That was before my time. This is for a class and someone else acquired it. From other memory images for the same class I have seen mdd listed as a process at the time of IR, so I am assuming that is what was used.
How did you acquire the memory image? The 0 active processes is not a good sign.
On Wed, Aug 22, 2012 at 11:44 AM, Jon Nelson <dotcop@gmail.com> wrote:
> Here is imageinfo:
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd imageinfo
>
> Volatile Systems Volatility Framework 2.1
> Determining profile based on KDBG search...
>
> Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
> AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
> AS Layer2 : FileAddressSpace (G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd)
> PAE type : PAE
> DTB : 0x122000L
> KDBG : 0x8193ec90L
> Number of Processors : 2
> Image Type (Service Pack) : 1
> KPCR for CPU 0 : 0x8193f800L
> KPCR for CPU 1 : 0x803d1000L
> KUSER_SHARED_DATA : 0xffdf0000L
> Image date and time : 2010-10-26 18:35:11 UTC+0000
> Image local date and time : 2010-10-26 14:35:11 -0400
>
>
> Here is the complete output of kdbgscan:
>
> Offset (V) : 0x8193ec90
> Offset (P) : 0x193ec90
> KDBG owner tag check : True
> Profile suggestion (KDBGHeader): Win2008SP1x86
> Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
> PsActiveProcessHead : 0x81954990 (0 processes)
> PsLoadedModuleList : 0x8195ec70 (0 modules)
> KernelBase : 0x81847000 (Matches MZ: True)
> Major (OptionalHeader) : 6
> Minor (OptionalHeader) : 0
> KPCR : 0x8193f800 (CPU 0)
> KPCR : 0x803d1000 (CPU 1)
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
> Offset (V) : 0x8193ec90
> Offset (P) : 0x193ec90
> KDBG owner tag check : True
> Profile suggestion (KDBGHeader): VistaSP1x86
> Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
> PsActiveProcessHead : 0x81954990 (0 processes)
> PsLoadedModuleList : 0x8195ec70 (0 modules)
> KernelBase : 0x81847000 (Matches MZ: True)
> Major (OptionalHeader) : 6
> Minor (OptionalHeader) : 0
> KPCR : 0x8193f800 (CPU 0)
> KPCR : 0x803d1000 (CPU 1)
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
> Offset (V) : 0x8193ec90
> Offset (P) : 0x193ec90
> KDBG owner tag check : True
> Profile suggestion (KDBGHeader): VistaSP2x86
> Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
> PsActiveProcessHead : 0x81954990 (0 processes)
> PsLoadedModuleList : 0x8195ec70 (0 modules)
> KernelBase : 0x81847000 (Matches MZ: True)
> Major (OptionalHeader) : 6
> Minor (OptionalHeader) : 0
> KPCR : 0x8193f800 (CPU 0)
> KPCR : 0x803d1000 (CPU 1)
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
> Offset (V) : 0x8193ec90
> Offset (P) : 0x193ec90
> KDBG owner tag check : True
> Profile suggestion (KDBGHeader): Win2008SP2x86
> Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
> PsActiveProcessHead : 0x81954990 (0 processes)
> PsLoadedModuleList : 0x8195ec70 (0 modules)
> KernelBase : 0x81847000 (Matches MZ: True)
> Major (OptionalHeader) : 6
> Minor (OptionalHeader) : 0
> KPCR : 0x8193f800 (CPU 0)
> KPCR : 0x803d1000 (CPU 1)
>
> I also tried providing the kdbg value on the command line and got:
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 --kdbg=0x8193ec90L pslist
> Volatile Systems Volatility Framework 2.1
> Usage: Volatility - A memory forensics analysis platform.
>
> volatility-2.1.standalone.exe: error: option --kdbg: invalid integer value: '0x8193ec90L'
>
> Is that an indication of an invalid memory address?
>
> Thanks!
>
> Jon
>
> On Wed, Aug 22, 2012 at 12:30 PM, Andrew Case <atcuno@gmail.com> wrote:
>>
>> From your original post:
>>
>> PsActiveProcessHead : 0x81954990 (0 processes)
>> PsLoadedModuleList : 0x8195ec70 (0 modules)
>>
>> That is not good ... 0 processes off activeprocesshead
>>
>> Do you only get one result from kdbgscan? Can you try just running the
>> 'imageinfo' plugin on your image (don't give it --profile), and send
>> me the results?
>>
>> On Wed, Aug 22, 2012 at 11:27 AM, Jon Nelson <dotcop@gmail.com> wrote:
>> > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>> >
>> > and...
>> >
>> > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>> >
>> > On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno@gmail.com> wrote:
>> >>
>> >> Can you paste the command line invocation you are running Vol with?
>> >>
>> >> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop@gmail.com> wrote:
>> >> > I am using the 2.1 Windows standalone exe.
>> >> >
>> >> > I have a dd image of memory from the subject operating system and when I try to use pslist with the Win2008SP1x86 profile I get the following errors:
>> >> >
>> >> > Traceback (most recent call last):
>> >> >   File "<string>", line 185, in <module>
>> >> >   File "<string>", line 176, in main
>> >> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
>> >> >   File "C:\volatility\volatility\plugins\taskmods.py", line 138, in render_text
>> >> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
>> >> >   File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
>> >> > AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>> >> >
>> >> >
>> >> > When I try to verify my profile with kdbgscan I get the following for all profiles:
>> >> >
>> >> > **************************************************
>> >> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>> >> > Offset (V) : 0x8193ec90
>> >> > Offset (P) : 0x193ec90
>> >> > KDBG owner tag check : True
>> >> > Profile suggestion (KDBGHeader): Win2008SP1x86
>> >> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
>> >> > Service Pack (CmNtCSDVersion) : 1
>> >> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>> >> > PsActiveProcessHead : 0x81954990 (0 processes)
>> >> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>> >> > KernelBase : 0x81847000 (Matches MZ: True)
>> >> > Major (OptionalHeader) : 6
>> >> > Minor (OptionalHeader) : 0
>> >> > KPCR : 0x8193f800 (CPU 0)
>> >> > KPCR : 0x803d1000 (CPU 1)
>> >> >
>> >> > Any help would be greatly appreciated.
>> >> >
>> >> > Jon
>> >> >
>> >> > _______________________________________________
>> >> > Vol-users mailing list
>> >> > Vol-users@volatilityfoundation.org
>> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >> >
>> >
>> >
>
>
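As an added example (not code from this thread, nor part of Volatility), a small Python helper covering the two things the exchange above turns on: imageinfo in 2.1 prints addresses as Python 2 longs with a trailing `L`, which the `--kdbg` option parser rejects, so the suffix has to be stripped before the value is passed on the command line; and a kdbgscan block whose PsActiveProcessHead and PsLoadedModuleList both walk to 0 entries will never give pslist anything to list, however plausible the build string looks. The sample kdbgscan block is constructed from the values quoted in the thread.

```python
import re

# Constructed sample: one kdbgscan block built from the values quoted in the
# thread (alignment is the 2.1 layout; the numbers are the post's).
SAMPLE_KDBGSCAN = """\
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP1x86
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)
"""

def normalize_address(text):
    """Parse an address as imageinfo prints it ('0x8193ec90L') into an int.
    imageinfo in 2.1 prints Python 2 longs, whose repr ends in 'L'; the
    --kdbg option parser rejects that suffix (the error seen in the thread)."""
    m = re.fullmatch(r"\s*(0[xX][0-9a-fA-F]+)L?\s*", text)
    if not m:
        raise ValueError("not a hex address: %r" % text)
    return int(m.group(1), 16)

def kdbg_option(text):
    """Value that the 2.1 command line accepts for --kdbg=."""
    return "0x%x" % normalize_address(text)

def kdbg_sanity_check(output):
    """Return warnings for one kdbgscan block (empty list = looks usable).
    Both list heads walking to zero entries, as in the thread, means pslist
    and modules will return nothing for that profile, however plausible the
    build string looks."""
    warnings = []
    tag = re.search(r"KDBG owner tag check\s*:\s*(True|False)", output)
    if tag is None or tag.group(1) != "True":
        warnings.append("KDBG owner tag check did not pass")
    for head, unit in (("PsActiveProcessHead", "processes"),
                       ("PsLoadedModuleList", "modules")):
        pat = r"%s\s*:\s*(0x[0-9a-fA-F]+)\s*\((\d+) %s\)" % (head, unit)
        m = re.search(pat, output)
        if m is None:
            warnings.append("%s not present in kdbgscan output" % head)
        elif int(m.group(2)) == 0:
            warnings.append("%s at %s walks to 0 %s" % (head, m.group(1), unit))
    return warnings
```

Run `kdbg_sanity_check` over each block kdbgscan prints before trusting a profile; when every block reports zero entries on both list heads, the question to ask is how the image was acquired, not which profile to pick.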