headers-2.6.32-45/include/net/net_namespace.h. make
clean; make followed...
Created the overlay:
boudewijn@ubuntu:~$ sudo zip volatility/volatility/plugins/overlays/linux/Ubuntu1004.zip volatility/tools/linux/module.dwarf /boot/System.map-2.6.32-45-generic-pae
adding: volatility/tools/linux/module.dwarf (deflated 89%)
adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%)
boudewijn@ubuntu:~$
Then I ran volatility with the newly created profile, and it crashed:
boudewijn@ubuntu:~$ python volatility/vol.py -f memory.raw --profile LinuxUbuntu1004x86 imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1004x86)
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/boudewijn/memory.raw)
PAE type : PAE
DTB : 0x79b000L
Traceback (most recent call last):
File "volatility/vol.py", line 186, in <module>
main()
File "volatility/vol.py", line 177, in main
command.execute()
File "/home/boudewijn/volatility-2.2/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py",
line 91, in calculate
kdbgoffset = volmagic.KDBG.v()
File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 746, in
__getattr__
return self.m(attr)
File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 728, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
I thought it might be an amd64 box, but grepping the output of strings
memory.raw just renders +- 10 results. Way too few to be an amd64 box.
Can anyone tell me what I'm actually doing wrong? Or is volatility just
not the right tool for the job?
Cheers,
Boudewijn Ector
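Boudewijn's first step, identifying the kernel from the dump's own banner, as an added example (not code from the thread or from the Volatility project): it scans a byte buffer for the `Linux version` banner, parses the fields the post found, and derives the header/System.map paths and the profile name Volatility 2 expects from the zip name. The sample bytes are constructed, and the bitness heuristic and helper names are my own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, not a real dump: the banner the post found with
# `strings memory.raw`, padded with filler bytes so the scan is realistic.
SAMPLE_IMAGE = (
    b"\x00\x01filler\x00Linux version 2.6.32-45-generic-pae (buildd@lamiak) "
    b"(gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP "
    b"Tue Feb 19 21:36:53 UTC 2013 "
    b"(Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26)\n\x00"
    b"<5>[    0.000000] Linux version 2.6.32-45-generic-pae (buildd@lamiak) "
    b"(gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP "
    b"Tue Feb 19 21:36:53 UTC 2013\n\x00"
)

# linux_banner layout: release, builder, compiler (may itself contain
# parentheses), build number, flags, date and, on Ubuntu, the package version.
BANNER_RE = re.compile(
    rb"Linux version (?P<release>\S+) \((?P<builder>[^)]+)\) "
    rb"\((?P<compiler>.*?)\) #(?P<build>\d+)\S* (?P<flags>(?:SMP |PREEMPT )*)"
    rb"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ [\d:]+ \w+ \d{4})"
    rb"(?: \((?P<package>[^)]+)\))?"
)

def find_kernel_banners(image: bytes) -> List[Dict[str, str]]:
    """Every distinct banner in the image (dmesg usually repeats it), parsed."""
    seen, out = set(), []
    for m in BANNER_RE.finditer(image):
        d = {k: (v or b"").decode("ascii", "replace").strip()
             for k, v in m.groupdict().items()}
        if (d["release"], d["build"]) not in seen:
            seen.add((d["release"], d["build"]))
            out.append(d)
    return out

def bitness_hint(release: str) -> Optional[str]:
    """Heuristic (my own): the arch is not in the banner. A -pae or i686
    release is 32-bit; None means fall back to string counts as the post did."""
    if release.endswith("-pae") or "i686" in release or "i386" in release:
        return "x86"
    return "x64" if ("x86_64" in release or "amd64" in release) else None

def profile_inputs(release: str) -> Dict[str, str]:
    """Headers and System.map to build from: the dump's release, not the host's."""
    return {"headers": f"/usr/src/linux-headers-{release}",
            "system_map": f"/boot/System.map-{release}"}

def profile_name(zip_basename: str, bitness: str) -> str:
    """Volatility 2 derives the --profile name from the overlay zip's name."""
    return "Linux" + re.sub(r"\.zip$", "", zip_basename) + bitness
```

Run it over a real image by reading the file into `image` instead of `SAMPLE_IMAGE`; a mismatch between the parsed release and the host's `uname -r` is exactly the condition under which module.dwarf and System.map will not describe the dump.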
Hello all,
I thought I'd let you know that we've put together a cheat sheet that
you might find useful when using Volatility in your investigations:
http://volatility-labs.blogspot.com/2013/03/if-youre-going-to-cheat_15.html
Also we plan to announce the next training opportunity for our Windows
Malware and Memory Forensics Training Course on Monday, March 18th
2013 so stay tuned!
All the best,
-gleeda
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
I apologize in advance if I'm overlooking something. I'm using the Windows binary of Volatility 2.2 on a Windows 7 platform. Could someone tell me how I can extract a certain driver using the offset?
I looked at the moddump help and the offset option is not listed. I tried to use -o anyway and got an error saying there is no such option (--offset=offset didn't work either). The Volatility command wiki doesn't show the moddump help but it does link to this post which shows the offset as an option:
http://moyix.blogspot.com/2008/10/plugin-post-moddump.html
I'm not that familiar with Python so looking at the plugin code wasn't that helpful for me. What I am trying to do is to extract a specific driver from a memory image. The moddump command works for extracting all drivers but it would be nice to extract only the one I need.
Thanks for any help
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
Hi,
Yesterday during a challenge we had to use the linux_dump_map plugin
to dump a process stack, and the documentation at
https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_pro…
says it has the -p option to select a process.
However, as far as I can tell looking in the svn history, this plugin
never had the -p option. And it's definitely not working currently.
I've heard a confirmation that the option was working in version
2.2-rc1, so maybe it was a global option?
The reason I'm mailing this is because, if the -s is virtual memory,
would you not get possible overlap in areas? How do you know it dumped
the correct VMA? Note that every time I tried, I got the correct area.
Cheers,
Edwin
Hi
I am running - revision 3164
I get the following error when running: Ignore the import errors
# python2.7 vol.py -f /opt/hiberfil.sys --profile=WinXPSP3x86 imagecopy -O /opt/winxp_sp3_2nd.raw
Volatile Systems Volatility Framework 2.3_alpha
*** Failed to import volatility.plugins.zeusscan1 (AttributeError: 'module'
object has no attribute 'ImpScan')
*** Failed to import volatility.plugins.zeusscan2 (AttributeError: 'module'
object has no attribute 'ApiHooks')
Writing data (5.00 MB chunks):
|......................................................................................................................................................................................................................................................ERROR
: volatility.plugins.imagecopy: Error when reading from address space
I have tried copying over the .sys file twice. I generated a new .sys file
and same error. It worked wonderfully last week. I tried reverting back
to revision 3159 and no dice. Also, oddly enough, it works with an old
version of volatility running on remnux.
Not sure what's up. Also here is the output from imageinfo:
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
AS Layer3 : FileAddressSpace (/opt/hiberfil.sys)
PAE type : PAE
DTB : 0x9300060L
KDBG : 0x80545be0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2013-03-05 06:26:20 UTC+0000
Image local date and time : 2013-03-05 00:26:20 -0600
thanks in advance
Hi,
I am trying to build a profile for the Arch Linux kernel (3.7.9-2),
but I am getting this error:
http://paste.ubuntu.com/5584634/
Is this a problem with newer kernels or am I doing something wrong?
Cheers,
Edwin