Hey David,
Greetings,
I am unable to get a viable profile for two different images. I built V2.2 on a MacBook Pro running 10.8.2.
This one may be a bad image:
<kdbgscan returns silently>
DawnTreader:Mem Analysis kovar$ vol.py -f *dmp kdbgscan
Volatile Systems Volatility Framework 2.2
DawnTreader:Mem Analysis kovar$ vol.py -f *dmp imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted-27-09-2012-10-47-50.dmp)
PAE type : No PAE
----------------
But this one loads in Mandiant Redline but Volatility will not produce any valid results. I've tried all three profiles with no success.
DawnTreader:Mem Analysis kovar$ vol.py -f *mem imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted_memdump.mem)
PAE type : PAE
DTB : 0x1595000L
KDBG : 0x808943e0
Number of Processors : 2
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000
KPCR for CPU 1 : 0xf772f000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-10-01 19:31:06 UTC+0000
Image local date and time : 2012-10-01 13:31:06 -0600
DawnTreader:Mem Analysis kovar$ vol.py -f *mem kdbgscan
Volatile Systems Volatility Framework 2.2
**************************************************
Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
Offset (P) : 0x8943e0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP1x86
Version64 : 0x8943b8 (Major: 15, Minor: 3790)
PsActiveProcessHead : 0x808ad0c8
PsLoadedModuleList : 0x808a6ea8
KernelBase : 0x80800000
**************************************************
Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
Offset (P) : 0x8943e0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP2x86
Version64 : 0x8943b8 (Major: 15, Minor: 3790)
PsActiveProcessHead : 0x808ad0c8
PsLoadedModuleList : 0x808a6ea8
KernelBase : 0x80800000
**************************************************
Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
Offset (P) : 0x8943e0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP0x86
Version64 : 0x8943b8 (Major: 15, Minor: 3790)
PsActiveProcessHead : 0x808ad0c8
PsLoadedModuleList : 0x808a6ea8
KernelBase : 0x80800000
DawnTreader:Mem Analysis kovar$ vol.py -f *mem --profile=Win2003SP0x86 pslist
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Win2003SP0x86 selected
JKIA32PagedMemory: No valid DTB found
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
-----
Thanks for any help you might be able to offer.
-David
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users