Jesse, what you're showing looks like it should
work just fine...
could you run a pslist (not psscan) and provide full output?
btw, AAron is looking for a file like yours (it has two regions instead of
0, which implies only a single region).
can you tell us how you've made the vmware snapshot and which
product/versions you've used to make it?
thanks!
On Fri, Jul 6, 2012 at 5:56 PM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Trying imageinfo with a debug flag ends like
this:
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0xb3752d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address: 0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 187000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0xb3754d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
--Return--
/usr/local/src/volatility-read-only-may-01/volatility/debug.py(88)b()->None
-> pdb.set_trace()
(Pdb)
Cheers,
Jesse
On Fri, Jul 6, 2012 at 10:52 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
> Ah, actually I see that that is no better... :(
>
> First 1024:
>
> # dd if=myimage.vmss bs=1 count=1024 | xxd
> 1024+0 records in
> 1024+0 records out
> 1024 bytes (1.0 kB) copied, 0.00110567 s, 926 kB/s
> 0000000: d2be d2be 0800 0000 5b00 0000 4368 6563 ........[...Chec
> 0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000 kpoint..........
> 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000040: 0000 0000 0000 0000 0000 0000 7c1c 0000 ............|...
> 0000050: 0000 0000 ab03 0000 0000 0000 6370 7500 ............cpu.
> 0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000090: 0000 0000 0000 0000 0000 0000 2720 0000 ............' ..
> 00000a0: 0000 0000 cce1 0300 0000 0000 4275 734d ............BusM
> 00000b0: 656d 5361 6d70 6c65 0000 0000 0000 0000 emSample........
> 00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000e0: 0000 0000 0000 0000 0000 0000 f301 0400 ................
> 00000f0: 0000 0000 4f00 0000 0000 0000 4275 734d ....O.......BusM
> 0000100: 656d 5365 7276 6963 6573 0000 0000 0000 emServices......
> 0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000130: 0000 0000 0000 0000 0000 0000 4202 0400 ............B...
> 0000140: 0000 0000 1200 0000 0000 0000 5555 4944 ............UUID
> 0000150: 564d 5800 0000 0000 0000 0000 0000 0000 VMX.............
> 0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000180: 0000 0000 0000 0000 0000 0000 5402 0400 ............T...
> 0000190: 0000 0000 2e00 0000 0000 0000 5374 6174 ............Stat
> 00001a0: 654c 6f67 6765 7200 0000 0000 0000 0000 eLogger.........
> 00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001d0: 0000 0000 0000 0000 0000 0000 8202 0400 ................
> 00001e0: 0000 0000 0200 0000 0000 0000 6d65 6d6f ............memo
> 00001f0: 7279 0000 0000 0000 0000 0000 0000 0000 ry..............
> 0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000220: 0000 0000 0000 0000 0000 0000 8402 0400 ................
> 0000230: 0000 0000 7efd 0000 0100 0000 4d53 7461 ....~.......MSta
> 0000240: 7473 0000 0000 0000 0000 0000 0000 0000 ts..............
> 0000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000270: 0000 0000 0000 0000 0000 0000 0200 0500 ................
> 0000280: 0100 0000 3619 0000 0000 0000 536e 6170 ....6.......Snap
> 0000290: 7368 6f74 0000 0000 0000 0000 0000 0000 shot............
> 00002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002c0: 0000 0000 0000 0000 0000 0000 3819 0500 ............8...
> 00002d0: 0100 0000 a971 0000 0000 0000 7069 6300 .....q......pic.
> 00002e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000310: 0000 0000 0000 0000 0000 0000 e18a 0500 ................
> 0000320: 0100 0000 0e07 0000 0000 0000 5469 6d65 ............Time
> 0000330: 5472 6163 6b65 7200 0000 0000 0000 0000 Tracker.........
> 0000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000360: 0000 0000 0000 0000 0000 0000 ef91 0500 ................
> 0000370: 0100 0000 9900 0000 0000 0000 466c 6f70 ............Flop
> 0000380: 7079 0000 0000 0000 0000 0000 0000 0000 py..............
> 0000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003b0: 0000 0000 0000 0000 0000 0000 8892 0500 ................
> 00003c0: 0100 0000 8c91 0000 0000 0000 4775 6573 ............Gues
> 00003d0: 744d 7367 0000 0000 0000 0000 0000 0000 tMsg............
> 00003e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
>
>
>
> On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
>
>> Seems better:
>>
>> root@Forensic-1:/case2/4132012/biweb/mem#
>> /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>>
>> Volatile Systems Volatility Framework 2.1_alpha
>> Offset(P) Name PID PPID PDB Time
>> created Time exited
>> ---------- ---------------- ------ ------ ----------
>> ------------------------ ------------------------
>> No suitable address space mapping found
>> Tried to open image as:
>> ...
>>
>> VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> ...
>>
>>
>>
>>
>>
>> On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
>>
>>> Try to place them in volatility/plugins/addrspaces/ instead and then
>>> do a `make clean` before running
>>>
>>>
>>>
>>> On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
>>> > Disclaimer:
>>>
>>> > So I took Nir's files, and dropped them into my plugins folder...I did not
>>> > see any new plugins using vol.py -h, and when I tried to do an imageinfo I
>>> > got:
>>>
>>> > /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
>>>
>>> > Volatile Systems Volatility Framework 2.1_alpha
>>> > Determining profile based on KDBG search...
>>>
>>> > Traceback (most recent call last):
>>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>>> >     main()
>>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>>> >     command.execute()
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>>> >     func(outfd, data)
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 34, in render_text
>>> >     for k, v in data:
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 44, in calculate
>>> >     suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 119, in calculate
>>> >     for offset in scanner.scan(aspace):
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 83, in scan
>>> >     for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>>> >     skip = max(skip, s.skip(data, i))
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>>> >     nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute 'index'
>>>
>>> > So:
>>>
>>> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>>>
>>> > Volatile Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created Time exited
>>> > ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
>>> > No suitable address space mapping found
>>> > Tried to open image as:
>>> > WindowsHiberFileSpace32: No base Address Space
>>> > VMWareSnapshotFile: No base Address Space
>>> > WindowsCrashDumpSpace32: No base Address Space
>>> > AMD64PagedMemory: No base Address Space
>>> > JKIA32PagedMemory: No base Address Space
>>> > JKIA32PagedMemoryPae: No base Address Space
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>>> > WindowsCrashDumpSpace32: Header signature invalid
>>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>>> > JKIA32PagedMemory: Failed valid Address Space check
>>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > FileAddressSpace: Must be first Address Space
>>>
>>> > At least it doesn't crash. So now:
>>>
>>> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 psscan
>>>
>>> > Volatile Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created Time exited
>>> > ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>>> >     main()
>>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>>> >     command.execute()
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>>> >     func(outfd, data)
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
>>> >     for eprocess in data:
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
>>> >     for offset in PoolScanProcess().scan(address_space):
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
>>> >     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>>> >     skip = max(skip, s.skip(data, i))
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>>> >     nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute 'index'
>>>
>>> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>>>
>>> > Volatile Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created Time exited
>>> > ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>>> >     main()
>>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>>> >     command.execute()
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>>> >     func(outfd, data)
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
>>> >     for eprocess in data:
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
>>> >     for offset in PoolScanProcess().scan(address_space):
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
>>> >     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>>> >     skip = max(skip, s.skip(data, i))
>>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>>> >     nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute 'index'
>>>
>>> > I have limited testing time the next couple weeks, so will look to see if I
>>> > can share this with someone like SA in the meantime...
>>>
>>> > Cheers,
>>>
>>> > Jesse
>>>
>>>
>>> > On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>>> >>
>>> >> I assume you need it for something other than test my patch,
>>> >> I can send parts of the vmss of the machine I already noticed more
>>> than
>>> >> one region.
>>> >> could you use that to gather the info you need?
>>> >>
>>> >> btw, I'm also using vmware converter standalone pretty often, it might
>>> >> also be related
>>> >>
>>> >>
>>> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net> wrote:
>>> >>>
>>> >>>
>>> >>> Nir,
>>> >>>
>>> >>>
>>> >>>> AAron - actually it was quite rare, but the first vmss I used to test the patch
>>> >>>> had two or three, which made my patch break when I first tested it on other
>>> >>>> VMs.
>>> >>>> I could try to pinpoint it, but I guess it would be easier for me to reverse
>>> >>>> the vmware code than try it manually :)
>>> >>>> A thing to note is that that vmss also had two virtual CPUs, which might have
>>> >>>> caused having more than one region. It also had ~4G of RAM. Most of the other
>>> >>>> VMs I used only had about 512M.
>>> >>>> Did you try to run it on other vmss files that resemble the one I described?
>>> >>>
>>> >>>
>>> >>> Interesting. I have never seen a vmss with multiple regions. If you
>>> >>> happen to come across one again, please let me know. I'd be interested in
>>> >>> what conditions or what product leads to more than one region.
>>> >>>
>>> >>> Thanks,
>>> >>>
>>> >>> AW
>>> >>
>>> >>
>>>
>>>
>>>
>>> > --
>>> > Jesse Bowling
>>>
>>>
>>>
>>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users(a)volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
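Added example (not code from this thread and not Volatility's own vmware address space): a small parser for the part of the .vmss header that the 1024-byte xxd dump in the thread exposes, so a file can be sanity-checked before any profile or --dtb guessing starts. The layout it assumes is read straight off that dump: magic 0xBED2BED2 at offset 0 ("d2be d2be"), a 4-byte field at offset 4 (8 in the dump, left uninterpreted here), the group count at offset 8 (0x5b = 91 in the dump), then 80-byte group entries made of a 64-byte NUL-padded name, a 64-bit tags offset and a 64-bit tags size, all little-endian. The sample header is constructed from the first seven entries transcribed from the dump with the group count reduced to 7; the crash-dump-like buffer is made up. Two checks fall out of the numbers on the page: every group's tag block in the dump starts exactly where the previous one ends, and the memory group's tag size 0x10000FD7E is 4 GiB plus 0xFD7E bytes, which matches the two regions (0xC0000000 + 0x40000000 = 4 GiB) the debug run reports.

```python
import struct

# Layout observed in the 1024-byte dump posted in this thread (assumed here
# to hold for .vmss/.vmsn files in general):
#   0x00  u32  magic        0xBED2BED2 ("d2be d2be" in the xxd output)
#   0x04  u32  field left uninterpreted here (8 in the dump)
#   0x08  u32  group count  (0x5b = 91 in the dump)
#   0x0C  group table, 80 bytes per entry:
#         char[64] name, NUL padded; u64 tags offset; u64 tags size
# All integers are little-endian.
VMSS_MAGIC = 0xBED2BED2
HEADER_FMT = "<III"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 12
GROUP_FMT = "<64sQQ"
GROUP_SIZE = struct.calcsize(GROUP_FMT)     # 80


class VmssHeaderError(ValueError):
    """Raised when the input does not look like a VMware snapshot header."""


def parse_group_table(data):
    """Validate the magic and return (field_at_4, [(name, offset, size), ...])."""
    if len(data) < HEADER_SIZE:
        raise VmssHeaderError("input shorter than the %d-byte header" % HEADER_SIZE)
    magic, field4, count = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != VMSS_MAGIC:
        # Same condition the Volatility address space reports as 'Header signature invalid'.
        raise VmssHeaderError("Header signature invalid: 0x%08X" % magic)
    needed = HEADER_SIZE + count * GROUP_SIZE
    if len(data) < needed:
        raise VmssHeaderError("group table truncated: need %d bytes, have %d" % (needed, len(data)))
    groups = []
    for i in range(count):
        raw_name, offset, size = struct.unpack_from(GROUP_FMT, data, HEADER_SIZE + i * GROUP_SIZE)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        groups.append((name, offset, size))
    return field4, groups


def check_layout(groups, file_size=None):
    """Heuristic checks. In the posted dump every group's tag block starts exactly
    where the previous one ends, so a gap or overlap is worth a look; a block
    that runs past the end of the file means a truncated image."""
    problems = []
    for (pname, poff, psize), (cname, coff, _) in zip(groups, groups[1:]):
        if poff + psize != coff:
            problems.append("tag blocks of %s and %s are not contiguous" % (pname, cname))
    if file_size is not None:
        for name, offset, size in groups:
            if offset + size > file_size:
                problems.append("%s tag block runs past end of file" % name)
    return problems


def find_group(groups, name):
    """Return the (name, offset, size) entry for a group, or None."""
    for entry in groups:
        if entry[0] == name:
            return entry
    return None


def guest_ram_estimate(groups):
    """Bytes of guest RAM implied by the 'memory' group, rounded down to a MiB;
    the tag block also carries tag headers, so it is a little larger than RAM."""
    entry = find_group(groups, "memory")
    if entry is None:
        return None
    return (entry[2] // (1024 * 1024)) * 1024 * 1024


def build_header(groups, field4=8):
    """Serialise a header plus group table (used below to construct the sample)."""
    out = struct.pack(HEADER_FMT, VMSS_MAGIC, field4, len(groups))
    for name, offset, size in groups:
        out += struct.pack(GROUP_FMT, name.encode("ascii"), offset, size)
    return out


# Constructed sample: the first seven group entries transcribed from the dump
# in the thread (the real file declares 91 groups; this header declares 7).
SAMPLE_GROUPS = [
    ("Checkpoint",     0x1C7C,   0x3AB),
    ("cpu",            0x2027,   0x3E1CC),
    ("BusMemSample",   0x401F3,  0x4F),
    ("BusMemServices", 0x40242,  0x12),
    ("UUIDVMX",        0x40254,  0x2E),
    ("StateLogger",    0x40282,  0x2),
    ("memory",         0x40284,  0x10000FD7E),
]
SAMPLE_HEADER = build_header(SAMPLE_GROUPS)

# Constructed non-snapshot input: a buffer that starts with the crash-dump tag
# "PAGEDU64", to exercise the invalid-signature path.
NOT_A_VMSS = b"PAGEDU64" + b"\x00" * 1024


if __name__ == "__main__":
    field4, groups = parse_group_table(SAMPLE_HEADER)
    for name, offset, size in groups:
        print("%-16s tags at 0x%X, %d bytes" % (name, offset, size))
    print("layout problems:", check_layout(groups) or "none")
    print("guest RAM estimate: %d MiB" % (guest_ram_estimate(groups) // (1024 * 1024)))
    try:
        parse_group_table(NOT_A_VMSS)
    except VmssHeaderError as exc:
        print("crash dump rejected:", exc)
```

On a real file, read the first 12 + 80 * count bytes and pass os.path.getsize(path) to check_layout; a magic mismatch here is the same condition the address space reports as 'Header signature invalid', and a memory tag block that does not cover the VM's configured RAM points at a truncated or partial snapshot rather than at a profile problem.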