Re: [Vol-users] KDBG errors

6 Apr 2014

      Hi Carlos, 

There are a few things going on. First, there’s a bug in imageinfo which causes Volatility
to crash when parsing the CPU addresses - I’ll send you a fix for that separately, but it
won’t affect the rest of your analysis. 

When a KDBG structure can be found, but there are 0 processes and 0 modules, it almost
always indicates a corrupt memory dump. In particular, the acquisition tool probably
didn’t acquire *all* physical memory ranges (or it failed to align them in the output file
properly). Recently, I looked at a similar case where the virtual address of
PsActiveProcessHead translated to a physical offset that was higher than the number of
bytes in the memory dump (thus the memory dump file was truncated and missing some data).

I’d be interested if psscan shows you a partial list of processes. If so, you may be able
to perform limited analysis, by passing the physical offsets of the _EPROCESS structures
to plugins like handles, dlllist, vaddump, etc (the -o/--offset option). 

Talk to you soon,
MHL

--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com 
Training: http://memoryanalysis.net

On Apr 6, 2014, at 2:29 PM, Andrew Case &lt;atcuno(a)gmail.com&gt; wrote:

...
  Hello,

 Do you know which tool was used to acquire memory? Also, how much RAM
 does the system have?

 Thanks,
 Andrew (@attrc)

 On 4/2/2014 4:45 PM, Carlos Angeles wrote:
  Hello,

 I'm getting some KDBG errors when examining a Windows Server 2008 R2
 server memory image.  I saw a similar post to this list back in August
 2012
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00056…)

 Here's the output from a few plugins.  It was captured by another
 person and I don't know what tool or version he used.

 Does it look like the memory image is corrupted?

 Thanks,
 Carlos

 $ vol.py -f memdump.mem imageinfo
 Volatility Foundation Volatility Framework 2.3.1
 Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP0x64, Win7SP1x64,
 Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (memdump.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80001def0a0
          Number of Processors : 8
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001df0d00L
 Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.3.1', 'vol.py')
  File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
  File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in
run_script
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
 line 183, in <module>
    main()
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
 line 174, in main
    command.execute()
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
 line 121, in execute
    func(outfd, data)
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
 line 35, in render_text
    for k, v in data:
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py",
 line 100, in calculate
    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number),
 hex(kpcr.obj_offset))
 TypeError: hex() argument can't be converted to hex
 $
 $
 $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 pslist
 Volatility Foundation Volatility Framework 2.3.1
 Offset(V)          Name                    PID   PPID   Thds     Hnds
 Sess  Wow64 Start                          Exit
 ------------------ -------------------- ------ ------ ------ --------
 ------ ------ ------------------------------
 ------------------------------
 Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.3.1', 'vol.py')
  File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
  File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in
run_script
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
 line 183, in <module>
    main()
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
 line 174, in main
    command.execute()
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
 line 121, in execute
    func(outfd, data)
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/taskmods.py",
 line 140, in render_text
    for task in data:
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
 line 70, in pslist
    for p in get_kdbg(addr_space).processes():
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
 line 42, in processes
    raise AttributeError("Could not list tasks, please verify your
 --profile with kdbgscan")
 AttributeError: Could not list tasks, please verify your --profile with kdbgscan
 $
 $
 $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 kdbgscan
 Volatility Foundation Volatility Framework 2.3.1
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001def0a0
 Offset (P)                    : 0x1def0a0
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win7SP1x64
 Version64                     : 0xf80001def068 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.18247.amd64fre.win7sp1_gdr.
 PsActiveProcessHead           : 0xfffff80001e253d0 (0 processes)
 PsLoadedModuleList            : 0xfffff80001e436d0 (0 modules)
 KernelBase                    : 0xfffff80001c00000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001df0d00 (CPU 0)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)

 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001def0a0
 Offset (P)                    : 0x1def0a0
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008R2SP1x64
 Version64                     : 0xf80001def068 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.18247.amd64fre.win7sp1_gdr.
 PsActiveProcessHead           : 0xfffff80001e253d0 (0 processes)
 PsLoadedModuleList            : 0xfffff80001e436d0 (0 modules)
 KernelBase                    : 0xfffff80001c00000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001df0d00 (CPU 0)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)

 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001def0a0
 Offset (P)                    : 0x1def0a0
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008R2SP0x64
 Version64                     : 0xf80001def068 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.18247.amd64fre.win7sp1_gdr.
 PsActiveProcessHead           : 0xfffff80001e253d0 (0 processes)
 PsLoadedModuleList            : 0xfffff80001e436d0 (0 modules)
 KernelBase                    : 0xfffff80001c00000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001df0d00 (CPU 0)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)

 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001def0a0
 Offset (P)                    : 0x1def0a0
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win7SP0x64
 Version64                     : 0xf80001def068 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.18247.amd64fre.win7sp1_gdr.
 PsActiveProcessHead           : 0xfffff80001e253d0 (0 processes)
 PsLoadedModuleList            : 0xfffff80001e436d0 (0 modules)
 KernelBase                    : 0xfffff80001c00000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001df0d00 (CPU 0)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 KPCR                          : - (CPU -)
 $
 $
 $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 hivescan
 Volatility Foundation Volatility Framework 2.3.1
 Offset(P)
 ------------------
 0x0000000000431010
 0x00000000051a4010
 0x000000000f1d7010
 0x0000000013e15410
 0x0000000015875410
 0x000000005a517410
 0x000000006e434410
 0x000000007ddce410
 0x00000000a143e410
 0x00000000a7f8c410
 0x00000000c3b83010
 0x00000000cbb17410
 0x00000000d0768410
 $
 $
 $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 svcscan
 Volatility Foundation Volatility Framework 2.3.1
 Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.3.1', 'vol.py')
  File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script
  File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in
run_script
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
 line 183, in <module>
    main()
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py",
 line 174, in main
    command.execute()
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py",
 line 121, in execute
    func(outfd, data)
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
 line 360, in render_text
    for rec in data:
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py",
 line 275, in calculate
    for task in tasks.pslist(addr_space):
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py",
 line 70, in pslist
    for p in get_kdbg(addr_space).processes():
  File
"/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py",
 line 42, in processes
    raise AttributeError("Could not list tasks, please verify your
 --profile with kdbgscan")
 AttributeError: Could not list tasks, please verify your --profile with kdbgscan
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
   _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: [Vol-users] KDBG errors