Hello all,
First congrats on a great tool :)
I'm looking for some iso/distro to be able to do some "coldboot" testing,
and i was thinking on using LiME module.
Does anyone have done anything related to this, like a really small kernel
booting to usb, and dump the mem?
What do you guys use to do memory dumps? (on "real" systems not vm's ?)
Thanks
Thanks both of you for your help and advice. I will try to verify if the memory is allocated. I have to convert the memory image to the crash dmp.
The --base switch works very well. I overlooked it in the help.
Thanks
Jaro
Od: "Michael Hale Ligh" <michael.hale(a)gmail.com<mailto:michael.hale@gmail.com>>
Datum: po, 6. 3, 2013 16:48
Předmět: [Vol-users] DPC procedure localization
Komu: "George M. Garner Jr." <ggarner_online(a)gmgsystemsinc.com<mailto:ggarner_online@gmgsystemsinc.com>>
Kopie: "vol-users" <vol-users(a)volatilesystems.com<mailto:vol-users@volatilesystems.com>>
Thanks for the explanation George!
Jaroslav - to answer your other question "how can I dump this using the
offset 0x80013000?" you can use the moddump plugin with --base= 0x80013000.
MHL
On Mon, Jun 3, 2013 at 10:43 AM, George M. Garner Jr. <
ggarner_online(a)gmgsystemsinc.com<mailto:ggarner_online@gmgsystemsinc.com>> wrote:
> Jaroslav,
>
> Kernel timers come and go at a very high rate which leads to a significant
> number of invalid or spurious timer artifacts which result from the fact
> that the memory dump was acquired from the system while it was running.
> Not that the last two timers are signaled and the periods are not
> coherent. It is possible that the last two "timer" objects reside in
> memory that once was a kernel timer object and has since been freed and
> that some of the timer fields (e.g. the routine address) have been
> overwritten with incoherent data. Try running the !pool command on the
> last two timer addresses (0x863ead10 and 0x85e451e8) and see if that memory
> is currently allocated. (I am assuming that you either have or can convert
> your memory dump to MS crashdump format.)
>
> Regards,
>
> George.
>
>
> On 6/3/2013 9:15 AM, BRTAN Jaroslav wrote:
>
>> Hi all,
>>
>> I'd like to ask you for your help with analysis. The timers module shows
>> that there is a strange DPC at 0x8647e4e0.
>>
>>
>> Timers module output:
>>
>> Offset(V) DueTime Period(ms) Signaled Routine
>> Module
>> ---------- ------------------------ ---------- ---------- ----------
>> ------
>> 0x873097d0 0x0000002f:0x2db9d0c3 0 - 0xa7386d8e
>> arp1394.sys
>> 0x85b9a2c8 0x8000002d:0x6d7d7c8e 0 - 0x80538a98
>> ntoskrnl.exe
>> 0x8a332b20 0x0000002f:0x2ea5d991 0 - 0xb9ddef1a
>> NDIS.sys
>> 0x863ead10 0x00010014:0x863ead28 -205...072 Yes 0x8647e4e0
>> UNKNOWN
>> 0x85e451e8 0x00010014:0x85e45200 -205...072 Yes 0x8647e4e0
>> UNKNOWN
>>
>>
> ______________________________**_________________
> Vol-users mailing list
> Vol-users(a)volatilesystems.com<mailto:Vol-users@volatilesystems.com>
> http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lists.volatilesystems.com/mailman/listinfo/vol-users>
>
The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. This time we are demoing a feature
that will allow automatted volatility plugin generation with our Dalvik
Inspector tool. We think our results will be of great interest to the DFIR
community and look forward to your feed back. We plan on releasing the
tool this year at Black Hat.
The blog post can be found here:
http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik…
---
*Joe T. Sylve, M.S.*
Co-Founder
504ENSICS Labs
(504) 210-8270 (Office)
http://www.504ensics.com
PGP Key: http://www.504ensics.com/pgp_keys/joesylve.asc
Greetings
I am looking at Win 7 x86 SP1 memory and I dont understand why I am seeing
"established connections" but no PID or Process with it.
0x2d07480 TCPv4 10.22.41.40:58767
38.126.225.229:43405ESTABLISHED -------- --------------
0x1367da70 TCPv4 10.22.41.40:59302
151.213.50.211:22031ESTABLISHED -------- --------------
In addition I am seeing stuff "listening" and it contains the PID and
Process.
0xdb838178 TCPv4 0.0.0.0:49154 0.0.0.0:0
LISTENING 996 svchost.exe
0xdb850ab0 TCPv4 0.0.0.0:49155 0.0.0.0:0
LISTENING 1440 spoolsv.exe
0xdb855e78 TCPv4 0.0.0.0:49155 0.0.0.0:0
LISTENING 1440 spoolsv.exe
So my question is why can I see the listening processes but im not getting
the Process that are established?
Thanks for the help
Lou
For those of you interested in applying memory forensics to your
malware analysis and rootkit detection efforts, we've just posted a
new blog with some exciting news and updates:
http://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-vol…
* Volatility 2.3 will enter beta this week and we'll introduce the new
features over the next four weeks (Month of Volatility Plugins II).
* There are three training courses open for registration (Reston in
June, Netherlands in September, Vermont in November). Email
voltraining(a)memoryanalysis.net for details.
* The plugin contest submissions are starting to trickle in. Enter to
win over $2250 in cash or a free seat at an upcoming training.
* This year's Open Memory Forensics Workshop will be in Chantilly VA
on November 4th, alongside OSDFC (Open Source Digital Forensics
Conference). CFP to be announced soon.
All the best,
Jamie / @gleeda
The Volatility Project
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
