Hi Konrads,
Thanks for the output. At the moment, it looks like the page table is corrupt (based on
the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way
outside the size of your file). Whether the acquisition tool or Volatility's address
space parser is to blame, I'm not currently sure. Can you answer a few additional
questions, please:
* Does it also hang on Linux, or does it complete sometime after printing those
"None object instantiated: Unable to read_long_long_phys" messages?
* What tool did you acquire memory with? Is it possible to re-acquire in a different
format, such as a Windows crash dump?
Thanks,
Michael
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
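The diagnosis above rests on one observation: the failing reads sit at physical addresses around 0xf8b4c0575d000, far beyond the end of an 8 GiB file, so whatever entry produced them cannot be a valid page table pointer. The following is an added example, not code from the thread or from Volatility itself: a minimal x86-64 four-level walker that refuses to follow an entry whose target lies past the end of the image, and a helper that counts such entries in one table. The six-page image is constructed in memory; the out-of-range address is the one quoted in the thread, and the function names (`walk`, `count_out_of_range`, `build_sample_image`) are this example's own.

```python
"""Sanity-check an x86-64 page-table walk against the size of a raw memory image."""
import struct

PAGE_SIZE = 0x1000
ENTRIES_PER_TABLE = 512
PTE_PRESENT = 1 << 0
PTE_LARGE = 1 << 7             # "page size" bit: 1 GiB page in the PDPT, 2 MiB page in the PD
PFN_MASK = 0x000FFFFFFFFFF000  # bits 12..51 carry the physical frame address

# Address taken from the thread's failing read_long_long_phys calls.
SUSPECT_TABLE = 0xf8b4c0575d000


def entry_phys(entry):
    """Physical address carried by a 64-bit page-table entry."""
    return entry & PFN_MASK


def walk(read_qword, dtb, vaddr, image_size):
    """Translate vaddr via PML4 -> PDPT -> PD -> PT against an image of image_size bytes.

    read_qword(phys) returns the little-endian 8-byte entry at a physical offset.
    Returns (status, level, address):
      ("ok", "page" | "large-page", phys)   translation succeeded
      ("not-present", level, entry_addr)    the present bit was clear at that level
      ("out-of-range", level, table)        the table to read lies past the end of the image
    """
    levels = (("pml4", 39), ("pdpt", 30), ("pd", 21), ("pt", 12))
    table = dtb & PFN_MASK
    for name, shift in levels:
        # The check this thread is about: never read a table the file cannot hold.
        if table + PAGE_SIZE > image_size:
            return ("out-of-range", name, table)
        entry_addr = table + ((vaddr >> shift) & 0x1FF) * 8
        entry = read_qword(entry_addr)
        if not entry & PTE_PRESENT:
            return ("not-present", name, entry_addr)
        if name == "pt":
            return ("ok", "page", entry_phys(entry) | (vaddr & 0xFFF))
        if name in ("pdpt", "pd") and entry & PTE_LARGE:
            offset_mask = (1 << shift) - 1          # 1 GiB or 2 MiB page offset
            base = entry_phys(entry) & ~offset_mask
            return ("ok", "large-page", base | (vaddr & offset_mask))
        table = entry_phys(entry)
    raise AssertionError("unreachable: the PT level always returns")


def count_out_of_range(read_qword, table, image_size):
    """Count present entries in one 4 KiB table whose target lies past the image end."""
    bad = 0
    for i in range(ENTRIES_PER_TABLE):
        entry = read_qword(table + i * 8)
        if entry & PTE_PRESENT and entry_phys(entry) + PAGE_SIZE > image_size:
            bad += 1
    return bad


def build_sample_image():
    """Constructed 6-page image: PML4 at 0x1000, PDPT 0x2000, PD 0x3000, PT 0x4000, data 0x5000."""
    img = bytearray(6 * PAGE_SIZE)

    def put(table, index, value):
        struct.pack_into("<Q", img, table + index * 8, value)

    put(0x1000, 0, 0x2000 | PTE_PRESENT)          # PML4[0] -> PDPT
    put(0x2000, 0, 0x3000 | PTE_PRESENT)          # PDPT[0] -> PD
    put(0x3000, 0, 0x4000 | PTE_PRESENT)          # PD[0]   -> PT (valid)
    put(0x3000, 1, SUSPECT_TABLE | PTE_PRESENT)   # PD[1]   -> "table" far past the end of the file
    put(0x4000, 0, 0x5000 | PTE_PRESENT)          # PT[0]   -> data page
    img[0x5000:0x5004] = b"KDBG"                   # constructed payload in the data page
    return img


def make_reader(img):
    def read_qword(phys):
        return struct.unpack_from("<Q", img, phys)[0]
    return read_qword


def demo():
    img = build_sample_image()
    read = make_reader(img)
    size = len(img)
    good = walk(read, 0x1000, 0x0, size)          # PD index 0 -> resolves to page 0x5000
    bad = walk(read, 0x1000, 0x200000, size)      # PD index 1 -> PT past the end of the image
    missing = walk(read, 0x1000, 0x1000, size)    # PT index 1 never populated
    return good, bad, missing, count_out_of_range(read, 0x3000, size)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same check holds against the real file size: with `image_size` set to 8 GiB (0x200000000), the walker still refuses `SUSPECT_TABLE` without attempting a read, which is the point at which a scanner should stop rather than issue the hundreds of doomed `read_long_long_phys` calls seen in the log.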
On Mar 1, 2014, at 5:35 PM, "Smelkovs, Konrads (London)"
<Konrads.Smelkovs(a)KPMG.co.uk> wrote:
Hi Michael,
I had to run it eventually on Linux 2.3.1 as there is no way to redirect stderr on
Windows to a file. Output is as follows:
Volatility Foundation Volatility Framework 2.3.1
DEBUG : volatility.obj : Applying modification from AtomTablex64Overlay
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ControlAreaModification
DEBUG : volatility.obj : Applying modification from ELF64Modification
[snip]
DEBUG : volatility.obj : Applying modification from ShellBagsTypesXP
DEBUG : volatility.obj : Applying modification from ShimCacheTypesXPx86
DEBUG : volatility.obj : Applying modification from Win32KCoreClasses
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xf0e33d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.obj : None object instantiated: Invalid hibernation header
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No xpress signature found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x0
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0xf0e3490>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x0 of size 0x4
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x0 of size 0x4
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating PO_MEMORY_IMAGE
DEBUG1 : volatility.obj : None object instantiated: Invalid hibernation header
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x0 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x1000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x2000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x3000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x4000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x5000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x6000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x7000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x8000 of size 0x8
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x9000 of size 0x8
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No xpress signature found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x0 of size 0x8
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x0 of size 0x6
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: -
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.obj : None object instantiated: Could not read_chunks from addr 0x0 of size 0x8
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Can not stack over another paging address space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Incompatible profile Win7SP1x64 selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Can not stack over another paging address space
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d000L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d008L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d010L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d018L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d020L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d028L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d030L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d038L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d040L
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xf8b4c0575d048L
--
Konrads Smelkovs
KPMG LLP
www.kpmg.com/uk/cyber | Love challenge? Work for us:
www.kpmgcareers.co.uk
15 Canada Square
London, E14 5GL
☎ Mobile +44 (0) 7990 987 057
☎ Direct +44 (0) 2076 945 519
✉ E-mail konrads.smelkovs(a)kpmg.co.uk
-----Original Message-----
From: Michael Ligh [mailto:michael.ligh@mnin.org]
Sent: 01 March 2014 21:22
To: Smelkovs, Konrads (London)
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64
Hi Konrads,
Could you paste us the output of:
volatility-2.3.1.standalone.exe -d -d -d -f C:\image.raw kdbgscan --profile=Win7SP1x64
Notice the 3 -d options after the program name. This will enable some extra debugging
that might help us figure out what's going on.
Thanks!
Michael
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
http://mnin.org/gpg.pubkey.txt
Blog:
http://volatility-labs.blogspot.com
Training:
http://memoryanalysis.net
On Mar 1, 2014, at 10:55 AM, "Smelkovs, Konrads (London)"
<Konrads.Smelkovs(a)KPMG.co.uk> wrote:
Hello,
C:\>volatility-2.3.1.standalone.exe -f C:\image.raw kdbgscan --profile=Win7SP1x64
Volatility Foundation Volatility Framework 2.3.1
.....
Never finishes - analysing 8 gig dump, CPU max. Help?
This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc,
KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company
under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited
(together, "KPMG"). ELLP does not provide services to clients and none of its
subsidiaries has authority to bind it.
This email, and any attachments, is confidential and may be privileged or otherwise
protected from disclosure. It is intended solely for the stated addressee(s) and access to
it by any other person is unauthorised. If you are not the intended recipient, you must
not disclose, copy, circulate or in any other way use or rely on the information contained
herein. If you have received this email in error, please inform us immediately and delete
all copies of it.
Any communications made with KPMG may be monitored and a record may be kept of any
communication.
Any opinion or advice contained herein is subject to the terms and conditions set out in
your KPMG LLP client engagement letter.
A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered
office.
KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited
liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered
no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited
(registered no. 03580549) are companies registered in England and Wales. Each entity's
registered office is at 15 Canada Square, London, E14 5GL.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users