Ah, the good old “here’s a partial memory dump for you to analyze”.
Sadly, this happens quite often.
Thanks for the update!
Michael
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
On Apr 7, 2014, at 4:45 PM, Carlos Angeles <cangeles(a)gmail.com> wrote:
Andrew, Michael,
The person that captured the image hasn't been in the office for a
while and I was finally able to ask him about the capture. He used
FTK Imager, but he doesn't know the exact version but it's 3.1.x. I
now know what the problem was/is with image. He told me that he was
only able to capture 4GB because of a limitation of the tool. Kind of
wish that information was passed on to me before I started working on
it. ;-D
Also, Michael, your suggestion to use psscan did reveal some
processes. It looked rather small, and now I know why.
Thanks for your help!
Carlos
On Sun, Apr 6, 2014 at 1:18 PM, Michael Ligh <michael.ligh(a)mnin.org> wrote:
> Hi Carlos,
>
> There are a few things going on. First, there's a bug in imageinfo which causes
> Volatility to crash when parsing the CPU addresses - I'll send you a fix for that
> separately, but it won't affect the rest of your analysis.
>
> When a KDBG structure can be found, but there are 0 processes and 0 modules, it
> almost always indicates a corrupt memory dump. In particular, the acquisition tool
> probably didn't acquire *all* physical memory ranges (or it failed to align them in
> the output file properly). Recently, I looked at a similar case where the virtual address
> of PsActiveProcessHead translated to a physical offset that was higher than the number of
> bytes in the memory dump (thus the memory dump file was truncated and missing some data).
>
> I'd be interested if psscan shows you a partial list of processes. If so, you may
> be able to perform limited analysis, by passing the physical offsets of the _EPROCESS
> structures to plugins like handles, dlllist, vaddump, etc (the -o/--offset option).
>
> Talk to you soon,
> MHL
>
> --------------------------------------------------
> Michael Ligh (@iMHLv2)
> GPG: http://mnin.org/gpg.pubkey.txt
> Blog: http://volatility-labs.blogspot.com
> Training: http://memoryanalysis.net
>
> On Apr 6, 2014, at 2:29 PM, Andrew Case <atcuno(a)gmail.com> wrote:
>
>> Hello,
>>
>> Do you know which tool was used to acquire memory? Also, how much RAM
>> does the system have?
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 4/2/2014 4:45 PM, Carlos Angeles wrote:
>>> Hello,
>>>
>>> I'm getting some KDBG errors when examining a Windows Server 2008 R2
>>> server memory image. I saw a similar post to this list back in August
>>> 2012 (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00056…)
>>>
>>> Here's the output from a few plugins. It was captured by another
>>> person and I don't know what tool or version he used.
>>>
>>> Does it look like the memory image is corrupted?
>>>
>>> Thanks,
>>> Carlos
>>>
>>>
>>> $ vol.py -f memdump.mem imageinfo
>>> Volatility Foundation Volatility Framework 2.3.1
>>> Determining profile based on KDBG search...
>>>
>>> Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
>>> AS Layer1 : AMD64PagedMemory (Kernel AS)
>>> AS Layer2 : FileAddressSpace (memdump.mem)
>>> PAE type : No PAE
>>> DTB : 0x187000L
>>> KDBG : 0xf80001def0a0
>>> Number of Processors : 8
>>> Image Type (Service Pack) : 1
>>> KPCR for CPU 0 : 0xfffff80001df0d00L
>>> Traceback (most recent call last):
>>>   File "/usr/local/bin/vol.py", line 5, in <module>
>>>     pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>   File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>   File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in <module>
>>>     main()
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 174, in main
>>>     command.execute()
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", line 121, in execute
>>>     func(outfd, data)
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py", line 35, in render_text
>>>     for k, v in data:
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py", line 100, in calculate
>>>     yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number),
>>>            hex(kpcr.obj_offset))
>>> TypeError: hex() argument can't be converted to hex
>>> $
>>> $
>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 pslist
>>> Volatility Foundation Volatility Framework 2.3.1
>>> Offset(V)          Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
>>> ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
>>> Traceback (most recent call last):
>>>   File "/usr/local/bin/vol.py", line 5, in <module>
>>>     pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>   File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>   File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in <module>
>>>     main()
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 174, in main
>>>     command.execute()
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", line 121, in execute
>>>     func(outfd, data)
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/taskmods.py", line 140, in render_text
>>>     for task in data:
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py", line 70, in pslist
>>>     for p in get_kdbg(addr_space).processes():
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py", line 42, in processes
>>>     raise AttributeError("Could not list tasks, please verify your --profile with kdbgscan")
>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>> $
>>> $
>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 kdbgscan
>>> Volatility Foundation Volatility Framework 2.3.1
>>> **************************************************
>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>> Offset (V) : 0xf80001def0a0
>>> Offset (P) : 0x1def0a0
>>> KDBG owner tag check : True
>>> Profile suggestion (KDBGHeader): Win7SP1x64
>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>> Service Pack (CmNtCSDVersion) : 1
>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>> Major (OptionalHeader) : 6
>>> Minor (OptionalHeader) : 1
>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>>
>>> **************************************************
>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>> Offset (V) : 0xf80001def0a0
>>> Offset (P) : 0x1def0a0
>>> KDBG owner tag check : True
>>> Profile suggestion (KDBGHeader): Win2008R2SP1x64
>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>> Service Pack (CmNtCSDVersion) : 1
>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>> Major (OptionalHeader) : 6
>>> Minor (OptionalHeader) : 1
>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>>
>>> **************************************************
>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>> Offset (V) : 0xf80001def0a0
>>> Offset (P) : 0x1def0a0
>>> KDBG owner tag check : True
>>> Profile suggestion (KDBGHeader): Win2008R2SP0x64
>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>> Service Pack (CmNtCSDVersion) : 1
>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>> Major (OptionalHeader) : 6
>>> Minor (OptionalHeader) : 1
>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>>
>>> **************************************************
>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
>>> Offset (V) : 0xf80001def0a0
>>> Offset (P) : 0x1def0a0
>>> KDBG owner tag check : True
>>> Profile suggestion (KDBGHeader): Win7SP0x64
>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601)
>>> Service Pack (CmNtCSDVersion) : 1
>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr.
>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes)
>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules)
>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True)
>>> Major (OptionalHeader) : 6
>>> Minor (OptionalHeader) : 1
>>> KPCR : 0xfffff80001df0d00 (CPU 0)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> KPCR : - (CPU -)
>>> $
>>> $
>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 hivescan
>>> Volatility Foundation Volatility Framework 2.3.1
>>> Offset(P)
>>> ------------------
>>> 0x0000000000431010
>>> 0x00000000051a4010
>>> 0x000000000f1d7010
>>> 0x0000000013e15410
>>> 0x0000000015875410
>>> 0x000000005a517410
>>> 0x000000006e434410
>>> 0x000000007ddce410
>>> 0x00000000a143e410
>>> 0x00000000a7f8c410
>>> 0x00000000c3b83010
>>> 0x00000000cbb17410
>>> 0x00000000d0768410
>>> $
>>> $
>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 svcscan
>>> Volatility Foundation Volatility Framework 2.3.1
>>> Traceback (most recent call last):
>>>   File "/usr/local/bin/vol.py", line 5, in <module>
>>>     pkg_resources.run_script('volatility==2.3.1', 'vol.py')
>>>   File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
>>>   File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in <module>
>>>     main()
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 174, in main
>>>     command.execute()
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", line 121, in execute
>>>     func(outfd, data)
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py", line 360, in render_text
>>>     for rec in data:
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py", line 275, in calculate
>>>     for task in tasks.pslist(addr_space):
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py", line 70, in pslist
>>>     for p in get_kdbg(addr_space).processes():
>>>   File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py", line 42, in processes
>>>     raise AttributeError("Could not list tasks, please verify your --profile with kdbgscan")
>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
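A way to check the diagnosis Michael gives in the quoted reply for yourself: walk the x64 page tables of a raw dump and see whether a kernel virtual address such as PsActiveProcessHead resolves to a physical offset beyond the end of the file. This is an added example, not code from the thread or from Volatility; it assumes a flat raw image (physical address equals file offset) and builds a constructed sample whose tables mirror the KDBG mapping kdbgscan printed above (virtual 0xf80001def0a0 at physical 0x1def0a0), so PsActiveProcessHead lands at 0x1e253d0, past the end of the short sample file.

```python
import struct

PAGE = 0x1000
ADDR_MASK = 0x000FFFFFFFFFF000  # bits 12..51 of a paging entry: physical frame
PRESENT, LARGE = 1 << 0, 1 << 7  # LARGE (PS): 1 GiB page in a PDPTE, 2 MiB in a PDE

def _entry(image, table_pa, index):
    """8-byte entry `index` of the table at physical `table_pa`, None if past EOF."""
    off = table_pa + index * 8
    return struct.unpack_from("<Q", image, off)[0] if off + 8 <= len(image) else None

def translate(image, dtb, vaddr):
    """Walk the 4-level x64 page tables of a flat raw image (physical address ==
    file offset). Returns the physical offset of `vaddr`, or None when a level
    is not present or a table page lies beyond the end of the file."""
    large_shift = (None, 30, 21, None)  # page size if PS is set at that level
    table = dtb & ADDR_MASK
    for depth, shift in enumerate((39, 30, 21, 12)):
        e = _entry(image, table, (vaddr >> shift) & 0x1FF)
        if e is None or not e & PRESENT:
            return None
        if large_shift[depth] and e & LARGE:
            low = (1 << large_shift[depth]) - 1
            return (e & ADDR_MASK & ~low) | (vaddr & low)
        table = e & ADDR_MASK
    return table | (vaddr & (PAGE - 1))

def locate(image, dtb, vaddr):
    """Classify a kernel virtual address the way the diagnosis in the thread does:
    'unmapped', 'truncated' (maps past the end of the file) or 'ok'."""
    pa = translate(image, dtb, vaddr)
    if pa is None:
        return None, "unmapped"
    return pa, "truncated" if pa >= len(image) else "ok"

# DTB and PsActiveProcessHead are the values printed in the thread; the page
# tables below are constructed for this example and are not from the real dump.
DTB = 0x187000
PS_ACTIVE_PROCESS_HEAD = 0xFFFFF80001E253D0

def build_sample_image():
    """Constructed 0x188000-byte image with a minimal PML4 -> PDPT -> PD -> PT chain
    mapping PsActiveProcessHead to physical page 0x1e25000, which lies past the end
    of this short file (a truncated dump), and the next virtual page inside it."""
    img = bytearray(DTB + PAGE)
    pml4, pdpt, pd, pt = DTB, 0x1000, 0x2000, 0x3000
    for table, idx, target in ((pml4, 0x1F0, pdpt), (pdpt, 0x000, pd), (pd, 0x00F, pt),
                               (pt, 0x025, 0x1E25000), (pt, 0x026, 0x4000)):
        struct.pack_into("<Q", img, table + idx * 8, target | PRESENT)
    return bytes(img)
```

A dump saved with padding or in a non-flat container needs the acquisition tool's run layout applied before the file offset comparison means anything.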