When imaging memory on a live VM system to do analysis for malware,
Volatility does not recognize it (see below). Is there anyone on this
mailing list who has the knowledge of how I can remedy this without
shutting the system down and grabbing the VMEM file?
Is it possible to substitute a valid DTB from another image into the
memdump of a live VM machine with a hex editor? And if it can be done, does
anyone know the addresses of that space to take out and substitute? I hope
that made sense...
If you look at a normal image of memory in a hex editor you can clearly see
the difference between that and a VM dump from a live system; there seems
to be some extra padded stuff right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
I recall there being an experimental 64 bit branch up at the Google code
site (not the lin64 one)... But when I just went to grab it, it appears to
be gone. Is it somewhere else?
:: Sent from my mobile phone; please excuse any typos ::
I have a foo.dll loaded in memory. Using `dlllist` I can see that the
physical address is 0x252438. How do I get the virtual address?
--
Eknath Venkataramani
I have a text string that I found in memory and I would like to find out what is using/mapped to that address. (a process, a dll, a buffer, unallocated, etc.)
How do I do that? I'm exploring the docs to see how close I can get; for example dumping what I can with memmap, and then searching for my physical offset. (but that only gets me processes)
Any suggestions appreciated.
Mike Lambert
dragonforen(a)hotmail.com
Thanks Mike,
I got the plugin and put it in the plugin directory.
I looked at the plugin help and did not see how to specify the address to translate. I tried this without a switch:
C:\Python27\volatility-2.0>python vol.py pas2kas -f \mem\120129\120129c.w32 --profile=WinXPSP3x86 0x19248000
Volatile Systems Volatility Framework 2.0
YARA is not installed, see http://code.google.com/p/yara-project/
distorm3 is not installed, see http://code.google.com/p/distorm/
Phys AS KAS
C:\Python27\volatility-2.0>
It seems I am not specifying the address to translate properly. Perhaps you can correct my commandline.
Thanks,
Mike
PS. Yara will not install because it does not see a key for python27 in the registry. Do you know what key I should put in the registry so Yara will install?
> From: scudette(a)gmail.com
> Date: Fri, 3 Feb 2012 23:34:43 -0800
> Subject: Re: [Vol-users] what is at that address
> To: dragonforen(a)hotmail.com
> CC: vol-users(a)volatilityfoundation.org
>
> Mike,
> You could also use the pas2kas module:
>
> http://code.google.com/p/volatility/source/browse/branches/scudette/volatil…
>
> Michael.
>
> On 3 February 2012 15:00, Mike Houston <dragonforen(a)hotmail.com> wrote:
> > I have a text string that I found in memory and I would like to find out
> > what is using/mapped to that address. (a process, a dll, a buffer,
> > unallocated, etc.)
> >
> > How do I do that? I'm exploring the docs to see how close I can get; for
> > example dumping what I can with memmap, and then searching for my physical
> > offset. (but that only gets me processes)
> >
> > Any suggestions appreciated.
> >
> > Mike Lambert
> > dragonforen(a)hotmail.com
> >
> >
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
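A worked model of the translation both threads above turn on (the DTB question at the top of the page, and the physical-to-virtual lookup that pas2kas performs), added here as example code that is not from the list, from Volatility, or from any poster: an x86 non-PAE page-table walker over a constructed 16 KB image. The image layout, the DTB value 0x1000 and the "foo.dll" marker are constructed, and PAE is deliberately left out.

```python
import struct

PAGE_MASK = 0xFFFFF000
PRESENT, LARGE = 0x1, 0x80   # bit 0 of a PDE/PTE; PS bit of a PDE (4 MB page, no page table)

# Constructed 16 KB "physical memory" (not a real dump): page directory at
# 0x1000 (so that is the DTB), one page table at 0x2000, data page at 0x3000.
MEM, DTB = bytearray(0x4000), 0x1000
# PDE[512] -> page table at 0x2000, covering virtual 0x80000000-0x803FFFFF
struct.pack_into("<I", MEM, DTB + 512 * 4, 0x2000 | 0x3)
# PDE[1] -> 4 MB large page at physical 0, covering virtual 0x400000-0x7FFFFF
struct.pack_into("<I", MEM, DTB + 1 * 4, 0x0 | LARGE | 0x3)
# PTE[3] of that page table -> physical page 0x3000, i.e. virtual 0x80003000
struct.pack_into("<I", MEM, 0x2000 + 3 * 4, 0x3000 | 0x3)
MEM[0x3438:0x3438 + 7] = b"foo.dll"   # marker string at physical 0x3438

def read_entry(mem, paddr):
    """One 32-bit table entry; anything outside the image reads as not present."""
    if paddr < 0 or paddr + 4 > len(mem):
        return 0
    return struct.unpack_from("<I", mem, paddr)[0]

def vtop(mem, dtb, vaddr):
    """Forward walk, as IA32PagedMemory does: virtual -> physical, None if unmapped."""
    pde = read_entry(mem, (dtb & PAGE_MASK) + ((vaddr >> 22) << 2))
    if not pde & PRESENT:
        return None
    if pde & LARGE:
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_entry(mem, (pde & PAGE_MASK) + (((vaddr >> 12) & 0x3FF) << 2))
    if not pte & PRESENT:
        return None
    return (pte & PAGE_MASK) | (vaddr & 0xFFF)

def ptov(mem, dtb, paddr):
    """Reverse lookup, the pas2kas idea: every virtual address that maps to paddr."""
    hits = []   # a physical page can be mapped more than once
    for i in range(1024):
        pde = read_entry(mem, (dtb & PAGE_MASK) + (i << 2))
        if not pde & PRESENT:
            continue
        if pde & LARGE:
            if (pde & 0xFFC00000) == (paddr & 0xFFC00000):
                hits.append((i << 22) | (paddr & 0x3FFFFF))
            continue
        for j in range(1024):
            pte = read_entry(mem, (pde & PAGE_MASK) + (j << 2))
            if pte & PRESENT and (pte & PAGE_MASK) == (paddr & PAGE_MASK):
                hits.append((i << 22) | (j << 12) | (paddr & 0xFFF))
    return sorted(hits)
```

Pointing vtop at a DTB that is not the physical address of a page directory in this image (0x3000 here) yields nothing, which is why a DTB value copied from another dump does not help: the value is only meaningful with the page tables it points at.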
Greetings,
I'm seeing the following errors when attempting to run volatility with
'malfind' and referencing yara. This used to work fine on yara 1.4, but
now fails on 1.6. I'm wondering what might have happened and how to
resolve it.
~/vol.py -f purple.vmem --profile=WinXPSP3x86 malfind -D /home/apollo/workspace/dump_dir/ --yara-rules="http://" -p 1004
Volatile Systems Volatility Framework 2.1_alpha
Name Pid Start End Tag Hits Protect
Traceback (most recent call last):
  File "/home/apollo/vol.py", line 135, in <module>
    main()
  File "/home/apollo/vol.py", line 126, in main
    command.execute()
  File "/home/sportivo/tools/Volatility/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py", line 1042, in render_text
    for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
  File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py", line 992, in calculate
    for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
  File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py", line 923, in get_vads
    yield (ps_ad, start, end, vad.Tag, vad.Flags.Protection >> 24, data)
  File "/home/sportivo/tools/Volatility/volatility/obj.py", line 777, in __getattr__
    return self.m(attr)
  File "/home/sportivo/tools/Volatility/volatility/obj.py", line 762, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VadRoot has no member Flags
Any thoughts or ideas are welcome. Thanks!
Andre'
--
Andre' M. DiMino
DeepEnd REsearch
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
I just did an svn update to version 1327 and I'm now noticing the
following errors upon execution of any volatility command. For example:
~/tools/Volatility/vol.py -f XP_SP3.vmem imageinfo
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
:
snip
:
~/tools/Volatility/vol.py -f XP_SP3.vmem --profile=WinXPSP3x86 connscan
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x0219fa40 0.0.0.0:19272 0.0.0.0:55542 2147487916
~/tools/Volatility/vol.py -f XP_SP3.vmem --profile=WinXPSP3x86 modules
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
*** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types')
Offset(V)  File                            Base         Size     Name
0x823fc3a0 \WINDOWS\system32\ntkrnlpa.exe  0x00804d7000 0x1f8580 ntoskrnl.exe
0x823fc338 \WINDOWS\system32\hal.dll       0x00806d0000 0x020300 hal.dll
:
snip
:
Everything seems to complete OK so far, but I'm wondering what might
have caused these new error messages.
Thanks!
Andre'
--
Andre' M. DiMino
DeepEnd REsearch
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
Hello,
In the last few weeks I've tried to analyze Linux memory dumps with the
volatility-linux version (revision 1313 from svn).
My goal is to show that it is possible to discover hidden processes,
kernel modules etc. (for example from a rootkit) from a memory dump, by
comparing the output from the memory dump analysis with the native
execution of the system commands.
I created a profile for the current stable Debian version.
Trying to use this profile leads to the following TypeError:
python volatility.py --profile=LinuxDebian26325 -f ~/Desktop/LF32.ram linux_task_list_ps
Volatile Systems Volatility Framework 1.4_rc1
Name Pid Uid
Traceback (most recent call last):
  File "volatility.py", line 129, in <module>
    main()
  File "volatility.py", line 120, in main
    command.execute()
  File "/home/dark-eye/Sources/volatility_linux/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 59, in render_text
    for task in data:
  File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 50, in calculate
    for task in linux_common.walk_list_head("task_struct", "tasks", init_task.tasks, self.addr_space):
  File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_common.py", line 110, in walk_list_head
    yield obj.Object(struct_name, offset = list_ptr - offset, vm = addr_space)
TypeError: unsupported operand type(s) for -: 'instancemethod' and 'int'
I would really appreciate being able to debug, or help to debug, this issue.
Sadly I can't find a way to evaluate the correctness of the kernel profile.
Is this a known problem with volatility-linux, or could it be the result of
a mistake I made while creating the Debian profile?
Thanks for every hint!
Greetings
Patrick
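A small model of the cross-view check the post above is after (walking init_task's tasks list the way walk_list_head does, then comparing against a carve of task_struct-like records), added as example code that is not from the list, from volatility-linux, or from the poster. The struct layout, addresses and process names are constructed and the image is treated as flat memory; a real profile supplies the real member offsets and a real dump needs address translation.

```python
import struct

# Constructed 32-bit image (not a real dump). Assumed task_struct layout:
# pid at +0x00 (u32), comm at +0x04 (16 bytes), tasks list_head at +0x14
# (next, prev as u32). Addresses are flat offsets into MEM; a real dump
# needs address translation and the real offsets from a profile.
TASKS_OFF, TASK_SIZE = 0x14, 0x20
INIT_TASK, MEM = 0x1000, bytearray(0x2000)

def put_task(addr, pid, comm, nxt, prv):
    # tasks.next / tasks.prev point at the *list_head* inside the other tasks
    struct.pack_into("<I16sII", MEM, addr, pid, comm.encode(),
                     nxt + TASKS_OFF, prv + TASKS_OFF)

put_task(0x1000, 0, "swapper", 0x1020, 0x1040)     # init_task
put_task(0x1020, 1, "init", 0x1040, 0x1000)
put_task(0x1040, 812, "sshd", 0x1000, 0x1020)
put_task(0x1060, 1337, "evil", 0x1060, 0x1060)     # unlinked from the tasks ring

def read_task(mem, addr):
    pid, comm, nxt, prv = struct.unpack_from("<I16sII", mem, addr)
    return {"addr": addr, "pid": pid, "next": nxt, "prev": prv,
            "comm": comm.split(b"\0", 1)[0].decode("latin-1")}

def walk_list_head(mem, member_off, head_addr):
    """Follow list_head.next around the ring, yielding each container struct
    (container = node - member_off, member_off being an int byte offset)."""
    seen, node = set(), head_addr
    while node not in seen and 0 <= node - member_off <= len(mem) - TASK_SIZE:
        seen.add(node)                      # stops loops in a corrupted list
        task = read_task(mem, node - member_off)
        yield task
        node = task["next"]

def pslist(mem):
    """What linux_task_list_ps reports: everything reachable from init_task.tasks."""
    return [(t["pid"], t["comm"]) for t in walk_list_head(mem, TASKS_OFF, INIT_TASK + TASKS_OFF)]

def psscan(mem):
    """Carve task_struct candidates: plausible pid, printable comm, pointers inside the image."""
    found = []
    for addr in range(0, len(mem) - TASK_SIZE + 1, TASK_SIZE):
        t = read_task(mem, addr)
        if (0 < t["pid"] < 65536 and t["comm"] and t["comm"].isprintable()
                and all(0 < p < len(mem) for p in (t["next"], t["prev"]))):
            found.append((t["pid"], t["comm"]))
    return found

def hidden_tasks(mem):
    """Cross-view check: carved tasks that the linked list never reaches."""
    return sorted(set(psscan(mem)) - set(pslist(mem)))
```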
In case you may have missed it, Volatility 2.0 has been nominated for the
ISSA Journal's Toolsmith Tool of the Year. If you believe in open source
forensics tools and want to show your support for the Volatility team,
please take a few moments to cast your vote! Feel free to tell all your
friends and family to vote as well! You have until January 31 to vote from
all your machines!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-y…
X September - Volatility for memory analysis
If you need extra motivation, you may want to check out the 64-bit Beta
support recently merged into trunk! Bug reports welcome! Enjoy!
Thanks,
The Volatility Project (TVP)