- Vol-users - volatilityfoundation.org

Volatility pleads ignorance (aka "Nope, that window's not there")

by Bridgey

Hi all, I have an interesting scenario where Volatility seems to be telling me a process isn't there. Using Volatility 2.3.1, memory sample is from Win7SP1x86 (in a virtualbox VM) with pagefile turned off and 512MB RAM. Win7SP1x86.png (attached) clearly shows the Win7 desktop with notepad open and DumpIt.exe running. Output from pslist shows: $ python volatility-read-only/vol.py -f memdumps/MEMTEST-PC-20140331-131312/*.raw --profile=Win7SP1x86 pslist Volatility Foundation Volatility Framework 2.3.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0x839afa20 System 4 0 79 437 ------ 0 2014-03-31 13:12:08 UTC+0000 0x84836278 smss.exe 268 4 2 29 ------ 0 2014-03-31 13:12:08 UTC+0000 0x84f1b5c0 csrss.exe 344 336 8 333 0 0 2014-03-31 13:12:12 UTC+0000 0x84ef7d40 wininit.exe 380 336 4 79 0 0 2014-03-31 13:12:12 UTC+0000 0x84ef67a0 csrss.exe 392 372 7 187 1 0 2014-03-31 13:12:12 UTC+0000 0x84f04030 winlogon.exe 432 372 5 115 1 0 2014-03-31 13:12:13 UTC+0000 0x84e5fa80 services.exe 460 380 15 183 0 0 2014-03-31 13:12:13 UTC+0000 0x84f4d818 lsass.exe 468 380 7 444 0 0 2014-03-31 13:12:13 UTC+0000 0x84f4e7f8 lsm.exe 476 380 10 142 0 0 2014-03-31 13:12:13 UTC+0000 0x84fd6bc0 svchost.exe 596 460 14 353 0 0 2014-03-31 13:12:15 UTC+0000 0x84fe2af0 VBoxService.ex 660 460 11 107 0 0 2014-03-31 13:12:16 UTC+0000 0x84ff7bb0 svchost.exe 712 460 11 229 0 0 2014-03-31 13:12:16 UTC+0000 0x85127858 svchost.exe 760 460 16 341 0 0 2014-03-31 13:12:17 UTC+0000 0x85197cc8 svchost.exe 888 460 21 433 0 0 2014-03-31 13:12:19 UTC+0000 0x851cf510 svchost.exe 936 460 45 796 0 0 2014-03-31 13:12:20 UTC+0000 0x847fe030 svchost.exe 1036 460 16 244 0 0 2014-03-31 13:12:21 UTC+0000 0x8511b388 svchost.exe 1128 460 17 350 0 0 2014-03-31 13:12:22 UTC+0000 0x851fe390 spoolsv.exe 1232 460 12 287 0 0 2014-03-31 13:12:23 UTC+0000 0x85212c30 svchost.exe 1268 460 24 316 0 0 2014-03-31 13:12:23 UTC+0000 0x852e3030 taskhost.exe 1744 460 10 173 1 0 2014-03-31 13:12:29 UTC+0000 0x852f2bc8 dwm.exe 1816 888 5 73 1 0 2014-03-31 13:12:30 UTC+0000 0x852f39d0 explorer.exe 1828 1788 34 876 1 0 2014-03-31 13:12:30 UTC+0000 0x84fe16d0 VBoxTray.exe 1940 1828 11 94 1 0 2014-03-31 13:12:32 UTC+0000 0x85335a48 GrooveMonitor. 1948 1828 4 96 1 0 2014-03-31 13:12:32 UTC+0000 0x84f34030 SearchIndexer. 1092 460 14 683 0 0 2014-03-31 13:12:40 UTC+0000 0x8537ad40 notepad.exe 1164 1828 1 64 1 0 2014-03-31 13:12:42 UTC+0000 0x8527fd40 SearchProtocol 1848 1092 8 275 0 0 2014-03-31 13:12:43 UTC+0000 0x853a08a0 SearchFilterHo 1780 1092 5 80 0 0 2014-03-31 13:12:43 UTC+0000 0x84eed030 DumpIt.exe 1844 1828 2 37 1 0 2014-03-31 13:13:12 UTC+0000 0x85104638 conhost.exe 540 392 2 58 1 0 2014-03-31 13:13:12 UTC+0000 notepad.exe can be seen: PID = 1164. Parent process is explorer and session is 1 - just as I'd expect. However, when I ran the windows plugin there was no sign of notepad in the output (windows.txt attached). Further, using the screenshot plugin it shows exactly what I'd expect except the notepad process is missing! (session_1.WinSta0.Default.png attached). If anybody has any ideas as to why this situation occurs I'd be really interested. A 7z'd version of the dump is only 82MB and it doesn't contain anything sensitive so I can make it available if needs be.

11 years, 5 months

2
3
0 0

linux syscall table

by mediomen27

Hi, I am trying to make some check on a linux server with kernel 2.6.18. I am not a kernel developer so I don't know if what I am going to say is wrong...anyway. # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall Volatility Foundation Volatility Framework 2.3.1 Table Name Index Address Symbol ---------- ---------- ---------- ------------------------------ 32bit 0x0 0xc0430543 sys_restart_syscall 32bit 0x1 0xc0428888 sys_exit 32bit 0x2 0xc0403190 sys_fork 32bit 0x3 0xc0478826 sys_read ..... SNIP 32bit 0xe 0xc04872bf sys_mknod 32bit 0xf 0xc0476cb8 sys_chmod 32bit 0x10 0xc043cef7 sys_lchown16 32bit 0x11 0xc0437304 compat_sys_futex 32bit 0x12 0xc04808e0 sys_stat 32bit 0x13 0xc047873f sys_lseek 32bit 0x14 0xc042e69f sys_getpid ..... SNIP 32bit 0x13f 0xc0437304 compat_sys_futex 32bit 0x140 0xc0437304 compat_sys_futex 32bit 0x141 0xc0437304 compat_sys_futex 32bit 0x142 0xc0437304 compat_sys_futex 32bit 0x143 0xc049e91f sys_eventfd 32bit 0x144 0xc047691d sys_fallocate 32bit 0x145 0xc0437304 compat_sys_futex 32bit 0x146 0xc0437304 compat_sys_futex 32bit 0x147 0xc0437304 compat_sys_futex 32bit 0x148 0xc0437304 compat_sys_futex 32bit 0x149 0xc0437304 compat_sys_futex 32bit 0x14a 0xc0437304 compat_sys_futex 32bit 0x14b 0xc0437304 compat_sys_futex 32bit 0x14c 0xc0437304 compat_sys_futex 32bit 0x14d 0xc0437304 compat_sys_futex 32bit 0x14e 0xc0437304 compat_sys_futex 32bit 0x14f 0xc0437304 compat_sys_futex 32bit 0x150 0xc0437304 compat_sys_futex 32bit 0x151 0xc05be378 sys_recvmmsg What is this compat_sys_futex ??? I don't find anything like that on kernel source linux-2.6.18/arch/i386/kernelsyscall_table.S compat_sys_futex 32bit 0xf 0xc0476cb8 sys_chmod 32bit 0x10 0xc043cef7 sys_lchown16 32bit 0x11 0xc0437304 compat_sys_futex 32bit 0x12 0xc04808e0 sys_stat 32bit 0x13 0xc047873f sys_lseek should be sys_ni_syscallall .long sys_chmod /* 15 */ .long sys_lchown16 .long sys_ni_syscall /* old break syscall holder */ .long sys_stat .long sys_lseek but... # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall | grep compat_sys_futex | wc -l Volatility Foundation Volatility Framework 2.3.1 41 # and $ grep sys_ni_syscall syscall_table.S | wc -l 21 ?!?!? Anyone have enough patience to explain me this anomaly ? Or this is a syscall hijacking ? An other question... Is it normal that in the idt is missing "double fault" ?? # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_idt Volatility Foundation Volatility Framework 2.3.1 Index Address Symbol ---------- ---------- ------------------------------ 0x0 0xc0405a7c divide_error 0x1 0xc0625498 debug 0x2 0xc0405b14 nmi 0x3 0xc06254dc int3 0x4 0xc0405c04 overflow 0x5 0xc0405c10 bounds 0x6 0xc0405c1c invalid_op 0x7 0xc0405adc device_not_available 0x9 0xc0405c28 coprocessor_segment_overrun 0xa 0xc0405c34 invalid_TSS 0xb 0xc0405c40 segment_not_present 0xc 0xc0405c4c stack_segment 0xd 0xc0625500 general_protection 0xe 0xc062550c page_fault 0xf 0xc0405c74 spurious_interrupt_bug 0x10 0xc0405ac4 coprocessor_error 0x11 0xc0405c58 alignment_check 0x12 0xc0405c64 machine_check 0x13 0xc0405ad0 simd_coprocessor_error 0x80 0xc0404f04 system_call where is 0x8 ? Thank you very much.

11 years, 5 months

2
2
0 0

Output from windows/wintree plugins - what does it mean?

by Bridgey

Hi all, In my continuing exploration of Windows memory and Volatility I'm current looking at Windows, literally, the GUI. Looking at a notepad process, wintree shows me: .Untitled - Notepad (visible) notepad.exe:100 Notepad ..#20128 notepad.exe:100 6.0.7601.17514!msctls_statusbar32 ..#20126 (visible) notepad.exe:100 6.0.7601.17514!Edit .Default IME notepad.exe:100 IME .MSCTFIME UI notepad.exe:100 MSCTFIME UI So, I'm assuming #20128 is the status bar at the bottom of the Notepad window, and #20126 is the edit control, that is, the textarea into which the user types. This is the corresponding output from the windows plugin for the edit control: Window Handle: #20126 at 0xfea0dc70, Name: ClassAtom: 0xc119, Class: 6.0.7601.17514!Edit SuperClassAtom: 0xc018, SuperClass: Edit pti: 0xfe2a4008, Tid: 1692 at 0x8550d368 ppi: 0xffa95550, Process: notepad.exe, Pid: 100 Visible: Yes Left: 10, Top: 52, Bottom: 485, Right: 701 Style Flags: WS_VSCROLL,WS_CHILD,WS_OVERLAPPED,WS_VISIBLE,WS_HSCROLL ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT Window procedure: 0x744399d0 Question 1: Window Handle: #20126 at 0xfea0dc70 - what is the offset? Physical, virtual? Of what? The Edit control object? (I'm guessing: physical, yes, of the edit control object.) Question 2: I can see that it's Window-esque properties (X, Y, width, height, style flags, et al) are all clearly present., but where can I find information specific to this control (in this instance, an 'Edit'). For example, maybe the text it contains? (I'm guessing, take a look at 0xfea0dc70 and there'll be some kind of structure to parse.) As always, many thanks. (This is all going towards a plugin that I'm hoping to write!) Also as always, if I could've found this information on my own, please let me know where to look. I've read the Command Reference and the associated MoVP posts. Adam

11 years, 6 months

3
6
0 0

Can not use Volatility through Firewire

by Sebastian Biedermann

Hello guys, I'm trying to use Volatility through Firewire, but actually it's not working. My investigator PC runs Ubuntu Linux Ubuntu 12.04 I'm using the New (JuJu) Firewire stack compiled into kernel and I also installed forensic1394. My Firewire Bus is up and connected to a Firewire Bus on a target win7 system (4GB memory), I can successfully dump the memory with another tool called 'inception'. However, output only says: vol# python vol.py -l firewire://forensic1394/0 --profile=Win7SP1x64 modules Volatility Foundation Volatility Framework 2.3.1 No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space FileAddressSpace: Location is not of file scheme ArmAddressSpace: No base Address Space What I am doing wrong? Thank you! -- Sebastian

11 years, 6 months

2
3
0 0

dumping registry hives from memory images

by Roger

Hello Jamie, Apologies for delayed response. Had a short break with family. I tried using dumpfiles plugins as per your adviced. it turned out working against winxp, but seems not against win7sp1x86. is this a known limitation? Thanks again mate. Regards, Roger On Feb 18, 2014, at 5:00 AM, vol-users-request(a)volatilityfoundation.org wrote: > Send Vol-users mailing list submissions to > vol-users(a)volatilityfoundation.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > or, via email, send a message with subject or body 'help' to > vol-users-request(a)volatilityfoundation.org > > You can reach the person managing the list at > vol-users-owner(a)volatilityfoundation.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Vol-users digest..." > > > Today's Topics: > > 1. dumping registry hive(s) from memory image (Roger) > 2. Re: dumping registry hive(s) from memory image (Jamie Levy) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 17 Feb 2014 16:53:01 +1100 > From: Roger <roger.franklin67(a)gmail.com> > Subject: [Vol-users] dumping registry hive(s) from memory image > To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org> > Message-ID: <98444CAC-D5F0-473B-88EB-75CC983F2869(a)gmail.com> > Content-Type: text/plain; charset=us-ascii > > I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files. > > Has any one found a way of doing it? > > Thank you very much in advance. > > Kind regards, > Roger > > ------------------------------ > > Message: 2 > Date: Mon, 17 Feb 2014 10:22:32 -0500 > From: Jamie Levy <jamie.levy(a)gmail.com> > Subject: Re: [Vol-users] dumping registry hive(s) from memory image > To: vol-users(a)volatilityfoundation.org > Message-ID: <53022938.4040302(a)gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi Roger, > > Try using the dumpfiles plugin: > > http://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles > > You can use an example similar to the event logs one in order to dump > the registry file. Let me know if you need help. > > All the best, > > -Jamie > > > > On 2/17/2014 12:53 AM, Roger wrote: >> I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files. >> >> Has any one found a way of doing it? >> >> Thank you very much in advance. >> >> Kind regards, >> Roger_______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > -- > Jamie Levy (@gleeda) > Blog: http://volatility-labs.blogspot.com/ > GPG: http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92 > Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 > > > ------------------------------ > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > End of Vol-users Digest, Vol 68, Issue 6 > ****************************************

11 years, 6 months

2
1
0 0

Are Volatility's Win7 profiles correct for Home Premium 32 bit?

by Andy Bellman

Michael and Jamie, Thanks. I've I found I made a couple of stupid mistakes. The second was sending the below message to the wrong email when I figured out the first late yesterday evening. My apologies, I've figured out that it was 64 bit, and I was completely mistaken about it being 32 bit. I assumed that it was 32 bit, because the the 64 bit profiles took much longer to run, and I'd assumed they were hanging. I think I used a slow computer, and suspect that having everything on usb also slowed things down. I decided I ought to check my work better, and let imageinfo run for the three hours it needed. In hindsight, I think I should have run hibinfo instead, as that seems to have indicated the right profile much faster. I think I can figure the rest out. Thank you, andybellman(a)outlook.com

11 years, 6 months

2
1
0 0

Issue with 'linux_pslist'

by Torres, Geoff (Global Cyber Security)

Hi All, This is an FYI to the maintainers of the Volatility code. I don't need immediate help on this issue but I thought somebody might be interested. I ran into a problem where the 'linux_pslist' command in volatility is hanging on an Ubuntu 13.04 memory dump. All the other 'ps' related commands seem to run just fine. I'm running Volatility 2.3.1 and I can supply any other details you need (including the memory dump). I've attached the debug output (I let it run for over 30 minutes on a 1GB dump). I'm happy to try any suggestions you may have. Thanks for a great product, Geoff ============================== Geoff Torres - HP ==============================

11 years, 6 months

2
1
0 0

Are Volatility's Win7 profiles correct for Home Premium 32 bit?

by Andy Bellman

Members of the list, I have been attempting to recover some unsaved files from a hiberfil.sys from a Windows 7 system. It is from a laptop, I'm pretty sure running Home Premium 32 bit. I use an XP system to run the standalone version of Volatility. Using 'volatility -f hiberfil.sys --profile=Win7SP0x86 imageinfo' I get: ' Suggested Profile(s) : No suggestion (Instantiated with Win7SP0x86) AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS) AS Layer3 : FileAddressSpace (I:\hfr\hiberfil.sys) PAE type : PAE DTB : 0x0L KUSER_SHARED_DATA : 0xffdf0000L' Using 'volatility -f hiberfil.sys --profile=Win7SP1x86 hibinfo' I get: 'Volatility Foundation Volatility Framework 2.3.1 PO_MEMORY_IMAGE: Signature: HIBR SystemTime: 1970-01-01 00:00:00 UTC+0000 Control registers flags CR0: 00000000 CR0[PAGING]: 0 CR3: 00000000 CR4: 00000000 CR4[PSE]: 0 CR4[PAE]: 0 Windows Version is -.- (-)' Other modules seem to hang, or produce no results. I thought I must have a bad file, but I got it from the right place, and changing the name or location doesn't seem easy enough that an OEM would do it. I thought I might be using the tool wrong, but it seems I can get it working better with four out of the five NIST samples linked from the code.google.com/p/volatility/wiki website. I'm wondering if trying to do something volatility doesn't support yet, or if I am simply making a mistake. Thanks, andybellman(a)outlook.com

11 years, 6 months

3
2
0 0

Recovering OpenVPN credentials

by Philip Huppert

Hi, as part of a university course I've developed a Volatility plugin to extract user credentials cached in an OpenVPN process. Currently the extraction is limited to OpenVPN 2.2.2 on Windows. Still, maybe this is useful to someone else. Code is here: https://github.com/Phaeilo/vol-openvpn Philip

11 years, 6 months

3
3
0 0

RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64

by Smelkovs, Konrads (London)

Hello Aaron and Michael, This is a machine with a very interesting file corruption case which is most likely malware. I used moonsol's DumpIt to acquire the image from a Win7 64bit SP1 machine with 8 gigs of ram. Here's the output of bin2dmp: bin2dmp - 1.0.20100405 - (Professional Edition - Single User Licence) Convert raw memory dump images into Microsoft crash dump files. Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net> Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com> User , () Initializing memory descriptors... Done. Looking for kernel variables... Done. Loading file... Done. Rewritting CONTEXT for Windbg... -> Context->SegCs at physical address 0x0000000006017F78 modified from 00 in o 10 -> Context->SegDs at physical address 0x0000000006017F7A modified from 00 in o 2b -> Context->SegEs at physical address 0x0000000006017F7C modified from 00 in o 2b -> Context->SegFs at physical address 0x0000000006017F7E modified from 00 in [0x000000021E600000 of 0x000000021E600000] MD5 = 2DF9C04AB34D820ACA56B201B1382A880x0000000006017F80 is already equal to 00 Total time for the conversion: 9 minutes 49 seconds.6017F82 modified from 00 in o 18 And here I tried loading the dump file in windbg 64 Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\ xxxx.dmp] Kernel Complete Dump File: Full address space is available Comment: 'Hibernation file converted with MoonSols Memory Toolkit' Symbol search path is: C:\windows\symbols;SRV*C:\windows\symbols*http://msdl.microsoft.com/downloa… Executable search path is: Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. *** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540 *** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540 Debugger can not determine kernel base address Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533 Machine Name: Kernel base = 0xfffff800`02e1b000 PsLoadedModuleList = 0xfffff800`0305e6d0 Debug session time: Sun Mar 2 21:08:59.275 2014 (UTC + 0:00) System Uptime: 0 days 7:22:16.509 Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. *** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540 *** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540 Debugger can not determine kernel base address Loading Kernel Symbols Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. .Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 Image path too long, possible corrupt data. Loading unloaded module list ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. ..Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. . WARNING: .reload failed, module list may be incomplete GetContextState failed, 0xD0000147 CS descriptor lookup failed GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get program counter GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 4D415454, {1, 2, 3, 4} GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 ***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057. Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE ) Followup: MachineOwner --------- GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 -----Original Message----- From: AAron Walters [mailto:awalters@4tphi.net] Sent: 02 March 2014 20:50 To: Smelkovs, Konrads (London) Cc: Michael Ligh Subject: RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64 Hi Konrads, Nice to meet you. Thank for joining the mailing list. Is the machine you are trying to analyze part of an investigation or a test machine? A physical machine or a virtual machine? Does it have any unusual devices connected to it? If you convert the sample to windbg format using the MoolSols tools, will it load in windows debugger? Thanks, AAron Walters The Volatility Foundation On Sun, 2 Mar 2014, Smelkovs, Konrads (London) wrote: > Hi, > > Hangs on both Linux and Windows. I used MoonSol's memory acquisition tools. What tools would you suggest to use instead? > > > -----Original Message----- > From: Michael Ligh [mailto:michael.ligh@mnin.org] > Sent: 02 March 2014 16:25 > To: Smelkovs, Konrads (London) > Cc: vol-users(a)volatilityfoundation.org > Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64 > > Hi Konrads, > > Thanks for the output. At the moment, its looks like the page table is corrupt (based on the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way outside the size of your file). Whether the acquisition tool or Volatility's address space parser is to blame, I'm not currently sure. Can you answer a few additional questions, please: > > * Does it also hang on Linux also, or does it complete sometime after printing those "None object instantiated: Unable to read_long_long_phys" messages? > * What tool did you acquire memory with? Is it possible to re-acquire in a different format, such as a Windows crash dump? > > Thanks, > Michael > > > This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. > This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. > Any communications made with KPMG may be monitored and a record may be kept of any communication. > Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. > A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. > KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL. > This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. Any communications made with KPMG may be monitored and a record may be kept of any communication. Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.

11 years, 6 months

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users