Sure thing...

# vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(P)          Name                PID   PPID PDB                Time created         Time exited        
------------------ ---------------- ------ ------ ------------------ -------------------- --------------------
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 185, in <module>
    main()
  File "/usr/local/bin/vol.py", line 176, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-1977/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/filescan.py", line 444, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/filescan.py", line 427, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-1977/volatility/scan.py", line 220, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-1977/volatility/scan.py", line 138, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/common.py", line 55, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'

With the may-01 version:

# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
 Offset(P)  Name             PID    PPID   PDB        Time created             Time exited            
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
    main()
  File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
    for eprocess in data:
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
    for offset in PoolScanProcess().scan(address_space):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
    for i in BaseScanner.scan(self, address_space, offset, maxlen):
  File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
    skip = max(skip, s.skip(data, i))
  File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
    nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'

On Fri, Jul 6, 2012 at 11:01 AM, Jamie Levy <jamie.levy@gmail.com> wrote:
Even though there might be an issue with the vmss address space, if it
had succeeded, you would still have to specify the profile like so:

$ vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64

Could you try one time like that just to be sure?

On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling@gmail.com> wrote:
> Seems better:
>
> root@Forensic-1:/case2/4132012/biweb/mem# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>
> Volatile Systems Volatility Framework 2.1_alpha
>  Offset(P)  Name             PID    PPID   PDB        Time created
> Time exited
> ---------- ---------------- ------ ------ ----------
> ------------------------ ------------------------
> No suitable address space mapping found
> Tried to open image as:
> ...
>
>  VMWareSnapshotFile: ('Header signature invalid', 4026597203)
> ...
>
> On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy@gmail.com> wrote:
>>
>> Try to place them in volatility/plugins/addrspaces/ instead and then
>> do a `make clean` before running
>>
>> On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling@gmail.com>
>> wrote:
>> > Disclaimer:
>> >
>> > So I took Nir's files, and dropped them into my plugins folder... I did not see any new plugins using vol.py -h, and when I tried to do an imageinfo I got:
>> >
>> > /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
>> >
>> > Volatile Systems Volatility Framework 2.1_alpha
>> > Determining profile based on KDBG search...
>> >
>> > Traceback (most recent call last):
>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
>> > <module>
>> >     main()
>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
>> > main
>> >     command.execute()
>> >   File
>> > "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> >     func(outfd, data)
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 34, in render_text
>> >     for k, v in data:
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 44, in calculate
>> >     suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 119, in calculate
>> >     for offset in scanner.scan(aspace):
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 83, in scan
>> >     for offset in scan.BaseScanner.scan(self, address_space, offset,
>> > maxlen):
>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> > line
>> > 136, in scan
>> >     skip = max(skip, s.skip(data, i))
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> >     nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >
>> > So:
>> >
>> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>> >
>> > Volatile Systems Volatility Framework 2.1_alpha
>> >  Offset(P)  Name             PID    PPID   PDB        Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > No suitable address space mapping found
>> > Tried to open image as:
>> >  WindowsHiberFileSpace32: No base Address Space
>> >  VMWareSnapshotFile: No base Address Space
>> >  WindowsCrashDumpSpace32: No base Address Space
>> >  AMD64PagedMemory: No base Address Space
>> >  JKIA32PagedMemory: No base Address Space
>> >  JKIA32PagedMemoryPae: No base Address Space
>> >  IA32PagedMemoryPae: Module disabled
>> >  IA32PagedMemory: Module disabled
>> >  WindowsHiberFileSpace32: No xpress signature found
>> >  WindowsHiberFileSpace32: No xpress signature found
>> >  VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> >  WindowsCrashDumpSpace32: Header signature invalid
>> >  AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>> >  JKIA32PagedMemory: Failed valid Address Space check
>> >  JKIA32PagedMemoryPae: Failed valid Address Space check
>> >  IA32PagedMemoryPae: Module disabled
>> >  IA32PagedMemory: Module disabled
>> >  FileAddressSpace: Must be first Address Space
>> >
>> > At least it doesn't crash. So now:
>> >
>> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 psscan
>> >
>> > Volatile Systems Volatility Framework 2.1_alpha
>> >  Offset(P)  Name             PID    PPID   PDB        Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
>> > <module>
>> >     main()
>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
>> > main
>> >     command.execute()
>> >   File
>> > "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> >     func(outfd, data)
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> >     for eprocess in data:
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> >     for offset in PoolScanProcess().scan(address_space):
>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> > line
>> > 218, in scan
>> >     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> > line
>> > 136, in scan
>> >     skip = max(skip, s.skip(data, i))
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> >     nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >
>> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>> >
>> > Volatile Systems Volatility Framework 2.1_alpha
>> >  Offset(P)  Name             PID    PPID   PDB        Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
>> > <module>
>> >     main()
>> >   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
>> > main
>> >     command.execute()
>> >   File
>> > "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> >     func(outfd, data)
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> >     for eprocess in data:
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> >     for offset in PoolScanProcess().scan(address_space):
>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> > line
>> > 218, in scan
>> >     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> >   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> > line
>> > 136, in scan
>> >     skip = max(skip, s.skip(data, i))
>> >   File
>> >
>> > "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> >     nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >
>> > I have limited testing time the next couple weeks, so will look to see if I can share this with someone like SA in the meantime...
>> >
>> > Cheers,
>> >
>> > Jesse
>> >
>> > On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr@gmail.com> wrote:
>> >>
>> >> I assume you need it for something other than testing my patch;
>> >> I can send parts of the vmss of the machine where I already noticed more than one region.
>> >> Could you use that to gather the info you need?
>> >>
>> >> BTW, I'm also using VMware Converter Standalone pretty often; it might also be related.
>> >>
>> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters@4tphi.net>
>> >> wrote:
>> >>>
>> >>> Nir,
>> >>>
>> >>>> AAron - actually it was quite rare, but the first vmss I used to test the patch had two or three, which made my patch break when I first tested it on other VMs.
>> >>>> I could try to pinpoint it, but I guess it would be easier for me to reverse the VMware code than try it manually :)
>> >>>> A thing to note is that that vmss also had two virtual CPUs, which might have caused having more than one region. It also had ~4G of RAM. Most of the other VMs I used only had about 512M.
>> >>>> Did you try to run it on other vmss files that resemble the one I described?
>> >>>
>> >>>
>> >>> Interesting. I have never seen a vmss with multiple regions. If you happen to come across one again, please let me know. I'd be interested in what conditions or what product leads to more than one region.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> AW
>> >>
>> >
>> > --
>> > Jesse Bowling
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users@volatilesystems.com
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>>
>> --
>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
>
> --
> Jesse Bowling
>

--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92

--
Jesse Bowling
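The scanner failure every traceback in this thread ends in, as an added example that is not Volatility's code: a toy pool-tag scanner whose address-space read hands back None for a chunk it cannot map, a `skip()` that dies on it exactly as in the traceback, and the guard that lets the scan continue past the unreadable chunk. The names (`read`, `tag_skip`, `tag_skip_guarded`, `scan`, `scan_error`, `CHUNK`, `SAMPLE`) and the sample chunks are assumptions of this example.

```python
# Added example, not Volatility's own code: a toy pool-tag scanner that hits
# the "'NoneType' object has no attribute 'index'" failure from the tracebacks
# and the guard that turns an unreadable chunk into a skipped region instead.
CHUNK = 0x1000   # scan granularity, standing in for the scanner's read size
TAG = b"Proc"    # pool tag of _EPROCESS allocations, what psscan looks for

def read(chunks, offset, length):
    # Toy address space: chunks maps chunk_base -> bytes, or None for a chunk
    # the layer could not map (the vmss situation discussed in the thread).
    chunk = chunks.get(offset - offset % CHUNK)
    if chunk is None:
        return None              # unmapped: the caller gets None, not b""
    return chunk[offset % CHUNK:offset % CHUNK + length]

def tag_skip(data, offset):
    # Distance to the next tag; modelled on the skip() in the traceback,
    # which assumes data is bytes and therefore dies on None.
    try:
        return data.index(TAG, offset + 1) - offset
    except ValueError:           # tag absent: jump to the end of the chunk
        return len(data) - offset
def tag_skip_guarded(data, offset):
    # Same contract, but a None buffer means "skip this whole chunk".
    if data is None:
        return CHUNK - offset
    return tag_skip(data, offset)

def scan(chunks, maxlen, skip_fn):
    # Absolute offsets of TAG over CHUNK-sized reads. The tag check goes
    # through read(), as the real checks do; only skip_fn sees the buffer.
    hits = []
    for base in range(0, maxlen, CHUNK):
        data, i = read(chunks, base, CHUNK), 0
        while i < CHUNK:
            if read(chunks, base + i, len(TAG)) == TAG:
                hits.append(base + i)
            i += max(1, skip_fn(data, i))
    return hits

def scan_error(chunks, maxlen, skip_fn):
    # Run scan() and return the exception text, or None if it completed.
    try:
        scan(chunks, maxlen, skip_fn)
    except AttributeError as exc:
        return str(exc)
    return None
SAMPLE = {0x0000: b"\0" * 0x10 + TAG + b"\0" * (CHUNK - 0x14),  # constructed
          0x1000: None,                                          # unmapped
          0x2000: b"\0" * 0x20 + TAG + b"\0" * (CHUNK - 0x24)}
```

With the unguarded `tag_skip` the scan dies on the unmapped chunk with the same message as the tracebacks; with `tag_skip_guarded` it reports the tags on both sides of it.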