How was this sample acquired? Have you tried running any other
plugins, like psscan or modscan, on it? It's interesting because some
information is populating correctly there but you have no processes or
modules... Try psscan and modscan and let us know what happens.
On Mon, Feb 18, 2013 at 4:53 PM, David Kovar <dkovar(a)gmail.com> wrote:
Greetings,
I'm unable to run scan tasks against a memory image and get "AttributeError:
Could not list tasks, please verify your --profile with kdbgscan". I'm using
2.3_alpha updated just a moment ago.
imageinfo:
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/usr/local/malware/XXXXXXX/XXXX-memdump.mem)
PAE type : PAE
DTB : 0x187000L
KDBG : 0xf80002ff70a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xf80002ff8d00
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2013-02-01 17:40:54 UTC+0000
Image local date and time : 2013-02-01 09:40:54 -0800
kdbgscan:
Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 kdbgscan -f *.mem
Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP0x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
Thanks for any help you might be able to offer.
-David
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
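
An added example, not part of either message and not Volatility's own code: a small Python triage over kdbgscan text output that flags the condition discussed in this thread, a KDBG candidate whose owner tag and MZ checks pass but whose process and module lists report zero entries. The function names and verdict labels are assumptions of this example; the sample input is abridged from the output quoted above.

```python
import re

# Sample input: two kdbgscan candidate blocks abridged from the post above.
SAMPLE = """\
**************************************************
Offset (V) : 0xf80002ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
**************************************************
Offset (V) : 0xf80002ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP0x64
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
"""
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")   # "name : value" lines
COUNT = re.compile(r"\((\d+) (?:processes|modules)\)")

def parse_kdbgscan(text):
    """Split kdbgscan output on the asterisk rulers; return one dict per candidate."""
    candidates = []
    for block in re.split(r"^\*{10,}[ \t]*$", text, flags=re.M):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if "Offset (V)" in fields:
            candidates.append(fields)
    return candidates

def triage(fields):
    """Return 'ok', 'lists-empty' or 'suspect-header' for one parsed candidate."""
    def count(key):
        m = COUNT.search(fields.get(key, ""))
        return int(m.group(1)) if m else None
    procs, mods = count("PsActiveProcessHead"), count("PsLoadedModuleList")
    header_ok = (fields.get("KDBG owner tag check") == "True"
                 and "Matches MZ: True" in fields.get("KernelBase", ""))
    if not header_ok:
        return "suspect-header"
    # Header validated but a list walk found nothing: the situation in this thread.
    return "ok" if procs and mods else "lists-empty"

def report(text):
    """(profile suggestion, verdict) for every KDBG candidate in the output."""
    return [(c.get("Profile suggestion (KDBGHeader)"), triage(c))
            for c in parse_kdbgscan(text)]

if __name__ == "__main__":
    for profile, verdict in report(SAMPLE):
        print(profile, verdict)
```

A `lists-empty` verdict is the case in which the reply suggests trying psscan and modscan.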