Rob,
According to the psscan output you posted the PDB (Process directory
base) is 0xcf3392c0. This is clearly an invalid address since a DTB is
always aligned on page boundaries.
Can you dump other processes from this image? Is it possible that you
don't have the correct profile chosen for your image?
Michael.
On 30 October 2012 17:07, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote:
The process doesn't appear to have exited based on pslist (and it was
still generating network traffic while I dumped ram)

Offset(V)  Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x8b3802a8 System                    4      0    127 --------  ------      0
0x89be3290 smss.exe                312      4      2 --------  ------      0 2012-10-26 02:29:26
[...]
0x89b1e020 redactedxx.e           1684    432     15 --------  ------      0 2012-10-26 02:29:39
Don't know if this helps

psxview
Volatile Systems Volatility Framework 2.2
Offset(P)  Name                 PID    pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x09b17b70 svchost.exe            2632 True   True   False    False   False
[...]
0x09b1e020 redactedxx.e           1684 True   True   False    False   False
psscan
sansforensics@SIFT-Workstation:~/Desktop$ vol.py -f ~/Desktop/image.raw --profile Win2003SP2x86 psscan
Volatile Systems Volatility Framework 2.2
Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x09b1e020 redactedxx.e       1684    432 0xcf3392c0 2012-10-26 02:29:39
On Mon, Oct 29, 2012 at 6:44 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
This means that the DTB (page directory) for the process doesn't appear
valid, which is typically because the process has exited (although the
_EPROCESS structure itself may still exist, its page tables can be corrupt).
Can you check the exit time for this process with pslist or psscan?
MHL
On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote:
Have never seen this error when trying to dump a process. Any
suggestions? Tried -u as well with the same results.

vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x89b1e020 ---------- redactedxxxxx.e      Error: Cannot acquire process AS
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
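The check Michael applies by eye in the thread (a DTB that is not page-aligned cannot be a real page directory, so the process address space cannot be built from it) is easy to automate over psscan output. The script below is an added example written for this archive page; it is not code from the thread or from the Volatility project. It assumes the non-PAE x86 rule the thread states (DTB aligned to 0x1000), and the sample output is constructed in the Volatility 2.2 psscan column layout: the redactedxx.e row carries the 0xcf3392c0 value from the thread, while the smss.exe row and its PDB 0x0a3c0000 are made up for contrast.

```python
"""Flag psscan rows whose PDB/DTB cannot back a usable process address space."""
import re

PAGE_SIZE = 0x1000  # x86 page size; assumption: non-PAE layout, DTB page-aligned

# Constructed sample in Volatility 2.2 psscan layout (smss.exe PDB is made up).
SAMPLE_PSSCAN = """\
Volatile Systems Volatility Framework 2.2
 Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x09be3290 smss.exe            312      4 0x0a3c0000 2012-10-26 02:29:26
0x09b1e020 redactedxx.e       1684    432 0xcf3392c0 2012-10-26 02:29:39
"""

# One data row: Offset(P) Name PID PPID PDB [Time created] [Time exited]
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-fA-F]+)"
    r"(?:\s+(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d))?"
    r"(?:\s+(?P<exited>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d))?"
    r"\s*$"
)


def dtb_is_page_aligned(dtb, page_size=PAGE_SIZE):
    """A directory table base must sit on a page boundary (low 12 bits clear)."""
    return dtb % page_size == 0


def parse_psscan(text):
    """Parse psscan text into dicts; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "offset": int(m.group("offset"), 16),
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "ppid": int(m.group("ppid")),
            "pdb": int(m.group("pdb"), 16),
            "created": m.group("created"),
            "exited": m.group("exited"),
        })
    return rows


def suspicious_processes(text, page_size=PAGE_SIZE):
    """Return rows whose _EPROCESS is unlikely to yield a process AS, with reasons."""
    flagged = []
    for row in parse_psscan(text):
        reasons = []
        if not dtb_is_page_aligned(row["pdb"], page_size):
            reasons.append("DTB 0x%08x not aligned to 0x%x" % (row["pdb"], page_size))
        if row["exited"]:
            reasons.append("process exited at %s" % row["exited"])
        if reasons:
            flagged.append(dict(row, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for p in suspicious_processes(SAMPLE_PSSCAN):
        print("PID %d (%s): %s" % (p["pid"], p["name"], "; ".join(p["reasons"])))
```

Pipe real psscan output into suspicious_processes() to get the same verdict for every row at once; a misaligned DTB on a process that pslist still shows as live is the combination seen in this thread, and it is worth treating as a profile or image problem before assuming the process is hidden or dead.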