Seems better:
root@Forensic-1:/case2/4132012/biweb/mem# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...
On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Try to place them in volatility/plugins/addrspaces/ instead and then do a `make clean` before running
On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did not see any new plugins using vol.py -h, and when I tried to do an imageinfo I got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 44, in calculate
    suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 119, in calculate
    for offset in scanner.scan(aspace):
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 83, in scan
    for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see if I can share this with someone like SA in the meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> I assume you need it for something other than test my patch,
> I can send parts of the vmss of the machine I already noticed more than
> one region.
> could you use that to gather the info you need?
>
> btw, I'm also using vmware converter standalone pretty often, it might
> also be related
>
>
> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net> wrote:
>>
>>
>> Nir,
>>
>>
>>> AAron - actually it was quite rare, but the first vmss I used to test
>>> the patch
>>> had two or three, which made my patch break when i first tested it on
>>> other
>>> VMs.
>>> I could try to pinpoint it, but i guess it would be easier for me to
>>> reverse
>>> the vmware code than try it manually :)
>>> A thing to note is that that vmss also had two virtual CPUs, which might
>>> have caused having more than one region. it also had ~4G of RAM. most of the
>>> other VMs i used only had about 512M.
>>> did you try to run it on other vmss files that resemble the one i
>>> described?
>>
>>
>> Interesting. I have never seen a vmss with multiple regions. If you
>> happen to come across one again, please let me know. I'd be interested in
>> what conditions or what product leads to more than one region.
>> Thanks,
>> AW
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
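Both tracebacks in the thread die at the same spot: scan.py's block loop hands skip() in common.py a buffer that the address space returned as None, and data.index() has nothing to call. The following Python is added here and is not Volatility's code; the address space, tag and memory regions are constructed to mirror that scan()/skip() path on a snapshot with a gap between regions, and the defensive skip() shows the check that keeps the scan going.

```python
# Added example, not Volatility's code: the address space, tag and regions
# here are constructed to mirror the scan()/skip() calls in the tracebacks.
TAG = b"Proc"  # constructed sample tag, not a real pool-tag check
class GappyAddressSpace:
    """Snapshot with several memory regions; read() is None across a gap."""
    def __init__(self, regions):
        self.regions = regions  # {base_offset: bytes}
    def read(self, offset, length):
        for base, data in self.regions.items():
            if base <= offset and offset + length <= base + len(data):
                return data[offset - base:offset - base + length]
        return None  # the range is not fully inside one region

def skip_naive(data, offset, tag, blocksize):
    """Shape of the skip() in the traceback: a None read is not expected."""
    try:
        return data.index(tag, offset + 1) - offset
    except ValueError:
        return len(data) - offset

def skip_defensive(data, offset, tag, blocksize):
    """Hardened variant: an unreadable block is stepped over whole."""
    if data is None:
        return blocksize - offset
    return skip_naive(data, offset, tag, blocksize)

def scan(aspace, tag, maxlen, blocksize=0x100, skip=skip_defensive):
    """Walk [0, maxlen) in blocks; return every offset where tag occurs."""
    hits = []
    for block in range(0, maxlen, blocksize):
        data = aspace.read(block, blocksize)
        i = 0
        while i < blocksize:
            if data is not None and data.startswith(tag, i):
                hits.append(block + i)
            i += max(1, skip(data, i, tag, blocksize))
    return hits

def build_sample_space():
    """Regions 0x0-0x200 and 0x300-0x400 with three tags and a gap between."""
    a, b = bytearray(0x200), bytearray(0x100)
    a[0x10:0x14] = a[0x150:0x154] = b[0x40:0x44] = TAG
    return GappyAddressSpace({0x0: bytes(a), 0x300: bytes(b)})

def crash_message(aspace, tag, maxlen):
    """Run the naive scan; return the AttributeError text, None if it ran."""
    try:
        scan(aspace, tag, maxlen, skip=skip_naive)
    except AttributeError as exc:
        return str(exc)
```

With the gap present, the naive variant reproduces the thread's "'NoneType' object has no attribute 'index'" while the defensive variant reports the tag hit in the second region.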