Hey all,
Here's what I have:
Offset(P) Name PID pslist psscan thrdproc pspcid
csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------
----- ------- --------
0x26004da0 UPS_Label_23052 396 False True False False
False False False
0x260f7da0 UPS_Label_23052 396 False True False False
False False False
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------------ ------------------------------
0x27808020 explorer.exe 1480 1412 0x0a440200 2013-05-23
17:44:24 UTC+0000
0x26004da0 UPS_Label_23052 396 1480 0x0a4403c0 2013-05-23
17:46:09 UTC+0000
0x260f7da0 UPS_Label_23052 396 1480 0x0a4403c0 2013-05-23
17:46:09 UTC+0000
I'm attempting to find and extract the running UPS_Label_23052, but
having difficulty extracting the exe from it. Procmemdump and
procexedump fail to find the pid, so I'm kind of lost. Any info would
help...thank you.
James
So here's what I got...regsvr32.exe was run as soon below:
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ ------------------------------ ------------------------------
0x893614e0 regsvr32.exe 3100 2564 5 97 0
0 2013-12-06 18:28:51 UTC+0000
Offset(P) Name PID pslist psscan thrdproc pspcid
csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------
----- ------- --------
0x093614e0 regsvr32.exe 3100 True True False True
True True False
regsvr32.exe pid: 3100
Command line : regsvr32.exe "C:\Documents and Settings\user\Local
Settings\Application Data\YrqdPack\normalPaddlg.dll"
Service Pack 3
Base Size LoadCount Path
---------- ---------- ---------- ----
0x10000000 0x9000 0x1 C:\Documents and Settings\user\Local
Settings\Application Data\YrqdPack\normalPaddlg.dll
I'm dumped pid 3100 to a dmp file with procmemdump. I strings 3100.dmp
and I see what I'm looking for (domain names that match a packet
capture). I'm trying to extract that running dll from the 3100.dmp
file, which is around 200 megs. Any help would be awesome..thank you.
James
Oh, also if you copied the ethscan plugin to your volatility/plugins directory, don't use the --plugins option
-----Original Message-----
From: David <eterno.comandante(a)gmail.com>
Date: Thu, 14 Nov 2013 13:53:05
To: Jamie Levy<jamie.levy(a)gmail.com>
Cc: Volatility List<vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Help to add new plugin
Hi Jamie
Thanks again...
I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan”
And i have new errors, (i use vol.py 2.3.1 non instalable version volatility 2.3.1)
Do you know if has anybody a similar problem with ethscan plugin?
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 186, in <module>
main()
File "/usr/local/bin/vol.py", line 143, in main
registry.register_global_options(config, commands.Command)
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options
for m in get_plugin_classes(cls, True).values():
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes
raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>
Best regards
El 14/11/2013, a las 12:45, Jamie Levy <jamie.levy(a)gmail.com> escribió:
> Try:
>
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
>
> First: --plugins takes in either a directory or a zipfile, not a plugin
>
> Second: You didn't specify which plugin to run (ethscan)
> From: David <eterno.comandante(a)gmail.com>
> Date: Thu, 14 Nov 2013 10:41:47 +0100
> To: Jamie Levy<jamie.levy(a)gmail.com>
> Cc: Volatility List<vol-users(a)volatilesystems.com>
> Subject: Re: [Vol-users] Help to add new plugin
>
>
> Sorry I had a typo i didn´t write --profile=Win7SP1x64
>
>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
>
>
>
> I have the same error of ever :(
>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>
>
> Thanks!!
>
> El 14/11/2013, a las 09:36, David <eterno.comandante(a)gmail.com> escribió:
>
>> Hi @Jamie and list
>>
>> Thanks very much for your support ;)
>>
>> I’ve same errors when i’m executing: :(
>>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>>
>> The error:
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>>
>> Maybe the cause of this error can be that the new plugin “ethscan" isn't compatible with non instalable version of volatility 2.3.1, what do you think about?
>>
>> On the other hand, i found a brief tutorial about ethscan:
>>
>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t…
>>
>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>
>> The execution of the vol.py command is different……. :(
>>
>> He does not the flag —-plugin=
>>
>> Thanks for all!!
>>
>> Ps: My apologies for my level of english
>>
>>
>> El 13/11/2013, a las 16:43, Jamie Levy <jamie.levy(a)gmail.com> escribió:
>>
>>> Hi David,
>>>
>>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:
>>>
>>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit…
>>>
>>> Let me know if you have any other questions.
>>>
>>> All the best,
>>>
>>> -gleeda
>>>
>>>
>>>
>>>
>>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote:
>>> Hello list,
>>>
>>> Please, I need some help about for add/use new plugins in volatility 2.3.1.
>>>
>>> Can I use the flag "--plugins=contrib/plugins"? o is there any method?
>>>
>>> The plugin that I want for add/use is:
>>>
>>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>>
>>> Thanks for your support!!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilesystems.com
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
Hey Gang
I'm a total noob with eForensics so I'm on the learning curve. I can get volitility to work on Windows memory images but not with Mac memory images. I've downloaded the Mac profiles, unzipped it and moves the files to the location indicated in the article, but when I run the info command the profiles aren't listed. Is there another step in the enable process?
TIA
Marty
Sent from my iPad
Type at the prompt:
sudo make clean
and try again
-----Original Message-----
From: David <eterno.comandante(a)gmail.com>
Date: Thu, 14 Nov 2013 13:53:05
To: Jamie Levy<jamie.levy(a)gmail.com>
Cc: Volatility List<vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Help to add new plugin
Hi Jamie
Thanks again...
I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan”
And i have new errors, (i use vol.py 2.3.1 non instalable version volatility 2.3.1)
Do you know if has anybody a similar problem with ethscan plugin?
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 186, in <module>
main()
File "/usr/local/bin/vol.py", line 143, in main
registry.register_global_options(config, commands.Command)
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options
for m in get_plugin_classes(cls, True).values():
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes
raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>
Best regards
El 14/11/2013, a las 12:45, Jamie Levy <jamie.levy(a)gmail.com> escribió:
> Try:
>
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
>
> First: --plugins takes in either a directory or a zipfile, not a plugin
>
> Second: You didn't specify which plugin to run (ethscan)
> From: David <eterno.comandante(a)gmail.com>
> Date: Thu, 14 Nov 2013 10:41:47 +0100
> To: Jamie Levy<jamie.levy(a)gmail.com>
> Cc: Volatility List<vol-users(a)volatilesystems.com>
> Subject: Re: [Vol-users] Help to add new plugin
>
>
> Sorry I had a typo i didn´t write --profile=Win7SP1x64
>
>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
>
>
>
> I have the same error of ever :(
>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>
>
> Thanks!!
>
> El 14/11/2013, a las 09:36, David <eterno.comandante(a)gmail.com> escribió:
>
>> Hi @Jamie and list
>>
>> Thanks very much for your support ;)
>>
>> I’ve same errors when i’m executing: :(
>>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>>
>> The error:
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>>
>> Maybe the cause of this error can be that the new plugin “ethscan" isn't compatible with non instalable version of volatility 2.3.1, what do you think about?
>>
>> On the other hand, i found a brief tutorial about ethscan:
>>
>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t…
>>
>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>
>> The execution of the vol.py command is different……. :(
>>
>> He does not the flag —-plugin=
>>
>> Thanks for all!!
>>
>> Ps: My apologies for my level of english
>>
>>
>> El 13/11/2013, a las 16:43, Jamie Levy <jamie.levy(a)gmail.com> escribió:
>>
>>> Hi David,
>>>
>>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:
>>>
>>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit…
>>>
>>> Let me know if you have any other questions.
>>>
>>> All the best,
>>>
>>> -gleeda
>>>
>>>
>>>
>>>
>>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote:
>>> Hello list,
>>>
>>> Please, I need some help about for add/use new plugins in volatility 2.3.1.
>>>
>>> Can I use the flag "--plugins=contrib/plugins"? o is there any method?
>>>
>>> The plugin that I want for add/use is:
>>>
>>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>>
>>> Thanks for your support!!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilesystems.com
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
Try:
sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
First: --plugins takes in either a directory or a zipfile, not a plugin
Second: You didn't specify which plugin to run (ethscan)
-----Original Message-----
From: David <eterno.comandante(a)gmail.com>
Date: Thu, 14 Nov 2013 10:41:47
To: Jamie Levy<jamie.levy(a)gmail.com>
Cc: Volatility List<vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Help to add new plugin
Sorry I had a typo i didn´t write --profile=Win7SP1x64
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
I have the same error of ever :(
> Volatility Foundation Volatility Framework 2.3.1
> ERROR : __main__ : You must specify something to do (try -h)
Thanks!!
El 14/11/2013, a las 09:36, David <eterno.comandante(a)gmail.com> escribió:
> Hi @Jamie and list
>
> Thanks very much for your support ;)
>
> I’ve same errors when i’m executing: :(
>
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>
> The error:
>
> Volatility Foundation Volatility Framework 2.3.1
> ERROR : __main__ : You must specify something to do (try -h)
>
> Maybe the cause of this error can be that the new plugin “ethscan" isn't compatible with non instalable version of volatility 2.3.1, what do you think about?
>
> On the other hand, i found a brief tutorial about ethscan:
>
> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t…
>
> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>
> The execution of the vol.py command is different……. :(
>
> He does not the flag —-plugin=
>
> Thanks for all!!
>
> Ps: My apologies for my level of english
>
>
> El 13/11/2013, a las 16:43, Jamie Levy <jamie.levy(a)gmail.com> escribió:
>
>> Hi David,
>>
>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:
>>
>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit…
>>
>> Let me know if you have any other questions.
>>
>> All the best,
>>
>> -gleeda
>>
>>
>>
>>
>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote:
>> Hello list,
>>
>> Please, I need some help about for add/use new plugins in volatility 2.3.1.
>>
>> Can I use the flag "--plugins=contrib/plugins"? o is there any method?
>>
>> The plugin that I want for add/use is:
>>
>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>
>> Thanks for your support!!
>>
>>
>>
>>
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilesystems.com
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>
>>
>>
>>
>> --
>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>
Hello All,
I'm new to Volatility.
Say I found the string "password=hello world" somewhere in the memory, is
there anyway for me to know which process that memory block is currently
allocated to?
--
matt
Hello list,
Please, I need some help about for add/use new plugins in volatility 2.3.1.
Can I use the flag "--plugins=contrib/plugins"? o is there any method?
The plugin that I want for add/use is:
https://code.google.com/p/jamaal-re-tools/source/checkout
Thanks for your support!!
Hi,
I am using winpmem 1.3.1 for imaging in volatility but whenever I tried to use any of feature of winpmem it gives
error: "Cannot open SCM? Are you administrator"
Where as I don't have any administrative passwords... So how can I solve this issue...???
