psscan, modscan, driverscan, filescan, mutantscan, symlinkscan, thrdscan,
and netscan produced no output other than the header.
impscan, svcscan, and cmdscan all returned errors. hivescan returned a
bunch of offsets with no other info:
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86 --kdbg=0x8193ec90 cmdscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
  File "<string>", line 185, in <module>
  File "<string>", line 176, in main
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
  File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 670, in render_text
  File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 656, in calculate
  File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 624, in cmdhistory_process_filter
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
  File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with kdbgscan
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86 --kdbg=0x8193ec90 hivescan
Volatile Systems Volatility Framework 2.1
Offset(P)
----------
0x00553008
0x01ca9008
0x01d09008
0x0cbea008
0x4072b008
0x48c31008
0x4cdfa008
0x4f4ee008
0x53217850
0x5841d008
0x62aa0008
0x6dc6a850
0x7d5a6850
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86 --kdbg=0x8193ec90 svcscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
  File "<string>", line 185, in <module>
  File "<string>", line 176, in main
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
  File "C:\volatility\volatility\plugins\malware\svcscan.py", line 307, in render_text
  File "C:\volatility\volatility\plugins\malware\svcscan.py", line 271, in calculate
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
  File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with kdbgscan
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86 --kdbg=0x8193ec90 impscan
Volatile Systems Volatility Framework 2.1
IAT        Call       Module               Function
---------- ---------- -------------------- --------
Traceback (most recent call last):
  File "<string>", line 185, in <module>
  File "<string>", line 176, in main
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
  File "C:\volatility\volatility\plugins\malware\impscan.py", line 361, in render_text
  File "C:\volatility\volatility\plugins\malware\impscan.py", line 253, in calculate
  File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
  File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with kdbgscan
On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Cool, no worries. I'm guessing it was missed in the crossfire.
Just looking at your directory listing I might have guessed it was
FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
of course I could be wrong since "AD" may refer to something else...
Try as many "scanning" plugins as you can muster and see if anything
comes out while we think of something else. BTW, we aren't helping
you cheat are we? ;-) The thought occurred to me that this sample
could be intentionally broken.
On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
The answer to that question was in the previous email where I posted the
entire kdbgscan output. I believe mdd was used to acquire the image.
On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
>
> Hey Jon,
>
> > Was there any more output from kdbgscan (other than what you pasted
> > in the first email)? If so can you paste the entire output of kdbgscan,
> > please?
>
> You didn't answer that question above...does that mean there is *not* any
> additional kdbgscan output other than what you pasted in the first email?
>
> And you're supplying --profile=Win2008SP1x86 to the psscan and modscan
> commands also? What software was used to acquire the memory dump?
>
> Thanks,
> MHL
>
> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>
>> As far as modscan I also just get the header and nothing further.
>>
>>
>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
>>>
>>> Hey Jon,
>>>
>>> Was there any more output from kdbgscan (other than what you pasted in
>>> the first email)? If so can you paste the entire output of kdbgscan,
>>> please?
>>>
>>> The fact that psscan doesn't show results is definitely strange. What
>>> about the modscan command?
>>>
>>> Thanks!
>>> MHL
>>>
>>>
>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>>>
>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>>>>>
>>>>> and...
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>>>>>
>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
>>>>>>
>>>>>> Can you paste the command line invocation you are running Vol with?
>>>>>>
>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>>>>> > I am using the 2.1 Windows standalone exe.
>>>>>> >
>>>>>> > I have a dd image of memory from the subject operating system and
>>>>>> > when I try to use pslist with the Win2008SP1x86 profile I get the
>>>>>> > following errors:
>>>>>> >
>>>>>> > Traceback (most recent call last):
>>>>>> >   File "<string>", line 185, in <module>
>>>>>> >   File "<string>", line 176, in main
>>>>>> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
>>>>>> >   File "C:\volatility\volatility\plugins\taskmods.py", line 138, in render_text
>>>>>> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
>>>>>> >   File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
>>>>>> > AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>>>>> >
>>>>>> >
>>>>>> > When I try to verify my profile with kdbgscan I get the following
>>>>>> > for all profiles:
>>>>>> >
>>>>>> > **************************************************
>>>>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>>>>>> > Offset (V)                     : 0x8193ec90
>>>>>> > Offset (P)                     : 0x193ec90
>>>>>> > KDBG owner tag check           : True
>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>>>>>> > Version64                      : 0x8193ec68 (Major: 15, Minor: 6001)
>>>>>> > Service Pack (CmNtCSDVersion)  : 1
>>>>>> > Build string (NtBuildLab)      : 6001.18000.x86fre.longhorn_rtm.0
>>>>>> > PsActiveProcessHead            : 0x81954990 (0 processes)
>>>>>> > PsLoadedModuleList             : 0x8195ec70 (0 modules)
>>>>>> > KernelBase                     : 0x81847000 (Matches MZ: True)
>>>>>> > Major (OptionalHeader)         : 6
>>>>>> > Minor (OptionalHeader)         : 0
>>>>>> > KPCR                           : 0x8193f800 (CPU 0)
>>>>>> > KPCR                           : 0x803d1000 (CPU 1)
>>>>>> >
>>>>>> > Any help would be greatly appreciated.
>>>>>> >
>>>>>> > Jon
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > Vol-users mailing list
>>>>>> > Vol-users(a)volatilityfoundation.org
>>>>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>> >
>>>
>>>
>>
>>
>
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
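Added here as an illustration (not from the thread and not Volatility's own code): a small Python check that carves the raw image for the same pool tags that psscan, modscan and kdbgscan look for, so an analyst can separate "the image holds no process or module allocations at all" (a truncated or deliberately broken capture, as suspected above) from "wrong --profile or --kdbg". The needle bytes are assumptions based on Volatility 2.x behaviour on 32-bit Windows, and the image bytes the script writes are constructed test data.

```python
"""Count the raw pool tags Volatility 2.1's psscan / modscan / kdbgscan carve for.
Added illustration; tag values assume Volatility 2.x behaviour on 32-bit Windows."""
import mmap
import tempfile

# Needles as they appear in memory: "Proc" with the protected-pool bit (0x80) set
# on its last byte, the "MmLd" loaded-module tag, and the KDBG owner tag behind
# the 8-byte zeroed list head that precedes it on 32-bit Windows (assumptions).
NEEDLES = {
    "process (psscan)": b"Pro\xe3",
    "module (modscan)": b"MmLd",
    "kdbg (kdbgscan)": b"\x00" * 8 + b"KDBG",
}


def count_needles(path, needles=NEEDLES):
    """Return {label: occurrences} for each needle in the raw image at path."""
    counts = {label: 0 for label in needles}
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for label, needle in needles.items():
            pos = mm.find(needle)
            while pos != -1:
                counts[label] += 1
                pos = mm.find(needle, pos + 1)
    return counts


def triage(path):
    """A valid KDBG with no carvable process/module allocations anywhere in the
    image points at a broken capture, not at a wrong --profile."""
    counts = count_needles(path)
    has_kdbg = counts["kdbg (kdbgscan)"] > 0
    has_objects = counts["process (psscan)"] + counts["module (modscan)"] > 0
    if has_kdbg and not has_objects:
        return counts, "broken capture: KDBG found but no pool objects to carve"
    if not has_kdbg:
        return counts, "no KDBG header: try other profiles or architectures"
    return counts, "objects present: revisit --profile / --kdbg"


def constructed_image(with_objects=True):
    """Write a synthetic image (constructed, not a real dump) to a temp file: one
    KDBG header, plus two process tags and one module tag when with_objects."""
    proc, mod = (b"Pro\xe3", b"MmLd") if with_objects else (b"", b"")
    data = (b"\x00" * 0x100 + proc + b"\x00" * 0x40 + mod + b"\x00" * 0x20
            + b"\x00" * 8 + b"KDBG\x28\x03" + b"\xcc" * 0x80 + proc + b"\x00" * 0x40)
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as fh:
        fh.write(data)
    return fh.name
```

Run `triage("/path/to/image.dd")` against a real capture; a multi-hundred-MB image that returns the "broken capture" verdict is worth re-acquiring before spending more time on profiles.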