I'm sorry, that by far exceeds my knowledge about the hibernate stuff. I
don't even have a suitable file for testing on stock. Could someone else
please look into this?
Thanks,
Andreas
Mark Morgan:
Andreas,
Thanks for the quick reply. I changed the line as requested and here
is the error I get:
$ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/sandman/hiberfil.sys -d hiber.dd
Signature:
SystemTime: Thu Jan 01 00:00:00 1970
Control registers flags
CR0: 80010031
CR0[PAGING]: 1
CR3: 0afc0080
CR4: 000006f1
CR4[PSE]: 1
CR4[PAE]: 1
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
    (major,minor,build) = hiberAS.get_version()
  File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 467, in get_version
    ['_KGDTENTRY','BaseLow'], NtTibAddr)
  File "c:\Volatility-1.3_Beta\forensics\object.py", line 246, in read_obj
    return read_value(addr_space, current_type, vaddr + offset)
  File "c:\Volatility-1.3_Beta\forensics\object.py", line 71, in read_value
    buf = addr_space.read(vaddr, type_size)
  File "c:\Volatility-1.3_Beta\forensics\x86.py", line 313, in read
    paddr = self.vtop(vaddr)
  File "c:\Volatility-1.3_Beta\forensics\x86.py", line 294, in vtop
    if not self.entry_present(pdpe):
  File "c:\Volatility-1.3_Beta\forensics\x86.py", line 239, in entry_present
    if (entry & (0x00000001)) == 0x00000001:
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
And here is the portion of the hiber_addrspace.py that I changed:
from forensics.addrspace import FileAddressSpace
import forensics.x86
from forensics.object import *
from forensics.win32.xpress import xpress_decode
from thirdparty.progressbar import *
from forensics.win32.datetime import *
from vtypes import xpsp2types as types
from forensics.x86 import IA32PagedMemory,IA32PagedMemoryPae
Mark Morgan
On Tue, Oct 6, 2009 at 11:06 AM, Andreas Schuster
<a.schuster(a)yendor.net> wrote:
Mark,
Thank you for your bug report.
CR4[PAE]: 1
  File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version
    addr_space = IA32PagedMemoryPae(self,self.CR3)
NameError: global name 'IA32PagedMemoryPae' is not defined
I am wondering if it is because this is a sp3 box??? Any help would
be appreciated.
No, it happens because the system was in PAE mode (CR4[PAE]: 1), but the
programmer forgot to import the PAE address space.
Please edit forensics/win32/hiber_addrspace.py, line 43, to become:
from forensics.x86 import IA32PagedMemory, IA32PagedMemoryPae
Please let us know if this fixes the problem.
Thanks!
Andreas
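
The second traceback in this thread ends in entry_present() applying & to a page-directory-pointer entry that was None. As an added illustration (not Volatility's code and not part of the original messages), here is a PAE virtual-to-physical translation that treats an unreadable entry as not present. SparsePhysMem, vtop_pae, build_sample and all page-table values are constructed for this example; only the CR3 value is taken from the hibinfo output above.

```python
import struct

PRESENT, LARGE_PAGE = 0x01, 0x80
FRAME_4K = 0x000FFFFFFFFFF000   # bits 12..51: 4 KB frame / next-level table
FRAME_2M = 0x000FFFFFFFE00000   # bits 21..51: 2 MB large-page frame

class SparsePhysMem:  # constructed stand-in for a memory image; read() gives None on a gap
    def __init__(self):
        self.pages = {}
    def write_entry(self, paddr, value):
        page = self.pages.setdefault(paddr & ~0xFFF, bytearray(0x1000))
        struct.pack_into("<Q", page, paddr & 0xFFF, value)
    def read(self, paddr, length):
        page, off = self.pages.get(paddr & ~0xFFF), paddr & 0xFFF
        if page is None or off + length > 0x1000:
            return None
        return bytes(page[off:off + length])

def read_entry(mem, paddr):
    buf = mem.read(paddr, 8)
    return None if buf is None else struct.unpack("<Q", buf)[0]

def entry_present(entry):
    # None (unreadable entry) counts as not present rather than reaching the & test.
    return entry is not None and (entry & PRESENT) == PRESENT

def vtop_pae(mem, cr3, vaddr):
    """Translate a 32-bit virtual address under PAE; None if unmapped/unreadable."""
    pdpte = read_entry(mem, (cr3 & 0xFFFFFFE0) + ((vaddr >> 30) & 0x3) * 8)
    if not entry_present(pdpte):
        return None
    pde = read_entry(mem, (pdpte & FRAME_4K) + ((vaddr >> 21) & 0x1FF) * 8)
    if not entry_present(pde):
        return None
    if pde & LARGE_PAGE:
        return (pde & FRAME_2M) | (vaddr & 0x1FFFFF)
    pte = read_entry(mem, (pde & FRAME_4K) + ((vaddr >> 12) & 0x1FF) * 8)
    if not entry_present(pte):
        return None
    return (pte & FRAME_4K) | (vaddr & 0xFFF)

def build_sample(cr3=0x0AFC0080):      # CR3 from the hibinfo output; tables constructed
    mem = SparsePhysMem()
    mem.write_entry(cr3 + 2 * 8, 0x00200001)        # PDPTE 2 -> page directory at 0x200000
    mem.write_entry(cr3 + 3 * 8, 0x00500001)        # PDPTE 3 -> directory missing from image
    mem.write_entry(0x200000 + 2 * 8, 0x00300001)   # PDE 2 -> page table at 0x300000
    mem.write_entry(0x200000 + 5 * 8, 0x01600081)   # PDE 5 -> 2 MB page at 0x1600000
    mem.write_entry(0x300000 + 1 * 8, 0x00ABC001)   # PTE 1 -> frame 0xABC000
    return mem
```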