I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
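The probe output above shows every address space rejecting the file. Two lines are worth reading together: LimeAddressSpace reports an invalid header signature, and VMWareSnapshotFile, which checks a magic value at offset 0 of the file, prints the dword it actually found there, 0xf000ff53. Whatever the file is, its first four bytes are not the LiME magic. As an added example (mine, not code from the post or from the Volatility or LiME projects), the Python below parses the range-header layout that LiME's "lime" output format writes (32 bytes per range: u32 magic 0x4C694D45, the bytes "EMiL"; u32 version 1; u64 inclusive start and end physical addresses; 8 reserved bytes) and maps a physical address to its file offset, which is the job Volatility's LiME address space does. The two sample dumps are constructed inside the code; the second one starts with the same dword the VMware probe printed.

```python
import struct

# LiME per-range header, little-endian, 32 bytes:
#   u32 magic (0x4C694D45, "EMiL" as bytes), u32 version (1),
#   u64 s_addr, u64 e_addr (inclusive), u8 reserved[8]
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")
assert LIME_HEADER.size == 32


def parse_lime_ranges(data: bytes):
    """Walk a LiME dump and return [(s_addr, e_addr, payload_file_offset), ...].

    Returns None when the file does not begin with a valid LiME header, which
    is the condition Volatility reports as "Invalid Lime header signature".
    Raises ValueError for a file that starts correctly but is corrupt later.
    """
    ranges = []
    offset = 0
    while offset + LIME_HEADER.size <= len(data):
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC or version != 1:
            if offset == 0:
                return None  # not a LiME file at all
            raise ValueError(f"corrupt range header at file offset {offset:#x}")
        length = e_addr - s_addr + 1  # e_addr is inclusive
        payload = offset + LIME_HEADER.size
        if payload + length > len(data):
            raise ValueError(f"truncated range {s_addr:#x}-{e_addr:#x}")
        ranges.append((s_addr, e_addr, payload))
        offset = payload + length
    return ranges


def paddr_to_file_offset(ranges, paddr):
    """Translate a physical address to its offset in the dump file.

    Returns None for addresses that fall in a hole between ranges
    (MMIO, reserved regions), which LiME never writes.
    """
    for s_addr, e_addr, payload in ranges:
        if s_addr <= paddr <= e_addr:
            return payload + (paddr - s_addr)
    return None


def build_range(s_addr, e_addr, fill):
    """Constructed test data: one LiME range whose payload is a repeated byte."""
    header = LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\0" * 8)
    return header + bytes([fill]) * (e_addr - s_addr + 1)


# Constructed samples (not real dumps): a two-range LiME file, and a blob whose
# first dword is 0xf000ff53, which no LiME parser should accept.
SAMPLE_LIME = build_range(0x1000, 0x1FFF, 0x41) + build_range(0x100000, 0x1003FF, 0x42)
SAMPLE_RAW = bytes.fromhex("53ff00f0") + b"\0" * 60

if __name__ == "__main__":
    for label, blob in (("lime sample", SAMPLE_LIME), ("raw sample", SAMPLE_RAW)):
        result = parse_lime_ranges(blob)
        if result is None:
            first = struct.unpack_from("<I", blob)[0]
            print(f"{label}: first dword {first:#x}, not a LiME header")
        else:
            for s, e, off in result:
                print(f"{label}: range {s:#x}-{e:#x} payload at file offset {off:#x}")
```

A dump that parses here but still fails in Volatility points at the profile rather than the file format; a dump that returns None here was not written in LiME format regardless of the type= argument that was passed.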
Hello again,
So, now that I am using the right profile, the plugins seem to work.
My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from a Win 7 SP1 64 bit system.
My next step seemed to be using pslist to get the PIDs, and putting those into one of the built-in plugins.
I've tried dumpfiles, vaddump, memdump, and some others.
It looks like I should be able to piece something together between the results of dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that out yet. I'm wondering if there is a more specific switch. They both seem to produce a lot more files than I need.
Is there a better way to use Volatility's built-in tools to pull out files from Notepad?
Is there an add on that I can download which will pull out something more quickly and cleanly?
Thanks,
andybellman(a)outlook.com
Hey,
In the images (tigger.vmem, sality.vmem and black energy) the connscan plugin gives output showing that these images are making connections with some IP, and it also tells the PID of the process making such connections, but when I used the PSLIST, PSSCAN and PSXVIEW plugins, none of them showed the process with that PID (the one making the connection).
P.S.: In all the above-mentioned images the process ID is the same, i.e. PID=1260.
So the problem is: why is it not showing any details about PID=1260?
Hi all,
In my continuing exploration of Windows memory and Volatility I'm currently looking at Windows, literally: the GUI.
Looking at a notepad process, wintree shows me:
.Untitled - Notepad (visible) notepad.exe:100 Notepad
..#20128 notepad.exe:100 6.0.7601.17514!msctls_statusbar32
..#20126 (visible) notepad.exe:100 6.0.7601.17514!Edit
.Default IME notepad.exe:100 IME
.MSCTFIME UI notepad.exe:100 MSCTFIME UI
So, I'm assuming #20128 is the status bar at the bottom of the Notepad window, and #20126 is the edit control, that is, the textarea into which the user types.
This is the corresponding output from the windows plugin for the edit control:
Window Handle: #20126 at 0xfea0dc70, Name:
ClassAtom: 0xc119, Class: 6.0.7601.17514!Edit
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfe2a4008, Tid: 1692 at 0x8550d368
ppi: 0xffa95550, Process: notepad.exe, Pid: 100
Visible: Yes
Left: 10, Top: 52, Bottom: 485, Right: 701
Style Flags: WS_VSCROLL,WS_CHILD,WS_OVERLAPPED,WS_VISIBLE,WS_HSCROLL
ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x744399d0
Question 1:
Window Handle: #20126 at 0xfea0dc70 - what is the offset? Physical, virtual? Of what? The Edit control object?
(I'm guessing: physical, yes, of the edit control object.)
Question 2:
I can see that its Window-esque properties (X, Y, width, height, style flags, et al.) are all clearly present, but where can I find information specific to this control (in this instance, an 'Edit')? For example, maybe the text it contains?
(I'm guessing, take a look at 0xfea0dc70 and there'll be some kind of structure to parse.)
As always, many thanks. (This is all going towards a plugin that I'm hoping to write!)
Also as always, if I could've found this information on my own, please let me know where to look.
I've read the Command Reference and the associated MoVP posts.
Adam
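The wintree lines quoted above encode the window hierarchy with leading dots (one per level), print a window that has no title as #handle, and mark visible windows with "(visible)". As an added example (mine, not code from the post or from the Volatility project), the Python below parses that text into a tree and locates the Edit child of the Notepad top-level window by class name, so the guess in the post (that #20126 is the edit control and #20128 the status bar) can be checked from the class suffix rather than by eye. The sample text is the output quoted in the post, embedded as a constant.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The wintree lines from the post, embedded as sample input.
WINTREE_SAMPLE = """\
.Untitled - Notepad (visible) notepad.exe:100 Notepad
..#20128 notepad.exe:100 6.0.7601.17514!msctls_statusbar32
..#20126 (visible) notepad.exe:100 6.0.7601.17514!Edit
.Default IME notepad.exe:100 IME
.MSCTFIME UI notepad.exe:100 MSCTFIME UI
"""

# dots = depth, title (lazy, may contain spaces), optional "(visible)",
# then process:pid, then the class name (may contain spaces, e.g. "MSCTFIME UI").
LINE_RE = re.compile(
    r"^(?P<dots>\.+)(?P<title>.*?)(?P<vis> \(visible\))? "
    r"(?P<proc>\S+):(?P<pid>\d+) (?P<cls>.+)$"
)


@dataclass
class Win:
    depth: int
    title: str       # "#<handle>" when the window has no title
    visible: bool
    process: str
    pid: int
    cls: str
    children: List["Win"] = field(default_factory=list)


def parse_wintree(text: str) -> List[Win]:
    """Return the top-level windows (depth 1) with their children nested."""
    roots: List[Win] = []
    stack: List[Win] = []  # stack[i] is the most recent window seen at depth i+1
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines or plugin banner lines
        w = Win(len(m["dots"]), m["title"], m["vis"] is not None,
                m["proc"], int(m["pid"]), m["cls"])
        del stack[w.depth - 1:]  # unwind to this window's parent level
        if stack:
            stack[-1].children.append(w)
        else:
            roots.append(w)
        stack.append(w)
    return roots


def find_by_class(windows: List[Win], suffix: str) -> List[Win]:
    """Depth-first search for windows whose class ends with suffix, e.g. '!Edit'."""
    hits = []
    for w in windows:
        if w.cls.endswith(suffix):
            hits.append(w)
        hits.extend(find_by_class(w.children, suffix))
    return hits


if __name__ == "__main__":
    tree = parse_wintree(WINTREE_SAMPLE)
    for top in tree:
        print(f"{top.title!r} pid={top.pid} class={top.cls!r} visible={top.visible}")
        for child in top.children:
            print(f"    {child.title!r} class={child.cls!r} visible={child.visible}")
    for edit in find_by_class(tree, "!Edit"):
        print(f"edit control: {edit.title} (visible={edit.visible})")
```

The versioned class prefix (6.0.7601.17514!) is kept as part of the class string, so matching on the suffix after the bang is what identifies the control type across different common-controls versions.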
Hello guys,
I'm trying to use Volatility through Firewire, but actually it's not working.
My investigator PC runs Ubuntu Linux 12.04.
I'm using the new (JuJu) Firewire stack compiled into the kernel and I also installed forensic1394.
My Firewire bus is up and connected to a Firewire bus on a target Win7 system (4GB memory).
I can successfully dump the memory with another tool called 'inception'.
However, output only says:
vol# python vol.py -l firewire://forensic1394/0 --profile=Win7SP1x64 modules
Volatility Foundation Volatility Framework 2.3.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
FileAddressSpace: Location is not of file scheme
ArmAddressSpace: No base Address Space
What am I doing wrong?
Thank you!
--
Sebastian
Hello Jamie,
Apologies for delayed response. Had a short break with family.
I tried using the dumpfiles plugin as per your advice. It turned out to work against WinXP, but it seems not to against Win7SP1x86. Is this a known limitation?
Thanks again mate.
Regards,
Roger
On Feb 18, 2014, at 5:00 AM, vol-users-request(a)volatilityfoundation.org wrote:
> Today's Topics:
>
> 1. dumping registry hive(s) from memory image (Roger)
> 2. Re: dumping registry hive(s) from memory image (Jamie Levy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 17 Feb 2014 16:53:01 +1100
> From: Roger <roger.franklin67(a)gmail.com>
> Subject: [Vol-users] dumping registry hive(s) from memory image
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID: <98444CAC-D5F0-473B-88EB-75CC983F2869(a)gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files.
>
> Has anyone found a way of doing it?
>
> Thank you very much in advance.
>
> Kind regards,
> Roger
>
> ------------------------------
>
> Message: 2
> Date: Mon, 17 Feb 2014 10:22:32 -0500
> From: Jamie Levy <jamie.levy(a)gmail.com>
> Subject: Re: [Vol-users] dumping registry hive(s) from memory image
> To: vol-users(a)volatilityfoundation.org
> Message-ID: <53022938.4040302(a)gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Roger,
>
> Try using the dumpfiles plugin:
>
> http://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
>
> You can use an example similar to the event logs one in order to dump
> the registry file. Let me know if you need help.
>
> All the best,
>
> -Jamie
>
>
>
> On 2/17/2014 12:53 AM, Roger wrote:
>> I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files.
>>
>> Has anyone found a way of doing it?
>>
>> Thank you very much in advance.
>>
>> Kind regards,
>> Roger
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
> --
> Jamie Levy (@gleeda)
> Blog: http://volatility-labs.blogspot.com/
> GPG: http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
> Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>
>
> ------------------------------
>
>
>
> End of Vol-users Digest, Vol 68, Issue 6
> ****************************************