acquire RAM from Mac OSX 10.9?
by Thomas
Hi,
which tool can be used to acquire a RAM dump from Mac OSX 10.9.x Mavericks?
OSXPmem doesn't work.
Thanks.
Thomas
10 years, 7 months
KDBG errors
by Carlos Angeles
Hello,
I'm getting some KDBG errors when examining a Windows Server 2008 R2
server memory image. I saw a similar post to this list back in August
2012 (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00056… )
Here's the output from a few plugins. It was captured by another
person and I don't know what tool or version he used.
Does it look like the memory image is corrupted?
Thanks,
Carlos
$ vol.py -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (memdump.mem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80001def0a0
Number of Processors : 8
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80001df0d00L
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 5, in <module>
pkg_resources.run_script('volatility==2.3.1', 'vol.py')
File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
line 183, in <module>
main()
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
line 174, in main
command.execute()
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
line 121, in execute
func(outfd, data)
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
line 35, in render_text
for k, v in data:
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
line 100, in calculate
yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number),
hex(kpcr.obj_offset))
TypeError: hex() argument can't be converted to hex
$
$
$ vol.py -f memdump.mem --profile=Win2008R2SP1x64 pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 5, in <module>
pkg_resources.run_script('volatility==2.3.1', 'vol.py')
File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
line 183, in <module>
main()
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
line 174, in main
command.execute()
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
line 121, in execute
func(outfd, data)
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/taskmods.py",
line 140, in render_text
for task in data:
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
line 70, in pslist
for p in get_kdbg(addr_space).processes():
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
line 42, in processes
raise AttributeError("Could not list tasks, please verify your
--profile with kdbgscan")
AttributeError: Could not list tasks, please verify your --profile with kdbgscan
$
$
$ vol.py -f memdump.mem --profile=Win2008R2SP1x64 kdbgscan
Volatility Foundation Volatility Framework 2.3.1
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80001def0a0
Offset (P) : 0x1def0a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
KernelBase : 0xfffff80001c00000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xfffff80001df0d00 (CPU 0)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80001def0a0
Offset (P) : 0x1def0a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
KernelBase : 0xfffff80001c00000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xfffff80001df0d00 (CPU 0)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80001def0a0
Offset (P) : 0x1def0a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
KernelBase : 0xfffff80001c00000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xfffff80001df0d00 (CPU 0)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80001def0a0
Offset (P) : 0x1def0a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP0x64
Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
KernelBase : 0xfffff80001c00000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xfffff80001df0d00 (CPU 0)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
KPCR : - (CPU -)
$
$
$ vol.py -f memdump.mem --profile=Win2008R2SP1x64 hivescan
Volatility Foundation Volatility Framework 2.3.1
Offset(P)
------------------
0x0000000000431010
0x00000000051a4010
0x000000000f1d7010
0x0000000013e15410
0x0000000015875410
0x000000005a517410
0x000000006e434410
0x000000007ddce410
0x00000000a143e410
0x00000000a7f8c410
0x00000000c3b83010
0x00000000cbb17410
0x00000000d0768410
$
$
$ vol.py -f memdump.mem --profile=Win2008R2SP1x64 svcscan
Volatility Foundation Volatility Framework 2.3.1
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 5, in <module>
pkg_resources.run_script('volatility==2.3.1', 'vol.py')
File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
line 183, in <module>
main()
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
line 174, in main
command.execute()
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
line 121, in execute
func(outfd, data)
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
line 360, in render_text
for rec in data:
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
line 275, in calculate
for task in tasks.pslist(addr_space):
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
line 70, in pslist
for p in get_kdbg(addr_space).processes():
File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
line 42, in processes
raise AttributeError("Could not list tasks, please verify your
--profile with kdbgscan")
AttributeError: Could not list tasks, please verify your --profile with kdbgscan
10 years, 7 months
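What kdbgscan is reporting above is worth reading field by field: the owner tag check passes, KernelBase points at an MZ header, Version64 carries the right build, yet every candidate walks PsActiveProcessHead and PsLoadedModuleList to "(0 processes)" / "(0 modules)", only CPU 0's KPCR is found out of 8, and imageinfo crashes turning a missing KPCR into hex. Those symptoms all point the same way: the structures that need to be read through pointers land on pages the capture does not contain, which is a property of the image rather than of the profile (all four 6.1 profiles behave identically). The script below is an added example, not Volatility code and not from the poster; it carves the _KDDEBUGGER_DATA64 block out of a constructed 64 KiB "capture" using the field offsets Volatility's kdbg_vtypes use (OwnerTag 0x10, Size 0x14, KernBase 0x18, PsLoadedModuleList 0x48, PsActiveProcessHead 0x50), checks KernBase against "MZ", and walks the two LIST_ENTRY rings, stopping the moment a Flink lands outside the image. The virtual-to-physical translation is a constant-offset assumption built into the sample (the posted KDBG offsets, V 0xf80001def0a0 and P 0x1def0a0, happen to have that shape); a real image must go through the page tables, which is what Volatility's AMD64PagedMemory layer does. The 0x340 Size, the DELTA value and every address in the sample are constructed.

```python
import struct

# Layout of _KDDEBUGGER_DATA64 as Volatility's kdbg_vtypes describe it:
# header = LIST_ENTRY64 List (0x00), ULONG OwnerTag (0x10), ULONG Size (0x14); then
# ULONG64 KernBase (0x18) ... PsLoadedModuleList (0x48), PsActiveProcessHead (0x50).
KDBG_TAG = b"KDBG"
OWNER_TAG_OFF = 0x10
SIZE_OFF = 0x14
KERNBASE_OFF = 0x18
PS_LOADED_MODULE_LIST_OFF = 0x48
PS_ACTIVE_PROCESS_HEAD_OFF = 0x50
NEEDED_LEN = 0x58

# Constructed assumption for the sample only: kernel virtual = physical + DELTA.
# A real image must be translated through the page tables (AMD64PagedMemory in Volatility).
DELTA = 0xFFFFF80000000000


def find_kdbg_candidates(image):
    """Physical offsets of every block whose OwnerTag reads 'KDBG' (kdbgscan's owner tag check)."""
    hits, pos = [], image.find(KDBG_TAG)
    while pos != -1:
        start = pos - OWNER_TAG_OFF
        if start >= 0 and start + NEEDED_LEN <= len(image):
            hits.append(start)
        pos = image.find(KDBG_TAG, pos + 1)
    return hits


def parse_kdbg(image, off):
    """Pull the fields kdbgscan prints from a candidate at physical offset `off`."""
    size, = struct.unpack_from("<I", image, off + SIZE_OFF)
    kernbase, = struct.unpack_from("<Q", image, off + KERNBASE_OFF)
    modlist, = struct.unpack_from("<Q", image, off + PS_LOADED_MODULE_LIST_OFF)
    prochead, = struct.unpack_from("<Q", image, off + PS_ACTIVE_PROCESS_HEAD_OFF)
    return {"offset_p": off, "size": size, "kernbase": kernbase,
            "ps_loaded_module_list": modlist, "ps_active_process_head": prochead}


def make_translator(delta):
    def v2p(vaddr):
        return vaddr - delta if vaddr >= delta else None
    return v2p


def readable(image, paddr, n):
    """True when `n` bytes at physical `paddr` are actually present in the capture."""
    return paddr is not None and 0 <= paddr and paddr + n <= len(image)


def kernbase_matches_mz(image, info, v2p):
    """kdbgscan's 'Matches MZ' line: does KernBase point at a PE header?"""
    p = v2p(info["kernbase"])
    return readable(image, p, 2) and image[p:p + 2] == b"MZ"


def count_list_entries(image, head_vaddr, v2p, limit=1 << 20):
    """Walk a LIST_ENTRY ring from its head and count entries whose memory is in the image.
    Returns what it has the moment a Flink lands on a page the capture lacks, which is how a
    valid-looking KDBG ends up reported with '(0 processes)'."""
    cur, count, seen = head_vaddr, 0, {head_vaddr}
    while count < limit:
        p = v2p(cur)
        if not readable(image, p, 8):
            return count
        flink, = struct.unpack_from("<Q", image, p)
        if cur != head_vaddr:
            count += 1          # cur is a real entry and its Flink was readable
        if flink in seen:       # back at the head (or a cycle): list fully walked
            return count
        seen.add(flink)
        cur = flink
    return count


def build_sample_image():
    """Constructed 64 KiB 'capture': one KDBG, a two-entry process list, and a module list whose
    first entry lies on a page that was never captured."""
    img = bytearray(0x10000)
    img[0x1000:0x1002] = b"MZ"                     # kernel PE header at physical 0x1000
    kdbg = 0x2000
    # List.Flink, List.Blink, OwnerTag, Size (0x340 is the Size the Win7/2008R2 x64 signatures carry)
    struct.pack_into("<QQ4sI", img, kdbg, 0, DELTA + kdbg, KDBG_TAG, 0x340)
    struct.pack_into("<Q", img, kdbg + KERNBASE_OFF, DELTA + 0x1000)
    struct.pack_into("<Q", img, kdbg + PS_LOADED_MODULE_LIST_OFF, DELTA + 0x3000)
    struct.pack_into("<Q", img, kdbg + PS_ACTIVE_PROCESS_HEAD_OFF, DELTA + 0x4000)
    struct.pack_into("<Q", img, 0x4000, DELTA + 0x5000)   # process head -> entry 1
    struct.pack_into("<Q", img, 0x5000, DELTA + 0x6000)   # entry 1 -> entry 2
    struct.pack_into("<Q", img, 0x6000, DELTA + 0x4000)   # entry 2 -> head
    struct.pack_into("<Q", img, 0x3000, DELTA + 0x20000)  # module head -> page beyond the capture
    return bytes(img)


def summarize(image, delta=DELTA):
    """One kdbgscan-style record per candidate."""
    v2p = make_translator(delta)
    out = []
    for off in find_kdbg_candidates(image):
        info = parse_kdbg(image, off)
        info["matches_mz"] = kernbase_matches_mz(image, info, v2p)
        info["processes"] = count_list_entries(image, info["ps_active_process_head"], v2p)
        info["modules"] = count_list_entries(image, info["ps_loaded_module_list"], v2p)
        out.append(info)
    return out


if __name__ == "__main__":
    for r in summarize(build_sample_image()):
        print(f"KDBG at P 0x{r['offset_p']:x}, Size 0x{r['size']:x}, KernBase 0x{r['kernbase']:x} "
              f"(Matches MZ: {r['matches_mz']}), {r['processes']} processes, {r['modules']} modules")
```

Run stand-alone it prints one record with 2 processes and 0 modules: the module count is zero not because the KDBG is wrong but because the page behind the list head's Flink is absent, which is the reading to apply to a real image where every profile agrees on the KDBG yet none can list tasks. In that situation the practical next step is to ask the person who captured it which tool and version was used and whether the capture completed, and to try psscan, which carves process objects from physical memory without following the list.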
PID=1260 not found by any plugin
by Nouman Zia
Hey,
In the images (tigger.vmem, sality.vmem and black energy) the connscan plugin gives an output which shows that these images are making connections with some IP and also tells the PID of the process which is making such connections, but when I used the PSLIST, PSSCAN and PSXVIEW plugins, none of them shows the process which has that PID (the one making the connections).
P.S.: In all the above mentioned images the process ID is the same, i.e. PID=1260.
So the problem is: why is it not showing any detail about PID=1260???
10 years, 7 months
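A point worth keeping in mind when reading connscan next to the process plugins: connscan carves connection objects out of physical memory by their pool signature, so it also returns objects belonging to connections and processes that have already ended, while pslist walks the live process list and psscan/psxview only report process objects they can still find. A PID that shows up with connections but in no process listing is therefore not automatically a hidden process; the first thing to do is cross-reference the outputs and then look for the missing process object by other means. The script below is an added example, not from the original post and not Volatility's own code; it parses the column layouts Volatility 2.3.1 prints for connscan, pslist and psscan (PID is the last column of connscan rows and the third column of every process-listing row) and reports the PIDs whose connections have no matching process object. All rows in it are constructed sample output, including the addresses.

```python
# Constructed sample output laid out like Volatility 2.3.1's columns; the values are made up.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a2b3c0 192.0.2.10:1038           198.51.100.7:80           1260
0x01c4d5e0 192.0.2.10:1041           198.51.100.9:443          1260
0x01e6f700 192.0.2.10:139            192.0.2.33:1130           4
"""

PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     58      291 ------      0 2013-10-30 14:00:00 UTC+0000
0x821e4020 explorer.exe           1500   1400     14      402      0      0 2013-10-30 14:01:00 UTC+0000
"""

PSSCAN = """\
Offset(P)  Name             PID  PPID PDB        Time created
---------- ---------------- ---- ---- ---------- ----------------------------
0x01f00000 System              4    0 0x00319000 2013-10-30 14:00:00 UTC+0000
0x02000000 explorer.exe     1500 1400 0x0a1b2000 2013-10-30 14:01:00 UTC+0000
"""


def data_rows(text):
    """Yield the whitespace-split fields of every row that starts with an offset (skips headers)."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].lower().startswith("0x"):
            yield parts


def connections_by_pid(connscan_text):
    """connscan rows are Offset(P), Local, Remote, Pid -> {pid: [(local, remote), ...]}."""
    conns = {}
    for parts in data_rows(connscan_text):
        pid = int(parts[-1])
        conns.setdefault(pid, []).append((parts[1], parts[2]))
    return conns


def listed_pids(*listings):
    """pslist, psscan and psxview rows all carry the PID in the third column."""
    return {int(parts[2]) for text in listings for parts in data_rows(text)}


def orphan_connections(connscan_text, *listings):
    """Connections whose owning PID appears in none of the given process listings."""
    known = listed_pids(*listings)
    return {pid: c for pid, c in connections_by_pid(connscan_text).items() if pid not in known}


if __name__ == "__main__":
    for pid, conns in orphan_connections(CONNSCAN, PSLIST, PSSCAN).items():
        print(f"PID {pid}: {len(conns)} connection(s) but no process object in any listing")
        for local, remote in conns:
            print(f"  {local} -> {remote}")
```

On the constructed sample this reports PID 1260 with two connections and nothing for PID 4, which is what the original question describes. When a real image gives the same answer, compare the connection's pool offset and timestamps with psscan output that includes exit times, and check whether the connections plugin (which walks the live table rather than carving) lists the same endpoints; a connection that only connscan can see is usually residue of something that has already exited.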
help to investigate
by mediomen27
Hi,
gmer has found something suspicious. I have a screenshot of partial
logs, here:
http://postimg.org/image/bgx0u5xt9/
Now the server looks mysteriously clean, thus the only clues I have are that
screenshot and the VMware snapshot.
Could anyone help me to investigate more deeply?
The following is what I have done on my own:
# vol pslist|grep logon
Volatility Foundation Volatility Framework 2.3.1
0x8967d158 winlogon.exe 412 332 18 535 0 0
2013-06-26 09:16:14 UTC+0000
0x88ea0918 winlogon.exe 9088 332 19 258 1 0
2013-10-30 14:33:34 UTC+0000
# vol dlllist -p 412|grep -i klogon
0x10000000 0x36000 0x1 C:\WINDOWS\system32\klogon.dll
klogon looks like a Kaspersky logon module
# vol dlldump -b 0x10000000 -D /root/dumpprocess/
and the dumped DLL really looks like something from Kaspersky..
# vol filescan|grep VC80
Volatility Foundation Volatility Framework 2.3.1
0x08d295d8 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x08e684f0 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x08f0b920 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0905a530 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x090822d0 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09175a90 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09181e50 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09496250 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09509cc8 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09555808 1 0 R--r-d
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll
0x0958f860 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x095cd168 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x095f76a0 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x0960b668 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0961d9d8 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0961e6c8 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x096cda10 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x096f1db0 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x096f2d10 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x097c52d0 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x097fbb10 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09809e90 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09836350 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09843c68 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0985aa50 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09872738 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x0987b340 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09a0fea8 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09a3ada8 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09a82f90 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09bf9ef8 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
0x09d95428 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
0x09dadd18 1 1 R--rw-
\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
Thanks for any help.
10 years, 7 months
windows 8 ?
by mediomen27
Hi,
Where can I download Volatility 2.4 for Windows 8?
Thank you very much.
10 years, 7 months
Volatility pleads ignorance (aka "Nope, that window's not there")
by Bridgey
Hi all,
I have an interesting scenario where Volatility seems to be telling me a process isn't there.
Using Volatility 2.3.1, memory sample is from Win7SP1x86 (in a virtualbox VM) with pagefile turned off and 512MB RAM.
Win7SP1x86.png (attached) clearly shows the Win7 desktop with notepad open and DumpIt.exe running.
Output from pslist shows:
$ python volatility-read-only/vol.py -f memdumps/MEMTEST-PC-20140331-131312/*.raw --profile=Win7SP1x86 pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x839afa20 System 4 0 79 437 ------ 0 2014-03-31 13:12:08 UTC+0000
0x84836278 smss.exe 268 4 2 29 ------ 0 2014-03-31 13:12:08 UTC+0000
0x84f1b5c0 csrss.exe 344 336 8 333 0 0 2014-03-31 13:12:12 UTC+0000
0x84ef7d40 wininit.exe 380 336 4 79 0 0 2014-03-31 13:12:12 UTC+0000
0x84ef67a0 csrss.exe 392 372 7 187 1 0 2014-03-31 13:12:12 UTC+0000
0x84f04030 winlogon.exe 432 372 5 115 1 0 2014-03-31 13:12:13 UTC+0000
0x84e5fa80 services.exe 460 380 15 183 0 0 2014-03-31 13:12:13 UTC+0000
0x84f4d818 lsass.exe 468 380 7 444 0 0 2014-03-31 13:12:13 UTC+0000
0x84f4e7f8 lsm.exe 476 380 10 142 0 0 2014-03-31 13:12:13 UTC+0000
0x84fd6bc0 svchost.exe 596 460 14 353 0 0 2014-03-31 13:12:15 UTC+0000
0x84fe2af0 VBoxService.ex 660 460 11 107 0 0 2014-03-31 13:12:16 UTC+0000
0x84ff7bb0 svchost.exe 712 460 11 229 0 0 2014-03-31 13:12:16 UTC+0000
0x85127858 svchost.exe 760 460 16 341 0 0 2014-03-31 13:12:17 UTC+0000
0x85197cc8 svchost.exe 888 460 21 433 0 0 2014-03-31 13:12:19 UTC+0000
0x851cf510 svchost.exe 936 460 45 796 0 0 2014-03-31 13:12:20 UTC+0000
0x847fe030 svchost.exe 1036 460 16 244 0 0 2014-03-31 13:12:21 UTC+0000
0x8511b388 svchost.exe 1128 460 17 350 0 0 2014-03-31 13:12:22 UTC+0000
0x851fe390 spoolsv.exe 1232 460 12 287 0 0 2014-03-31 13:12:23 UTC+0000
0x85212c30 svchost.exe 1268 460 24 316 0 0 2014-03-31 13:12:23 UTC+0000
0x852e3030 taskhost.exe 1744 460 10 173 1 0 2014-03-31 13:12:29 UTC+0000
0x852f2bc8 dwm.exe 1816 888 5 73 1 0 2014-03-31 13:12:30 UTC+0000
0x852f39d0 explorer.exe 1828 1788 34 876 1 0 2014-03-31 13:12:30 UTC+0000
0x84fe16d0 VBoxTray.exe 1940 1828 11 94 1 0 2014-03-31 13:12:32 UTC+0000
0x85335a48 GrooveMonitor. 1948 1828 4 96 1 0 2014-03-31 13:12:32 UTC+0000
0x84f34030 SearchIndexer. 1092 460 14 683 0 0 2014-03-31 13:12:40 UTC+0000
0x8537ad40 notepad.exe 1164 1828 1 64 1 0 2014-03-31 13:12:42 UTC+0000
0x8527fd40 SearchProtocol 1848 1092 8 275 0 0 2014-03-31 13:12:43 UTC+0000
0x853a08a0 SearchFilterHo 1780 1092 5 80 0 0 2014-03-31 13:12:43 UTC+0000
0x84eed030 DumpIt.exe 1844 1828 2 37 1 0 2014-03-31 13:13:12 UTC+0000
0x85104638 conhost.exe 540 392 2 58 1 0 2014-03-31 13:13:12 UTC+0000
notepad.exe can be seen: PID = 1164. Parent process is explorer and session is 1 - just as I'd expect.
However, when I ran the windows plugin there was no sign of notepad in the output (windows.txt attached).
Further, using the screenshot plugin it shows exactly what I'd expect except the notepad process is missing! (session_1.WinSta0.Default.png attached).
If anybody has any ideas as to why this situation occurs I'd be really interested.
A 7z'd version of the dump is only 82MB and it doesn't contain anything sensitive, so I can make it available if need be.
10 years, 7 months
linux syscall table
by mediomen27
Hi,
I am trying to make some checks on a Linux server with kernel 2.6.18.
I am not a kernel developer, so I don't know if what I am going to say is
wrong... anyway.
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall
Volatility Foundation Volatility Framework 2.3.1
Table Name Index Address Symbol
---------- ---------- ---------- ------------------------------
32bit 0x0 0xc0430543 sys_restart_syscall
32bit 0x1 0xc0428888 sys_exit
32bit 0x2 0xc0403190 sys_fork
32bit 0x3 0xc0478826 sys_read
..... SNIP
32bit 0xe 0xc04872bf sys_mknod
32bit 0xf 0xc0476cb8 sys_chmod
32bit 0x10 0xc043cef7 sys_lchown16
32bit 0x11 0xc0437304 compat_sys_futex
32bit 0x12 0xc04808e0 sys_stat
32bit 0x13 0xc047873f sys_lseek
32bit 0x14 0xc042e69f sys_getpid
..... SNIP
32bit 0x13f 0xc0437304 compat_sys_futex
32bit 0x140 0xc0437304 compat_sys_futex
32bit 0x141 0xc0437304 compat_sys_futex
32bit 0x142 0xc0437304 compat_sys_futex
32bit 0x143 0xc049e91f sys_eventfd
32bit 0x144 0xc047691d sys_fallocate
32bit 0x145 0xc0437304 compat_sys_futex
32bit 0x146 0xc0437304 compat_sys_futex
32bit 0x147 0xc0437304 compat_sys_futex
32bit 0x148 0xc0437304 compat_sys_futex
32bit 0x149 0xc0437304 compat_sys_futex
32bit 0x14a 0xc0437304 compat_sys_futex
32bit 0x14b 0xc0437304 compat_sys_futex
32bit 0x14c 0xc0437304 compat_sys_futex
32bit 0x14d 0xc0437304 compat_sys_futex
32bit 0x14e 0xc0437304 compat_sys_futex
32bit 0x14f 0xc0437304 compat_sys_futex
32bit 0x150 0xc0437304 compat_sys_futex
32bit 0x151 0xc05be378 sys_recvmmsg
What is this compat_sys_futex??? I don't find anything like that in the kernel
source
linux-2.6.18/arch/i386/kernel/syscall_table.S
compat_sys_futex
32bit 0xf 0xc0476cb8 sys_chmod
32bit 0x10 0xc043cef7 sys_lchown16
32bit 0x11 0xc0437304 compat_sys_futex
32bit 0x12 0xc04808e0 sys_stat
32bit 0x13 0xc047873f sys_lseek
should be sys_ni_syscall
.long sys_chmod /* 15 */
.long sys_lchown16
.long sys_ni_syscall /* old break syscall holder */
.long sys_stat
.long sys_lseek
but...
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall | grep compat_sys_futex | wc -l
Volatility Foundation Volatility Framework 2.3.1
41
#
and
$ grep sys_ni_syscall syscall_table.S | wc -l
21
?!?!?
Does anyone have enough patience to explain this anomaly to me?
Or is this syscall hijacking?
Another question...
Is it normal that "double fault" is missing from the IDT??
# ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_idt
Volatility Foundation Volatility Framework 2.3.1
Index Address Symbol
---------- ---------- ------------------------------
0x0 0xc0405a7c divide_error
0x1 0xc0625498 debug
0x2 0xc0405b14 nmi
0x3 0xc06254dc int3
0x4 0xc0405c04 overflow
0x5 0xc0405c10 bounds
0x6 0xc0405c1c invalid_op
0x7 0xc0405adc device_not_available
0x9 0xc0405c28 coprocessor_segment_overrun
0xa 0xc0405c34 invalid_TSS
0xb 0xc0405c40 segment_not_present
0xc 0xc0405c4c stack_segment
0xd 0xc0625500 general_protection
0xe 0xc062550c page_fault
0xf 0xc0405c74 spurious_interrupt_bug
0x10 0xc0405ac4 coprocessor_error
0x11 0xc0405c58 alignment_check
0x12 0xc0405c64 machine_check
0x13 0xc0405ad0 simd_coprocessor_error
0x80 0xc0404f04 system_call
where is 0x8 ?
Thank you very much.
10 years, 8 months
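One thing to check before reading a strange name in linux_check_syscall as a hook: the plugin resolves each table address back to a name through the profile's symbol table, and an address can carry several names. kernel/sys_ni.c declares optional syscalls with cond_syscall(), which makes each of them a weak alias of sys_ni_syscall, so in System.map sys_ni_syscall and every cond_syscall() stub share one address and a resolver that keeps a single name per address may print any of them (in mainline 2.6.18, compat_sys_futex is one of those cond_syscall() entries as far as I can tell; the point is to verify it against the image's own System.map rather than take my word for it). A hooked entry looks different: its address resolves to no kernel symbol at all, or to a symbol other than the one syscall_table.S assigns to that index. The script below is an added example, not from the original post and not Volatility's own code; it reads a System.map, rebuilds index-to-handler expectations from the .long lines of syscall_table.S (honouring the "/* N */" index comments), parses linux_check_syscall rows by their first three columns only, and classifies every entry as ok, ni-alias (shares sys_ni_syscall's address), mismatch (a known symbol, but not the expected one) or unresolved (no symbol covers it). All three inputs are constructed samples; the addresses, the alias names other than sys_ni_syscall itself, and the deliberately altered entries at index 0x12 and 0x14 are made up.

```python
import re
from collections import defaultdict

# Constructed sample data, shaped like the real files but with made-up content.
SYSTEM_MAP = """\
c0403190 T sys_fork
c0428888 T sys_exit
c042e69f T sys_getpid
c0430543 T sys_restart_syscall
c0437304 T sys_ni_syscall
c0437304 W compat_sys_futex
c0437304 W sys_pciconfig_read
c043cef7 T sys_lchown16
c0476cb8 T sys_chmod
c0478826 T sys_read
c047873f T sys_lseek
c04808e0 T sys_stat
"""

SYSCALL_TABLE_S = """\
ENTRY(sys_call_table)
    .long sys_restart_syscall   /* 0 - old "setup()" system call, used for restarting */
    .long sys_exit
    .long sys_fork
    .long sys_read
    .long sys_chmod             /* 15 */
    .long sys_lchown16
    .long sys_ni_syscall        /* old break syscall holder */
    .long sys_stat
    .long sys_lseek
    .long sys_getpid
"""

# linux_check_syscall-style rows. Index 0x12 deliberately points at sys_lseek's address and
# index 0x14 at an address no symbol covers; the last column is never trusted by the parser.
CHECK_OUTPUT = """\
Table Name Index Address Symbol
---------- ---------- ---------- ------------------------------
32bit 0x0 0xc0430543 sys_restart_syscall
32bit 0x1 0xc0428888 sys_exit
32bit 0x2 0xc0403190 sys_fork
32bit 0x3 0xc0478826 sys_read
32bit 0xf 0xc0476cb8 sys_chmod
32bit 0x10 0xc043cef7 sys_lchown16
32bit 0x11 0xc0437304 compat_sys_futex
32bit 0x12 0xc047873f sys_lseek
32bit 0x13 0xc047873f sys_lseek
32bit 0x14 0xd0851234 sys_getpid
"""

LONG_RE = re.compile(r"^\s*\.long\s+(\w+)(?:\s*/\*\s*(\d+)\b)?")
ROW_RE = re.compile(r"^\s*\S+\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\b", re.IGNORECASE)


def parse_system_map(text):
    """address -> set of symbol names living there (weak aliases make this a set, not a name)."""
    by_addr = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            by_addr[int(parts[0], 16)].add(parts[2])
    return by_addr


def parse_syscall_table_s(text):
    """index -> handler name from the .long lines; a '/* N */' comment pins the index."""
    expected, idx = {}, 0
    for line in text.splitlines():
        m = LONG_RE.match(line)
        if not m:
            continue
        if m.group(2) is not None:
            idx = int(m.group(2))
        expected[idx] = m.group(1)
        idx += 1
    return expected


def parse_check_syscall(text):
    """(index, address) pairs from plugin rows; headers and separators are skipped."""
    return [(int(m.group(1), 16), int(m.group(2), 16))
            for m in map(ROW_RE.match, text.splitlines()) if m]


def audit(system_map, table_s, check_output):
    by_addr = parse_system_map(system_map)
    expected = parse_syscall_table_s(table_s)
    report = []
    for idx, addr in parse_check_syscall(check_output):
        names = by_addr.get(addr, set())
        want = expected.get(idx)
        if not names:
            status = "unresolved"          # no kernel symbol covers it: investigate
        elif want is not None and want not in names:
            status = "mismatch"            # a kernel symbol, but not the one the table assigns
        elif "sys_ni_syscall" in names:
            status = "ni-alias"            # unimplemented slot; any alias name is benign
        else:
            status = "ok"
        report.append({"index": idx, "address": addr, "names": sorted(names),
                       "expected": want, "status": status})
    return report


if __name__ == "__main__":
    for r in audit(SYSTEM_MAP, SYSCALL_TABLE_S, CHECK_OUTPUT):
        print(f"0x{r['index']:x} 0x{r['address']:08x} {r['status']:10s} "
              f"expected={r['expected']} names={','.join(r['names']) or '-'}")
```

On the sample this marks 0x11 as ni-alias (the address carries sys_ni_syscall, compat_sys_futex and sys_pciconfig_read, and the table expects sys_ni_syscall there), 0x12 as mismatch and 0x14 as unresolved, with everything else ok. The count discrepancy in the post (41 aliased entries versus 21 sys_ni_syscall lines in the .S file) is the kind of thing this comparison settles: running it over the full outputs shows whether the extra entries sit at indices beyond the last .long line, where the profile's table length pads with unimplemented slots, or at indices that the source assigns to a real handler.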
Output from windows/wintree plugins - what does it mean?
by Bridgey
Hi all,
In my continuing exploration of Windows memory and Volatility I'm currently looking at Windows, literally: the GUI.
Looking at a notepad process, wintree shows me:
.Untitled - Notepad (visible) notepad.exe:100 Notepad
..#20128 notepad.exe:100 6.0.7601.17514!msctls_statusbar32
..#20126 (visible) notepad.exe:100 6.0.7601.17514!Edit
.Default IME notepad.exe:100 IME
.MSCTFIME UI notepad.exe:100 MSCTFIME UI
So, I'm assuming #20128 is the status bar at the bottom of the Notepad window, and #20126 is the edit control, that is, the textarea into which the user types.
This is the corresponding output from the windows plugin for the edit control:
Window Handle: #20126 at 0xfea0dc70, Name:
ClassAtom: 0xc119, Class: 6.0.7601.17514!Edit
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfe2a4008, Tid: 1692 at 0x8550d368
ppi: 0xffa95550, Process: notepad.exe, Pid: 100
Visible: Yes
Left: 10, Top: 52, Bottom: 485, Right: 701
Style Flags: WS_VSCROLL,WS_CHILD,WS_OVERLAPPED,WS_VISIBLE,WS_HSCROLL
ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x744399d0
Question 1:
Window Handle: #20126 at 0xfea0dc70 - what is the offset? Physical, virtual? Of what? The Edit control object?
(I'm guessing: physical, yes, of the edit control object.)
Question 2:
I can see that its Window-esque properties (X, Y, width, height, style flags, et al.) are all clearly present, but where can I find information specific to this control (in this instance, an 'Edit')? For example, maybe the text it contains?
(I'm guessing, take a look at 0xfea0dc70 and there'll be some kind of structure to parse.)
As always, many thanks. (This is all going towards a plugin that I'm hoping to write!)
Also as always, if I could've found this information on my own, please let me know where to look.
I've read the Command Reference and the associated MoVP posts.
Adam
10 years, 8 months