12:59 p.m.
The answer to that question was in previous email where I posted the entire
kdbgscan output. I believe the mdd was used to acquire the image.
On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh
<michael.hale(a)gmail.com>wrote:
Hey Jon,
Was there any more output from kdbgscan (other
than what you pasted
in the first email)? If so can you paste the entire output of kdbgscan,
please?
You didn't answer that question above...does that mean there is *not* any
additional kdbgscan output other than what you pasted in the first email?
Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
commands also? What software was used to acquire the memory dump?
Thanks,
MHL
On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
As far as modscan I also just get the header and
nothing further.
On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh <
michael.hale(a)gmail.com> wrote:
Hey Jon,
Was there any more output from kdbgscan (other than what you pasted in
the first email)? If so can you paste the entire output of kdbgscan, please?
The fact that psscan doesn't show results is definitely strange. What
about the modscan command?
Thanks!
MHL
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>
> and...
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>
> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com>wrote:
>
>> Can you paste the command line invocation you are running Vol with?
>>
>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
>> > I am using the 2.1 Windows standalone exe.
>> >
>> > I have a dd image of memory from the subject operating system and
>> when I try
>> > to use pslist with the Win2008SP1x86 profile I get the following
>> errors:
>> >
>> > Traceback (most recent call last):
>> > File "<string>", line 185, in <module>
>> > File "<string>", line 176, in main
>> > File
>> >
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> > line 111, in execute
>> > File "C:\volatility\volatility\plugins\taskmods.py", line 138,
in
>> > render_text
>> > File
>> >
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> > line 72, in pslist
>> > File
>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>> > line 40, in processes
>> > AttributeError: Could not list tasks, please verify your --profile
>> with
>> > kdbgscan
>> >
>> >
>> > When I try to verify my profile with kdbgscan I get the following
>> for all
>> > profiles:
>> >
>> > **************************************************
>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>> > Offset (V) : 0x8193ec90
>> > Offset (P) : 0x193ec90
>> > KDBG owner tag check : True
>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
>> > Service Pack (CmNtCSDVersion) : 1
>> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>> > PsActiveProcessHead : 0x81954990 (0 processes)
>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>> > KernelBase : 0x81847000 (Matches MZ: True)
>> > Major (OptionalHeader) : 6
>> > Minor (OptionalHeader) : 0
>> > KPCR : 0x8193f800 (CPU 0)
>> > KPCR : 0x803d1000 (CPU 1)
>> >
>> > Any help would be greatly appreciated.
>> >
>> > Jon
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>>
>
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users