Hello again,
So, now that I am using the right profile, the plug ins seem to work.
My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from a Win 7 SP1 64 bit system.
My next step seemed to be using pslist to get the PIDs, and putting those into one of the built in plugins.
I've tried dumpfiles, vaddump, memdump, and some others.
It looks like I should be able to piece something together between the results of dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that out yet. I'm wondering if there is a more specific switch. They both seem to produce a lot more files than I need.
Is there a better way to use volatility's built in tools to pull out files from notepad?
Is there an add on that I can download which will pull out something more quickly and cleanly?
Thanks,
andybellman(a)outlook.com
Good afternoon,
I'm having a bit of trouble using Volatility for memory forensics with the
goal of malware detection. I've captured a memory dump of a Windows 7 SP1
x64 machine using winpmem_1.5.5.exe and am using the 2.3.1 standalone
variant of Volatility on a Windows 7 SP1 x64 machine. When i issue commands
such as 'connections' , 'connscan' , 'sockets' i get the error "This
command does not support the profile Win7SP1x64." I've also tried
Volatility Standalone 2.3 and 2.2. Any explanation would be greatly
appreciated. Thanks!
Hi,
is anybody else also running into issues when using mftparser on Win7 64
Bit?
I get the following:
WARNING : volatility.obj : Cant find object NullString in profile
<volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0xb4fc44c>?
Which results in entries like:
(FN)
0x184000|None\None\None\None\None\None\None|153380|---a-----------|0|0|480|1336379877|1336379877|1336379877|1336379877
Thanks,
Markus
I am having problems with my PSXView. On multiple occasions I have
started this command and left it running overnight and by the next
morning there has been no reported data. The command appears to be
stalled. I am not sure where to look for the exact problem. I have
looked into the Python address space with WinDbg and have noted, with
!VAD, a segment of memory that is EXECUTE_READWRITE that is not listed
as a process. It is identified as "Private". When peering into the
segment of memory, I have noted a number of locations where there is
an "MZ" prefix that designates a Windows PE. This is followed by
"This program cannot......" so I know that this block contains
executable code. When analyzing the code further there is a number of
these programs, I have found headers designating that these are DLLs.
Should this code block be present? With my limited training, I
understand that all DLLs should be loaded by the loader and reflected
in the address space with a VAD not burried in a segment of code. Has
anyone else experienced this problem? Is my PSXView problem related
to something else? Is there a way to isolate the issue further from
here? I did a dump of Python using Procexedump but have not reviewed
the IAT of the file or attempted to disassemble the file. I am new to
reverse engineering so I am looking for the closest rope to grab onto.
Hi all,
I've followed the documentation to first dump the memory device cross
compiling lime and then creating the profile for a linux device on arm.
Unfortunately I wasn't able to use volatility on the memory dump.
I'm using volatility 2.3.1, the kernel is a linux vanilla 2.6.31.14 + a
custom grsecurity+pax configuration.
Below some output from the commands, any suggestion on next step to
troubleshoot where is the problem ?
boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --info | grep
Profile | grep Linux
Volatility Foundation Volatility Framework 2.3.1
LinuxTESTARM - A Profile for Linux TEST ARM
$ python vol.py -f /home/boos/arm-mem-image imageinfo
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with
LinuxUbuntu1204x64)
AS Layer1 : LimeAddressSpace (Unnamed AS)
AS Layer2 : FileAddressSpace (/home/boos/arm-mem-image)
PAE type : No PAE
DTB : 0x1c0d000L
Traceback (most recent call last):
File "vol.py", line 184, in <module>
main()
File "vol.py", line 175, in main
command.execute()
File "/home/boos/Downloads/volatility-2.3.1/volatility/commands.py", line
122, in execute
func(outfd, data)
File
"/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py",
line 36, in render_text
for k, v in data:
File
"/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py",
line 93, in calculate
kdbgoffset = volmagic.KDBG.v()
File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 737,
in __getattr__
return self.m(attr)
File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 719,
in m
raise AttributeError("Struct {0} has no member
{1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --profile
LinuxTESTARM -f /home/boos/arm-mem-image linux_dmesg
Volatility Foundation Volatility Framework 2.3.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile LinuxTESTARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
--
Roberto Martelloni
boos @ http://boos.core-dumped.info
Hi guys,
I would like to extract the files which are temporary cached by the
Linux page cache from an Ubuntu memory image.
When I read a file in Linux for the first time, it gets read from the
hard drive but gets also cached.
A second read of the same file then goes faster. Same for writing.
/proc/sys/vm/dirty_expire_centiseconds defines how long data remains in
the page cache until it is written to disk.
First I thought I could use Linux_find_file command of volatility,
however this command is only targeting the tmpfs, right?
Is there another way of extracting files from the Linux page cache?
Thank you!
Sebastian
Hello All,
I have published a new blog post analyzing the encrypted shellcode from
the main CVE-2014-0502 attack:
http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0…
It goes through some functionality of the malicious Flash file followed
by analysis of the shellcode used within the encrypted GIF.
This attack's particular use of a malicious Flash file along with an
"encrypted" GIF shows some of the complexity of modern attacks, and
highlights the diverse set of skills needed to analyze the attacks
(Flash reversing, binary shellcode reversing, and understanding
exploitation techniques, such as ROP, ALSR bypass, etc.). This
particular attack was also noticeable because of how many different
companies published public research on it (I have references in the blog).
I hope that you enjoy the blog post and potentially learn something from
it. I am happy that my anonymous friend allowed me to publish the research.
--
Thanks,
Andrew (@attrc)
Ah, the good old “here’s a partial memory dump for you to analyze”
Sadly, this happens quite often.
Thanks for the update!
Michael
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com
Training: http://memoryanalysis.net
On Apr 7, 2014, at 4:45 PM, Carlos Angeles <cangeles(a)gmail.com> wrote:
> Andrew, Michael,
>
> The person that captured the image hasn't been in the office for a
> while and I was finally able to ask him about the capture. He used
> FTK Imager, but he doesn't know the exact version but it's 3.1.x. I
> now know what the problem was/is with image. He told me that he was
> only able to capture 4GB because of a limitation of the tool. Kind of
> wish that information was passed on to me before I started working on
> it. ;-D
>
> Also, Michael, your suggestion to use psscan did reveal some
> processes. It looked rather small, and now I know why.
>
> Thanks for your help!
> Carlos
>
>
> On Sun, Apr 6, 2014 at 1:18 PM, Michael Ligh <michael.ligh(a)mnin.org> wrote:
>> Hi Carlos,
>>
>> There are a few things going on. First, there's a bug in imageinfo which causes Volatility to crash when parsing the CPU addresses - I'll send you a fix for that separately, but it won't affect the rest of your analysis.
>>
>> When a KDBG structure can be found, but there are 0 processes and 0 modules, it almost always indicates a corrupt memory dump. In particular, the acquisition tool probably didn't acquire *all* physical memory ranges (or it failed to align them in the output file properly). Recently, I looked at a similar case where the virtual address of PsActiveProcessHead translated to a physical offset that was higher than the number of bytes in the memory dump (thus the memory dump file was truncated and missing some data).
>>
>> I'd be interested if psscan shows you a partial list of processes. If so, you may be able to perform limited analysis, by passing the physical offsets of the _EPROCESS structures to plugins like handles, dlllist, vaddump, etc (the -o/--offset option).
>>
>> Talk to you soon,
>> MHL
>>
>> --------------------------------------------------
>> Michael Ligh (@iMHLv2)
>> GPG: http://mnin.org/gpg.pubkey.txt
>> Blog: http://volatility-labs.blogspot.com
>> Training: http://memoryanalysis.net
>>
>> On Apr 6, 2014, at 2:29 PM, Andrew Case <atcuno(a)gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Do you know which tool was used to acquire memory? Also, how much RAM
>>> does the system have?
>>>
>>> Thanks,
>>> Andrew (@attrc)
>>>
>>> On 4/2/2014 4:45 PM, Carlos Angeles wrote:
>>>> Hello,
>>>>
>>>> I'm getting some KDBG errors when examining a Windows Server 2008 R2
>>>> server memory image. I saw a similar post to this list back in August
>>>> 2012 (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00056…)
>>>>
>>>> Here's the output from a few plugins. It was captured by another
>>>> person and I don't know what tool or version he used.
>>>>
>>>> Does it look like the memory image is corrupted?
>>>>
>>>> Thanks,
>>>> Carlos
>>>>
>>>>
>>>> $ vol.py -f memdump.mem imageinfo
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Determining profile based on KDBG search...
>>>>
>>>> Suggested Profile(s) : Win7SP0x64, Win7SP1x64,
>>>> Win2008R2SP0x64, Win2008R2SP1x64
>>>> AS Layer1 : AMD64PagedMemory (Kernel AS)
>>>> AS Layer2 : FileAddressSpace (memdump.mem)
>>>> PAE type : No PAE
>>>> DTB : 0x187000L
>>>> KDBG : 0xf80001def0a0
>>>> Number of Processors : 8
>>>> Image Type (Service Pack) : 1
>>>> KPCR for CPU 0 : 0xfffff80001df0d00L
>>>> Traceback (most recent call last):
>>>> File "/usr/local/bin/vol.py", line 5, in <module>
>>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 183, in <module>
>>>> main()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 174, in main
>>>> command.execute()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
>>>> line 121, in execute
>>>> func(outfd, data)
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
>>>> line 35, in render_text
>>>> for k, v in data:
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
>>>> line 100, in calculate
>>>> yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number),
>>>> hex(kpcr.obj_offset))
>>>> TypeError: hex() argument can't be converted to hex
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 pslist
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Offset(V) Name PID PPID Thds Hnds
>>>> Sess Wow64 Start Exit
>>>> ------------------ -------------------- ------ ------ ------ --------
>>>> ------ ------ ------------------------------
>>>> ------------------------------
>>>> Traceback (most recent call last):
>>>> File "/usr/local/bin/vol.py", line 5, in <module>
>>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 183, in <module>
>>>> main()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 174, in main
>>>> command.execute()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
>>>> line 121, in execute
>>>> func(outfd, data)
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/taskmods.py",
>>>> line 140, in render_text
>>>> for task in data:
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
>>>> line 70, in pslist
>>>> for p in get_kdbg(addr_space).processes():
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
>>>> line 42, in processes
>>>> raise AttributeError("Could not list tasks, please verify your
>>>> --profile with kdbgscan")
>>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 kdbgscan
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win7SP1x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win2008R2SP1x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win2008R2SP0x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>>> Offset (V) : 0xf80001def0a0
>>>> Offset (P) : 0x1def0a0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win7SP0x64
>>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>>> Service Pack (CmNtCSDVersion) : 1
>>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>>> Major (OptionalHeader) : 6
>>>> Minor (OptionalHeader) : 1
>>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> KPCR : - (CPU -)
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 hivescan
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Offset(P)
>>>> ------------------
>>>> 0x0000000000431010
>>>> 0x00000000051a4010
>>>> 0x000000000f1d7010
>>>> 0x0000000013e15410
>>>> 0x0000000015875410
>>>> 0x000000005a517410
>>>> 0x000000006e434410
>>>> 0x000000007ddce410
>>>> 0x00000000a143e410
>>>> 0x00000000a7f8c410
>>>> 0x00000000c3b83010
>>>> 0x00000000cbb17410
>>>> 0x00000000d0768410
>>>> $
>>>> $
>>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 svcscan
>>>> Volatility Foundation Volatility Framework 2.3.1
>>>> Traceback (most recent call last):
>>>> File "/usr/local/bin/vol.py", line 5, in <module>
>>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 183, in <module>
>>>> main()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
>>>> line 174, in main
>>>> command.execute()
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
>>>> line 121, in execute
>>>> func(outfd, data)
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
>>>> line 360, in render_text
>>>> for rec in data:
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
>>>> line 275, in calculate
>>>> for task in tasks.pslist(addr_space):
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
>>>> line 70, in pslist
>>>> for p in get_kdbg(addr_space).processes():
>>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
>>>> line 42, in processes
>>>> raise AttributeError("Could not list tasks, please verify your
>>>> --profile with kdbgscan")
>>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users(a)volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
Sorry for the SPAM if you already knew about this.
https://github.com/halpomeranz/lmg
Ryan Gibson
CISSP, GCFA, GCIH, Security +
Office: 858-651-1689
Mobile: 619-804-8736
Senior IT Security Engineer
