Hi
I am running revision 3164.
I get the following error when running (ignore the import errors):
# python2.7 vol.py -f /opt/hiberfil.sys --profile=WinXPSP3x86 imagecopy -O /opt/winxp_sp3_2nd.raw
Volatile Systems Volatility Framework 2.3_alpha
*** Failed to import volatility.plugins.zeusscan1 (AttributeError: 'module' object has no attribute 'ImpScan')
*** Failed to import volatility.plugins.zeusscan2 (AttributeError: 'module' object has no attribute 'ApiHooks')
Writing data (5.00 MB chunks):
|......................................................................................................................................................................................................................................................
ERROR   : volatility.plugins.imagecopy: Error when reading from address space
I have tried copying over the .sys file twice. I generated a new .sys file
and got the same error. It worked wonderfully last week. I tried reverting
back to revision 3159 and no dice. Also, oddly enough, it works with an old
version of Volatility running on REMnux.
Not sure what's up. Also, here is the output from imageinfo:
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
AS Layer3 : FileAddressSpace (/opt/hiberfil.sys)
PAE type : PAE
DTB : 0x9300060L
KDBG : 0x80545be0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2013-03-05 06:26:20 UTC+0000
Image local date and time : 2013-03-05 00:26:20 -0600
thanks in advance
Hi,
I am trying to build a profile for the Arch Linux kernel (3.7.9-2),
but I am getting this error:
http://paste.ubuntu.com/5584634/
Is this a problem with newer kernels or am I doing something wrong?
Cheers,
Edwin
Hi All,
I'm trying to make a profile for an Android device.
I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC Sense
4.0, kernel 2.6.39.4-g6b459dc).
Now, following the instructions here
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I was
trying to understand how to modify the Makefile under
volatility/tools/linux/ in order to point it at my kernel source. The thing
is that from my kernel source folder I couldn't find proper values for
KDIR and KVER (although they should be pretty straightforward according to
their names) that would fit the path used by the make command in the
following source code:
pmem: pmem.c
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules

dwarf: module.c
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M=$(PWD) modules
	dwarfdump -di module.ko > module.dwarf
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean
Has anyone ever created an Android profile? Any hints?
I've seen in the mailing list archive a thread "Profile (ZIP) for Android
4.0.3" from Mike (in Cc), any news about that?
Thank you
P.
--
Pasquale Stirparo, MEng
GCFA, OPST, OWSE, ECCE
European Commission - JRC Joint Research Centre
Institute for the Protection and Security of the Citizen (IPSC)
Digital Citizen Security Unit
Via E. Fermi, 2749 - TP 361
21027 Ispra (VA) - Italy
PGP Key: 0x4C589FB2
Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
Disclaimer: The views expressed are purely those of the writer and may not
in any circumstance be regarded as stating an official position of the
European Commission.
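As an added example (not code from Volatility or from the poster), the script below shows the two things the Makefile question turns on. First, what `$(KDIR)/lib/modules/$(KVER)/build` expands to: on the host that will be analysed, KDIR is `/` and KVER is `uname -r`, so make is pointed at the installed kernel headers; for an Android kernel built out of tree there is no `/lib/modules/<ver>/build`, and the assumption encoded here is that `make -C` should instead receive the configured kernel source tree itself (with ARCH/CROSS_COMPILE supplied to the build, which this script does not do). Second, once `module.dwarf` and the matching `System.map` exist, the profile is a zip containing both, which this script assembles and sanity-checks, including a check that `init_task` and `swapper_pg_dir` are present in the map. The System.map and module.dwarf contents below are constructed stand-ins, and the required-symbol list, file names and `demo()` helper are this example's own choices.

```python
"""Build and sanity-check a Volatility Linux/Android profile zip.

Added example, not Volatility's own tooling.  Assumptions:
- module.dwarf was produced by `dwarfdump -di module.ko` as in the Makefile
- System.map belongs to the *same* kernel build the memory was captured from
"""
import os
import re
import tempfile
import zipfile

# Symbols the Linux plugins resolve by name from System.map: init_task is the
# head of the task list, swapper_pg_dir the kernel page directory.
# (Assumed minimal set for this example; real profiles carry the whole map.)
REQUIRED_SYMBOLS = ("init_task", "swapper_pg_dir")

# System.map lines look like: "<hex address> <type letter> <symbol name>"
SYSMAP_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")

# Constructed sample; a real map has tens of thousands of lines.
SAMPLE_SYSTEM_MAP = """\
c0008000 T stext
c0004000 D swapper_pg_dir
c0481580 D init_task
c03d0000 A _etext
"""


def kbuild_dir(kdir, kver):
    """Directory the stock Makefile hands to `make -C`.

    kdir="/" and kver=`uname -r` give /lib/modules/<ver>/build, i.e. the
    headers of the running host.  For an out-of-tree Android kernel pass the
    configured source tree as kdir and kver=None (assumption of this example).
    """
    if kver is None:
        return os.path.normpath(kdir)
    return os.path.join(kdir, "lib", "modules", kver, "build")


def parse_system_map(text):
    """Return {symbol: address} from System.map text, skipping malformed lines."""
    symbols = {}
    for line in text.splitlines():
        m = SYSMAP_RE.match(line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def missing_symbols(symbols, required=REQUIRED_SYMBOLS):
    """Names from `required` that the parsed map does not define."""
    return [s for s in required if s not in symbols]


def build_profile(dwarf_path, sysmap_path, out_zip):
    """Zip module.dwarf and System.map at the top level, refusing a map that
    lacks the symbols the analysis will need."""
    with open(sysmap_path) as f:
        missing = missing_symbols(parse_system_map(f.read()))
    if missing:
        raise ValueError("System.map lacks symbols: %s" % ", ".join(missing))
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(dwarf_path, "module.dwarf")
        zf.write(sysmap_path, "System.map")
    return out_zip


def check_profile(zip_path):
    """Return the sorted member names; raise if either required file is absent.
    Stricter than Volatility's loader, which matches names case-insensitively."""
    with zipfile.ZipFile(zip_path) as zf:
        names = sorted(zf.namelist())
    for needed in ("module.dwarf", "System.map"):
        if needed not in names:
            raise ValueError("%s missing from %s" % (needed, zip_path))
    return names


def demo():
    """Write the constructed inputs to a temp dir, build the zip, validate it."""
    workdir = tempfile.mkdtemp()
    dwarf = os.path.join(workdir, "module.dwarf")
    sysmap = os.path.join(workdir, "System.map")
    with open(dwarf, "w") as f:
        f.write("DW_TAG_compile_unit\n")  # constructed stand-in for dwarfdump output
    with open(sysmap, "w") as f:
        f.write(SAMPLE_SYSTEM_MAP)
    out = build_profile(dwarf, sysmap, os.path.join(workdir, "HTCOneX-2.6.39.4.zip"))
    return check_profile(out)


if __name__ == "__main__":
    print(kbuild_dir("/", "3.7.9-2-ARCH"))
    print(demo())
```

The resulting zip is dropped into volatility/plugins/overlays/linux/ so that `vol.py --info` lists it as a profile. The symbol check is the cheap way to catch the most common profile mistake, a System.map taken from a different build than the one the module was compiled against.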
On 2013-02-27 13:51, Ayers, Robert wrote:
> By name alone I'd bet a beer that this is a malicious executable
>
> 0x89152020 qegyas.exe 2364 2236 0 -------- 0 0 2013-02-27 15:08:35 2013-02-27 15:08:44
Thanks for the quick response. I believe that qegyas.exe is the
injector (according to my procmon at least). Also, that process has
exited, so I'm out of luck for taking a peek at it (in memory at
least... happily the malware left the file on the drive :))
James
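An added example (not a Volatility plugin and not from either poster) that does the triage this exchange did by eye: it parses pslist output, separates entries that carry an exit timestamp from live ones, flags names outside a baseline of expected Windows processes, and reports each flagged process's parent. The sample lines are constructed in the shape of Volatility 2.x pslist output (Offset, Name, PID, PPID, Thds, Hnds, Sess, Wow64, Start, Exit), modelled on the quoted line; the baseline set, the parent lookup and the `triage()` helper are this example's own choices, and nothing here establishes that any name is malicious.

```python
"""Triage Volatility pslist output: exited entries, unknown names, their parents.

Added example, not part of Volatility.  Works on Volatility 2.x pslist text,
with or without the 'UTC+0000' suffix after timestamps.
"""
import re

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Assumption: names expected on a default Windows XP box; tailor per build.
BASELINE = {
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
}

# Constructed sample; the qegyas.exe line follows the shape of the one quoted above.
SAMPLE_PSLIST = """\
Offset(V)  Name                 PID  PPID Thds Hnds Sess Wow64 Start                         Exit
---------- -------------------- ---- ---- ---- ---- ---- ----- ----------------------------- -----------------------------
0x823c8830 System                  4     0   55  253 ------    0 2013-02-27 14:54:59 UTC+0000
0x8229a020 smss.exe              368     4    3   21 ------    0 2013-02-27 14:55:01 UTC+0000
0x89152020 qegyas.exe           2364  2236    0 --------   0     0 2013-02-27 15:08:35 UTC+0000 2013-02-27 15:08:44 UTC+0000
0x891a8da0 explorer.exe         2236  2200   14  402      0     0 2013-02-27 14:55:30 UTC+0000
"""


def parse_pslist(text):
    """Return one dict per process row; header/separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].startswith("0x"):
            continue
        # Everything after the eight fixed columns is Start [Exit] text.
        times = TS_RE.findall(" ".join(parts[8:]))
        procs.append({
            "offset": int(parts[0], 16),
            "name": parts[1],
            "pid": int(parts[2]),
            "ppid": int(parts[3]),
            "threads": int(parts[4]),
            "handles": parts[5],          # '--------' once the handle table is gone
            "start": times[0] if times else None,
            "exit": times[1] if len(times) > 1 else None,
        })
    return procs


def exited(procs):
    """Entries still linked in the active list at capture time but already
    terminated: exit time set, thread count normally zero."""
    return [p for p in procs if p["exit"] is not None]


def unknown_names(procs, baseline=BASELINE):
    """Process names not in the baseline, sorted and de-duplicated."""
    return sorted({p["name"] for p in procs if p["name"] not in baseline})


def parent_name(procs, pid):
    """Name of the process with the given PID, or None if it is not listed."""
    for p in procs:
        if p["pid"] == pid:
            return p["name"]
    return None


def triage(text, baseline=BASELINE):
    """Summarise exited entries, unknown names and who spawned the unknowns."""
    procs = parse_pslist(text)
    unknown = unknown_names(procs, baseline)
    parents = {p["name"]: parent_name(procs, p["ppid"])
               for p in procs if p["name"] in unknown}
    return {
        "exited": [p["name"] for p in exited(procs)],
        "unknown": unknown,
        "parents": parents,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PSLIST))
```

An entry in the exited list with zero threads and a dashed handle column is exactly the situation described above: the EPROCESS is still reachable, but its address space and handle table are gone, so procdump and the like will not recover the image; the on-disk file, or a psscan sweep for any earlier instances, is where to look next.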
Greetings,
I was adding OS X support to my copy of Volatility per the instructions on https://code.google.com/p/volatility/wiki/MacMemoryForensics. It went well but I thought I'd pull the most recent version while I was at it.
Mac support went away when I did so. setup.py is now missing:
"volatility.plugins.overlays.mac",
Even when I add that back, vol.py --info doesn't show the OS X profiles.
Is this intentional? Is there a different version that I should be using?
Thanks!
-David
Hi there
We are looking to collect memory from an old Windows NT box. Of course, the tools we use are too recent to be compatible with Windows NT. Does anyone have any workaround suggestions or tools that may assist with this memory collection?
Regards,
Terrie
Group,
I have a memory image file for a Red Hat 6.3 box with 2.6.32-279.el6.x86_x64 kernel. Is it ok to use the CentOS 6.3 x64 (2.6.32-279.el6.x86_x64) example profile, given it's for the same kernel, or do I need to build a new profile?
Thanks for the help.
Kevin Marker
ACE, CCE, CISSP, EnCE