June 2013 - Vol-users - volatilityfoundation.org

by Brian Keefer

I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error. chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod Volatile Systems Volatility Framework 2.3_alpha WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemoryPae: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53 WindowsCrashDumpSpace32: Header signature invalid JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected AMD64PagedMemory: Failed valid Address Space check JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected On a hunch I checked the directory I built the profile in (copied headers & source from the target system): chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo * System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq Platform running Volatility (2.3_alpha, latest from svn): Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux Source of memory image: Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux What am I missing? -- chort

9 years, 7 months

3
6
0 0

custom Android profile: No suitable address space mapping found

by Antonios Broumas

Good day, As the title suggests I am working with a custom Android installation and I have encountered the "No suitable address space mapping found". I have not cross-compiled lime.ko and module.ko with exactly the same compiler that I used to build the rest of my installation but I have carried out the build pointing to the same kernel directories and lime.ko can successfully be used to get a memory dump. Can this be the reason for the inconsistency? Here is what I did: 1. I have downloaded lime from svn: URL: http://lime-forensics.googlecode.com/svn/trunk/src Repository Root: http://lime-forensics.googlecode.com/svn Repository UUID: e105e084-e930-c66b-6cfa-9f740464420f Revision: 17 Node Kind: directory Schedule: normal Last Changed Author: Joe.Sylve(a)gmail.com Last Changed Rev: 15 Last Changed Date: 2013-03-19 08:10:00 -0700 (Tue, 19 Mar 2013) 2. I have downloaded volatility from svn: URL: https://volatility.googlecode.com/svn/trunk Repository Root: https://volatility.googlecode.com/svn Repository UUID: 8d5d6628-2090-11de-9909-f37ff7dbbc12 Revision: 3444 Node Kind: directory Schedule: normal Last Changed Author: michael.hale(a)gmail.com Last Changed Rev: 3440 Last Changed Date: 2013-06-18 10:08:37 -0700 (Tue, 18 Jun 2013) 3. I have cross-compiled lime for a custom android installation and produced a kernel module and with it I have successfully retrieved a memory dump of size a little less than 2GB. 1951400096 Jun 25 14:50 mem.dump 4. I have also created a profile pointing to the same custom android installatin: *** note that pmem is not visited and pmem.c is not compiled *** cd volatility/tools/linux edit Makefile and cross-compile module.c and produce module.ko dwarfdump -di module.ko > module.dwarf head module.dwarf .debug_info <0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.6.x-google 20120106 (prerelease)"> DW_AT_language<DW_LANG_C89> DW_AT_name<"/home/antonios/dev/tools/volatility/tools/linux/module.c"> DW_AT_comp_dir<"/media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/out/target/product/jflteatt/obj/KERNEL_OBJ"> DW_AT_low_pc<0x00000000> DW_AT_high_pc<0x00000000> DW_AT_stmt_list<0x00000000> <Unknown AT value 0x2134><0> <Unknown AT value 0x2135><0> <1><0x2d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000038>> <1><0x38><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char"> <1><0x3f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000004a>> <1><0x4a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char"> <1><0x51><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000005c>> <1><0x5c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int"> zip volatility/volatility/plugins/overlays/linux/mylinux.zip module.dwarf System.map adding: home/antonios/dev/tools/volatility/tools/linux/module.dwarf (deflated 92%) adding: media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/out/target/product/jflteatt/obj/KERNEL_OBJ/System.map (deflated 74%) 5. python vol.py --info LinuxmylinuxARM - A Profile for Linux mylinux ARM 6. however python vol.py --profile=LinuxmylinuxARM -f mem.dump linux_pslist results in: Volatile Systems Volatility Framework 2.3_beta Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile LinuxmylinuxARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check I have not cross-compiled lime.ko and module.ko with exactly the same compiler that I used to build the rest of my installation but I have carried out the build pointing to the same kernel directories and lime.ko can successfully be used to get a memory dump. Can this be the reason for the inconsistency? Antonios

11 years, 1 month

3
3
0 0

Problem reading mapped ranges in linux address spaces

by Edwin Smulders

Hi all, I am having a problem reading certain values in an address space. I know for certain that the range I am trying to read is mapped, i.e. there is a vma for it. The specific range in this case is shown in the vma list as this: 1206 0x00007faf9d98f000 0x00007faf9db4d000 r-x 0x0 8 1 241 /lib/x86_64-linux-gnu/libc-2.17.so The offset in this range that I am trying to read is 0x21e9b = 0x7faf9d9b0e9b the call may look like this: proc_as.read(0x7faf9d9b0e9b, 10) and it will return None, meaning it could not read that address. Using the linux_dump_map I exported the whole range and there's a pretty big empty (inaccessible) chunk in the middle, which appears as 0-bytes in the export. I know for a fact that my libc does not have a big area of 0-bytes, so this is pretty weird. It also works just fine for other processes in the same dump (so using the same libc). For research purposes I make my memory dumps with virtualbox, so I don't think it's an issue with memory corruption; as far as i can tell, virtualbox makes complete snapshots. Does anyone know what might cause this problem? Cheers, Edwin

11 years, 4 months

4
7
0 0

Memory Forensics Training by Volatility Developers is headed back to Reston!

by Andrew Case

After quickly selling out our recent course in Reston, we have now scheduled another training there in November: http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-resto… This course is taught directly by Volatility developers, and provides intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. We already have quite a few people signed up and had to turn away people last time, so please contact us ASAP if you are interested in taking it. Thanks, Andrew (@attrc)

11 years, 4 months

1
0
0 0

OT: Using netsh to set ip address of an interface on winfe/winpe 4.0.

by George M. Garner Jr.

This post is off-topic; however, there are a lot of bright people on this list so maybe someone will be able to help. I need to set a static ipv4 address on an interface in WinPE4.0/WinFE4.0. For example the following command works on Windows 8: netsh.exe interface ip set address Ethernet static 192.168.0.5 255.255.255.0 On WinPE 4.0 I am getting an error that the interface is not found which is odd since the interface appears in the list of interfaces. For example: netsh.exe interface ip show interfaces and netsh.exe interface ip show interface Ethernet both work as expected. I can also add a route on the interface in WinPE, e.g.: netsh.exe interface ip add route 192.168.0.0/24 Ethernet works. It is just adding the static ip address that doesn't work. I have also tried using the IF index instead of the interface name; still no joy. Unfortunately I can't use dhcp in some applications because the client broadcasts an announcement that I am present, which wouldn't be prudent. I am wondering if there isn't maybe some dependency that is missing from my winpe installation? Anyone have any thoughts? Regards, George.

11 years, 4 months

2
4
0 0

Problem using bitmaps in overlays

by Carl Pulley

Hi all, I'm currently attempting to code up a bitmap (within an overlay) that consists of an array of 4 ulongs. With (say) a single ulong, the following works great: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) However, the obvious generalisation to 4 ulongs: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) fails. Looking at the source, the profile.merge_overlay calls: obj.Object(['array', 4, ['unsigned long']], offset=0, ..) and this function in turn raises an exception (i.e. TypeError: unhashable type: 'list') when it calls: vm.profile.has_type(['array', 4, ['unsigned long']]) Attempts at using obj.Array instead also flounder. Does anyone have any hints or tips as to how best to deal with bitmaps that are arrays of bytes, ulongs or similar? Is it a case of having to extend the obj.Flags class so that such things can be handled? Many thanks, Carl.

11 years, 4 months

2
2
0 0

No shimcache data found

by Brian Keefer

I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time). While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...) Thanks! -- chort

11 years, 4 months

3
5
0 0

Final Week of Month of Volatility Plugins II is posted

by Andrew Case

We are writing as the final week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Mac systems. The first post demonstrated leveraging process cross-view analysis for Mac rootkit detection: http://volatility-labs.blogspot.com/2013/06/movp-ii-41-leveraging-process-c… The second post covered dumping, scanning, and searching process memory: http://volatility-labs.blogspot.com/2013/06/movp-ii-42-dumping-scanning-and… The third post discussed how to recover networking information: http://volatility-labs.blogspot.com/2013/06/movp-ii-43-recovering-mac-os-x-… The fourth post showed a number of artifacts in Mac kernel memory: http://volatility-labs.blogspot.com/2013/06/movp-ii-44-whats-in-your-mac-os… The fifth post analyzed the Rubilyn kernel rootkit and detected it in a number of ways: http://volatility-labs.blogspot.com/2013/06/movp-ii-45-mac-volatility-vs-ru… We hope you have enjoyed this month's posts and will be trying 2.3 when its released! If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

11 years, 5 months

1
0
0 0

Mucho processes

by Glenn Edwards

Background: The user logged off (I know, I know) of the system (WinXP) and the first responder logged back in under a different user and took the memory dump. When running pslist against the memory dump there're 2,423 entries. I'm seeing a lot of entries where the process starts and exits - sometimes in a row: 0x89b3f868 userinit.exe 3808 548 0 -------- 0 0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000 0x89b89ad0 userinit.exe 3156 548 0 -------- 0 0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000 0x89b2a868 userinit.exe 3672 548 0 -------- 0 0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000 0x89afc020 userinit.exe 3388 548 0 -------- 0 0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000 0x89b49da0 userinit.exe 1336 548 0 -------- 0 0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000 and sometimes more spread out: 0x89c1da98 java.exe 4536 1368 0 -------- 0 0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000 0x89141020 cscript.exe 8608 4536 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000 0x89142da0 wmiprvse.exe 3152 832 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000 0x89144ac0 minituner.exe 1120 1368 0 -------- 0 0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000 0x8934d520 java.exe 9148 1368 0 -------- 0 0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000 0x8934e020 cscript.exe 7620 9148 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000 0x895423b8 wmiprvse.exe 3664 832 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000 0x895ce8a0 minituner.exe 9940 1368 0 -------- 0 0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000 0x893a3838 java.exe 4572 1368 0 -------- 0 0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000 Example of top processes by overall count of occurrence: $ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr 364 java.exe 362 minituner.exe 335 userinit.exe 301 wmiprvse.exe 219 cscript.exe 192 verclsid.exe 91 wuauclt.exe 37 regsvr32.exe 34 winlogon.exe 34 csrss.exe [snip] I've never come across this before so I'm wondering if this could be attributed to the first responder not letting the system fully log them on prior to taking the memory dump and therefore there was a lot of still loading processes observed? -- Glenn Edwards @hiddenillusion

11 years, 5 months

3
4
0 0

hive file dump

by Jaroslav Brtan

Hi everyone, I would like to ask you if it is possible to dump the hive file from a memory image. For some reason the printkey cmd does not return expected values. In my virtualbox Windows xp sp3 image contains vboxtray.exe in the RUN key, but I dont see it in the printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" cmd output I am using volatility version 2.3 beta. I want to use Windows registry recovery tool to check if it is able to get the info I need. Thank you Jaro

11 years, 5 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users June 2013