Re: [Vol-users] Win 2008 Enterprise Server SP1 Errors

Thanks for the detailed response. I would be more than happy to share the image. Just tell me where to upload it to. On Aug 22, 2012 6:39 PM, "Michael Hale Ligh" &lt;michael.hale(a)gmail.com&gt; wrote: > Hey Jon, > > On Wed, Aug 22, 2012 at 1:54 PM, Jon Nelson &lt;dotcop(a)gmail.com&gt; wrote: > >> psscan, modscan, driverscan, filescan, mutantscan, symlinkscan, >> thrdscan, and netscan produced no output other than the header. > > > So the main three reasons I can think of for these scanners failing are: > > 1) the image is corrupt (i.e. the acquisition tool didn't capture several > areas of memory) > 2) malware modified pool tags (i.e. DKOM) > 3) the wrong profile is being used > > So they are all possibilities, but let's discuss their likelihood. #1 is > unlikely IMO because kdbgscan was able to print lines like these: > > Service Pack (CmNtCSDVersion) : 1 > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 > > Those values are extracted from the ntoskrnl.exe kernel driver, which > means at least one module is in memory...yet modscan doesn't pick it up. #2 > is unlikely because malware that uses DKOM typically does so to hide an > individual process, not overwrite an object's pool tags (although its > possible). Plus I'd expect if malware did overwrite pool tags, it would do > it for certain objects only (i.e. just processes and threads or just > network objects) and not all tags associated with all objects. #3 is > unlikely - we know from kdbgscan output that its SP1 something. We know its > x86 and not x64 because kdbgscan is able to find a valid DTB. Out of the > kdbgscan suggestions, you've already tried both VistaSP1x86 and > Win2008SP1x86 and neither seemed to work. > > So pretty strange, I don't know what the problem is at this point. If its > just a testing/training image (i.e. doesn't contain sensitive information) > and you can share it with the volatility dev team, we'll be glad to take a > look and report back what we find. That would reduce the number of emails > back and forth and is probably your best bet to figuring it out. If you > want, we have private drop boxes where you can upload the image and it will > only be accessible by a few devs. Let me know. > > >> impscan, svcscan, and cmdscan all returned errors. > > > That makes sense. Although they have "scan" in the name, these three > plugins scan process memory as opposed to the ones you listed above > (psscan, modscan, etc...). Thus if no processes can be found (i.e. pslist > fails) then all 3 of these will fail with the same error. > > >> hivescan returned a bunch of offsets with no other info > > > That's OK. The output of hivescan is supposed to only contain offsets. > See [1]. Perhaps you could try hivelist which lists the offsets plus the > path to the hive. See [2]. > > [1]. http://code.google.com/p/volatility/wiki/CommandReference21#hivescan > [2]. http://code.google.com/p/volatility/wiki/CommandReference21#hivelist > > >> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f >> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86 >> --kdbg=0x8193ec90 cmdscan >> Volatile Systems Volatility Framework 2.1 >> Traceback (most recent call last): >> File "<string>", line 185, in <module> >> File "<string>", line 176, in main >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", >> line 111, in execute >> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line >> 670, in render_text >> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line >> 656, in calculate >> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line >> 624, in cmdhistory_process_filter >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", >> line 72, in pslist >> File >> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line >> 40, in processes >> AttributeError: Could not list tasks, please verify your --profile with >> kdbgscan >> >> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f >> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile >> =VistaSP1x86 --kdbg=0x8193ec90 hivescan >> Volatile Systems Volatility Framework 2.1 >> Offset(P) >> ---------- >> 0x00553008 >> 0x01ca9008 >> 0x01d09008 >> 0x0cbea008 >> 0x4072b008 >> 0x48c31008 >> 0x4cdfa008 >> 0x4f4ee008 >> 0x53217850 >> 0x5841d008 >> 0x62aa0008 >> 0x6dc6a850 >> 0x7d5a6850 >> >> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f >> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile >> =VistaSP1x86 --kdbg=0x8193ec90 svcscan >> Volatile Systems Volatility Framework 2.1 >> Traceback (most recent call last): >> File "<string>", line 185, in <module> >> File "<string>", line 176, in main >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", >> line 111, in execute >> File "C:\volatility\volatility\plugins\malware\svcscan.py", line 307, >> in render_text >> File "C:\volatility\volatility\plugins\malware\svcscan.py", line 271, >> in calculate >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", >> line 72, in pslist >> File >> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line >> 40, in processes >> AttributeError: Could not list tasks, please verify your --profile with >> kdbgscan >> >> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f >> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile >> =VistaSP1x86 --kdbg=0x8193ec90 impscan >> Volatile Systems Volatility Framework 2.1 >> IAT Call Module Function >> ---------- ---------- -------------------- -------- >> Traceback (most recent call last): >> File "<string>", line 185, in <module> >> File "<string>", line 176, in main >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", >> line 111, in execute >> File "C:\volatility\volatility\plugins\malware\impscan.py", line 361, >> in render_text >> File "C:\volatility\volatility\plugins\malware\impscan.py", line 253, >> in calculate >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", >> line 72, in pslist >> File >> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line >> 40, in processes >> AttributeError: Could not list tasks, please verify your --profile with >> kdbgscan >> >> >> On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy &lt;jamie.levy(a)gmail.com&gt; >> wrote: >> >>> Cool, no worries. I'm guessing it was missed in the crossfire. >>> >>> Just looking at your directory listing I might have guessed it was >>> FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd >>> >>> of course I could be wrong since "AD" may refer to something else... >>> >>> Try as many "scanning" plugins as you can muster and see if anything >>> comes out while we think of something else. BTW, we aren't helping >>> you cheat are we? ;-) The thought occurred to me that this sample >>> could be intentionally broken. >>> >>> >>> >>> On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson &lt;dotcop(a)gmail.com&gt; wrote: >>> > The answer to that question was in previous email where I posted the >>> entire >>> > kdbgscan output. I believe the mdd was used to acquire the image. >>> > >>> > >>> > On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh < >>> michael.hale(a)gmail.com&gt; >>> > wrote: >>> >> >>> >> Hey Jon, >>> >> >>> >> > Was there any more output from kdbgscan (other than what you pasted >>> >> > in the first email)? If so can you paste the entire output of >>> kdbgscan, >>> >> > please? >>> >> >>> >> You didn't answer that question above...does that mean there is >>> *not* any >>> >> additional kdbgscan output other than what you pasted in the first >>> email? >>> >> >>> >> Any you're supplying --profile=Win2008SP1x86 to the psscan and >>> modscan >>> >> commands also? What software was used to acquire the memory dump? >>> >> >>> >> Thanks, >>> >> MHL >>> >> >>> >> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson &lt;dotcop(a)gmail.com&gt; >>> wrote: >>> >>> >>> >>> As far as modscan I also just get the header and nothing further. >>> >>> >>> >>> >>> >>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh >>> >>> &lt;michael.hale(a)gmail.com&gt; wrote: >>> >>>> >>> >>>> Hey Jon, >>> >>>> >>> >>>> Was there any more output from kdbgscan (other than what you >>> pasted in >>> >>>> the first email)? If so can you paste the entire output of >>> kdbgscan, please? >>> >>>> >>> >>>> The fact that psscan doesn't show results is definitely strange. >>> What >>> >>>> about the modscan command? >>> >>>> >>> >>>> Thanks! >>> >>>> MHL >>> >>>> >>> >>>> >>> >>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson &lt;dotcop(a)gmail.com&gt; >>> wrote: >>> >>>>> >>> >>>>> >>> >>>>> >>> >>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson &lt;dotcop(a)gmail.com&gt; >>> wrote: >>> >>>>>> >>> >>>>>> >>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f >>> >>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd >>> --profile=Win2008SP1x86 kdbgscan >>> >>>>>> >>> >>>>>> and... >>> >>>>>> >>> >>>>>> >>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f >>> >>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd >>> --profile=Win2008SP1x86 pslist >>> >>>>>> >>> >>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case &lt;atcuno(a)gmail.com&gt; >>> >>>>>> wrote: >>> >>>>>>> >>> >>>>>>> Can you paste the command line invocation you are running Vol >>> with? >>> >>>>>>> >>> >>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson &lt;dotcop(a)gmail.com&gt; >>> wrote: >>> >>>>>>> > I am using the 2.1 Windows standalone exe. >>> >>>>>>> > >>> >>>>>>> > I have a dd image of memory from the subject operating system >>> and >>> >>>>>>> > when I try >>> >>>>>>> > to use pslist with the Win2008SP1x86 profile I get the >>> following >>> >>>>>>> > errors: >>> >>>>>>> > >>> >>>>>>> > Traceback (most recent call last): >>> >>>>>>> > File "<string>", line 185, in <module> >>> >>>>>>> > File "<string>", line 176, in main >>> >>>>>>> > File >>> >>>>>>> > >>> >>>>>>> > >>> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", >>> >>>>>>> > line 111, in execute >>> >>>>>>> > File "C:\volatility\volatility\plugins\taskmods.py", line >>> 138, in >>> >>>>>>> > render_text >>> >>>>>>> > File >>> >>>>>>> > >>> >>>>>>> > >>> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", >>> >>>>>>> > line 72, in pslist >>> >>>>>>> > File >>> >>>>>>> > >>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", >>> >>>>>>> > line 40, in processes >>> >>>>>>> > AttributeError: Could not list tasks, please verify your >>> --profile >>> >>>>>>> > with >>> >>>>>>> > kdbgscan >>> >>>>>>> > >>> >>>>>>> > >>> >>>>>>> > When I try to verify my profile with kdbgscan I get the >>> following >>> >>>>>>> > for all >>> >>>>>>> > profiles: >>> >>>>>>> > >>> >>>>>>> > ************************************************** >>> >>>>>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 >>> 32bit) >>> >>>>>>> > Offset (V) : 0x8193ec90 >>> >>>>>>> > Offset (P) : 0x193ec90 >>> >>>>>>> > KDBG owner tag check : True >>> >>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86 >>> >>>>>>> > Version64 : 0x8193ec68 (Major: 15, Minor: >>> 6001) >>> >>>>>>> > Service Pack (CmNtCSDVersion) : 1 >>> >>>>>>> > Build string (NtBuildLab) : >>> 6001.18000.x86fre.longhorn_rtm.0 >>> >>>>>>> > PsActiveProcessHead : 0x81954990 (0 processes) >>> >>>>>>> > PsLoadedModuleList : 0x8195ec70 (0 modules) >>> >>>>>>> > KernelBase : 0x81847000 (Matches MZ: True) >>> >>>>>>> > Major (OptionalHeader) : 6 >>> >>>>>>> > Minor (OptionalHeader) : 0 >>> >>>>>>> > KPCR : 0x8193f800 (CPU 0) >>> >>>>>>> > KPCR : 0x803d1000 (CPU 1) >>> >>>>>>> > >>> >>>>>>> > Any help would be greatly appreciated. >>> >>>>>>> > >>> >>>>>>> > Jon >>> >>>>>>> > >>> >>>>>>> > _______________________________________________ >>> >>>>>>> > Vol-users mailing list >>> >>>>>>> > Vol-users(a)volatilityfoundation.org >>> >>>>>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>> >>>>>>> > >>> >>>>>> >>> >>>>>> >>> >>>>> >>> >>>>> >>> >>>>> _______________________________________________ >>> >>>>> Vol-users mailing list >>> >>>>> Vol-users(a)volatilityfoundation.org >>> >>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>> >>>>> >>> >>>> >>> >>> >>> >> >>> > >>> > >>> > _______________________________________________ >>> > Vol-users mailing list >>> > Vol-users(a)volatilityfoundation.org >>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>> > >>> >>> >>> >>> -- >>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 >>> >> >>