Hello Aaron and Michael,
This is a machine with a very interesting file corruption case which is most likely malware. I used moonsol's DumpIt to acquire the image from a Win7 64bit SP1 machine with 8 gigs of ram. Here's the output of bin2dmp:
bin2dmp - 1.0.20100405 - (Professional Edition - Single User Licence)
Convert raw memory dump images into Microsoft crash dump files.
Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>
User , ()
Initializing memory descriptors... Done.
Looking for kernel variables... Done.
Loading file... Done.
Rewritting CONTEXT for Windbg...
-> Context->SegCs at physical address 0x0000000006017F78 modified from 00 in
o 10
-> Context->SegDs at physical address 0x0000000006017F7A modified from 00 in
o 2b
-> Context->SegEs at physical address 0x0000000006017F7C modified from 00 in
o 2b
-> Context->SegFs at physical address 0x0000000006017F7E modified from 00 in
[0x000000021E600000 of 0x000000021E600000]
MD5 = 2DF9C04AB34D820ACA56B201B1382A880x0000000006017F80 is already equal to
00
Total time for the conversion: 9 minutes 49 seconds.6017F82 modified from 00 in
o 18
And here I tried loading the dump file in windbg 64
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\ xxxx.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'Hibernation file converted with MoonSols Memory Toolkit'
Symbol search path is: C:\windows\symbols;SRV*C:\windows\symbols*http://msdl.microsoft.com/downloa…
Executable search path is:
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540
Debugger can not determine kernel base address
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533
Machine Name:
Kernel base = 0xfffff800`02e1b000 PsLoadedModuleList = 0xfffff800`0305e6d0
Debug session time: Sun Mar 2 21:08:59.275 2014 (UTC + 0:00)
System Uptime: 0 days 7:22:16.509
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540
Debugger can not determine kernel base address
Loading Kernel Symbols
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
.Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
Image path too long, possible corrupt data.
Loading unloaded module list
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
..Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.
WARNING: .reload failed, module list may be incomplete
GetContextState failed, 0xD0000147
CS descriptor lookup failed
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get program counter
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4D415454, {1, 2, 3, 4}
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
Followup: MachineOwner
---------
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
-----Original Message-----
From: AAron Walters [mailto:awalters@4tphi.net]
Sent: 02 March 2014 20:50
To: Smelkovs, Konrads (London)
Cc: Michael Ligh
Subject: RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64
Hi Konrads,
Nice to meet you. Thank for joining the mailing list.
Is the machine you are trying to analyze part of an investigation or a test machine? A physical machine or a virtual machine? Does it have any unusual devices connected to it?
If you convert the sample to windbg format using the MoolSols tools, will it load in windows debugger?
Thanks,
AAron Walters
The Volatility Foundation
On Sun, 2 Mar 2014, Smelkovs, Konrads (London) wrote:
> Hi,
>
> Hangs on both Linux and Windows. I used MoonSol's memory acquisition tools. What tools would you suggest to use instead?
>
>
> -----Original Message-----
> From: Michael Ligh [mailto:michael.ligh@mnin.org]
> Sent: 02 March 2014 16:25
> To: Smelkovs, Konrads (London)
> Cc: vol-users(a)volatilityfoundation.org
> Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64
>
> Hi Konrads,
>
> Thanks for the output. At the moment, its looks like the page table is corrupt (based on the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way outside the size of your file). Whether the acquisition tool or Volatility's address space parser is to blame, I'm not currently sure. Can you answer a few additional questions, please:
>
> * Does it also hang on Linux also, or does it complete sometime after printing those "None object instantiated: Unable to read_long_long_phys" messages?
> * What tool did you acquire memory with? Is it possible to re-acquire in a different format, such as a Windows crash dump?
>
> Thanks,
> Michael
>
>
> This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it.
> This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it.
> Any communications made with KPMG may be monitored and a record may be kept of any communication.
> Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter.
> A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office.
> KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.
>
This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it.
This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it.
Any communications made with KPMG may be monitored and a record may be kept of any communication.
Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter.
A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office.
KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.
Working on a system that has been beaconing out to bad places and noticed
this in the 'pstree' output (abbreviated):
Name Pid PPid
-------------------------------------------------- ------ ------
0x894ca030:csrss.exe 580 484 ...
0x8f25b5b0:wininit.exe 632 484 ...
. 0x8f379d40:services.exe 692 632 ...
.. 0xb12484c0:FireSvc.exe 2064 692 ...
.. 0xaecc6d40:svchost.exe 3332 692 ...
...
.. 0xb3eeb030:svchost.exe 3780 692 ...
.. 0x85e518e8:msdtc.exe 5332 692 ...
... 0x82651d40:explorer.exe 5400 5332 ...
.... 0x85dcc3b0:pmcs.exe 1608 5400 ...
.... 0x85dc9240:EpePcMonitor.e 6108 5400 ...
.... 0x85c92030:BTTray.exe 4744 5400 ...
.... 0x8652c928:iexplore.exe 7028 5400 ...
..... 0x86721030:iexplore.exe 7364 7028 ...
...... 0x866f2030:jp2launcher.ex 5356 7364 ...
....... 0x8678c408:java.exe 7700 5356 ...
...
Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would
normally expect userinit.exe to start explorer and then exit, leaving it
with no visible parent.
Any input appreciated...
-=[ Steve ]=-
Hello,
C:\ >volatility-2.3.1.standalone.exe -f C:\image.raw kdbgscan --profile=Win7SP1x64
Volatility Foundation Volatility Framework 2.3.1
.....
Never finishes - analysing 8 gig dump, CPU max. Help?
This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it.
This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it.
Any communications made with KPMG may be monitored and a record may be kept of any communication.
Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter.
A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office.
KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.
Hi list,
I'm currently doing some memory analysis, and I'm using Notepad on Windows 7 x64 as an example.
My question is this: is there any way to link a _FILE_OBJECT back to the process that generated it, without a valid handle, or an entry in the VAD tree.
This article discusses it: http://computer.forensikblog.de/en/2009/04/linking-file-objects-to-processe… - however, this approach only works if there is a valid handle for the open file.
Here's an example:
I open notepad, and open a simple text file that contains "This is the contents of the file". Performing a scan over the memory dump reveals this data in two locations:
1 - 0x1448f000 - This is the contents of the file found through the _FILE_OBJECT->SectionObjectPointers->DataSectionObject. This points to a control area, and through that I can locate the Subsection-BasePTE which shows that the page is in transition and has a PFN of 0x1448f. So this allows me to the find the data through the _FILE_OBJECT
2 - 0x39d336b0 - This address is currently part of Notepad's private heap, which is where the data has been mapped into.
So examining the two pages through WinDbg gives me this information:
lkd> !pfn 1448f PFN 0001448F at address FFFFFA80003CDAD0 flink 00015B8F blink / share count 00013ED5 pteaddress FFFFF8A0008AD010 reference count 0000 used entry count 0000 Cached color 0 Priority 5 restore pte FA800325553004C0 containing page 00ABBA Standby P Shared lkd> !pte FFFFF8A0008AD010 1 VA fffff8a0008ad010PXE at FFFFF8A0008AD010 PPE at FFFFF8A0008AD010 PDE at FFFFF8A0008AD010 PTE at FFFFF8A0008AD010contains 000000001448F8C0not valid Transition: 1448f Protect: 6 - ReadWriteExecute
As can be seen, the page containing the original data is shared, is on the standby list, and points to a prototype PTE.
lkd> !pfn 39d33 PFN 00039D33 at address FFFFFA8000AD7990 flink 00039D88 blink / share count 00039D1E pteaddress FFFFF6800001CAC8 reference count 0000 used entry count 0000 Cached color 0 Priority 3 restore pte 1635500000080 containing page 0274B8 Standby
lkd> !pte FFFFF6800001CAC8 1 VA fffff6800001cac8PXE at FFFFF6800001CAC8 PPE at FFFFF6800001CAC8 PDE at FFFFF6800001CAC8 PTE at FFFFF6800001CAC8contains 0000000000000000not valid
The PTE within Notepad's heap is marked as not valid, but also shows that the page is on the standby list.
As the page located through the FILE_OBJECT is marked as shared, and points to a prototype PTE, is there anyway of locating this prototype PTE, and using it to track back to Notepad? So for instance, would it be possible to locate the PPTE by searching memory for the 'MmSt' tag, and then parse the PPTE to gain any information. Or does the PPTE not track backwards in that way?
Essentially, if the page containing the data found through the _FILE_OBJECT is shared, what is it shared with, and is it possible to track this information, using either the PFN database, prototype PTE entries, or something else I haven't thought of.
Any input or advice would be appreciated.
Thanks
Josh.
Hello All,
I was writing to let everyone know that I will be speaking Friday at RSA
on investigating Mac malware with Volatility and Volatility's Mac
support in general. If you are going to the conference you should check
out the talk and come say 'hi' after:
http://www.rsaconference.com/speakers/andrew-case
--
Thanks,
Andrew (@attrc)
C:\Volatility>python vol.py timeliner -f
\CSATLCL\W0137018\W0137018-RAM.dd4.001 --profile=Win7SP1x86
Volatility Foundation Volatility Framework 2.3.1
Traceback (most recent call last):
File "vol.py", line 184, in <module>
main()
File "vol.py", line 175, in main
command.execute()
File "C:\Volatility\volatility\commands.py", line 122, in execute
func(outfd, data)
File "C:\Volatility\volatility\plugins\timeliner.py", line 88, in
render_text
for line in data:
File "C:\Volatility\volatility\plugins\timeliner.py", line 312, in
calculate
o)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xae' in
position 156: ordinal not in range(128)
Looks like I may have a martian character in a string somewhere...
-=[ Steve ]=-
Hello All,
We are writing to announce that we now have public trainings scheduled
in Australia, London, New York, and Virginia! The New York and London
trainings will be selling out soon so we suggest contacting us ASAP if
you wish to attend either of those.
We have also already received significant interest in the Australia
course and have a large notification list for it. Please contact us if
you would like to be added.
Finally, the team is happy to announce that we now have a dedicated
website for training at http://www.memoryanalysis.net.
For full information on each training and the new website, please see
our recent blog post:
http://volatility-labs.blogspot.com/2014/02/training-by-volatility-project-…
If you want to to learn memory forensics skills from the researchers and
developers behind Volatility then you should consider signing up for one
of our courses. Not only will you leave being an expert in Volatility
and Windows internals, but you will also be able to perform malware
analysis and incident response along side the best in the industry.
--
Thanks,
Andrew (@attrc)
I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files.
Has any one found a way of doing it?
Thank you very much in advance.
Kind regards,
Roger
Does anyone have one? Is there a writeup somewhere like there was for Stuxnet?
Ryan Gibson
GCFA, GCIH, Security +
Office: 858-651-1689
Mobile: 619-804-8736
Senior IT Security Engineer
So was the fix just to switch to lime format or did you also need the
patch? This will help us keep better documentation for future bug reports.
Also, is there a reason you need the raw sample? If you are looking for
a sample without any metadata, the best version would be 'padded' since
it zero fills the offsets between RAM sections, but note that you can
get a HUGE file, especially on 64 bit systems.
The raw version of LiME simply concatantes regions together (does not
pad), which make offsets found from virtual address translation off.
This is why Volatility (and other tools) cannot process most raw Lime dumps.
On 2/6/2014 10:45 AM, Torres, Geoff (Global Cyber Security) wrote:
> OK, we're making progress...
>
> Michael Ligh also suggested that article. I had dismissed it as not applicable because it was regarding CentOS 5.3 and the earliest I've been attempting is 5.8. My apologies for not trying it sooner.
>
> It did work for the Lime format, but not the Raw format which is ultimately what I need. Would different offsets work for the raw format? Is it possible to convert a raw format image into Lime format?
>
> Also, does this mean that I need different volatility code for different kernels?
>
> My role is to perform forensic analysis on compromised systems. I can conceivably get any type of system and I get them in large enough volume that I've been developing scripts to automate these sort of tasks.
>
> Thanks for all your help so far,
>
> Geoff
>
>
> -----Original Message-----
> From: Andrew Case [mailto:atcuno@gmail.com]
> Sent: Thursday, February 06, 2014 7:32 AM
> To: Torres, Geoff (Global Cyber Security); 'vol-users(a)volatilityfoundation.org'
> Subject: Re: [Vol-users] Difficulty creating CentOS profiles
>
> Hello,
>
> I believe you are having the same issues that we diagnosed here:
>
> http://lists.volatilityfoundation.org/pipermail/vol-users/2013-February/000…
>
> Could you please edit your code as MHL explains to account for the shift? It only requires two small changes to the existing code. Note that the line numbers may be different since the code has been update since then but if you search for the 0xffffffff80000000 number in each file you will be able to find it.
>
> Also we would recommend acquiring in the lime format "format=lime"
> instead of acquiring in the raw one.
>
> Let me know how it goes.
>
> Thanks,
> Andrew (@attrc)
>
>
> On 2/5/2014 5:26 PM, Torres, Geoff (Global Cyber Security) wrote:
>> Hi,
>>
>>
>>
>> I've been unable to create a working Linux profile for any version of
>> CentOS. It compiles fine but gives a 'No suitable address space
>> mapping found' error when ran against the memory image.
>>
>>
>>
>> I've been successful creating various Debian and Ubuntu profiles, but
>> CentOS has yet to work. I'm sure it's something simple but I can't
>> figure it out. I'm certain that I'm matching kernel versions
>> correctly and that the build process is the same as I use for the Ubuntu versions.
>>
>>
>>
>> I've attached the details of my most recent attempt. It's a vanilla
>> CentOS 5.10 install on VmWare. The memory image is available (250Mb
>> zip) if necessary.
>>
>>
>>
>> Any ideas? None of the solutions I found in Google seem to address my
>> issue.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Geoff
>>
>>
>>
>> BTW - I'm not a kernel programmer so please be detailed if there's
>> something you'd like me to try.
>>
>>
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
