Hi James,
Thanks for testing. The hivedump plugin was not accepting hex-encoded offsets (integers would have probably worked), so it got confused by the 0xe1036b60.

I have just pushed a fix that makes it also accept offsets in hex, which should fix the issue.

Thanks,
Michael


On 15 April 2013 17:53, James Lay <jlay@slave-tothe-box.net> wrote:
Hey all,

So far I am unable to get hivedump to work specifying an offset in either interactive or non-interactive mode:

Offset(V)  Offset(P)  Name
0xe1036b60 0x4948ab60 \Device\HarddiskVolume1\Windows\system32\config\SYSTEM @ 0xe1036b60


./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump -o 0xe1036b60
**************************************************
Hive -

Last Written             Key
------------------------ ---
ERROR:root:Error: invalid literal for int() with base 10: 'x'
ERROR:root:invalid literal for int() with base 10: 'x'. Try --debug for more information.


Not specifying an offset works, however:

./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump
**************************************************
Hive \Device\HarddiskVolume1\Documents and Settings\ACS\NTUSER.DAT @ 0xe1452b60

Last Written             Key
------------------------ ---
2013-04-10 18:32:35+0000 CMILoadedHive-{D6ED518C-64C9-49F9-A016-8B8A7E2C051E}/AppEvents
...


Any hints on what I could be doing wrong?  Thank you.

James
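
Added example, not part of the thread and not Volatility's code: one way a command-line tool can accept an offset in either decimal or 0x-prefixed hex, plus a helper that reproduces the error text from the report. All function names, the 32-bit range check and the comma-separated list form are assumptions made for this illustration; how the plugin itself produced the message is not shown on the page.

```python
# Added illustration, not Volatility's code; all function names are hypothetical.

def parse_offset(text, bits=32):
    """Parse one offset given as decimal or 0x-prefixed hex and range-check it."""
    token = text.strip()
    try:
        value = int(token, 0)  # base 0 honours the 0x prefix, else reads decimal
    except ValueError:
        raise ValueError("offset %r is not decimal or 0x-prefixed hex" % token)
    if not 0 <= value < (1 << bits):
        raise ValueError("offset %r does not fit in %d bits" % (token, bits))
    return value


def parse_offsets(arg, bits=32):
    """Parse a comma-separated list of offsets (assumed option format)."""
    return [parse_offset(part, bits) for part in arg.split(",") if part.strip()]


def first_base10_error(tokens):
    """Return the message of the first token plain int() rejects, else None."""
    for token in tokens:
        try:
            int(token)  # base 10 only, as in the error text of the report
        except ValueError as exc:
            return str(exc)
    return None


if __name__ == "__main__":
    arg = "0xe1036b60"  # the offset from the report above
    print(first_base10_error([arg]))       # whole string handed to int()
    print(first_base10_error(list(arg)))   # string converted character by character
    print(hex(parse_offset(arg)))          # accepted once base 0 is used
```

The second print shows that Python names 'x' in the message only when the string is converted one character at a time; that is a property of int(), not a statement about the plugin's code.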