Thanks for the detailed response. I would be more than happy to share the image. Just tell me where to upload it to.

On Aug 22, 2012 6:39 PM, "Michael Hale Ligh" <michael.hale@gmail.com> wrote:
Hey Jon, 

On Wed, Aug 22, 2012 at 1:54 PM, Jon Nelson <dotcop@gmail.com> wrote:
psscan, modscan, driverscan, filescan, mutantscan, symlinkscan, thrdscan, and netscan produced no output other than the header.

So the main three reasons I can think of for these scanners failing are:

1) the image is corrupt (i.e. the acquisition tool didn't capture several areas of memory)
2) malware modified pool tags (i.e. DKOM)
3) the wrong profile is being used

So they are all possibilities, but let's discuss their likelihood. #1 is unlikely IMO because kdbgscan was able to print lines like these:

Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0

Those values are extracted from the ntoskrnl.exe kernel driver, which means at least one module is in memory...yet modscan doesn't pick it up. #2 is unlikely because malware that uses DKOM typically does so to hide an individual process, not overwrite an object's pool tags (although its possible). Plus I'd expect if malware did overwrite pool tags, it would do it for certain objects only (i.e. just processes and threads or just network objects) and not all tags associated with all objects. #3 is unlikely - we know from kdbgscan output that its SP1 something. We know its x86 and not x64 because kdbgscan is able to find a valid DTB. Out of the kdbgscan suggestions, you've already tried both VistaSP1x86 and Win2008SP1x86 and neither seemed to work. 

So pretty strange, I don't know what the problem is at this point. If its just a testing/training image (i.e. doesn't contain sensitive information) and you can share it with the volatility dev team, we'll be glad to take a look and report back what we find. That would reduce the number of emails back and forth and is probably your best bet to figuring it out. If you want, we have private drop boxes where you can upload the image and it will only be accessible by a few devs. Let me know. 
 
impscan, svcscan, and cmdscan all returned errors.

That makes sense. Although they have "scan" in the name, these three plugins scan process memory as opposed to the ones you listed above (psscan, modscan, etc...). Thus if no processes can be found (i.e. pslist fails) then all 3 of these will fail with the same error. 
 
hivescan returned a bunch of offsets with no other info

That's OK. The output of hivescan is supposed to only contain offsets. See [1]. Perhaps you could try hivelist which lists the offsets plus the path to the hive. See [2]. 

[1]. http://code.google.com/p/volatility/wiki/CommandReference21#hivescan
[2]. http://code.google.com/p/volatility/wiki/CommandReference21#hivelist
 
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86 --kdbg=0x8193ec90 cmdscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
  File "<string>", line 185, in <module>
  File "<string>", line 176, in main
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
  File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 670, in render_text
  File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 656, in calculate
  File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 624, in cmdhistory_process_filter
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
  File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with kdbgscan

C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 hivescan
Volatile Systems Volatility Framework 2.1
Offset(P)
----------
0x00553008
0x01ca9008
0x01d09008
0x0cbea008
0x4072b008
0x48c31008
0x4cdfa008
0x4f4ee008
0x53217850
0x5841d008
0x62aa0008
0x6dc6a850
0x7d5a6850

C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 svcscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
  File "<string>", line 185, in <module>
  File "<string>", line 176, in main
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
  File "C:\volatility\volatility\plugins\malware\svcscan.py", line 307, in render_text
  File "C:\volatility\volatility\plugins\malware\svcscan.py", line 271, in calculate
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
  File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with kdbgscan

C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 impscan
Volatile Systems Volatility Framework 2.1
IAT        Call       Module               Function
---------- ---------- -------------------- --------
Traceback (most recent call last):
  File "<string>", line 185, in <module>
  File "<string>", line 176, in main
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
  File "C:\volatility\volatility\plugins\malware\impscan.py", line 361, in render_text
  File "C:\volatility\volatility\plugins\malware\impscan.py", line 253, in calculate
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
  File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with kdbgscan


On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy <jamie.levy@gmail.com> wrote:
Cool, no worries.  I'm guessing it was missed in the crossfire.

Just looking at your directory listing I might have guessed it was
FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd

of course I could be wrong since "AD" may refer to something else...

Try as many "scanning" plugins as you can muster and see if anything
comes out while we think of something else.  BTW, we aren't helping
you cheat are we?  ;-) The thought occurred to me that this sample
could be intentionally broken.



On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop@gmail.com> wrote:
> The answer to that question was in previous email where I posted the entire
> kdbgscan output. I believe the mdd was used to acquire the image.
>
>
> On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <michael.hale@gmail.com>
> wrote:
>>
>> Hey Jon,
>>
>> > Was there any more output from kdbgscan (other than what you pasted
>> > in the first email)? If so can you paste the entire output of kdbgscan,
>> > please?
>>
>> You didn't answer that question above...does that mean there is *not* any
>> additional kdbgscan output other than what you pasted in the first email?
>>
>> Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
>> commands also? What software was used to acquire the memory dump?
>>
>> Thanks,
>> MHL
>>
>> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop@gmail.com> wrote:
>>>
>>> As far as modscan I also just get the header and nothing further.
>>>
>>>
>>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
>>> <michael.hale@gmail.com> wrote:
>>>>
>>>> Hey Jon,
>>>>
>>>> Was there any more output from kdbgscan (other than what you pasted in
>>>> the first email)? If so can you paste the entire output of kdbgscan, please?
>>>>
>>>> The fact that psscan doesn't show results is definitely strange. What
>>>> about the modscan command?
>>>>
>>>> Thanks!
>>>> MHL
>>>>
>>>>
>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop@gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop@gmail.com> wrote:
>>>>>>
>>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>>>>>>
>>>>>> and...
>>>>>>
>>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>>>>>>
>>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno@gmail.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> Can you paste the command line invocation you are running Vol with?
>>>>>>>
>>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop@gmail.com> wrote:
>>>>>>> > I am using the 2.1 Windows standalone exe.
>>>>>>> >
>>>>>>> > I have a dd image of memory from the subject operating system and
>>>>>>> > when I try
>>>>>>> > to use pslist with the Win2008SP1x86 profile I get the following
>>>>>>> > errors:
>>>>>>> >
>>>>>>> > Traceback (most recent call last):
>>>>>>> >   File "<string>", line 185, in <module>
>>>>>>> >   File "<string>", line 176, in main
>>>>>>> >   File
>>>>>>> >
>>>>>>> > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>>>>>>> > line 111, in execute
>>>>>>> >   File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
>>>>>>> > render_text
>>>>>>> >   File
>>>>>>> >
>>>>>>> > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>>>>>>> > line 72, in pslist
>>>>>>> >   File
>>>>>>> > "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>>>>>>> > line 40, in processes
>>>>>>> > AttributeError: Could not list tasks, please verify your --profile
>>>>>>> > with
>>>>>>> > kdbgscan
>>>>>>> >
>>>>>>> >
>>>>>>> > When I try to verify my profile with kdbgscan I get the following
>>>>>>> > for all
>>>>>>> > profiles:
>>>>>>> >
>>>>>>> >  **************************************************
>>>>>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>>>>>>> > Offset (V)                    : 0x8193ec90
>>>>>>> > Offset (P)                    : 0x193ec90
>>>>>>> > KDBG owner tag check          : True
>>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>>>>>>> > Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
>>>>>>> > Service Pack (CmNtCSDVersion) : 1
>>>>>>> > Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
>>>>>>> > PsActiveProcessHead           : 0x81954990 (0 processes)
>>>>>>> > PsLoadedModuleList            : 0x8195ec70 (0 modules)
>>>>>>> > KernelBase                    : 0x81847000 (Matches MZ: True)
>>>>>>> > Major (OptionalHeader)        : 6
>>>>>>> > Minor (OptionalHeader)        : 0
>>>>>>> > KPCR                          : 0x8193f800 (CPU 0)
>>>>>>> > KPCR                          : 0x803d1000 (CPU 1)
>>>>>>> >
>>>>>>> > Any help would be greatly appreciated.
>>>>>>> >
>>>>>>> > Jon
>>>>>>> >
>>>>>>> > _______________________________________________
>>>>>>> > Vol-users mailing list
>>>>>>> > Vol-users@volatilityfoundation.org
>>>>>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>>> >
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Vol-users mailing list
>>>>> Vol-users@volatilityfoundation.org
>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>
>>>>
>>>
>>
>
>
> _______________________________________________
> Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>



--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92