Greetings,

I'm unable to run scan tasks against a memory image and get "AttributeError:
Could not list tasks, please verify your --profile with kdbgscan". I'm using
2.3_alpha updated just a moment ago.

imageinfo:
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/usr/local/malware/XXXXXXX/XXXX-memdump.mem)
PAE type : PAE
DTB : 0x187000L
KDBG : 0xf80002ff70a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xf80002ff8d00
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2013-02-01 17:40:54 UTC+0000
Image local date and time : 2013-02-01 09:40:54 -0800

kdbgscan:
Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 kdbgscan -f *.mem
Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP0x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)

Thanks for any help you might be able to offer.
-David