Good evening,
I have what purports to be a Windows Server 2003 vmss file from an ESXi
server.
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
AS Layer1 : FileAddressSpace (E:\memory.vmss)
PAE type : No PAE
DTB : 0xe02000L
KDBG : 0x89e3e0
Number of Processors : 32
Image Type (Service Pack) : 8388479
KPCR for CPU 1 : 0xb4428734L
KPCR for CPU 105 : 0x6ab88836
KPCR for CPU 187 : 0xbbb081feL
KPCR for CPU 217 : 0xd26666cfL
KPCR for CPU 244 : 0xf6396926L
KPCR for CPU 43 : 0xdb784fe4L
KPCR for CPU 0 : 0xbfcc7b14L
KPCR for CPU 144 : 0xfdce5831L
KPCR for CPU 163 : 0xe645d2edL
KPCR for CPU 240 : 0xe641b395L
KPCR for CPU 0 : 0x54430b95
KPCR for CPU 121 : 0xe647cb92L
KPCR for CPU 156 : 0x11fcab95
KPCR for CPU 88 : 0x7e5a9411
KPCR for CPU 0 : 0x3a144ddb
KPCR for CPU 0 : 0xad8d25f2L
KPCR for CPU 167 : 0x6a05fdd2
KPCR for CPU 149 : 0x9623d84aL
KPCR for CPU 116 : 0x4d5a811c
KPCR for CPU 0 : 0x770a23f1
KPCR for CPU 0 : 0x62485716
KPCR for CPU 47 : 0xb52572fcL
KPCR for CPU 0 : 0x1449293a
KPCR for CPU 46 : 0x4997edb2
KPCR for CPU 0 : 0x95971adeL
KPCR for CPU 0 : 0x95bcc716L
KPCR for CPU 53 : 0x55851105
KPCR for CPU 0 : 0x55bcc700
KPCR for CPU 0 : 0xd5893716L
KPCR for CPU 169 : 0x4a21113d
KPCR for CPU 1 : 0x88f33d8dL
KPCR for CPU 0 : 0xa3d2de22L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 1970-01-01 00:00:00 UTC+0000
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "E:\Tools\volatility-2.2\volatility\commands.py", line 111, in execute
    func(outfd, data)
  File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 34, in render_text
    for k, v in data:
  File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 109, in calculate
    yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
  File "E:\Tools\volatility-2.2\volatility\timefmt.py", line 82, in display_datetime
    dt = dt.astimezone(custom_tz)
ValueError: tzinfo.utcoffset() returned 1440; must be in -1439 .. 1439
Or, maybe it isn't.
Anyhow, I converted it with imagecopy and while imageinfo returns the same
information, none of the other commands will work:
E:\Tools\volatility-2.2>python vol.py -f E:\RAM\memory.raw --profile=Win2003SP2x86 connections
Volatile Systems Volatility Framework 2.2
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Win2003SP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Any thoughts on how to work with this image would be most welcome.
-David
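The imageinfo output quoted in the post has the fingerprints of a KDBG scan that matched garbage rather than the real debugger data block: repeated "CPU 0" entries, KPCR addresses below the 32-bit kernel boundary, a service-pack field of 8388479, an image date at the Unix epoch and a timezone bias of exactly 24 hours, which is what makes astimezone() raise. The script below is an added example, not code from David's post or from the Volatility project. It parses imageinfo-style output and flags those inconsistencies, and it guards the local-time conversion the traceback shows failing. The sample outputs are constructed (one trimmed from the post, one plausible "clean" run), the thresholds (max_cpus, the service-pack sanity limit) and the assumption that the bias is expressed in minutes are mine.

```python
"""Sanity-check Volatility 2.x imageinfo output before trusting a KDBG hit.

Added example (not from the original post or Volatility). A false KDBG
match yields nonsense processor counts, duplicate KPCRs, user-mode KPCR
addresses, an epoch-zero image date and an out-of-range timezone bias.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed copy of the output quoted in the post.
SUSPECT_OUTPUT = """\
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
AS Layer1 : FileAddressSpace (E:\\memory.vmss)
PAE type : No PAE
DTB : 0xe02000L
KDBG : 0x89e3e0
Number of Processors : 32
Image Type (Service Pack) : 8388479
KPCR for CPU 1 : 0xb4428734L
KPCR for CPU 105 : 0x6ab88836
KPCR for CPU 0 : 0xbfcc7b14L
KPCR for CPU 0 : 0x54430b95
Image date and time : 1970-01-01 00:00:00 UTC+0000
"""

# Constructed sample of what a believable Win2003 x86 result looks like
# (0xffdff000 is the conventional CPU 0 KPCR on 32-bit Windows; the rest
# are invented but plausible values).
CLEAN_OUTPUT = """\
Suggested Profile(s) : Win2003SP2x86
Number of Processors : 2
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000L
KPCR for CPU 1 : 0xf772f000L
Image date and time : 2012-11-05 14:21:09 UTC+0000
"""

KPCR_RE = re.compile(r"^KPCR for CPU (\d+)\s*:\s*0x([0-9a-fA-F]+)L?$")
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_imageinfo(text):
    """Return (fields dict, list of (cpu_index, kpcr_address))."""
    fields, kpcrs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KPCR_RE.match(line)
        if m:
            kpcrs.append((int(m.group(1)), int(m.group(2), 16)))
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields, kpcrs


def kdbg_plausibility_issues(fields, kpcrs, max_cpus=64):
    """List reasons to distrust the KDBG hit; empty list means it looks sane."""
    issues = []
    ncpu = int(fields.get("Number of Processors", "0"))
    if not 1 <= ncpu <= max_cpus:
        issues.append("implausible processor count %d" % ncpu)
    cpus = [c for c, _ in kpcrs]
    if len(set(cpus)) != len(cpus):
        issues.append("duplicate KPCR CPU indices (e.g. several 'CPU 0')")
    if any(c >= ncpu for c in cpus):
        issues.append("KPCR CPU index >= processor count")
    # On 32-bit Windows, kernel structures such as the KPCR sit at or above
    # 0x80000000; anything lower is a user-mode address and cannot be right.
    if any(addr < 0x80000000 for _, addr in kpcrs):
        issues.append("KPCR address in user-mode range")
    if fields.get("Image date and time", "").startswith("1970-01-01"):
        issues.append("image date is the Unix epoch (unset or garbage)")
    sp = fields.get("Image Type (Service Pack)")
    if sp is not None and sp.isdigit() and int(sp) > 10:  # no Windows SP ever exceeded 6
        issues.append("service pack field %s is not a small integer" % sp)
    return issues


def safe_local_time(dt_utc, bias_minutes):
    """Convert to local time only when the bias is a legal UTC offset.

    Python requires an offset strictly inside +/- 24h; a bias of 1440 minutes
    read from bogus memory is exactly what made display_datetime() raise in
    the post, so it is rejected here instead of crashing the plugin.
    """
    if not -1440 < bias_minutes < 1440:
        return None
    return dt_utc.astimezone(timezone(timedelta(minutes=bias_minutes)))


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_OUTPUT), ("clean", CLEAN_OUTPUT)):
        f, k = parse_imageinfo(text)
        print(name, kdbg_plausibility_issues(f, k) or "looks plausible")
    print(safe_local_time(datetime(2012, 11, 5, 14, 21, 9, tzinfo=timezone.utc), 1440))
```

In practice a result like the one in the post means the KDBG offset, DTB and profile are not trustworthy, so the next step is to verify the address space rather than the plugins: a .vmss snapshot is not a raw physical memory dump, which is also why the imagecopy output is rejected by every address space above.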