hrmmm strange... Am I missing something or are you asking about two
different samples? I see two different file names, but you're writing
this as if they are one. Are these raw memory samples? Do you have
any idea what the system might be? Have you tried any of the scanning
plugins? Which of these two samples did you run redline on and what
did you get back... any valid info?
On Thu, Oct 4, 2012 at 2:58 PM, David Kovar <dkovar(a)gmail.com> wrote:
Greetings,
I am unable to get a viable profile for two different images. I built V2.2 on a MacBook Pro running 10.8.2.
This one may be a bad image:
<kdbgscan returns silently>
DawnTreader:Mem Analysis kovar$ vol.py -f *dmp kdbgscan
Volatile Systems Volatility Framework 2.2
DawnTreader:Mem Analysis kovar$ vol.py -f *dmp imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted-27-09-2012-10-47-50.dmp)
PAE type : No PAE
----------------
But this one loads in Mandiant Redline but Volatility will not produce any valid results.
I've tried all three profiles with no success.
DawnTreader:Mem Analysis kovar$ vol.py -f *mem imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted_memdump.mem)
PAE type : PAE
DTB : 0x1595000L
KDBG : 0x808943e0
Number of Processors : 2
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000
KPCR for CPU 1 : 0xf772f000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-10-01 19:31:06 UTC+0000
Image local date and time : 2012-10-01 13:31:06 -0600
DawnTreader:Mem Analysis kovar$ vol.py -f *mem kdbgscan
Volatile Systems Volatility Framework 2.2
**************************************************
Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
Offset (P) : 0x8943e0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP1x86
Version64 : 0x8943b8 (Major: 15, Minor: 3790)
PsActiveProcessHead : 0x808ad0c8
PsLoadedModuleList : 0x808a6ea8
KernelBase : 0x80800000
**************************************************
Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
Offset (P) : 0x8943e0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP2x86
Version64 : 0x8943b8 (Major: 15, Minor: 3790)
PsActiveProcessHead : 0x808ad0c8
PsLoadedModuleList : 0x808a6ea8
KernelBase : 0x80800000
**************************************************
Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
Offset (P) : 0x8943e0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP0x86
Version64 : 0x8943b8 (Major: 15, Minor: 3790)
PsActiveProcessHead : 0x808ad0c8
PsLoadedModuleList : 0x808a6ea8
KernelBase : 0x80800000
DawnTreader:Mem Analysis kovar$ vol.py -f *mem --profile=Win2003SP0x86 pslist
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Win2003SP0x86 selected
JKIA32PagedMemory: No valid DTB found
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
-----
Thanks for any help you might be able to offer.
-David
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
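The failure in the quoted output is "No valid DTB found": kdbgscan located a KDBG block at physical 0x8943e0 (virtual 0x808943e0), but Volatility could not find a page directory base with which to build a paged address space, so every plugin that needs virtual-to-physical translation fails. The script below is an added illustration of what a DTB scan has to do, written for this reply; it is not Volatility's own DTB finder (Volatility 2 locates the DTB by scanning for the Idle process, not by the heuristic used here). It walks a raw image page by page looking for a 32-bit non-PAE page directory that maps itself at index 0x300 (the 0xC0000000 self-map used by 32-bit Windows), then validates each candidate by translating the KDBG virtual address through it and checking for the "KDBG" owner tag. The image in the thread reports PAE, so a real run against it would need the three-level PAE walk instead; the non-PAE walk, the +0x10 tag offset within the KDBG header and the tiny four-page image built by build_sample_image() are all assumptions made for this example.

```python
#!/usr/bin/env python3
"""Find and validate a 32-bit non-PAE Windows DTB in a raw memory image.

Added example, not Volatility code. Assumes 4 KB pages, non-PAE paging and
a KDBG owner tag 0x10 bytes into the KDBG block reached at KDBG_VA.
"""
import struct
import sys

PAGE = 0x1000
SELF_MAP_INDEX = 0x300   # PDE for 0xC0000000: 32-bit non-PAE Windows maps its page directory here
KDBG_VA = 0x808943E0     # virtual KDBG address reported by imageinfo in the thread
KDBG_TAG_OFFSET = 0x10   # assumption: offset of the 'KDBG' owner tag inside the header


def find_dtb_candidates(image):
    """Yield physical addresses of pages whose PDE[SELF_MAP_INDEX] points back at the page itself."""
    for pa in range(0, len(image) - PAGE + 1, PAGE):
        entry = struct.unpack_from("<I", image, pa + SELF_MAP_INDEX * 4)[0]
        if entry & 1 and (entry & 0xFFFFF000) == pa:   # present bit set, frame == this page
            yield pa


def translate(image, dtb, va):
    """Walk non-PAE page tables from dtb; return the physical address of va or None if unmapped."""
    pde_off = dtb + ((va >> 22) & 0x3FF) * 4
    if pde_off + 4 > len(image):
        return None
    pde = struct.unpack_from("<I", image, pde_off)[0]
    if not pde & 1:
        return None
    if pde & 0x80:                                   # PS bit: 4 MB large page
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte_off = (pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4
    if pte_off + 4 > len(image):
        return None
    pte = struct.unpack_from("<I", image, pte_off)[0]
    if not pte & 1:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def validate_dtb(image, dtb, kdbg_va=KDBG_VA):
    """A candidate DTB is only accepted if KDBG_VA translates to a page carrying the 'KDBG' tag."""
    pa = translate(image, dtb, kdbg_va)
    if pa is None or pa + KDBG_TAG_OFFSET + 4 > len(image):
        return False
    return image[pa + KDBG_TAG_OFFSET:pa + KDBG_TAG_OFFSET + 4] == b"KDBG"


def find_dtb(image, kdbg_va=KDBG_VA):
    """Return the first self-mapping page directory that also maps the KDBG tag, else None."""
    for dtb in find_dtb_candidates(image):
        if validate_dtb(image, dtb, kdbg_va):
            return dtb
    return None


def build_sample_image():
    """Constructed four-page image, not real memory: page 0 is a decoy that self-maps but maps
    nothing else; the page directory is at 0x1000, its page table at 0x2000, the KDBG page at 0x3000."""
    img = bytearray(4 * PAGE)
    pd, pt, data = 0x1000, 0x2000, 0x3000
    struct.pack_into("<I", img, 0 + SELF_MAP_INDEX * 4, 0 | 3)                 # decoy self-map
    struct.pack_into("<I", img, pd + SELF_MAP_INDEX * 4, pd | 3)               # real self-map
    struct.pack_into("<I", img, pd + ((KDBG_VA >> 22) & 0x3FF) * 4, pt | 3)    # PDE -> page table
    struct.pack_into("<I", img, pt + ((KDBG_VA >> 12) & 0x3FF) * 4, data | 3)  # PTE -> KDBG page
    tag_pa = data + (KDBG_VA & 0xFFF) + KDBG_TAG_OFFSET
    img[tag_pa:tag_pa + 4] = b"KDBG"
    return bytes(img)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for cand in find_dtb_candidates(image):
        print("candidate DTB 0x%x valid=%s" % (cand, validate_dtb(image, cand)))
    dtb = find_dtb(image)
    print("DTB: %s" % ("0x%x" % dtb if dtb is not None else "not found"))
```

Run it with no arguments to see the constructed image: page 0 is reported as a candidate and rejected, 0x1000 is accepted. Against a real raw image the same loop is what tells you whether the problem is the image (no page directory survives, which is what a truncated or non-raw dump looks like) or the profile (a page directory is found but the KDBG address from the chosen profile does not translate to a tagged block).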