It appears to have been mdd_1.3.exe.

Since when is L not hex?! ;) Duh.

C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86 --kdbg=0x8193ec90 pslist
Volatile Systems Volatility Framework 2.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
Traceback (most recent call last):
  File "<string>", line 185, in <module>
  File "<string>", line 176, in main
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
  File "C:\volatility\volatility\plugins\taskmods.py", line 138, in render_text
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
  File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with kdbgscan


On Wed, Aug 22, 2012 at 1:01 PM, Michael Hale Ligh <michael.hale@gmail.com> wrote:
Hey Jon, 

Based on your kdbgscan output I would suggest a few things:

* Try using --profile=VistaSP1x86 
* When you supply --kdbg, leave off the L from 0x8193ec90L (that's just Python telling you the number is a long; it's not really part of the number).

Thanks,
MHL

On Wed, Aug 22, 2012 at 12:45 PM, Jon Nelson <dotcop@gmail.com> wrote:
Here is imageinfo:

C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd imageinfo

Volatile Systems Volatility Framework 2.1
Determining profile based on KDBG search...

          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd)
                      PAE type : PAE
                           DTB : 0x122000L
                          KDBG : 0x8193ec90L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x8193f800L
                KPCR for CPU 1 : 0x803d1000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2010-10-26 18:35:11 UTC+0000
     Image local date and time : 2010-10-26 14:35:11 -0400


Here is the complete output of kdbgscan:

Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP1x86
Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 0
KPCR                          : 0x8193f800 (CPU 0)
KPCR                          : 0x803d1000 (CPU 1)

**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): VistaSP1x86
Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 0
KPCR                          : 0x8193f800 (CPU 0)
KPCR                          : 0x803d1000 (CPU 1)

**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): VistaSP2x86
Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 0
KPCR                          : 0x8193f800 (CPU 0)
KPCR                          : 0x803d1000 (CPU 1)

**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP2x86
Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 0
KPCR                          : 0x8193f800 (CPU 0)
KPCR                          : 0x803d1000 (CPU 1)

I also tried providing the kdbg value on the command line and got:

C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 --kdbg=0x8193ec90L pslist
Volatile Systems Volatility Framework 2.1
Usage: Volatility - A memory forensics analysis platform.

volatility-2.1.standalone.exe: error: option --kdbg: invalid integer value: '0x8193ec90L'

Is that an indication of an invalid memory address?

Thanks!

On Wed, Aug 22, 2012 at 12:30 PM, Andrew Case <atcuno@gmail.com> wrote:
From your original post:


PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)

That is not good ... 0 processes off activeprocesshead

Do you only get one result from kdbgscan? Can you try just running the
'imageinfo' plugin on your image (don't give it --profile), and send
me the results?

On Wed, Aug 22, 2012 at 11:27 AM, Jon Nelson <dotcop@gmail.com> wrote:
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>
> and...
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>
> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno@gmail.com> wrote:
>>
>> Can you paste the command line invocation you are running Vol with?
>>
>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop@gmail.com> wrote:
>> > I am using the 2.1 Windows standalone exe.
>> >
>> > I have a dd image of memory from the subject operating system and when I
>> > try
>> > to use pslist with the Win2008SP1x86 profile I get the following errors:
>> >
>> > Traceback (most recent call last):
>> >   File "<string>", line 185, in <module>
>> >   File "<string>", line 176, in main
>> >   File
>> > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> > line 111, in execute
>> >   File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
>> > render_text
>> >   File
>> >
>> > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> > line 72, in pslist
>> >   File
>> > "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>> > line 40, in processes
>> > AttributeError: Could not list tasks, please verify your --profile with
>> > kdbgscan
>> >
>> >
>> > When I try to verify my profile with kdbgscan I get the following for
>> > all
>> > profiles:
>> >
>> >  **************************************************
>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>> > Offset (V)                    : 0x8193ec90
>> > Offset (P)                    : 0x193ec90
>> > KDBG owner tag check          : True
>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>> > Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
>> > Service Pack (CmNtCSDVersion) : 1
>> > Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
>> > PsActiveProcessHead           : 0x81954990 (0 processes)
>> > PsLoadedModuleList            : 0x8195ec70 (0 modules)
>> > KernelBase                    : 0x81847000 (Matches MZ: True)
>> > Major (OptionalHeader)        : 6
>> > Minor (OptionalHeader)        : 0
>> > KPCR                          : 0x8193f800 (CPU 0)
>> > KPCR                          : 0x803d1000 (CPU 1)
>> >
>> > Any help would be greatly appreciated.
>> >
>> > Jon
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users@volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>
>


_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
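The thread boils down to three checks: use the profile kdbgscan suggests, pass --kdbg without the trailing L that imageinfo prints (the Python 2 long repr, which Volatility 2.1's option parser rejects), and treat a KDBG whose PsActiveProcessHead resolves to 0 processes as a sign that pslist's list walk will fail. The script below is an added example, not code from Volatility or from anyone in the thread: it parses kdbgscan output into one record per candidate (profile, KDBG address, process and module counts) and emits the pslist command line for each usable pair, switching to psscan (which carves _EPROCESS objects by pool tag rather than walking PsActiveProcessHead) where the list heads are empty. The sample input is constructed: the first block copies the layout of the thread's output, the second is an invented healthy block for contrast. Function names and the command template are assumptions.

```python
"""Triage helper for Volatility 2.x kdbgscan output (added example, not Volatility code)."""
import re
from typing import Dict, List

# Constructed sample. Block 1 mirrors the thread's output (0 processes / 0 modules);
# block 2 is an invented healthy block used only to show the contrast.
SAMPLE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): VistaSP1x86
Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)

**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP1x86
Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead           : 0x81954990 (37 processes)
PsLoadedModuleList            : 0x8195ec70 (112 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)
"""

HEX_RE = re.compile(r"^0x[0-9a-fA-F]+L?$")
COUNT_RE = re.compile(r"\((\d+) (?:processes|modules)\)")


def parse_hex(token: str) -> int:
    """Turn '0x8193ec90' or '0x8193ec90L' into an int.

    imageinfo prints Python 2 longs with a trailing 'L'; Volatility's --kdbg
    option does not accept that suffix, so it is stripped here.
    """
    token = token.strip()
    if not HEX_RE.match(token):
        raise ValueError(f"not a 0x-prefixed hex address: {token!r}")
    return int(token.rstrip("L"), 16)


def _count(value: str) -> int:
    """Pull the '(N processes)' / '(N modules)' count out of a field value."""
    m = COUNT_RE.search(value)
    if m is None:
        raise ValueError(f"no count in {value!r}")
    return int(m.group(1))


def parse_kdbgscan(text: str) -> List[Dict]:
    """Split kdbgscan output on its '*****' separators and keep the fields that
    decide whether a (profile, KDBG) pair can walk the process list."""
    blocks = []
    for chunk in re.split(r"^\*{10,}$", text, flags=re.MULTILINE):
        fields = {}
        for line in chunk.splitlines():
            key, sep, val = line.partition(":")  # split on the FIRST colon only
            if sep:
                fields[key.strip()] = val.strip()
        if "Offset (V)" not in fields:
            continue  # empty leading chunk or banner text
        blocks.append({
            "kdbg": parse_hex(fields["Offset (V)"]),
            "profile": fields["Profile suggestion (KDBGHeader)"],
            "build": fields.get("Build string (NtBuildLab)", ""),
            "processes": _count(fields["PsActiveProcessHead"]),
            "modules": _count(fields["PsLoadedModuleList"]),
        })
    return blocks


def plan_commands(image: str, scan_text: str,
                  vol: str = "volatility-2.1.standalone.exe") -> List[Dict]:
    """Emit one command per candidate: suggested profile, --kdbg without the L.

    A KDBG whose list heads resolve to 0 processes / 0 modules is marked
    unusable: pslist fails on it with the thread's 'Could not list tasks'
    error, so the command falls back to psscan, which carves _EPROCESS
    objects by pool tag instead of walking PsActiveProcessHead.
    """
    plans = []
    for b in parse_kdbgscan(scan_text):
        usable = b["processes"] > 0 and b["modules"] > 0
        plugin = "pslist" if usable else "psscan"
        cmd = (f"{vol} -f {image} --profile={b['profile']} "
               f"--kdbg={b['kdbg']:#x} {plugin}")
        plans.append({**b, "usable": usable, "command": cmd})
    return plans


if __name__ == "__main__":
    for p in plan_commands(r"G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd", SAMPLE_KDBGSCAN):
        status = "ok" if p["usable"] else "EMPTY LIST HEADS - suspect the acquisition"
        print(f"{p['profile']:<14} kdbg={p['kdbg']:#x} {status}\n  {p['command']}")
```

If every candidate comes back with empty list heads, as in the thread, no profile choice will fix pslist; psscan may still recover process objects from whatever pages the image does contain, and the acquisition itself is the next thing to question.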