Sure thing...
# vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ -------------------- --------------------
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 185, in <module>
    main()
  File "/usr/local/bin/vol.py", line 176, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-1977/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/filescan.py", line 444, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/filescan.py", line 427, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-1977/volatility/scan.py", line 220, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-1977/volatility/scan.py", line 138, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/common.py", line 55, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
With may01 version:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
On Fri, Jul 6, 2012 at 11:01 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Even though there might be an issue with the vmss address space, if it had succeeded, you would still have to specify the profile like so:
$ vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Could you try one time like that just to be sure?
On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Seems better:
root@Forensic-1:/case2/4132012/biweb/mem# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...
On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
>
> Try to place them in volatility/plugins/addrspaces/ instead and then
> do a `make clean` before running
>
>
>
> On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
> > Disclaimer:
> >
> > So I took Nir's files, and dropped them into my plugins folder...I did not see any new plugins using vol.py -h, and when I tried to do an imageinfo I got:
> >
> > /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Determining profile based on KDBG search...
> >
> > Traceback (most recent call last):
> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
> >     main()
> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
> >     command.execute()
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
> >     func(outfd, data)
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 34, in render_text
> >     for k, v in data:
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 44, in calculate
> >     suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 119, in calculate
> >     for offset in scanner.scan(aspace):
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 83, in scan
> >     for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
> >     skip = max(skip, s.skip(data, i))
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
> >     nextval = data.index(self.tag, offset + 1)
> > AttributeError: 'NoneType' object has no attribute 'index'
> >
> > So:
> >
> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Offset(P) Name PID PPID PDB Time created Time exited
> > ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> > No suitable address space mapping found
> > Tried to open image as:
> > WindowsHiberFileSpace32: No base Address Space
> > VMWareSnapshotFile: No base Address Space
> > WindowsCrashDumpSpace32: No base Address Space
> > AMD64PagedMemory: No base Address Space
> > JKIA32PagedMemory: No base Address Space
> > JKIA32PagedMemoryPae: No base Address Space
> > IA32PagedMemoryPae: Module disabled
> > IA32PagedMemory: Module disabled
> > WindowsHiberFileSpace32: No xpress signature found
> > WindowsHiberFileSpace32: No xpress signature found
> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
> > WindowsCrashDumpSpace32: Header signature invalid
> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
> > JKIA32PagedMemory: Failed valid Address Space check
> > JKIA32PagedMemoryPae: Failed valid Address Space check
> > IA32PagedMemoryPae: Module disabled
> > IA32PagedMemory: Module disabled
> > FileAddressSpace: Must be first Address Space
> >
> > At least it doesn't crash. So now:
> >
> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 psscan
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Offset(P) Name PID PPID PDB Time created Time exited
> > ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> > Traceback (most recent call last):
> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
> >     main()
> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
> >     command.execute()
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
> >     func(outfd, data)
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
> >     for eprocess in data:
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
> >     for offset in PoolScanProcess().scan(address_space):
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
> >     for i in BaseScanner.scan(self, address_space, offset, maxlen):
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
> >     skip = max(skip, s.skip(data, i))
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
> >     nextval = data.index(self.tag, offset + 1)
> > AttributeError: 'NoneType' object has no attribute 'index'
> >
> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Offset(P) Name PID PPID PDB Time created Time exited
> > ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> > Traceback (most recent call last):
> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
> >     main()
> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
> >     command.execute()
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
> >     func(outfd, data)
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
> >     for eprocess in data:
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
> >     for offset in PoolScanProcess().scan(address_space):
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
> >     for i in BaseScanner.scan(self, address_space, offset, maxlen):
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
> >     skip = max(skip, s.skip(data, i))
> >   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
> >     nextval = data.index(self.tag, offset + 1)
> > AttributeError: 'NoneType' object has no attribute 'index'
> >
> > I have limited testing time the next couple weeks, so will look to see if I can share this with someone like SA in the meantime...
> >
> > Cheers,
> >
> > Jesse
> >
> >
> > On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
> >>
> >> I assume you need it for something other than test my patch,
> >> I can send parts of the vmss of the machine I already noticed more than one region.
> >> could you use that to gather the info you need?
> >>
> >> btw, I'm also using vmware converter standalone pretty often, it might also be related
> >>
> >>
> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net> wrote:
> >>>
> >>>
> >>> Nir,
> >>>
> >>>
> >>>> AAron - actually it was quite rare, but the first vmss I used to test the patch
> >>>> had two or three, which made my patch break when i first tested it on other VMs.
> >>>> I could try to pinpoint it, but i guess it would be easier for me to reverse
> >>>> the vmware code than try it manually :)
> >>>> A thing to note is that that vmss also had two virtual CPUs, which might have
> >>>> caused having more than one region. it also had ~4G of RAM. most of the other
> >>>> VMs i used only had about 512M.
> >>>> did you try to run it on other vmss files that resemble the one i described?
> >>>
> >>>
> >>> Interesting. I have never seen a vmss with multiple regions. If you
> >>> happen to come across one again, please let me know. I'd be interested in
> >>> what conditions or what product leads to more than one region.
> >>>
> >>> Thanks,
> >>>
> >>> AW
>
>
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
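An added illustration of the failure mode in the tracebacks above (this is not Volatility's code and not from anyone in the thread): a minimal pool-tag scanner modelled on the scan()/skip() loop, run over a constructed stand-in address space whose read() returns None for an unmapped region. That None is what reaches data.index() in common.py and raises the AttributeError; the guarded variant skips the unreadable chunk instead. SampleAddressSpace, build_sample() and the hole layout are assumptions made for the demo.

```python
PROCESS_POOL_TAG = b"Pro\xe3"  # the pool tag Volatility's process pool scanner looks for


class SampleAddressSpace:
    """Constructed stand-in for an address space (not the real Volatility class)."""

    def __init__(self, image, unmapped):
        self.image = image        # bytes of the whole image
        self.unmapped = unmapped  # [(start, length)] ranges that cannot be mapped

    def read(self, offset, length):
        # Like read(): None as soon as any part of the range is unmapped
        for start, size in self.unmapped:
            if offset < start + size and start < offset + length:
                return None
        return self.image[offset:offset + length]


def skip(data, offset, tag, chunk):
    """Bytes to advance: to the next tag after offset, or past the chunk end."""
    nxt = data.find(tag, offset + 1)
    return (nxt - offset) if nxt >= 0 else (chunk - offset)


def scan(aspace, size, tag=PROCESS_POOL_TAG, chunk=4096, guard=True):
    """Return image offsets where tag occurs. guard=False reproduces the crash."""
    hits = []
    for base in range(0, size, chunk):
        data = aspace.read(base, chunk)
        if data is None:
            if not guard:
                data.index(tag, 1)  # AttributeError: 'NoneType' ... 'index'
            continue  # unreadable chunk: skip it rather than crash
        i = 0
        while i < len(data):
            if data[i:i + len(tag)] == tag:
                hits.append(base + i)
            i += skip(data, i, tag, chunk)
    return hits  # tags straddling a chunk boundary are not handled here


def build_sample():
    """Constructed 16 KiB image: tags at 0x1000, 0x2100 and 0x3010; 0x2000-0x2fff unmapped."""
    img = bytearray(16 * 1024)
    img[0x1000:0x1004] = PROCESS_POOL_TAG
    img[0x2100:0x2104] = PROCESS_POOL_TAG  # inside the hole, so never readable
    img[0x3010:0x3014] = PROCESS_POOL_TAG
    return SampleAddressSpace(bytes(img), [(0x2000, 0x1000)])
```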