Disclaimer:

So I took Nir's files and dropped them into my plugins folder... I did not see any new plugins using vol.py -h, and when I tried to do an imageinfo I got:

/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...

Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 44, in calculate
    suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 119, in calculate
    for offset in scanner.scan(aspace):
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 83, in scan
    for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'

So:

# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
 Offset(P)  Name             PID    PPID   PDB        Time created             Time exited            
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
 WindowsHiberFileSpace32: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 WindowsHiberFileSpace32: No xpress signature found
 WindowsHiberFileSpace32: No xpress signature found
 VMWareSnapshotFile: ('Header signature invalid', 4026597203)
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
 JKIA32PagedMemory: Failed valid Address Space check
 JKIA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space

At least it doesn't crash. So now:

# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
 Offset(P)  Name             PID    PPID   PDB        Time created             Time exited            
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'

# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
 Offset(P)  Name             PID    PPID   PDB        Time created             Time exited            
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'

I have limited testing time the next couple weeks, so will look to see if I can share this with someone like SA in the meantime...

Cheers,

Jesse

On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr@gmail.com> wrote:
I assume you need it for something other than testing my patch.
I can send parts of the vmss of the machine where I already noticed more than one region.
Could you use that to gather the info you need?

btw, I'm also using VMware Converter Standalone pretty often; it might also be related.


On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters@4tphi.net> wrote:

Nir,


AAron - actually it was quite rare, but the first vmss I used to test the patch
had two or three, which made my patch break when I first tested it on other
VMs.
I could try to pinpoint it, but I guess it would be easier for me to reverse
the VMware code than try it manually :)
A thing to note is that that vmss also had two virtual CPUs, which might have
caused having more than one region. It also had ~4G of RAM. Most of the other
VMs I used only had about 512M.
Did you try to run it on other vmss files that resemble the one I described?

Interesting.  I have never seen a vmss with multiple regions. If you happen to come across one again, please let me know. I'd be interested in what conditions or what product leads to more than one region.

Thanks,

AW




--
Jesse Bowling
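The three tracebacks in this thread end in the same place: the scanner's skip() calls data.index() on a chunk that the address space returned as None instead of bytes, i.e. the read fell into a range the address space could not back (with an unrecognised vmss header there is effectively no mapped memory at all). The toy scanner below is an added example to illustrate that failure and the guard against it; it is not Volatility's code and not anyone's patch from this thread. The address space, the chunk size, the b"Proc" tag and the two-region layout with a hole between them are constructed stand-ins, not a real vmss layout or a real pool tag.

```python
"""Toy pool-tag scanner: shows why a scan dies with
"'NoneType' object has no attribute 'index'" when a chunk read returns None,
and the guarded form that only reads mapped ranges.
Added example, not Volatility's code. All names, sizes and the sample layout
below are constructed stand-ins."""

CHUNK = 0x1000   # constructed scan block size (not Volatility's real value)
TAG = b"Proc"    # constructed stand-in for a 4-byte pool tag (not the real psscan tag)


class SparseAddressSpace:
    """Stand-in for an address space with unmapped holes. read() returns None
    for any request not fully backed by one region, which is the value that
    ends up in skip() in the tracebacks above."""

    def __init__(self, regions):
        # regions: list of (base, bytes), constructed and non-overlapping
        self.regions = sorted(regions)

    def read(self, offset, length):
        for base, data in self.regions:
            if base <= offset and offset + length <= base + len(data):
                return data[offset - base:offset - base + length]
        return None  # hole: nothing mapped here

    def get_available_addresses(self):
        for base, data in self.regions:
            yield base, len(data)


class PoolTagCheck:
    """Tag check in the shape of a Volatility scanner check: check() tests one
    offset, skip() says how far the scanner may jump (search starts at offset + 1)."""

    def __init__(self, tag):
        self.tag = tag

    def check(self, data, offset):
        return data[offset:offset + len(self.tag)] == self.tag

    def skip(self, data, offset):
        try:
            return data.index(self.tag, offset + 1) - offset  # None.index -> AttributeError
        except ValueError:
            return len(data) - offset                         # no further tag in this chunk


def _scan_chunk(checker, data, length, base, hits):
    # No chunk overlap in this toy, so a tag straddling a chunk boundary is missed.
    i = 0
    while i < length:
        skip = checker.skip(data, i)   # the call that blows up when data is None
        if checker.check(data, i):
            hits.append(base + i)
        i += max(1, skip)


def scan_linear(aspace, checker, start, maxlen):
    """Unguarded: reads every chunk in [start, start + maxlen) whether mapped
    or not, and hands a None read straight to the checker."""
    hits = []
    offset, end = start, start + maxlen
    while offset < end:
        length = min(CHUNK, end - offset)
        _scan_chunk(checker, aspace.read(offset, length), length, offset, hits)
        offset += length
    return hits


def scan_available(aspace, checker):
    """Guarded: walk only the ranges the address space reports as mapped, and
    treat a failed read as a hole to step over rather than data to index."""
    hits = []
    for base, size in sorted(aspace.get_available_addresses()):
        offset, end = base, base + size
        while offset < end:
            length = min(CHUNK, end - offset)
            data = aspace.read(offset, length)
            if data is None:        # guard: unreadable chunk, skip it
                offset += length
                continue
            _scan_chunk(checker, data, length, offset, hits)
            offset += length
    return hits


def build_sample_space():
    """Constructed layout: region A at 0x1000 (0x2000 bytes), region B at 0x8000
    (0x1000 bytes), and an unmapped hole from 0x3000 to 0x8000."""
    region_a = bytearray(0x2000)
    region_a[0x40:0x44] = TAG
    region_a[0x1f00:0x1f04] = TAG
    region_b = bytearray(0x1000)
    region_b[0x10:0x14] = TAG
    return SparseAddressSpace([(0x1000, bytes(region_a)), (0x8000, bytes(region_b))])


def linear_scan_outcome(aspace, checker, start, maxlen):
    """Returns ('ok', hits) or ('error', exception class name) for the unguarded scan."""
    try:
        return "ok", scan_linear(aspace, checker, start, maxlen)
    except AttributeError as exc:
        return "error", type(exc).__name__


if __name__ == "__main__":
    space = build_sample_space()
    print(linear_scan_outcome(space, PoolTagCheck(TAG), 0x1000, 0x8000))
    print([hex(h) for h in scan_available(space, PoolTagCheck(TAG))])
```

The unguarded scan finds the two tags in the first region and then dies as soon as it reads into the hole; the guarded scan returns all three hits. Walking get_available_addresses() is the structural fix; the `if data is None` check is the belt-and-braces guard for an address space whose reported ranges and actual reads disagree, which is exactly the kind of mismatch a multi-region vmss could produce.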