Hey Adam,
We forgot to ask if the sample was a raw memory dump. For example:
$ xxd ~/Desktop/memory.dmp | less
0000000: 5041 4745 4455 4d50 0f00 0000 280a 0000 PAGEDUMP....(...
0000010: 8001 6c07 00c0 e680 a031 5580 5892 5580 ..l......1U.X.U.
0000020: 4c01 0000 0100 0000 8000 0000 5444 4f00 L...........TDO.
0000030: 0000 0000 0000 0000 0000 0000 5041 4745 ............PAGE
0000040: 5041 4745 5041 4745 5041 4745 5041 4745 PAGEPAGEPAGEPAGE
If it's something like a crash dump, hibernation, etc. then the file
format headers throw off the offsets. You can convert those special
file types into a raw memory dump with the imagecopy plugin and then
your strings translations should be accurate.
Cheers!
MHL
On 3/23/15 8:54 AM, Bridgey theGeek wrote:
> Hi Andrew,
>
> I was certain I was running the latest version, but just to be sure
> I grabbed the latest version. Same result, same offsets.
>
> I can make the sample available, but more than happy to do
> whatever debugging needs doing (if I can!)
>
> Adam
>
> On 23 March 2015 at 13:03, Andrew Case <atcuno@gmail.com> wrote:
>
> Are you using the latest git checkout of Volatility or the 2.4
> release? Can you try the latest checkout and re-run Volatility
> strings (you can run it on just the offsets from PID 123 to make it
> faster).
>
> If you are already on the latest checkout then we will need to
> debug further.
>
> Thanks, Andrew (@attrc)
>
> On 03/23/2015 04:38 AM, Bridgey theGeek wrote:
>> Thanks Andrew:
>>
>> python vol.py --profile=WinXPSP2x86 -f memory.dmp volshell -p 123
>> Volatility Foundation Volatility Framework 2.4
>> Current context: myapp.exe @ 0x822042f8, pid=123, ppid=392 DTB=0x76c0040
>> Welcome to volshell! Current memory image is: file:///home/memory.dmp
>> To get help, type 'hh()'
>> >>> db(0x75b6b4d8)
>> 0x75b6b4d8 c3 7c 15 c7 85 00 ff ff ff 01 00 00 00 75 09 8d .|...........u..
>> 0x75b6b4e8 85 0c ff ff ff 50 ff 17 39 9d 00 ff ff ff 89 85 .....P..9.......
>> 0x75b6b4f8 30 ff ff ff 74 12 6a 0c 8d 85 c4 fe ff ff 50 6a 0...t.j.......Pj
>> 0x75b6b508 07 6a fe e8 ea 92 ff ff 83 bd 28 ff ff ff 0c 0f .j........(.....
>> 0x75b6b518 84 8c 59 00 00 e9 18 ff ff ff 90 90 47 00 6c 00 ..Y.........G.l.
>> 0x75b6b528 6f 00 62 00 61 00 6c 00 5c 00 54 00 65 00 72 00 o.b.a.l.\.T.e.r.
>> 0x75b6b538 6d 00 53 00 72 00 76 00 52 00 65 00 61 00 64 00 m.S.r.v.R.e.a.d.
>> 0x75b6b548 79 00 45 00 76 00 65 00 6e 00 74 00 00 00 90 90 y.E.v.e.n.t.....
>>
>> Nope, still no banner. But it is identical to what I find at 0x1a34d8 in
>> 123.dmp. (As you'd expect.) Double-checked that I was searching
>> Unicode and ASCII - still no luck.
>>
>> Hmmm.
>>
>> Adam
>>
>> On 23 March 2015 at 04:02, Andrew Case <atcuno@gmail.com> wrote:
>>
>> Can do you:
>>
>> vol.py ... volshell -p 123
>>
>> Then in volshell do:
>>
>> db(0x75b6b4d8)
>>
>> And see if you get the banner printed at the beginning?
>>
>> Also, how are you searching 123.dmp? Did you search ascii & unicode
>> (most common error)
>>
>> Thanks, Andrew (@attrc)
>>
>> On 03/20/2015 03:59 PM, Bridgey theGeek wrote:
>>> Hi all,
>>>
>>> I can't quite see what's wrong with my logic here, but I must be
>>> missing something. Hoping someone can help me out.
>>>
>>> I'm looking for a private key in a memory sample
>>> (WinXPSP2x86). Specifically, to find out which process/es
>>> is/are accessing it.
>>>
>>> I can find the key by searching the raw memory dump (memory.dmp).
>>> As you might expect it's between:
>>> -----BEGIN RSA PRIVATE KEY-----
>>> -----END RSA PRIVATE KEY-----
>>>
>>> I generated an offset:string file by using strings. Then, using
>>> the strings plugin I get this output:
>>> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 strings -s pk.txt
>>> Volatility Foundation Volatility Framework 2.4
>>> 188435934 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
>>> 188435968 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
>>> 317375704 [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY-----
>>> 317376575 [kernel:d2ab283f] -----END RSA PRIVATE KEY-----
>>> 417203416 [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY-----
>>> 417204287 [123:75b6b83f] -----END RSA PRIVATE KEY-----
>>> 419888606 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
>>> 419888640 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
>>>
>>> Lovely. So I now do a memdump of process 123:
>>> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memdump --pid=123 --dump-dir=123
>>> Volatility Foundation Volatility Framework 2.4
>>> ************************************************************************
>>> Writing myapp.exe [ 123] to 123.dmp
>>>
>>> However, if I search 123.dmp neither the BEGIN nor END strings are
>>> present.
>>>
>>> So I thought I'd try and find it via the virtual address given, 0x75b6b4d8:
>>> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memmap --pid=123
>>> Virtual    Physical   Size       DumpFileOffset
>>> ---------- ---------- ---------- --------------
>>> --SNIP--
>>> 0x75b6b000 0x18de0000 0x1000     0x1a3000
>>> --SNIP--
>>>
>>> The text is indeed at 0x18de04d8 in memory.dmp, but not at 0x1a34d8 in
>>> 123.dmp. Again, it's nowhere to be found in 123.dmp.
>>>
>>> Any suggestions..??
>>>
>>> Many thanks, Adam
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users@volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
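The header check MHL describes (a sample that starts with PAGEDUMP is a crash dump, not a raw image, so file offsets are shifted) together with the offset:string input Adam fed to the strings plugin, as an added example that is not part of the thread or of Volatility itself. The PAGEDU64 and hibr/HIBR signatures, the constructed sample images and the function names are my assumptions.

```python
import re

# Container signatures checked at offset 0. PAGEDUMP is the one from the
# thread; PAGEDU64 (64-bit crash dump) and hibr/HIBR (hibernation file) are
# assumed additions. A strings file only lines up with a raw image.
NON_RAW_SIGNATURES = {
    b"PAGEDUMP": "Windows 32-bit crash dump",
    b"PAGEDU64": "Windows 64-bit crash dump",
    b"hibr": "Windows hibernation file",
    b"HIBR": "Windows hibernation file",
}
KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----END RSA PRIVATE KEY-----")


def classify_image(data: bytes) -> str:
    """Return 'raw' or the container format whose signature starts the file."""
    for sig, name in NON_RAW_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return "raw"


def strings_file_lines(data: bytes, markers=KEY_MARKERS) -> list:
    """Build the 'offset:string' lines that `vol.py strings -s` consumes.

    Offsets are decimal physical offsets (what `strings -td` prints), so the
    image must be raw; refuse a crash dump or hiberfil instead of emitting
    offsets that the file header would shift.
    """
    kind = classify_image(data)
    if kind != "raw":
        raise ValueError(f"not a raw image: {kind}; convert with imagecopy first")
    lines = []
    for marker in markers:
        for m in re.finditer(re.escape(marker), data):
            lines.append(f"{m.start()}:{marker.decode()}")
    return sorted(lines, key=lambda line: int(line.split(":", 1)[0]))


# Constructed samples: a raw image with a PEM block at offset 0x100, and a
# crash dump that begins with the PAGEDUMP header shown in the thread.
SAMPLE_RAW = (b"\x00" * 0x100
              + b"-----BEGIN RSA PRIVATE KEY-----\n(constructed key body)\n"
              + b"-----END RSA PRIVATE KEY-----" + b"\x00" * 16)
SAMPLE_CRASH = b"PAGEDUMP" + b"\x0f\x00\x00\x00" + b"\x00" * 52

if __name__ == "__main__":
    print(classify_image(SAMPLE_CRASH))
    for line in strings_file_lines(SAMPLE_RAW):
        print(line)
```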