> 1) Where did you get the Ubuntu profile? It says it's missing the
> tcp_seq_afinfo structure.
# uname -a
Linux luigi-Vostro-3500 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:54:40
UTC 2012 i686 i686 i386 GNU/Linux
# zip volatility/plugins/overlays/linux/Ubuntu1204.zip
tools/linux/module.dwarf /boot/System.map-3.2.0-30-generic
But I copied the tools/linux directory from 2.2_alpha
> Thanks,
> Andrew
>
Thanks Luigi
Replying to the list this time ;)
---------- Forwarded message ----------
From: Andrew Case <atcuno(a)gmail.com>
Date: Thu, Sep 13, 2012 at 12:22 PM
Subject: Re: [Vol-users] problem with linux_check_afinfo and others
rootkit plugins
To: bellissimopython(a)email.it
Hello,
1) Where did you get the Ubuntu profile? It says it's missing the
tcp_seq_afinfo structure.
2) Yes, no output means nothing was detected
3) For check_idt and check_syscall, the output will say HOOKED instead
of the symbol name if an entry is hooked.
Write back if you have anymore questions.
Thanks,
Andrew
On Thu, Sep 13, 2012 at 12:13 PM, <bellissimopython(a)email.it> wrote:
> Hi,
> I have the following problem:
>
> # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
> linux_check_afinfo
> Volatile Systems Volatility Framework 2.2_rc1
> Symbol Name Member
> Address
> ------------------------------------------ ------------------------------
> ----------
> WARNING : volatility.obj : Cant find object tcp_seq_afinfo in profile
> <volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at
> 0x9bbc5ac>?
> Traceback (most recent call last):
> File "vol.py", line 186, in <module>
> main()
> File "vol.py", line 177, in main
> command.execute()
> File
> "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py",
> line 51, in execute
> commands.Command.execute(self, *args, **kwargs)
> File
> "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py",
> line 111, in execute
> func(outfd, data)
> File
> "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
> line 82, in render_text
> for (what, member, address) in data:
> File
> "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
> line 73, in calculate
> for (name, member, address) in self.check_afinfo(global_var_name,
> global_var, op_members, seq_members, modules):
> File
> "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
> line 41, in check_afinfo
> for (hooked_member, hook_address) in self.check_members(var.seq_fops,
> var_name, op_members, modules):
> AttributeError: 'NoneType' object has no attribute 'seq_fops'
>
>
> Also I want to report that the volatility-2.2-rc1 package does not have the
> tools/linux folder, so it is not possible to build the dwarf module. Anyway I
> have copied it from the git/alpha release.
>
> And finally I want to ask something about rootkit detection plugins. For
> example, does the following mean that everything is ok?
>
> # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
> linux_check_creds
> Volatile Systems Volatility Framework 2.2_rc1
> PIDs
> --------
> #
>
>
> and the following:
>
> # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
> linux_check_idt
> Volatile Systems Volatility Framework 2.2_rc1
> Index Address Symbol
> ---------- ---------- ------------------------------
> 0x0 0xc1575024 divide_error
> 0x1 0xc15750bc debug
> 0x2 0xc1575114 nmi
> 0x3 0xc1575234 int3
> 0x4 0xc1574fd4 overflow
> 0x5 0xc1574fe0 bounds
> 0x6 0xc1574fec invalid_op
> 0x7 0xc1574fc0 device_not_available
> 0x8 0x00000000 VDSO32_PRELINK
> 0x9 0xc1574ff8 coprocessor_segment_overrun
> 0xa 0xc1575004 invalid_TSS
> 0xb 0xc157500c segment_not_present
> 0xc 0xc1575014 stack_segment
> 0xd 0xc157526c general_protection
> 0xe 0xc1575048 page_fault
> 0xf 0xc157503c spurious_interrupt_bug
> 0x10 0xc1574fa8 coprocessor_error
> 0x11 0xc157501c alignment_check
> 0x12 0xc1575030 machine_check
> 0x13 0xc1574fb4 simd_coprocessor_error
> 0x80 0xc15749b8 system_call
> #
>
> Thanks very much
> luigi
>
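Andrew's point above about check_idt printing HOOKED in place of a symbol name, as an added example that is not part of this thread or of Volatility's own code: a small Python parser for the linux_check_idt table that returns rows labelled HOOKED or whose handler address lies outside an assumed kernel text range. The sample output is constructed (its last row and the KERNEL_TEXT bounds are made-up assumptions, not values from the thread).

```python
"""Parse Volatility linux_check_idt output and flag suspicious IDT entries.

Added example, not Volatility's own code. The sample output below is
constructed to mimic the table format shown in the thread (Index,
Address, Symbol); the HOOKED row and its address are made up.
"""
import re

# Constructed sample: the first rows mirror the thread's table, the
# last row imitates what Volatility prints for a hooked entry.
SAMPLE_OUTPUT = """\
Volatile Systems Volatility Framework 2.2_rc1
     Index Address    Symbol
---------- ---------- ------------------------------
       0x0 0xc1575024 divide_error
       0x8 0x00000000 VDSO32_PRELINK
       0xd 0xc157526c general_protection
      0x80 0xc15749b8 system_call
      0x81 0xf8e0a000 HOOKED
"""

ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)\s*$", re.I)

# Assumed kernel text range for a 32-bit build; in practice take it from
# _text / _etext in the System.map the profile was built from.
KERNEL_TEXT = (0xC1000000, 0xC1600000)

def parse_idt(output):
    """Yield (index, address, symbol) for each table row."""
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3)

def suspicious_entries(output, text_range=KERNEL_TEXT):
    """Return rows that Volatility labelled HOOKED or whose handler lies
    outside the kernel text segment (for example inside a loaded module)."""
    lo, hi = text_range
    found = []
    for idx, addr, sym in parse_idt(output):
        # On 32-bit x86 Linux vector 8 (double fault) is a task gate, so its
        # offset field is 0 and resolves to a zero-valued symbol: expected.
        if idx == 8 and addr == 0:
            continue
        if sym == "HOOKED" or not (lo <= addr < hi):
            found.append((idx, addr, sym))
    return found

if __name__ == "__main__":
    for idx, addr, sym in suspicious_entries(SAMPLE_OUTPUT):
        print("vector %#x -> %#010x (%s)" % (idx, addr, sym))
```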
Hi,
I have the following problem:
# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
linux_check_afinfo
Volatile Systems Volatility Framework 2.2_rc1
Symbol Name Member
Address
------------------------------------------ ------------------------------
----------
WARNING : volatility.obj : Cant find object tcp_seq_afinfo in profile
<volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at
0x9bbc5ac>?
Traceback (most recent call last):
File "vol.py", line 186, in <module>
main()
File "vol.py", line 177, in main
command.execute()
File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py",
line 51, in execute
commands.Command.execute(self, *args, **kwargs)
File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py",
line 111, in execute
func(outfd, data)
File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
line 82, in render_text
for (what, member, address) in data:
File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
line 73, in calculate
for (name, member, address) in self.check_afinfo(global_var_name,
global_var, op_members, seq_members, modules):
File
"/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py",
line 41, in check_afinfo
for (hooked_member, hook_address) in self.check_members(var.seq_fops,
var_name, op_members, modules):
AttributeError: 'NoneType' object has no attribute 'seq_fops'
Also I want to report that the volatility-2.2-rc1 package does not have the
tools/linux folder, so it is not possible to build the dwarf module. Anyway I
have copied it from the git/alpha release.
And finally I want to ask something about rootkit detection plugins. For
example, does the following mean that everything is ok?
# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
linux_check_creds
Volatile Systems Volatility Framework 2.2_rc1
PIDs
--------
#
and the following:
# python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86
linux_check_idt
Volatile Systems Volatility Framework 2.2_rc1
Index Address Symbol
---------- ---------- ------------------------------
0x0 0xc1575024 divide_error
0x1 0xc15750bc debug
0x2 0xc1575114 nmi
0x3 0xc1575234 int3
0x4 0xc1574fd4 overflow
0x5 0xc1574fe0 bounds
0x6 0xc1574fec invalid_op
0x7 0xc1574fc0 device_not_available
0x8 0x00000000 VDSO32_PRELINK
0x9 0xc1574ff8 coprocessor_segment_overrun
0xa 0xc1575004 invalid_TSS
0xb 0xc157500c segment_not_present
0xc 0xc1575014 stack_segment
0xd 0xc157526c general_protection
0xe 0xc1575048 page_fault
0xf 0xc157503c spurious_interrupt_bug
0x10 0xc1574fa8 coprocessor_error
0x11 0xc157501c alignment_check
0x12 0xc1575030 machine_check
0x13 0xc1574fb4 simd_coprocessor_error
0x80 0xc15749b8 system_call
#
Thanks very much
luigi
Volatility 2.2 RC1 is available for download!
This release includes over 50 new plugins and the new LiME address space.
About 35 plugins are for support of 32- and 64-bit Linux kernels 2.6.11 -
3.5 on distributions such as Ubuntu, CentOS, Fedora, OpenSuSE, and
Mandriva. About 14 are for analyzing undocumented kernel data structures in
win32k/GUI space on windows. As an added bonus, there are plugins to parse
event records structures, calculate service SIDs from the registry, and
maybe a few additional surprises before the release.
If you haven't checked recently, we've also redone the wiki entirely for
better organization and documentation. There are two pages specifically
that you should know about for 2.2 - the main release page (with direct
downloads to the code) and the linux tutorial:
http://code.google.com/p/volatility/wiki/Release22
http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
Please note that the 2.2 command reference will remain unfinished until the
proper 2.2 release.
Enjoy!
Could someone please email me the poison_ivy.py file as an attachment please?
My browser mangles it when I try to get it from Andreas Schuster's blog. (Thanks Andreas for the plugin!)
Thanks for the assist,
Mike
If you are one of those people who likes to stay up to date on the latest
happenings in the world of Volatility, there are a couple of new resources
you should definitely check out:
Volatility Labs: This blog will now be the official blog of The Volatility
Project. To kickstart the new blog and celebrate the upcoming OMFW, we
will also be hosting the Month of Volatility Plugins (MoVP).
http://volatility-labs.blogspot.com/
@Volatility: For those who want to follow the Volatility Development Team
and get the inside track on upcoming events (i.e. the exciting new training
courses), you should check us out on Twitter.
https://twitter.com/volatility
Thanks,
AAron Walters
The Volatility Project
I'm trying to generate a profile for my android device. This profile
just included the System.map file, obtained from /proc/kallsyms.
How to get a module.dwarf file? I make a new Makefile for the
cross-compilation of module.c and pmem.c for Android but, obviously, it is
not working.
Thanks in advance!
Hi,
my question is about the reliability of physical memory acquisition on a
runtime system. I mean, is it theoretically possible to hijack memory
acquisition on an infected system?
If yes, could a cold boot attack be useful?
Or are there any other solutions?
thanks
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>
> and...
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>
> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
>
>> Can you paste the command line invocation you are running Vol with?
>>
>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
>> > I am using the 2.1 Windows standalone exe.
>> >
>> > I have a dd image of memory from the subject operating system and when
>> I try
>> > to use pslist with the Win2008SP1x86 profile I get the following errors:
>> >
>> > Traceback (most recent call last):
>> > File "<string>", line 185, in <module>
>> > File "<string>", line 176, in main
>> > File
>> > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> > line 111, in execute
>> > File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
>> > render_text
>> > File
>> >
>> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> > line 72, in pslist
>> > File
>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>> > line 40, in processes
>> > AttributeError: Could not list tasks, please verify your --profile with
>> > kdbgscan
>> >
>> >
>> > When I try to verify my profile with kdbgscan I get the following for
>> all
>> > profiles:
>> >
>> > **************************************************
>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>> > Offset (V) : 0x8193ec90
>> > Offset (P) : 0x193ec90
>> > KDBG owner tag check : True
>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
>> > Service Pack (CmNtCSDVersion) : 1
>> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>> > PsActiveProcessHead : 0x81954990 (0 processes)
>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>> > KernelBase : 0x81847000 (Matches MZ: True)
>> > Major (OptionalHeader) : 6
>> > Minor (OptionalHeader) : 0
>> > KPCR : 0x8193f800 (CPU 0)
>> > KPCR : 0x803d1000 (CPU 1)
>> >
>> > Any help would be greatly appreciated.
>> >
>> > Jon
>> >