On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling@gmail.com> wrote:
> Disclaimer:
>
> So I took Nir's files, and dropped them into my plugins folder...I did not
> see any new plugins using vol.py -h, and when I tried to do an imageinfo I
> got:
>
> /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
>
> Volatile Systems Volatility Framework 2.1_alpha
> Determining profile based on KDBG search...
>
> Traceback (most recent call last):
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>     main()
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>     command.execute()
>   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 34, in render_text
>     for k, v in data:
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 44, in calculate
>     suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 119, in calculate
>     for offset in scanner.scan(aspace):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 83, in scan
>     for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>     skip = max(skip, s.skip(data, i))
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>     nextval = data.index(self.tag, offset + 1)
> AttributeError: 'NoneType' object has no attribute 'index'
>
> So:
>
> # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>
> Volatile Systems Volatility Framework 2.1_alpha
> Offset(P)  Name             PID    PPID   PDB        Time created             Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> No suitable address space mapping found
> Tried to open image as:
> WindowsHiberFileSpace32: No base Address Space
> VMWareSnapshotFile: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> AMD64PagedMemory: No base Address Space
> JKIA32PagedMemory: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> WindowsHiberFileSpace32: No xpress signature found
> WindowsHiberFileSpace32: No xpress signature found
> VMWareSnapshotFile: ('Header signature invalid', 4026597203)
> WindowsCrashDumpSpace32: Header signature invalid
> AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
> JKIA32PagedMemory: Failed valid Address Space check
> JKIA32PagedMemoryPae: Failed valid Address Space check
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
>
> At least it doesn't crash. So now:
>
> # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 psscan
>
> Volatile Systems Volatility Framework 2.1_alpha
> Offset(P)  Name             PID    PPID   PDB        Time created             Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> Traceback (most recent call last):
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>     main()
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>     command.execute()
>   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
>     for eprocess in data:
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
>     for offset in PoolScanProcess().scan(address_space):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
>     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>     skip = max(skip, s.skip(data, i))
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>     nextval = data.index(self.tag, offset + 1)
> AttributeError: 'NoneType' object has no attribute 'index'
>
> # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>
> Volatile Systems Volatility Framework 2.1_alpha
> Offset(P)  Name             PID    PPID   PDB        Time created             Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> Traceback (most recent call last):
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>     main()
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>     command.execute()
>   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
>     for eprocess in data:
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
>     for offset in PoolScanProcess().scan(address_space):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
>     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>     skip = max(skip, s.skip(data, i))
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>     nextval = data.index(self.tag, offset + 1)
> AttributeError: 'NoneType' object has no attribute 'index'
>
> I have limited testing time the next couple of weeks, so I will look to see if I
> can share this with someone like SA in the meantime...
>
> Cheers,
>
> Jesse
>
>
> On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr@gmail.com> wrote:
>>
>> I assume you need it for something other than testing my patch.
>> I can send parts of the vmss of the machine in which I already noticed more than
>> one region.
>> Could you use that to gather the info you need?
>>
>> BTW, I'm also using VMware Converter Standalone pretty often; it might
>> also be related.
>>
>>
>> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters@4tphi.net> wrote:
>>> Nir,
>>>
>>>> AAron - actually it was quite rare, but the first vmss I used to test the patch
>>>> had two or three, which made my patch break when I first tested it on other
>>>> VMs.
>>>> I could try to pinpoint it, but I guess it would be easier for me to reverse
>>>> the VMware code than to try it manually :)
>>>> A thing to note is that that vmss also had two virtual CPUs, which might have
>>>> caused having more than one region. It also had ~4G of RAM; most of the other
>>>> VMs I used only had about 512M.
>>>> Did you try to run it on other vmss files that resemble the one I described?
>>>
>>> Interesting. I have never seen a vmss with multiple regions. If you
>>> happen to come across one again, please let me know. I'd be interested in
>>> what conditions or what product leads to more than one region.
>>>
>>> Thanks,
>>>
>>> AW
>>
>
> --
> Jesse Bowling
>
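All three tracebacks in the thread die in the same place: the scanner's skip() calls data.index() on a block that is None instead of bytes. The frames shown support the reading that scan.py reads a block from the address space and common.py then indexes it, so None most plausibly comes from the address space's read() for a region it cannot map (the psscan run without a profile shows the address space never loaded at all). That is an inference from the traceback, not something the thread states. Below is an added illustration of the failure mode and of the defensive handling a scanner can apply; it is not Volatility code and none of the names (ToyAddressSpace, tag_skip, scan, naive_crashes, TAG, BLOCKSIZE) or the 64-byte sample image come from the project.

```python
"""Toy pool-tag scanner showing why a None block crashes skip()
and how to treat an unreadable block as a gap instead.
Everything here is constructed for illustration; it is not Volatility code."""

BLOCKSIZE = 16          # constructed block size (real scanners use much larger blocks)
TAG = b"Proc"           # constructed tag; stands in for the scanner's self.tag


class ToyAddressSpace:
    """Constructed address space: a bytes image with one unmapped hole.

    read() returns None for any block that overlaps the hole, which is the
    behaviour assumed to produce the None seen in the mailing-list traceback.
    """

    def __init__(self, image, hole):
        self.image = image
        self.hole = hole            # (start, end), half-open byte range

    def read(self, offset, length):
        lo, hi = self.hole
        if offset < hi and offset + length > lo:
            return None             # unreadable region, reported as None
        return self.image[offset:offset + length]


def tag_skip(data, offset):
    """Fast-forward distance to the next TAG after `offset`.

    Mirrors the shape of the failing frame in the thread
    (nextval = data.index(self.tag, offset + 1)): if `data` is None this
    raises AttributeError exactly as common.py did.
    """
    try:
        nextval = data.index(TAG, offset + 1)
        return nextval - offset
    except ValueError:              # no further tag in this block
        return len(data) - offset


def scan(aspace, maxlen, tolerate_unreadable):
    """Walk the image block by block and return offsets where TAG appears.

    With tolerate_unreadable=True an unreadable block is skipped and the scan
    continues; with False the scan behaves like the thread's traceback.
    Tags straddling a block boundary are ignored, as in the toy model.
    """
    hits = []
    for block in range(0, maxlen, BLOCKSIZE):
        length = min(BLOCKSIZE, maxlen - block)
        data = aspace.read(block, length)
        if data is None and tolerate_unreadable:
            continue                # hardened path: gap, not a crash
        i = 0
        while i < length:
            skip = tag_skip(data, i)        # AttributeError here if data is None
            if data.startswith(TAG, i):
                hits.append(block + i)
            i += max(1, skip)
    return hits


def naive_crashes(aspace, maxlen):
    """True if the non-tolerant scan raises the same AttributeError as the thread."""
    try:
        scan(aspace, maxlen, tolerate_unreadable=False)
    except AttributeError:
        return True
    return False


def sample_space():
    """Constructed 64-byte image: TAG at offsets 4 and 40, bytes 16..32 unreadable."""
    image = b"\x00" * 4 + TAG + b"\x00" * 32 + TAG + b"\x00" * 20
    assert len(image) == 64
    return ToyAddressSpace(image, hole=(16, 32))


if __name__ == "__main__":
    space = sample_space()
    print("naive scan crashes:", naive_crashes(space, 64))          # True
    print("tolerant scan hits:", scan(space, 64, tolerate_unreadable=True))  # [4, 40]
```

The tolerant path is the defensive choice for forensic tooling: an unreadable region of a snapshot (whatever VMware product or region layout produced it) should cost the analyst coverage of that region, not the whole run, and ideally be logged so the gap is visible in the results.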