Can you do:
addrspace().base
in volshell?
If base is FileAddressSpace then it's a raw file. If it's
ELF/crash/hibernation/etc. then it's not.
I am pretty sure pmem would default to ELF or similar. Not many tools do
raw files anymore because of how big 64-bit ones can get with gaps in
the physical address space.
Thanks,
Andrew (@attrc)
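Added example, not code from this thread, from Andrew or Michael, or from the Volatility project. It puts three checks that come up in this thread into stand-alone Python: the raw-versus-container sniff behind the addrspace().base advice above (the PAGEDUMP and QEVM magics come from the xxd output quoted further down; the PAGEDU64, ELF and hibernation signatures are added from general knowledge of those formats), a parser for strings-plugin lines such as "183190042 [3156:0189321a]" that shows why a hit outside the procdump range needs memdump or vaddump, and the page-alignment, kernel-range and MZ checks Michael describes further down for the odd modscan base 0x48706657040b0003. The address-space reader, the sample module headers and the 0xfffff8 prefix check are constructed for the example and are not Volatility APIs.

```python
# Added example, not code from this thread or from the Volatility project.
# Three checks raised in this thread, as stand-alone Python:
#   sniff_format()       raw image, or a container whose header shifts the
#                        offsets that `strings -t d` reports?
#   parse_strings_hit()  split a strings-plugin line into offset, owner and
#                        virtual address, then compare a [pid:vaddr] hit
#                        against the range procdump actually wrote
#   check_module_base()  does a modscan base look like a loaded module?
from __future__ import annotations

import re
from typing import Callable, Dict, List, Optional, Tuple

# "PAGEDUMP" and "QEVM" are the magics in the xxd output quoted in this thread.
# "PAGEDU64", ELF and the hibernation signatures are added from general
# knowledge of those formats (assumption, not taken from the thread).
CONTAINER_MAGICS = (
    (b"PAGEDU64", "crashdump"), (b"PAGEDUMP", "crashdump"),
    (b"QEVM", "qemu"), (b"\x7fELF", "elf"),
    (b"hibr", "hibernation"), (b"HIBR", "hibernation"),
    (b"wake", "hibernation"), (b"WAKE", "hibernation"),
)

def sniff_format(header: bytes) -> str:
    """Classify an image from its leading bytes. "raw" means no container
    signature, i.e. file offset == physical address, which is what the
    strings plugin assumes; anything else should go through imagecopy first."""
    for magic, name in CONTAINER_MAGICS:
        if header.startswith(magic):
            return name
    return "raw"

# Lines look like "183190042 [3156:0189321a] <Search_String>" or
# "4397692928 [kernel:f9805ba44800] Copyright ...", as quoted in this thread.
_HIT = re.compile(r"^(\d+) \[([^:\]]+):([0-9a-fA-F]+)\]")

def parse_strings_hit(line: str) -> Optional[Tuple[int, str, int]]:
    """Return (physical offset, owner, virtual address) for a strings-plugin
    line, or None if the line is not in that shape. owner is the pid as
    printed, or "kernel"."""
    m = _HIT.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3), 16)

def inside_dumped_image(vaddr: int, image_base: int, dumped_size: int) -> bool:
    """procdump only writes [ImageBase, ImageBase + size); a hit outside that
    range needs memdump or vaddump instead."""
    return image_base <= vaddr < image_base + dumped_size

PAGE_SIZE = 0x1000
# The sample in this thread keeps its kernel modules at 0xfffff8... addresses;
# this prefix check is specific to that layout (assumption), not a general rule.
KERNEL_PREFIX = 0xFFFFF8

def check_module_base(base: int,
                      read: Optional[Callable[[int, int], Optional[bytes]]] = None) -> List[str]:
    """Reasons a modscan base looks like a false positive; empty means nothing
    stood out. Treat findings as a prompt to db(base) in volshell, not as a
    verdict: some rootkits load at non-page-aligned bases and an MZ header can
    be overwritten, both of which are pointed out in this thread."""
    findings: List[str] = []
    if base % PAGE_SIZE:
        findings.append("base is not page aligned")
    if (base >> 40) != KERNEL_PREFIX:
        findings.append("base is outside the 0xfffff8... kernel range")
    if read is not None:
        head = read(base, 2)
        if head is None:
            findings.append("base address is not readable")
        elif head != b"MZ":
            findings.append("no MZ signature at base")
    return findings

def make_reader(memory: Dict[int, bytes]) -> Callable[[int, int], Optional[bytes]]:
    """Reader over a constructed {address: bytes} map, standing in for the
    address space volshell gives you. Not a Volatility API."""
    def read(addr: int, length: int) -> Optional[bytes]:
        for start, data in memory.items():
            if start <= addr < start + len(data):
                chunk = data[addr - start:addr - start + length]
                return chunk if len(chunk) == length else None
        return None
    return read

# Constructed sample memory (not from the thread): one plausible module header
# and one whose MZ bytes were zeroed, the trick mentioned in the thread.
SAMPLE_MEMORY = {
    0xFFFFF80001234000: b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    0xFFFFF80001240000: b"\x00\x00\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
}
# Header bytes copied from the xxd output quoted in this thread.
CRASHDUMP_HEADER = bytes.fromhex("5041474544554d500f000000280a0000")
QEVM_HEADER = bytes.fromhex("5145564d00000003010000000105626c")

if __name__ == "__main__":
    for label, hdr in (("crashdump", CRASHDUMP_HEADER), ("qemu", QEVM_HEADER), ("zeros", b"\x00" * 16)):
        print(f"{label:9s} -> {sniff_format(hdr)}")
    _, owner, va = parse_strings_hit("183190042 [3156:0189321a] <Search_String>")
    # iwproxy.exe: base 0x400000, 3248128 bytes written by procdump (figures from the thread)
    print(f"pid {owner} hit {va:#x} inside procdump output: {inside_dumped_image(va, 0x400000, 3248128)}")
    reader = make_reader(SAMPLE_MEMORY)
    for base in (0x48706657040B0003, *SAMPLE_MEMORY):
        print(hex(base), check_module_base(base, reader) or "nothing stood out")
```

In a real session the reader would be the address space volshell already gives you (db(base) shows the same bytes), the sniff is what addrspace().base answers when it prints FileAddressSpace, and a non-raw result is the cue to run imagecopy before re-running strings.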
On 05/15/2015 11:23 AM, Gregory Pendergast wrote:
So, I thought it was a raw image. Now, not so sure. It was created using
the winpmem_1.6.2 defaults, with the simple command line:
winpmem_1.6.2 <output_filename>. The image is from a 64-bit system, so
it would have defaulted (as I understand it) to using PTE Remapping.
Here's the output of addrspace():
>>> addrspace()
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object
Thanks,
Greg
On Fri, May 15, 2015 at 11:57 AM, Michael Ligh <michael.ligh(a)mnin.org> wrote:
Hmm, that does not appear to sync up as expected. What format is your
memory dump? Strings requires a "raw" memory dump. You can check by
typing addrspace().base in volshell and if it's a raw memory dump
you'll see FileAddressSpace. If you don't have a raw memory image, use
the imagecopy plugin to create a raw memory dump from whatever format
you have and then translate the strings again.
MHL
On 5/15/15 11:48 AM, Gregory Pendergast wrote:
Thanks gentlemen. No worries there. I didn't take it badly. Sorry
for the oversight.
Correcting the command gives me output, but leaves me with a new
question. The string of interest seems nowhere to be found (maybe
it's unicode? I'm not sure how to tell...):
>>> db(0xf9805ba44800)
0xf9805ba44800  00 00 00 00 00 00 00 00 1b 00 01 00 28 00 00 00   ............(...
0xf9805ba44810  28 00 00 00 18 00 00 00 00 00 00 00 00 00 02 00   (...............
0xf9805ba44820  00 00 00 00 00 00 00 00 48 a4 83 08 a0 f8 ff ff   ........H.......
0xf9805ba44830  06 09 65 f1 02 00 00 00 00 00 00 00 00 00 00 00   ..e.............
0xf9805ba44840  00 00 00 00 00 00 00 00 a8 00 00 00 00 00 00 00   ................
0xf9805ba44850  01 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00   ....@...........
0xf9805ba44860  07 00 07 00 28 00 40 00 68 00 40 00 18 00 01 00   ....(.@.h.@.....
0xf9805ba44870  38 00 20 00 04 00 02 00 0b 9e 00 00 00 00 00 00   8...............
>>> db(0xf9805ba44800,length=0xFF)
0xf9805ba44800  00 00 00 00 00 00 00 00 1b 00 01 00 28 00 00 00   ............(...
0xf9805ba44810  28 00 00 00 18 00 00 00 00 00 00 00 00 00 02 00   (...............
0xf9805ba44820  00 00 00 00 00 00 00 00 48 a4 83 08 a0 f8 ff ff   ........H.......
0xf9805ba44830  06 09 65 f1 02 00 00 00 00 00 00 00 00 00 00 00   ..e.............
0xf9805ba44840  00 00 00 00 00 00 00 00 a8 00 00 00 00 00 00 00   ................
0xf9805ba44850  01 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00   ....@...........
0xf9805ba44860  07 00 07 00 28 00 40 00 68 00 40 00 18 00 01 00   ....(.@.h.@.....
0xf9805ba44870  38 00 20 00 04 00 02 00 0b 9e 00 00 00 00 00 00   8...............
0xf9805ba44880  50 14 9e 00 00 00 00 00 03 ee e4 ad 6d 83 d0 01   P...........m...
0xf9805ba44890  03 ee e4 ad 6d 83 d0 01 18 24 3a 05 d4 82 d0 01   ....m....$:.....
0xf9805ba448a0  26 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00   &...............
0xf9805ba448b0  00 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00   ................
0xf9805ba448c0  a0 3f 54 90 00 00 00 00 f2 c6 e4 ad 6d 83 d0 01   .?T.........m...
0xf9805ba448d0  f2 c6 e4 ad 6d 83 d0 01 18 24 3a 05 d4 82 d0 01   ....m....$:.....
Here's the string I expect to see based on the strings output:
4397692928 [kernel:f9805ba44800] Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware,
Ltd. ALL RIGHTS RESERVED.
Thanks again for the help. Greg
On Fri, May 15, 2015 at 11:30 AM, Michael Ligh <michael.ligh(a)mnin.org> wrote:
Hey Greg....Andrew just (to my surprise) asked me why I was being
"rough" on you, so I apologize if that's how it came across...the
goal was just to point out the issue as fast as possible.
MHL
On 5/15/15 11:15 AM, Michael Ligh wrote:
> My command:
> db(0xf9805ba44800)
> Your command:
> db(f9805ba44800)
> The missing 0x in front makes Python think f9805ba44800 is a
> variable name rather than a number.
> On 5/15/15 11:05 AM, Gregory Pendergast wrote:
>> Thanks Michael. I did try that, and received an error. That's
>> why I thought I must be doing/forgetting something stupid. Now
>> that I'm back at my analysis machine, here's the output:
>>
>> >>> db(f9805ba44800)
>> Traceback (most recent call last):
>>   File "<console>", line 1, in <module>
>> NameError: name 'f9805ba44800' is not defined
>> >>> addrspace()
>> <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0xbef520c>
>>
>> Note that I'm using Volatility through the VM provided for the
>> most recent class in Reston, in case the version is in
>> question. The profile for this sample is Win7SP1x64.
>> Thanks, Greg
>> On Fri, May 15, 2015 at 10:49 AM, Michael Ligh <michael.ligh(a)mnin.org> wrote:
>> You would just type db(0xf9805ba44800) in volshell (or
>> whatever other address you want to see).
>> <https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#volshell>
>> I would also search an electronic copy of the AMF book for
>> "volshell" - there are lots of examples.
>> On 5/14/15 10:52 PM, Gregory Pendergast wrote:
>>> Thanks Michael. Regarding the latter part of inspecting the
>>> data around the strings, that's where I really need the help.
>>> I know I can accomplish that with volshell, but I'm not
>>> proficient enough yet to know how to get at it.
>>> If you could provide the necessary commands to get at the
>>> data around this hit [kernel:f9805ba44800] as an example,
>>> that would be most helpful.
>>> I'm sure I was doing something n00bishly wrong, but I could
>>> never get to the point of displaying the data around that
>>> location. I'd be more specific about my attempts, but I'm
>>> not in front of my analysis machine right now and don't
>>> recall exactly what I tried.
>>> thanks, greg
>>> On May 14, 2015, at 9:39 PM, Michael Ligh <michael.ligh(a)mnin.org> wrote:
>>>> I wouldn't think the module at 0x48706657040b0003 requires
>>>> investigation. Not only because it's not in the 0xfffff8 range,
>>>> but you might notice legitimate modules are typically loaded
>>>> at page aligned base addresses (not XXX0003). Your result
>>>> looks like a false positive and given the way modscan works
>>>> (pool scanning) it's probably a partially overwritten
>>>> structure in free/deallocated memory. We *could* put a sanity
>>>> check in the code to suppress entries that aren't loaded at
>>>> page aligned addresses, but there are a few exceptions where
>>>> you'll have modules loaded from non-page aligned addresses.
>>>> For example, we just looked at a rootkit today in class that
>>>> is loaded at 0x81b91b80 (on a 32-bit system). Jared's advice
>>>> is also good - if you ever suspect something like this again,
>>>> you can use volshell to display the data at the alleged base
>>>> address and see what's there. If it's not an MZ signature,
>>>> then it's probably not a currently loaded module (but keep in
>>>> mind you can overwrite the MZ with 00 or anything else as a
>>>> trick...but in that case you'll see real executable code not
>>>> too far away).
>>>>
>>>> I would suggest trying to figure out what downloaded the EXE
>>>> in the first place, so that you can determine what it does
>>>> after the download finishes (drop to disk and run, drop to
>>>> disk and run then delete, load directly into memory without
>>>> touching disk, etc). I would also inspect the data around the
>>>> strings you found in kernel and free memory - is it verbatim
>>>> with what you see in the pcap (i.e. just a copy of the
>>>> packet) or has it been altered (i.e. unpacked, executed,
>>>> expanded).
>>>>>>> On 5/14/15 4:31 PM, Gregory Pendergast wrote:
>>>>>>> Just as a follow up to my last reply, the shimcache plugin
>>>>>>> reported that there was no shimcache data, and the
>>>>>>> timeliner plugin didn't reveal anything apparently
>>>>>>> interesting except IE history related to the download.
>>>>>>>
>>>>>>> Thanks, Greg
>>>>>>>> On May 14, 2015, at 12:35 PM, Jared Greenhill <jared703(a)gmail.com> wrote:
>>>>>>>> Hey Greg,
>>>>>>>>
>>>>>>>> A couple thoughts/ideas:
>>>>>>>>
>>>>>>>> What was the initial reason for investigation- the
>>>>>>>> suspect EXE? Do you have a timeframe of the suspect
>>>>>>>> activity?
>>>>>>>>
>>>>>>>> What was the context around the suspect EXE
>>>>>>>> download, just the PCAP or? If so, did the memory
>>>>>>>> capture occur when there was still an active
>>>>>>>> connection? Sometimes this can be a dealbreaker when
>>>>>>>> the connection isn't there.
>>>>>>>>
>>>>>>>> Does moddump work on the module with that base
>>>>>>>> address? If so, what type of strings are you seeing?
>>>>>>>>
>>>>>>>> As far as execution goes, does the shimcache plugin
>>>>>>>> provide any results around the time of interest?
>>>>>>>> Assuming you have a time of interest, you could also
>>>>>>>> try the timeliner plugin to pull in other temporal
>>>>>>>> artifacts to hone in around that suspect time.
>>>>>>>>
>>>>>>>> hope this helps, Jared - @jared703
>>>>>>>>
>>>>>>>> On Tue, May 12, 2015 at 3:36 PM, Gregory Pendergast <greg.pendergast(a)gmail.com> wrote:
>>>>>>>> Greeting,
>>>>>>>>
>>>>>>>> I'm examining a memory sample (captured locally with
>>>>>>>> winpmem_1.6.2) <yeah...i know...>
>>>>>>>>
>>>>>>>> Modscan shows one apparently strange module that has
>>>>>>>> no name and no file listed. The base address space
>>>>>>>> also seems way out of whack for the rest of the
>>>>>>>> sample.
>>>>>>>>
>>>>>>>> So all I have are offset, base, and size:
>>>>>>>> 0x000000023a80b540 0x48706657040b0003 0xf3a54f0
>>>>>>>>
>>>>>>>> In particular, that base address seems way out of
>>>>>>>> range compared to everything else in 0xfffff8....
>>>>>>>> space
>>>>>>>>
>>>>>>>> How can I tell if this is an error of some kind in
>>>>>>>> the captured sample versus a legitimate anomaly that
>>>>>>>> bears investigation?
>>>>>>>>
>>>>>>>> Lastly, and pardon me if this is a n00b question,
>>>>>>>> but how can I determine why specific strings appear
>>>>>>>> in kernel memory (based on strings plugin output)?
>>>>>>>> For context, I have a suspicious executable download,
>>>>>>>> but there appears to be no evidence of the file in
>>>>>>>> $MFT (I don't have access to UsnJrnl) and I'm trying
>>>>>>>> to find out what happened to it and whether it ran.
>>>>>>>> Strings from the executable (obtained from pcap) do
>>>>>>>> appear in Free Memory and Kernel memory, but I'm not
>>>>>>>> clear whether that's a symptom of the download or a
>>>>>>>> sign of execution.
>>>>>>>>
>>>>>>>> Thanks, greg
>>>>>>>>
>>>>>>>>> On May 11, 2015, at 11:30 AM, Torres, Geoff (Cyber Security) <geoff.torres(a)hp.com> wrote:
>>>>>>>>> Thanks Michael,
>>>>>>>>>
>>>>>>>>> I confirm that I now see what I was expecting. Sorry for the
>>>>>>>>> rookie mistake.
>>>>>>>>>
>>>>>>>>> I *really* need to get to your class...
>>>>>>>>>
>>>>>>>>> Geoff
>>>>>>>>>
>>>>>>>>>> Don't be afraid to tell me I'm doing something
>>>>>>>>>> stupid... :-)
>>>>>>>>>
>>>>>>>>> I only said that because I didn't think I was...
>>>>>>>>> :-P
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: vol-users-bounces(a)volatilityfoundation.org
>>>>>>>>> [mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of Michael Ligh
>>>>>>>>> Sent: Saturday, May 09, 2015 9:00 AM
>>>>>>>>> To: vol-users(a)volatilityfoundation.org
>>>>>>>>> Subject: Re: [Vol-users] Output of strings not found in memdump
>>>>>>>>> output - QEMU/QEVM sample
>>>>>>>>> Hi Geoff,
>>>>>>>>>
>>>>>>>>> The key to get strings working is to make sure you have a raw
>>>>>>>>> memory dump. lqs2mem *should* give you that,
>>>>>>>>> however I've not personally used it before.
>>>>>>>>>
>>>>>>>>> One discrepancy I see with your logic is regarding
>>>>>>>>> this line:
>>>>>>>>>
>>>>>>>>> memory_dump.ram.vol.strings:183190042 [3156:0189321a] <Search_String>
>>>>>>>>>
>>>>>>>>> It tells you the search string is at virtual address
>>>>>>>>> 0189321a in pid 3156. You then dumped the *executable* for pid
>>>>>>>>> 3156 which gives you memory from the base of the
>>>>>>>>> exe 400000 to its base + size (nowhere near
>>>>>>>>> 0189321a).
>>>>>>>>>
>>>>>>>>> Try using the memdump or vaddump plugins on 3156
>>>>>>>>> instead. That will give you ALL of the process's addressable
>>>>>>>>> memory, not just the range that contains the exe.
>>>>>>>>>
>>>>>>>>> MHL
>>>>>>>>>
>>>>>>>>>>> On 5/7/15 3:03 PM, Torres, Geoff (Cyber Security) wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Sorry for the 'me too' response, but I'm having this exact same
>>>>>>>>>>> problem. However, the main difference is that I'm using a 'QEMU'
>>>>>>>>>>> memory image (Hex dump sig is QEVM in the first 4 bytes) from a
>>>>>>>>>>> cloud instance.
>>>>>>>>>>>
>>>>>>>>>>> I've converted these in the past using the 'lqs2mem' tool written by
>>>>>>>>>>> Juerg Haefliger and Andrew Tappert and it's worked perfectly for the
>>>>>>>>>>> 'netscan' and 'ps' type plugins. However, I haven't needed to dump
>>>>>>>>>>> processes before and look for specific strings. I can locate the
>>>>>>>>>>> strings in the converted image, but it's not translating to the
>>>>>>>>>>> processes that are identified by the 'strings' plugin.
>>>>>>>>>>>
>>>>>>>>>>> Here's the steps I've been taking -
>>>>>>>>>>>
>>>>>>>>>>> ## Memory dump info
>>>>>>>>>>> > ll memory_dump
>>>>>>>>>>> -rw------- 1 geoff citsirt 7579914273 Apr 27 13:36 memory_dump
>>>>>>>>>>>
>>>>>>>>>>> > file memory_dump
>>>>>>>>>>> memory_dump: QEMU suspend to disk image
>>>>>>>>>>>
>>>>>>>>>>> > xxd memory_dump | head -n1
>>>>>>>>>>> 0000000: 5145 564d 0000 0003 0100 0000 0105 626c  QEVM..........bl
>>>>>>>>>>>
>>>>>>>>>>> ## Convert the dump
>>>>>>>>>>> > lqs2mem -w pc.ram memory_dump memory_dump.ram
>>>>>>>>>>> section = pc.ram size = 8192 [MB] 8589934592 [bytes]
>>>>>>>>>>> section = pc.bios size = 128 [KB] 131072 [bytes]
>>>>>>>>>>> section = pc.rom size = 128 [KB] 131072 [bytes]
>>>>>>>>>>> section = vga.vram size = 16 [MB] 16777216 [bytes]
>>>>>>>>>>> section = 0000:00:02.0/cirrus_vga.rom size = 64 [KB] 65536 [bytes]
>>>>>>>>>>> Wrote 8589934592 bytes from section 'pc.ram' to file memory_dump.ram
>>>>>>>>>>>
>>>>>>>>>>> ## Create the strings file
>>>>>>>>>>> > strings -a -t d memory_dump.ram > memory_dump.ram.strings
>>>>>>>>>>> > strings -a -t d -el memory_dump.ram >> memory_dump.ram.strings
>>>>>>>>>>>
>>>>>>>>>>> ## Create the volatility strings file
>>>>>>>>>>> > python /data/download/apps/forensic_tools/volatility/vol.py -f memory_dump.ram --profile=Win2008SP2x64 strings -s --output-file=memory_dump.ram.vol.strings
>>>>>>>>>>>
>>>>>>>>>>> > ll memory_dump.ram.strings memory_dump.ram.vol.strings
>>>>>>>>>>> -rw-rw-r-- 1 geoff citsirt 2914258187 May 7 08:58 memory_dump.ram.strings
>>>>>>>>>>> -rw-rw-r-- 1 geoff citsirt 4292775089 May 7 12:17 memory_dump.ram.vol.strings
>>>>>>>>>>>
>>>>>>>>>>> ## '<Search_String>' is found in both string files as expected
>>>>>>>>>>> > fgrep <Search_String> memory_dump.ram.strings memory_dump.ram.vol.strings
>>>>>>>>>>> memory_dump.ram.strings:183190042 <Search_String>
>>>>>>>>>>> memory_dump.ram.vol.strings:183190042 [3156:0189321a] <Search_String>
>>>>>>>>>>>
>>>>>>>>>>> ## Dump process 3156 as identified by volatility
>>>>>>>>>>> > python /data/download/apps/forensic_tools/volatility/vol.py -f memory_dump.ram --profile=Win2008SP2x64 procdump -p 3156 -D processes -m
>>>>>>>>>>> Volatility Foundation Volatility Framework 2.4
>>>>>>>>>>> Process(V)         ImageBase          Name                 Result
>>>>>>>>>>> ------------------ ------------------ -------------------- ------
>>>>>>>>>>> 0xfffffa800a4e6370 0x0000000000400000 iwproxy.exe          OK: executable.3156.exe
>>>>>>>>>>>
>>>>>>>>>>> > ll processes/executable.3156.exe
>>>>>>>>>>> -rw-rw-r-- 1 geoff citsirt 3248128 May 7 12:35 processes/executable.3156.exe
>>>>>>>>>>>
>>>>>>>>>>> ## '<Search_String>' not found in the dumped executable
>>>>>>>>>>> > strings -a processes/executable.3156.exe | fgrep <Search_String>
>>>>>>>>>>> > strings -a -el processes/executable.3156.exe | fgrep <Search_String>
>>>>>>>>>>>
>>>>>>>>>>> I've tried many different variations of the
>>>>>>>>>>> above steps and all have the same results.
>>>>>>>>>>>
>>>>>>>>>>> According to what I've read in this thread is
>>>>>>>>>>> that the issue is to make sure the original
>>>>>>>>>>> dump is properly converted. How can I do
>>>>>>>>>>> that? 'lqs2mem' has limited options.
>>>>>>>>>>>
>>>>>>>>>>> Any ideas on what I can do differently to get
>>>>>>>>>>> this to work?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Geoff
>>>>>>>>>>>
>>>>>>>>>>> Don't be afraid to tell me I'm doing something
>>>>>>>>>>> stupid... :-)
>>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: vol-users-bounces(a)volatilityfoundation.org
>>>>>>>>>>> [mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of Michael Ligh
>>>>>>>>>>> Sent: Tuesday, March 24, 2015 6:49 AM
>>>>>>>>>>> To: Bridgey theGeek
>>>>>>>>>>> Cc: vol-users(a)volatilityfoundation.org
>>>>>>>>>>> Subject: Re: [Vol-users] Output of strings not found in memdump output
>>>>>>>>>>>
>>>>>>>>>>> Perfect! Glad to hear all is good in the world ;-)
>>>>>>>>>>>
>>>>>>>>>>> MHL
>>>>>>>>>>>
>>>>>>>>>>>> On 3/24/15 5:05 AM, Bridgey theGeek wrote:
>>>>>>>>>>>> Awesome, thanks Michael.
>>>>>>>>>>>>
>>>>>>>>>>>> I generated a raw dump as follows, with the
>>>>>>>>>>>> vmsn and vmem files in the same folder:
>>>>>>>>>>>> $ python vol.py -f winxp.vmem --profile=WinXPSP2x86 imagecopy -O winxp.raw
>>>>>>>>>>>>
>>>>>>>>>>>> Then ran strings again (having generated a
>>>>>>>>>>>> new input text file because of course the
>>>>>>>>>>>> offsets will be different):
>>>>>>>>>>>> $ python vol.py -f winxp.raw --profile=WinXPSP2x86 strings -s pk.txt
>>>>>>>>>>>>
>>>>>>>>>>>> I was then able to find the banner at the
>>>>>>>>>>>> offsets reported by strings. And all was
>>>>>>>>>>>> good in the world.
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you very much for the support.
>>>>>>>>>>>>
>>>>>>>>>>>> Adam
>>>>>>>>>>>>
>>>>>>>>>>>> On 23 March 2015 at 19:39, Michael Ligh <michael.ligh(a)mnin.org> wrote:
>>>>>>>>>>>> Hey Adam,
>>>>>>>>>>>>
>>>>>>>>>>>> A few things:
>>>>>>>>>>>>
>>>>>>>>>>>> * Yes, vmss2core creates a windows crash dump
>>>>>>>>>>>> * You can use volatility on the original vmem/vmss by doing the following:
>>>>>>>>>>>>
>>>>>>>>>>>> * make sure both vmem and vmss files are in the same dir
>>>>>>>>>>>> * make sure they have the same base name (i.e. test.vmem and test.vmss)
>>>>>>>>>>>> * run your volatility plugins against the vmem
>>>>>>>>>>>>
>>>>>>>>>>>> In this case, it would also be required to generate a raw memory
>>>>>>>>>>>> dump before running strings. So you would use imagecopy on the vmem.
>>>>>>>>>>>>
>>>>>>>>>>>> LMK if that helps! Michael
>>>>>>>>>>>>
>>>>>>>>>>>>> On 3/23/15 10:51 AM, Bridgey theGeek wrote:
>>>>>>>>>>>>> Hi Michael,
>>>>>>>>>>>>>
>>>>>>>>>>>>> *sigh* When will I learn to check the
>>>>>>>>>>>>> origin of my samples?!
>>>>>>>>>>>>>
>>>>>>>>>>>>> The guy who provided me with the sample
>>>>>>>>>>>>> tells me that he took a snapshot of a
>>>>>>>>>>>>> VMWare machine and then used vmss2core to
>>>>>>>>>>>>> convert it. I BELIEVE that makes it into a
>>>>>>>>>>>>> Windows Memory Core Dump..?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I got hold of the original vmem and vmsn
>>>>>>>>>>>>> files. Trying to use imagecopy on the vmsn
>>>>>>>>>>>>> just replicated the input file. I think
>>>>>>>>>>>>> the header is not what Volatility would
>>>>>>>>>>>>> expect:
>>>>>>>>>>>>> $ xxd Windows\ XP\ Pro\ SP2\ \(32-bit\)-Snapshot49.vmsn | head
>>>>>>>>>>>>> 0000000: d2be d2be 0800 0000 6300 0000 4368 6563  ........c...Chec
>>>>>>>>>>>>> 0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000  kpoint..........
>>>>>>>>>>>>> 0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>>>>>>>>>>>> 0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>>>>>>>>>>>> 0000040: 0000 0000 0000 0000 0000 0000 fc1e 0000  ................
>>>>>>>>>>>>> 0000050: 0000 0000 ab03 0000 0000 0000 4775 6573  ............Gues
>>>>>>>>>>>>> 0000060: 7456 6172 7300 0000 0000 0000 0000 0000  tVars...........
>>>>>>>>>>>>> 0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>>>>>>>>>>>> 0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>>>>>>>>>>>> 0000090: 0000 0000 0000 0000 0000 0000 a722 0000  ............."..
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does that mean I can't use this with
>>>>>>>>>>>>> Volatility?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you, Adam
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 23 March 2015 at 14:57, Michael Ligh <michael.ligh(a)mnin.org> wrote:
>>>>>>>>>>>>> Hey Adam,
>>>>>>>>
>>
>>>>>>>>>>>>> We forgot to ask if the sample
was a raw
>>>>>>>>>>>>> memory dump. For example:
>>>>>>>>
>>
>>>>>>>>>>>>> $ xxd ~/Desktop/memory.dmp |
less
>>>>>>>>
>>
>>>>>>>>>>>>> 0000000: 5041 4745 4455 4d50
0f00 0000
>>>>>>>>>>>>> 280a 0000 PAGEDUMP....(... 0000010:
8001
>>>>>>>>>>>>> 6c07 00c0 e680 a031 5580 5892 5580
>>>>>>>>>>>>> ..l......1U.X.U. 0000020: 4c01 0000
0100
>>>>>>>>>>>>> 0000 8000 0000 5444 4f00
L...........TDO.
>>>>>>>>>>>>> 0000030: 0000 0000 0000 0000 0000
0000 5041
>>>>>>>>>>>>> 4745 ............PAGE 0000040: 5041
4745
>>>>>>>>>>>>> 5041 4745 5041 4745 5041 4745
>>>>>>>>>>>>> PAGEPAGEPAGEPAGE
>>>>>>>>
>>
>>>>>>>>>>>>> If its something like a crash
dump,
>>>>>>>>>>>>> hibernation, etc then the file
format
>>>>>>>>>>>>> headers throw off the offsets. You
can
>>>>>>>>>>>>> convert those special file types into
a
>>>>>>>>>>>>> raw memory dump with the imagecopy
plugin
>>>>>>>>>>>>> and then your strings translations
should
>>>>>>>>>>>>> be accurate.
>>>>>>>>
>>
>>>>>>>>>>>>> Cheers! MHL
>>>>>>>>
On 3/23/15 8:54 AM, Bridgey theGeek wrote:

Hi Andrew,

I was certain I was running the latest version, but just to be sure I grabbed the latest version. Same result, same offsets.

I can make the sample available, but more than happy to do whatever debugging needs doing (if I can!)

Adam
On 23 March 2015 at 13:03, Andrew Case <atcuno@gmail.com> wrote:
Are you using the latest git checkout of Volatility or the 2.4 release? Can you try the latest checkout and re-run Volatility strings (you can run it on just the offsets from PID 123 to make it faster).

If you are already on the latest checkout then we will need to debug further.

Thanks,
Andrew (@attrc)
On 03/23/2015 04:38 AM, Bridgey theGeek wrote:

Thanks Andrew:

python vol.py --profile=WinXPSP2x86 -f memory.dmp volshell -p 123
Volatility Foundation Volatility Framework 2.4
Current context: myapp.exe @ 0x822042f8, pid=123, ppid=392 DTB=0x76c0040
Welcome to volshell! Current memory image is: file:///home/memory.dmp
To get help, type 'hh()'
>>> db(0x75b6b4d8)
0x75b6b4d8 c3 7c 15 c7 85 00 ff ff ff 01 00 00 00 75 09 8d  .|...........u..
0x75b6b4e8 85 0c ff ff ff 50 ff 17 39 9d 00 ff ff ff 89 85  .....P..9.......
0x75b6b4f8 30 ff ff ff 74 12 6a 0c 8d 85 c4 fe ff ff 50 6a  0...t.j.......Pj
0x75b6b508 07 6a fe e8 ea 92 ff ff 83 bd 28 ff ff ff 0c 0f  .j........(.....
0x75b6b518 84 8c 59 00 00 e9 18 ff ff ff 90 90 47 00 6c 00  ..Y.........G.l.
0x75b6b528 6f 00 62 00 61 00 6c 00 5c 00 54 00 65 00 72 00  o.b.a.l.\.T.e.r.
0x75b6b538 6d 00 53 00 72 00 76 00 52 00 65 00 61 00 64 00  m.S.r.v.R.e.a.d.
0x75b6b548 79 00 45 00 76 00 65 00 6e 00 74 00 00 00 90 90  y.E.v.e.n.t.....

Nope, still no banner. But it is identical to what I find at 0x1a34d8 in 123.dmp. (As you'd expect.) Double-checked that I was searching Unicode and ASCII - still no luck.

Hmmm.

Adam
On 23 March 2015 at 04:02, Andrew Case <atcuno@gmail.com> wrote:
Can you do:

vol.py ... volshell -p 123

Then in volshell do:

db(0x75b6b4d8)

And see if you get the banner printed at the beginning?

Also, how are you searching 123.dmp? Did you search ASCII & Unicode (most common error)?

Thanks, Andrew (@attrc)
On 03/20/2015 03:59 PM, Bridgey theGeek wrote:

Hi all,

I can't quite see what's wrong with my logic here, but I must be missing something. Hoping someone can help me out.

I'm looking for a private key in a memory sample (WinXPSP2x86). Specifically, to find out which process/es is/are accessing it.

I can find the key by searching the raw memory dump (memory.dmp). As you might expect it's between:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

I generated an offset:string file by using strings. Then, using the strings plugin I get this output:

$ python vol.py -f memory.dmp --profile=WinXPSP2x86 strings -s pk.txt
Volatility Foundation Volatility Framework 2.4
188435934 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
188435968 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
317375704 [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY-----
317376575 [kernel:d2ab283f] -----END RSA PRIVATE KEY-----
417203416 [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY-----
417204287 [123:75b6b83f] -----END RSA PRIVATE KEY-----
419888606 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
419888640 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----

Lovely. So I now do a memdump of process 123:

$ python vol.py -f memory.dmp --profile=WinXPSP2x86 memdump --pid=123 --dump-dir=123
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing myapp.exe [   123] to 123.dmp

However, if I search 123.dmp neither the BEGIN nor the END strings are present.

So I thought I'd try and find it via the virtual address given, 0x75b6b4d8:

$ python vol.py -f memory.dmp --profile=WinXPSP2x86 memmap --pid=123
Virtual    Physical   Size       DumpFileOffset
---------- ---------- ---------- --------------
--SNIP--
0x75b6b000 0x18de0000 0x1000     0x1a3000
--SNIP--

The text is indeed at 0x18de04d8 in memory.dmp, but not at 0x1a34d8 in 123.dmp. Again, it's nowhere to be found in 123.dmp.

Any suggestions..??

Many thanks, Adam
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>>>>
>>
>>>>>>>>>>>
>>
>>>>>>>>>>>
>>
>> _______________________________________________
Vol-users
>>>>>>>>>>> mailing list
Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org
>>
>>>>>>>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
>>
>>>>>>>
>>>>>>
>>
>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>> _______________________________________________ Vol-users
>>>>>>>>>>> mailing list
Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org
>>
>>>>>>>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
>>
>>>>>>>
>>>>>
>>
>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>
>>
>> _______________________________________________
>>>>>>>>> Vol-users mailing list
>>>>>>>>> Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org
>>
>>>>>>>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
>>
>>>>>
>>>>>>
>>
>>>>>>
>>
>>>>>>
>>
>>>>>>
>>
>>>>>>
>>
>> _______________________________________________ Vol-users
>>>>>>>>> mailing list Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org
>>
>>>>>>>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
>>
>>>>>
>>>>>
>>
>>>>>>
>>
>>>>>>
>>
>>>>>>
>>
>>>>>>
>>
>> _______________________________________________ Vol-users
>> mailing
>>>>>>>> list Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org
>>
>>>>>>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
>>
>>>>
>>>>
>>
>>>>
>>
>>>>
>>
>>>>>
>>
>>>>>
>>
>>>>>
>>
>>>>>
>>
>>
_______________________________________________ Vol-users
>> mailing
>>>>>>> list Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org
>>
>>>
>
>>
>>>>
>>
>>>>
>>
>>>>
>>
>
_______________________________________________ Vol-users mailing
>>>> list Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org
>>
>>
_______________________________________________ Vol-users
>> mailing list Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
>
_______________________________________________ Vol-users
> mailing list Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
<mailto:Vol-users@volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>>
_______________________________________________
Vol-users mailing
list Vol-users(a)volatilityfoundation.org
<mailto:Vol-users@volatilityfoundation.org>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users